In my previous articles, Cisco SD-WAN and Cisco router platforms were briefly introduced. This article is focused on Cisco routers that currently support the SD-WAN image. The blog post contains consolidated information about Cisco SD-WAN router portfolio, performance, feature licensing and various information that can be useful when selecting a correct platform for deployment.
There are 5 families of routers compatible with SD-WAN:
- ISR 1000
- ISR 4000
- ASR 1000
- Virtual Platforms: on-premise and public cloud
- vEdge – Viptela OS devices
ISR 1000 and 4000 are targeted for the branch offices. ASR 1000s are positioned for data center deployment as aggregation devices. Virtual platforms are for the deployment either in public clouds or when the flexibility of virtual device provisioning is required on-premises. vEdges are original Viptela OS devices. Their functionality is being migrated into Cisco’s product portfolio.
Cisco publishes platform performance in datasheets as CEF IMIX traffic. However, it is also important to know encryption throughput of the platform and evaluate requirements depending on the specific use case. For example, in brownfield deployments where SD-WAN is replacing traditional WAN with centralized Internet access via the data center, encryption throughput is important. When local Internet breakout at a branch is enabled, demand for the encryption will go down.
SD-WAN bandwidth license tier and its available maximum per platform provide an additional indicator of what Cisco considers as expected performance in most scenarios. Cisco licenses bandwidth as maximum for download AND upload, which means throughput for symmetrical traffic can be two times higher than the licensed value. For example, with 100 Mbps license – you can have an Ethernet-based Internet service with 100 Mbps down and 100 Mbps up or 200Mbps of aggregate throughput.
Licenses and subscription
SD-WAN functionality is a term-based subscription available in three tiers:
- DNA Essentials; part number ends with -E
- DNA Advantage; part number ends with -A
- DNA Premier; part number ends with -P
Terms are 3- or 5- years for all subscription tiers.
The devices are also licensed with either Network Essentials and Network Advantage perpetual licenses. It might be confusing due to similarities in naming.
DNA Essentials is entry-level subscription and supports up to 50 devices licensed with perpetual Network Essentials. DNA Advantage provides all features of DNA Essentials and additional network and application assurance. DNA Advantage also delivers unlimited segmentation. DNA Premier provides all features of DNA Advantage plus advanced security features, including Cisco Threat Grid and Cisco Umbrella Insights.
To use DNA Premier and DNA Advantage feature, individual devices have to be licensed with perpetual Network Advantage license.
Bandwidth is also a licensed parameter with SD-WAN platforms, which needs to be correctly selected once the subscription level is selected.
Cisco Smart Account is required for license activation. There are benefits of using it related to license portability, which binds the license to an organization, as opposed to a specific device serial number.
There are 2 management options for controllers deployment:
- Cloud management with DNA-C- part numbers
- On-premise management with DNA-P- part numbers
On-premise management requires controller deployment on your infrastructure.
With cloud management, Cisco will host and maintain controllers, such as vManage, vBond, and vSmarts. Cisco recommends using this option, as it simplifies the deployment and operation of SD-WAN.
ISR 1000
ISR 1000 routers provide connectivity for small branch offices. This family of fixed-port routers is constantly expanding with models of various WAN port types and the number of Ethernet switch ports.
The default RAM/Flash configuration for ISR 1000 family is 4GB/4GB. To support Advanced SD-WAN security features, 8GB/8GB is required and some models, for example, 1111X-8P comes with these specs. If there is an upper-case X symbol after 4x digit – it means the platform has 8GB/8GB RAM/FLASH for SD-WAN advanced security support.
What are advanced security features? Intrusion Prevention System, URL filtering and Advanced Malware Protection. These features are not available on Viptela OS vEdge and ASR1000. On other platforms minimum of 8GB or RAM and 8GB of flash is required. Standard security features that are supported on all platforms are Enterprise Firewall with Application awareness and DNS security monitoring.
