Cisco sec k9 vs hsec k9 what is the difference

Page 1

Cisco SEC-K9 Vs. HSEC-K9: What is the difference? The Cisco licenses play an important role in Cisco hardware upgrading, the HSEC-K9 license and the SEC-K9 license, the two Cisco license are designed for Cisco ISR G2 routers. Both are for Cisco ISR G2. May be you wanna know that the main difference between SECK9 license and HSEC-k9 license? What’s the main difference between SEC-K9 license and HSEC-k9 license? The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISRG2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license and curtailment was introduced in the Cisco IOS Software Release 15.0(1)M1 and will be enforced on all images following that release. Designed to comply with both local and U.S. export requirements for global distribution to all countries, the SEC-K9 license enables standard encryption (VPN payload and secure voice) on the ISR G2 platforms. This license enforces a curtailment on the maximum number of encrypted tunnels and the maximum encrypted throughput on the ISR G2 platforms. The SEC-K9 license limits the number of concurrent encrypted sessions and maximum encrypted throughput per device. This limit helps ensure that the ISR G2


complies with U. S. government export restrictions regardless of the final destination country. If you purchase a Cisco ISR G2 chassis and later decide to turn on security features, you must buy a SEC-K9 license. The administrator must download the license to the router and follow the license installation instructions that come with the license to be able to use the security features on the router. The SEC-K9 permanent licenses apply to the Cisco 1900, 2900, and 3900 ISR G2 platforms; these licenses limit all encrypted tunnel counts to 225 tunnels maximum for IP Security (IPsec), Secure Sockets Layer VPN (SSL VPN), a secure time-division multiplexing (TDM) gateway, and secure Cisco Unified Border Element (CUBE) and 1000 tunnels for Transport Layer Security (TLS) sessions. The SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. This requirement applies for the Cisco 1900, 2900, and 3900 ISR G2 platforms. All threat defense and VPN features that are supported on the Cisco ISR G2 routers are functionally available for configuration with the SEC-K9. The image that includes this license is the universal-k9 image. For example, the Cisco IOS release version is c3900-universalk9mz.SPA.150-1.M1. To order the licenses as spares, you need the output of the following command-line interface (CLI) command: show license udi, shown at the end of this section. You must enter the product ID (PID) and the serial number into the tool to complete the order. This


information makes the license unique for a particular router, and the license is not transferrable between routers. The command output follows: 3925-perf#sh license udi Device#

PID

SN

UDI

----------------------------------------------------------------------------*0

C3900-SPE100/K9

FOC133037J9

C3900-SPE100/K9:FOC133037J9

For more information about software license activation on the ISR G2 platforms, please visit: http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html You can order the HSEC-k9 license from the Cisco.com website for the Cisco 2900, 3900 ISR G2 , 3925E and 3945E platforms. You can order the HSEC license as a spare for e-delivery. After you complete the ordering, the license is delivered as an attachment in an email message. The attachment has a “.lic� suffix. For example, FOC133037J9_20100322212822257.lic is a license file generated for a specific ISR G2 router. You should perform all of the following steps on a Windows PC or laptop. Using an Apple Macintosh has been found to cause problems with loading and installation of the license on the router. The email containing the license file also contains instructions to load and install the HSECk9 license on the ISR G2 router. Please follow the instructions carefully.


To begin with, the ISR G2 router should have a SEC-K9 security feature license that has already been installed on the router. If the router does not have a SEC-K9 license installed, you can purchase the license as a spare using the ordering tool from the Cisco.com website. More rules for ordering and stocking the ISR G2 HSEC-K9 license, you can read the Q&A for Cisco ISR G2 SEC and HSEC Licensing-Export Control Part. http://www.cisco.com/c/dam/en/us/products/collateral/routers/3900-seriesintegrated-services-routers-isr/qa_c67_606268.pdf More examples that are related to Cisco 2900 router license will share here Q1: We have installed a 60 day license for the security k9. The Cisco 2900 router we got. And we are trying to set up a client to site vpn on this and it still does not recognize the ipsec and isakmp commands. Is there a command I need to do to now enable ipsec and isakmp? For the above problem, make sure your Cisco 2900 took the license, issue 'show license' and verify. Show license shows that it is in there and active. I rebooted and it still throws an error whenever i issue crypto ipsec or crypto isakmp Here is your problem: from "show license" License State: Active, Not in Use, EULA accepted "not in use" is the key. Try using "license modify priority securityk9 high" or the config command "license boot module c2900 tech securityk9" to make this feature in use, rather than not in use.


Q2: We know the ISR2 series included VPN hardware acceleration but there is a "HSEC" which included an "advanced" encryption card. We are just trying to get my head around it. Is the HSEC bundle really needed over the standard SEC bundle? Now we need to support a 50meg Internet connection with 4 Site-to-Site VPNs and use of the firewall, NAT and QOS on each router. We are looking at the Cisco2921-SEC/K9 bundle. Does this sound about right? Ahem, if your internet link is 50mb, then a 2921 (non-HSEC) can handle the encryption/decryption. The standard SEC license comes with a software-based rate limiter of 85 Mbps each way. If the protocol does not handle loss/retransmissions very well, throughput can easily plummet. Testing in a lab environment with two Cisco 2921s, I saw speeds drop to 25 Mbps. Also info on the HSEC license can be found here in regards to what it is and what t does for you. It allows for addition through for encrypted traffic NASA higher number of VPN tunnels.


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.