We discussed the main difference between SEC-K9 license and HSEC-k9 license. What are the Cisco ISR G2 SEC and HSEC License used for?
The SEC-K9 license enables standard encryption (VPN payload and secure voice) on the ISR G2 platforms. The SEC-K9 license is designed to comply with both local and U.S. export requirements for global distribution to all countries. This license enforces a curtailment on the maximum number of encrypted tunnels and the maximum encrypted throughput on the ISR G2 platforms.
The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85 -Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits.
Now, in this article, we will discuss the in the context of the security licensing and export restrictions, a tunnel is a construct established between two routers (peers) to transport insecure payloads using data-encryption techniques.
Firstly you can read some general Qs about the security licensing and export restrictions.
The SEC-K9 license limits the number of concurrent encrypted sessions and maximum encrypted throughput per device. This limit helps ensure that the ISR G2 complies with U. S. government export restrictions regardless of the final destination country.
The SEC-K9 permanent licenses apply to the Cisco 1900, 2900, and 3900 ISR G2 platforms; these licenses limit all encrypted tunnel counts to 225 tunnels maximum for IP Security (IPsec), Secure Sockets Layer VPN (SSL VPN), a secure time-division multiplexing (TDM) gateway, and secure Cisco Unified Border Element (CUBE) and 1000 tunnels for Transport Layer Security (TLS) sessions.
The SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. This requirement applies for the Cisco 1900, 2900, and 3900 ISR G2 platforms.
All threat defense and VPN features that are supported on the Cisco ISR G2 routers are functionally available for configuration with the SEC-K9. The image that includes this license is the universal -k9 image. For example, the Cisco IOS release version is c3900-universalk9-mz.SPA.150-1.M1.
Q. Does the router require a reload after installing the SEC-K9 or the HSEC-K9 license?
A. Reload is needed only for technology package licenses such as datak9, uck9, and securityk9/securityk9_npe. Installing the SEC-K9 or the HSEC-K9 license does not require a reload. Also, moving from a temporary license to a permanent license does not require a reload.
Q. Why do I need to purchase the SEC-K9 license as a spare?
A. If you purchase a Cisco ISR G2 chassis and later decide to turn on security features, you must buy a SEC-K9 license. The administrator must download the license to the router and follow the license installation instructions that come with the license to be able to use the security features on the router.
Q. What information do I need to order either the SEC-K9 or the HSEC-K9 license as a spare for my ISR G2 router?
A. To order the licenses as spares, you need the output of the following command-line interface (CLI) command: show license udi, shown at the end of this section. You must enter the product ID (PID) and the serial number into the tool to complete the order. This information makes the license unique for a particular router, and the license is not transferrable between routers.
The command output follows:
3925-perf#sh license udi
Device# PID SN UDI
—————————————————————————–
*0 C3900-SPE100/K9 FOC133037J9 C3900-SPE100/K9:FOC133037J9
For more information about software license activation on the ISR G2 platforms, please visit: https://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html.
Q. What features does the npe-k9 image support?
A. The SECNPE image supports Cisco IOS Firewall, Integrated Protection Services (IPS), and URL Filtering (basically all the threat-defense functions). Standard encryption features are not supported on the ISR G2 platforms with this image.
…
More Examples of installing a HSEC license from users and the rules for ordering you can read the full FAQ information here https://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/q-and-a-c67-606268.html
More Related
Cisco SEC-K9 License vs. HSEC-K9 License
Cisco Licenses on Cisco ISR G2
Cisco Licenses on Cisco ISR G2
General Features of Cisco ASA Licensing