If you are familiar with Cisco 800 series naming convention, you will notice similarities in model numbering. For example, the last digit indicates the type of WAN port, 1 – for extra WAN Ethernet, 6 – for ADSL2 over ISDN and 7 – for ADSL2 over POTS. Some of the models have –DNA prepended to the part number and some will use the same SKU as non-SD-WAN version, but with L-LIC-DNA-ADD license add-on supported with Cisco DNA Subscription license.
Table 1 lists current models that support SD-WAN and their throughput based on CEF IMIX traffic. Datasheet states that ISR 1000 can encrypt at speeds higher than 350 Mbps, but without numbers per model.
| Model | Description | SD-WAN Advanced Security | Published throughput | Licensed bandwidth |
|---|---|---|---|---|
| C1101-4P | 1xGE WAN + 4xGE LAN switch | No | 250 Mbps | 10, 20, 50, 100 |
| C1101-4PLTEP | 1xGE WAN + 4xGE LAN switch + Pluggable LTE slot (Cat4/Cat6) | No | 250 Mbps | 10, 20, 50, 100 |
| C1101-4PLTEPWX WiFi domain WX; X = A, B, D, E, Z | 1xGE WAN + 4GE LAN switch + Pluggable LTE slot (Cat4/Cat6) + 802.11ac | No | 250 Mbps | 10, 20, 50, 100 |
| C1109-4PLTE2P | 1xGE WAN + 4xGE LAN switch + 2x Pluggable LTE slots | No | 250 Mbps | 10, 20, 50, 100 |
| C1109-4PLTE2PWZ WiFi domain WZ; Z = A, B, D, E, Q, R, Z | 1xGE WAN + 4xGE LAN switch + 2x Pluggable LTE slots | No | 250 Mbps | 10, 20, 50, 100 |
| C1111-4P | 1xGE + 1xGE SFP Combo WAN + 4xGE LAN switch | No | 250 Mbps | 10, 20, 50, 100 |
| C1111-4P LTE LA C1111-4P LTE EA | 1xGE + 1xGE SFP Combo WAN + 4xGE LAN switch + Embedded Cat 6 LTE | No | 250 Mbps | 10, 20, 50, 100 |
| C1116-4P | 1xGE SFP Combo WAN + 1xVA-DSL (Annex B/J) + 4xGE LAN switch | No | 250 Mbps | 10, 20, 50, 100 |
| C1116-4P LTE EA | 1xGE SFP Combo WAN + 1xVA-DSL (Annex B/J) + 4xGE LAN switch + Embedded Cat 6 LTE | No | 250 Mbps | 10, 20, 50, 100 |
| C1117-4P | 1xGE SFP Combo WAN + 1xVA-DSL (Annex A) + 4xGE LAN switch | No | 250 Mbps | 10, 20, 50, 100 |
| C1117-4PM | 1xGE SFP Combo WAN + 1xVA-DSL (Annex M) + 4xGE LAN switch | No | 250 Mbps | 10, 20, 50, 100 |
| C1117-4P LTE EA C1117-4P LTE LA | 1xGE WAN + 4xGE LAN switch + 1xVA-DSL (Annex A) + Embedded Cat 6 LTE | No | 250 Mbps | 10, 20, 50, 100 |
| C1117-4P MLTE EA | 1xGE SFP Combo WAN + 1xVA-DSL (Annex M) + 4xGE LAN switch + Embedded Cat 6 LTE | No | 250 Mbps | 10, 20, 50, 100 |
| C1111-8P | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN switch | No | 350 Mbps | 10, 20, 50, 100 |
| C1111-8P LTE EA C1111-8P LTE LA | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN switch + Embedded Cat 6 LTE | No | 350 Mbps | 10, 20, 50, 100 |
| C1111-8PWY (WiFi domain WY; Y = A, B, E, F, H, N, Q, R, Z) | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN switch + 802.11ac | No | 350 Mbps | 10, 20, 50, 100 |
| C1111-8PLTEEAWX^*^ (WiFi domain WX; X = A, B, E, R) C1111-8PLTELAWY* (WiFi domain WY; Y = D, F, H, N, Q, Z S, E and A) | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN switch + 802.11ac + Embedded Cat 6 LTE | No | 350 Mbps | 10, 20, 50, 100 |
| C1113-8PMLTEEA | 1xGE SFP Combo WAN + 1xADSL G.FAST (Annex A) + 8xGE LAN switch + Embedded Cat 6 LTE | No | 350 Mbps | 10, 20, 50, 100 |
| C1111X-8P | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1121-8PLTEPWX (WiFi domain WX; X = B, E, Z, Q) | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN + 802.11ac + Pluggable LTE slots (Advanced Pro support) | No | 350 Mbps | 10, 20, 50, 100 |
