Cisco ISR1k platform licensing explained

An article about choosing a Cisco 1100 series router, explaining its license model and how to apply the licenses to the device.


Cisco ISR1000 is a popular router series aimed at branch deployment, and it contains many models depending on the required deployment. You can pick a router with a DSL WAN interface, GigabitEthernet, dual-SIM 4G interfaces, Wi-Fi, and PoE. A ton of options there.

I won't go into the details of all the devices in this post; instead, I will cover one aspect that I found complicated: licensing. To avoid diving into the full range of available models, I will limit this blog post to the Cisco C1100 models C1100-8P and C1100-4P, as these are the basis for the other alternatives, and the approach to licensing should be similar.

Step 1 - Choosing the right platform.

With ISR1100, there are three parameters we should check.

  1. The number of LAN-side interfaces - this parameter is easy - the routers have 4 or 8 LAN switch interfaces.
  2. Throughput - the 8-port variant has a more powerful CPU. Details of the performance characteristics are below, and I will elaborate on the differences.
  3. Crypto throughput - this is an area where I got lost because of the misleading Cisco documentation.

ISR 1100 Performance

| Function | ISR1110-4P | ISR1100-8P |
|---|---|---|
| CPU Frequency | 800 MHz | 1200 MHz |
| Ethernet Switch | 4xGE LAN w/ 1Gbps uplink | 8xGE LAN w/ 2.5Gbps uplink |
| PoE capability | 2-port POE+ | 4-port POE+ |
| Generic throughput | Un-throttled | Un-throttled |
| Crypto throughput (default) | 50 Mbps | 50 Mbps |
| Crypto throughput (perf) | 150 Mbps | 250 Mbps |
| Crypto throughput (HSEC) | beyond 150 Mbps | beyond 250 Mbps |

And some real-life test figures:

| Traffic Profiles | ISR1110-4P w/ HSEC | ISR1110-8P w/ HSEC |
|---|---|---|
| CEF IMIX | 1252 Mbps | 1750 Mbps |
| IPsec (AES256) IMIX | 230 Mbps | 335 Mbps |
| NAT IMIX | 660 Mbps | 960 Mbps |
| HQoS IMIX | 650 Mbps | 910 Mbps |
| ACL+NAT+HQoS IMIX | 330 Mbps | 510 Mbps |

Some observations from this summary:

  • The CPU frequency directly translates to throughput figures.
  • The LAN-side switch connects to the backplane with a 1G uplink in C1100-4P and a 2.5G uplink in C1100-8P. It can be a limitation in some use cases because of the oversubscription.

Step 2 - Choosing the correct feature set.

Cisco routers have a long history of using feature licenses, and the point is to get (and pay for) the licenses you will use. In the case of C1100, there are two main branches of licenses.

Cisco C1100 Licensing. Source: Cisco C1100 documentation

There are three feature licenses available:

  • IP Base - this technology package is a default option and contains basic features like routing protocols, ACL, NAT, QoS, BFD, VRF Lite, and IP SLA Responder.
  • APP - this technology package contains everything from the IP Base package and adds advanced networking protocols: L2TPv3 and MPLS. It also has Application Experience functionalities like PfRv3, NBAR2, AVC, and IPSLA Initiator. For the hybrid cloud connectivity, it adds LISP, Virtual Private LAN Services (VPLS), and Ethernet over MPLS.
  • SEC - this technology package adds security and cryptographic features and protocols to the IP Base functionality: Zone-based firewall, IPsec VPN, Dynamic Multipoint VPN (DMVPN), FlexVPN, and GETVPN. By default, the router limits the encrypted traffic throughput to 50 Mbps, which is where the IPsec performance and HSEC licenses come in.

Step 3 - Choosing the correct IPSec performance.

If you have the SEC feature set, the router, by default, limits the encrypted traffic throughput to 50 Mbps. If you need more, you need to add a Security Performance license. This license comes in two variants, VPERF, which raises the throughput level, and HSEC, which removes the performance restriction completely.

For C1100-4P, the VPERF license adds 100 Mbps for 150 Mbps of total crypto throughput.

For C1100-8P, the VPERF license adds 200 Mbps for 250 Mbps of total crypto throughput.

If even this limit isn't enough, there is the HSEC feature license, which removes the limit, so the throughput is bounded only by the performance of the device itself. From the performance figures earlier in this article, it is reasonable to expect 230 Mbps of crypto throughput for C1100-4P and 335 Mbps for C1100-8P.

Step 4: How to apply the license to a router

After ordering and receiving the router with desired licenses, you will need to apply the license to the device. We are using the Smart Licensing portal for the portability of the licenses.

In this part of the post, I will show the options we have with the router's configuration.

Prerequisites:

First of all, we need to establish some basic connectivity to the internet.

licensetest(config)#interface GigabitEthernet0/0/0
licensetest(config-if)#ip address 192.0.2.2 255.255.255.0
licensetest(config-if)#no ip redirects
licensetest(config-if)#no ip unreachables
licensetest(config-if)#no ip proxy-arp
licensetest(config-if)#load-interval 30
licensetest(config-if)#negotiation auto
licensetest(config-if)#exit
licensetest(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.1

We will also need a DNS service to be able to resolve the Smart Portal name.

licensetest(config)#ip name-server 8.8.8.8 8.8.4.4 
licensetest(config)#ip domain-lookup

And it will be reasonable to have some other name for the device than Router.

licensetest(config)#hostname licensetest
licensetest(config)#ip domain-name example.com

Now we can safely proceed to connect the device to the Smart Account. For this, we need the idtoken, which we can get from the Smart Software Manager at software.cisco.com. As we may be adding some export-controlled functionality, we need to select the corresponding option when creating the token.

After we have the token, we need to tell the device to use it for registration. But first, we need to change the device's default behavior, which is to use Cisco Smart License Utility (CSLU), to use a Cisco Smart Software Manager (CSSM).

licensetest(config)#license smart url https://smartreceiver.cisco.com/licservice/license
licensetest(config)#license smart url smart https://smartreceiver.cisco.com/licservice/license
licensetest(config)#license smart transport smart

Then we can register the device (this is done in the exec mode, not config).

licensetest#license smart trust idtoken {{token}}

After we enter this command, the router tries to register itself. If all goes well, we should get this output of show license all:

licensetest#show license all
Smart Licensing Status
======================

Smart Licensing is ENABLED

!!! OUTPUT REMOVED FOR BREVITY

Trust Code Installed: Oct 14 06:11:40 2022 UTC

License Usage
=============

Product Information
===================
UDI: PID:C1111-8P,SN:XXXXXXXXXXXX

Agent Version
=============
Smart Agent for Licensing: 5.0.14_rel/89

License Authorizations
======================
Overall status:
  Active: PID:C1111-8P,SN:XXXXXXXXXXXX
      Status: SMART AUTHORIZATION INSTALLED on Oct 14 06:13:48 2022 UTC
      Last Confirmation code: b2edbdac

Purchased Licenses:
  No Purchase Information Available

The device is connected to the Smart Account portal. Now we need to apply some licenses to it.

Option 1: SEC license only

In this case, if we get a device without any preinstalled license, we need to add one command and reboot the router.

licensetest(config)#license boot level securityk9
licensetest(config)#exit
licensetest#write memory
licensetest#reload

This will result in a change in the show license all output:

License Usage
=============

securityk9 (ISR_1100_8P_Security):
  Description: securityk9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: securityk9
  Feature Description: securityk9
  Enforcement type: NOT ENFORCED
  License type: Perpetual

You will also see the license is "In Use" in the Smart Account "Licenses" view.

Option 2: SEC license and HSEC license

In this case, if we get a device without any preinstalled license, we need to add two commands and reboot the device.

licensetest(config)#license boot level securityk9 
licensetest(config)#platform hardware throughput crypto unthrottled 
licensetest(config)#exit 
licensetest#write memory
licensetest#reload

The platform hardware throughput crypto unthrottled command is, per my observation, equivalent to the command license feature hseck9, which gets installed automatically. You have, therefore, two options to configure the HSEC functionality. However, I recommend you do the configuration with platform hardware throughput crypto. See the details in the "Caveats" part.

Again, this will result in a change in the show license all output:

License Usage
=============

hseck9 (ISR_1100_8P_Hsec):
  Description: hseck9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: RESTRICTED - ALLOWED
  Feature Name: hseck9
  Feature Description: hseck9
  Enforcement type: EXPORT RESTRICTED
  License type: Perpetual

securityk9 (ISR_1100_8P_Security):
  Description: securityk9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: securityk9
  Feature Description: securityk9
  Enforcement type: NOT ENFORCED
  License type: Perpetual
 
License Authorizations
======================
Overall status:
  Active: PID:C1111-8P,SN:XXXXXXXXXXX
      Status: SMART AUTHORIZATION INSTALLED on Oct 14 06:13:48 2022 UTC
      Last Confirmation code: b2edbdac

Authorizations:
  ISR_1100_8P_Hsec (ISR_1100_8P_Hsec):
    Description: Cisco 1100 Series with 8 LAN Ports, U.S. Export Restriction Compliance license
    Total available count: 1
    Enforcement type: EXPORT RESTRICTED
    Term information:
      Active: PID:C1111-8P,SN:XXXXXXXXXXX
        Authorization type: SMART AUTHORIZATION INSTALLED 
        License type: PERPETUAL
          Term Count: 1

You will also see the license being consumed in the Smart Account "Licenses" view.

Option 3 - SEC license and Performance license

In this case, if we get a device without any preinstalled license, we need to add two commands and reboot the device.

We will apply the desired crypto throughput level depending on the device platform. For C1100-4P, it is going to be:

licensetest#conf t
licensetest(config)#license boot level securityk9 
licensetest(config)#platform hardware throughput crypto 150000
licensetest(config)#exit 
licensetest#write memory
licensetest#reload

For C1100-8P, it is going to be:

licensetest#conf t
licensetest(config)#license boot level securityk9 
licensetest(config)#platform hardware throughput crypto 250000
licensetest(config)#exit 
licensetest#write memory
licensetest#reload

We can see that this license is IN USE with the show license all command. I don't have this license, so the output will show a failed authorization.

License Usage
=============

throughput (ISR_1100_8P_IPSEC_Throughput_200Mbps):
  Description: throughput
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: throughput
  Feature Description: throughput
  Enforcement type: NOT ENFORCED
  License type: Perpetual

securityk9 (ISR_1100_8P_Security):
  Description: securityk9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: securityk9
  Feature Description: securityk9
  Enforcement type: NOT ENFORCED
  License type: Perpetual

The license portal now shows one missing throughput license.

Caveats & lessons learned:

There are a couple of hiccups in the configuration that may strike you, though.

  • Unable to remove HSEC license with throughput other than 50000 (default).
    With my software version, it is not possible to go directly from the HSEC level to the 250 Mbps level. You need to remove the throughput level entirely, so the device resets itself to the default, before applying the 250 Mbps license. Even with platform hardware throughput crypto 250000 in the configuration, the router throws the error below when you try to remove the HSEC license with no license feature hseck9. You need to enter the command no platform hardware throughput crypto unthrottled, even though that command is not present in the configuration; after a reload the platform level is back at 50000, which allows you to remove the hseck9 feature.

licensetest#show run | i platform
platform hardware throughput crypto 250000
licensetest#conf t
licensetest(config)#no license feature hseck9
% HSECK9 cannot be disabled with unthrottled crypto level configured, please change throughput level 
licensetest(config)#no platform hardware throughput crypto unthrottled
% Please write mem and reload
% The config will take effect on next reboot

After the reload, it is possible to remove it:

licensetest#show run | i platform
platform hardware throughput crypto 50000
licensetest#show run | i license
license feature hseck9
licensetest#conf t
licensetest(config)#no license feature hseck9
% use 'write' command to disable 'hseck9' license on next boot
licensetest(config)#end
licensetest#write
licensetest#reload

After another reload, you can install the IPSec performance license and reload again :)

licensetest#conf t
licensetest(config)#license boot level securityk9 
licensetest(config)#platform hardware throughput crypto 250000
licensetest(config)#exit 
licensetest#write memory
licensetest#reload

And after another reload, the license is finally applied correctly:

License Usage
=============

throughput (ISR_1100_8P_IPSEC_Throughput_200Mbps):
  Description: throughput
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: throughput
  Feature Description: throughput
  Enforcement type: NOT ENFORCED
  License type: Perpetual

securityk9 (ISR_1100_8P_Security):
  Description: securityk9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: securityk9
  Feature Description: securityk9
  Enforcement type: NOT ENFORCED
  License type: Perpetual

  • Licenses can be applied in nonsense combinations.
    I noticed this accidentally - you can have both an HSEC license and a throughput level of 250 Mbps. This is logical nonsense - you can have 50 Mbps, or 250 Mbps, or unlimited (HSEC). You can't have limited (250 Mbps) and unlimited (HSEC) simultaneously. Yet, you can get that combination if you do as follows:

licensetest(config)#platform hardware throughput crypto 250000
licensetest(config)#license feature hseck9

The resulting license usage will be like this:

License Usage
=============

throughput (ISR_1100_8P_IPSEC_Throughput_200Mbps):
  Description: throughput
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: throughput
  Feature Description: throughput
  Enforcement type: NOT ENFORCED
  License type: Perpetual

hseck9 (ISR_1100_8P_Hsec):
  Description: hseck9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: RESTRICTED - ALLOWED
  Feature Name: hseck9
  Feature Description: hseck9
  Enforcement type: EXPORT RESTRICTED
  License type: Perpetual

securityk9 (ISR_1100_8P_Security):
  Description: securityk9
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: securityk9
  Feature Description: securityk9
  Enforcement type: NOT ENFORCED
  License type: Perpetual
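
One way to catch this combination during a configuration audit, as an added example that is not part of the original post: the script parses the License Usage section of show license all and flags hseck9 and throughput being IN USE together, or hseck9 in use without the "RESTRICTED - ALLOWED" export status seen above. The function names are hypothetical, and the sample is constructed and abbreviated from the output shown in this article.

```python
import re
# Constructed sample, abbreviated from the "License Usage" output shown above.
SAMPLE = """\
License Usage
=============

throughput (ISR_1100_8P_IPSEC_Throughput_200Mbps):
  Status: IN USE

hseck9 (ISR_1100_8P_Hsec):
  Status: IN USE
  Export status: RESTRICTED - ALLOWED

securityk9 (ISR_1100_8P_Security):
  Status: IN USE

License Authorizations
======================
"""

ENTRY = re.compile(r"^(\S+) \(([^)]+)\):\s*$")  # "hseck9 (ISR_1100_8P_Hsec):"
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")     # "  Status: IN USE"

def parse_license_usage(text):
    """Return {feature: {field: value}} for the License Usage section only."""
    licenses, current, in_usage = {}, None, False
    for line in text.splitlines():
        if line.strip() == "License Usage":
            in_usage = True
        elif not in_usage or not line.strip() or set(line.strip()) == {"="}:
            continue
        elif m := ENTRY.match(line):
            current = licenses.setdefault(m[1], {"Entitlement": m[2]})
        elif current is not None and (m := FIELD.match(line)):
            current[m[1].strip()] = m[2].strip()
        elif not line[0].isspace():
            in_usage = False  # next top-level section heading ends the block
    return licenses

def audit(licenses):
    """Flag the inconsistent license states described in the caveats."""
    in_use = {n for n, f in licenses.items() if f.get("Status") == "IN USE"}
    findings = []
    if {"hseck9", "throughput"} <= in_use:
        findings.append("hseck9 and throughput both IN USE (unthrottled and capped)")
    export = licenses.get("hseck9", {}).get("Export status")
    if "hseck9" in in_use and export != "RESTRICTED - ALLOWED":
        findings.append("hseck9 IN USE without an allowed export authorization")
    return findings
```

Feed it the captured output of show license all from each router; an empty list from audit() means neither condition was found.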

Summary

This guide was about choosing an ISR1100 series router and its licenses. I believe the licensing is logical and straightforward. As with everything, the information in the documentation is sometimes contradictory and points in multiple directions. The approach to licensing the device outlined in this article should lead to fewer reloads and less headache with license troubleshooting.