| C1121X-8P | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1121X-8PLTEP | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN + Pluggable LTE slots (Advanced Pro support) + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1126X-8PLTEP | 1xGE SFP Combo WAN + 1xVA-DSL (Annex B/J) + 8xGE LAN + Pluggable LTE slots (Advanced Pro support) + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1127X-8PLTEP | 1xGE SFP Combo WAN + 1xVA-DSL (Annex A) + 8xGE LAN + Pluggable LTE slots (Advanced Pro support) + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1127X-8PMLTEP | 1xGE SFP Combo WAN + 1xVA-DSL (Annex M) + 8xGE LAN + Pluggable LTE slots (Advanced Pro support) + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1161X-8P | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN + 8GB RAM/FLASH | Yes | 350 Mbps | 10, 20, 50, 100 |
| C1161X-8PLTEP | 1xGE + 1xGE SFP Combo WAN + 8xGE LAN + Pluggable LTE slots (Advanced Pro support) + 8GB RAM/FLASH | Yes | 500 Mbps | 10, 20, 50, 100 |
Table 1. ISR 1000 routers
LTE Support
LTE plays an important role in SD-WAN deployments. It can be used to rapidly provision new small branches or as a backup link. 3GPP develops standards for mobile networks and LTE is associated with 4G standards.
The table below shows which LTE category ISR 1000 and their modules support.
| Product | Product Number | 3GGP LTE Category | LTE Release and Year | Supported in | Max Down/Up Speed Mbps (Theoretical) |
|---|---|---|---|---|---|
| USB dongle | D-LTE-xx xx – GB (Europe), AS (India, China), NA (US) | Category 4 | Release 8 2008 Q4 | C1101-4P C1121X-8P C1161X-8P | 75/50 |
| Pluggable | P-LTE-xx xx – VZ (Verizon), US (ATT and T-Mobile), GB | Category 4 | Release 8 2008 Q4 | C1101-4PLTEP C1109-4PLTE2P C1121X-8PLTEP C1126X-8PLTEP C1127X-8P[M]LTEP C1161X-8PLTEP | 150/50 |
| Pluggable | P-LTEA-xx xx – is region code: EA: (EMEAR & North America) LA: (LATAM & APAC) | Category 6 LTE Advanced | Release 10 2011 Q1 | C1101-4PLTEP C1109-4PLTE2P C1121X-8PLTEP C1126X-8PLTEP C1127X-8P[M]LTEP C1161X-8PLTEP with IOS XE 16.12 | 300/50 |
| Embedded | C1111-4PLTExx C1111-8PLTExx C1111-8PLTExx C1113-8PMLTEEA C1116-4PLTEEA C1117-4PLTExx C1117-4PMLTEEA xx – is region code: EA: (EMEAR & North America) LA: (LATAM & APAC) | Category 6 LTE Advanced | Release 10 2011 Q1 | 300/50 | |
| Pluggable | P-LTEAP18-GL | Category 18 LTE Advanced Pro | Release 13 2016 Q1 | Module is not listed as officially supported for IOS XE SD-WAN release notes 16.12. | 1200/200 |
Table 2. LTE support
Some models have embedded LTE and other accept pluggable LTE module (P-LTE), as shown in the figure below. It is also possible to use a USB dongle with some of the models as per the table above.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted
ISR 4000
ISR 4000 routers are for medium to large branch offices.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
All models support XE SD-WAN with Security image. CEF IMIX published throughput is as per table below. The table also shows default amount of RAM/Flash shipped with the device. Recommended size across all platforms is 8GB/8GB. The last column shows available options per platform for bandwidth licensing.
| Model | Description | Published throughput | Encrypted throughput (AES256) | Bandwidth license |
|---|---|---|---|---|
| 4221 | 2 x GE, 2 NIM slots 4GB/4GB RAM/Flash | 1.2 Gbps | 75 Mbps | 10, 20, 50 |
| 4221X | 2 x GE, 2 NIM slots 8GB/8GB RAM/Flash | 1.2 Gbps | 75 Mbps | 10, 20, 50 |
| 4321 | 2 x GE, 2 NIM slots 4GB/4GB RAM/Flash | 1.5 Gbps | 100 Mbps | 10, 20, 50, 100 |
| 4331 | 3 x GE, 2 NIM slots 4GB/4GB RAM/Flash | 2 Gbps | 500 Mbps | 10, 20, 50, 100, 250, 500 |
| 4351 | 3 x GE, 2 NIM slots 4GB/4GB RAM/Flash | 2 Gbps | 500 Mbps | 10, 20, 50, 100, 250, 500 |
| 4431 | 4 x GE, 3 NIM slots 4GB/8GB RAM/Flash | 4 Gbps | 900 Mbps | 10, 20, 50, 100, 250, 500, 1000 |
| 4451 | 4 x GE, 3 NIM slots 4GB/8GB RAM/Flash | 4 Gbps | 1.6 Gbps | 10, 20, 50, 100, 250, 500, 1000 |
| 4461 | 4 x GE, 3 NIM slots 8GB/8GB RAM/Flash | 10 Gbps | 7 Gbps | 10,20, 50, 100, 250, 500, 1000, 2500* *Not available with DNA Essentials |
Table 3. ISR 4000 routers
NIM (Network Interface Module) slot can accept different types of interfaces. Top figure below has DSL NIMs displayed. SM slot accepts interface and compute modules. Doublewide UCS service module is shown in the second figure below.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
Not all modules are supported with the SD-WAN image. Check the last section of this blog post for release notes information and version compatibility.
ASR 1000
ASR 1000 are high-performance aggregation level routers, for example, in the data center. Only models listed below support the SD-WAN software image at the time of writing. CEF IMIX published throughput is as per the table below. The minimum memory requirement is 8GB.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
ASR 1000 doesn’t support Advanced Security features and only available with perpetual Network Advantage license. Perpetual licenses and DNA-subscription based licensed required for SD-WAN are described below in the section below.
| Model | Description | Published throughput | Encrypted throughput (1400 byte packets) | Bandwidth license |
|---|---|---|---|---|
| ASR1001-X | 6 x GE, 2 P/S 8GB RAM | 2.5-20 Gbps (up to 8Gbps crypto) | 8 Gbps | 1, 2.5 Gbps |
| ASR1001-HX | 8 x 10GE + 8x1GE, 2 P/S 8GB RAM | 44-60 Gbps (up to 16Gbps crypto) | 19 Gbps | 2.5, 5, 10 Gbps |
| ASR1002-X | 6 x GE, 2 P/S 4GB RAM | 5-36 Gbps (up to 4Gbps crypto) | 4 Gbps | 1 Gbps |
| ASR1002-HX | 4 x 10GE + 4x1GE, 2 P/S 16GB RAM | 44-100 Gbps (up to 25Gbps crypto) | 39 Gbps | 2.5, 5, 10 Gbps |
Table 4. ASR 1000 routers
Virtual Platforms
There are 3 options available for virtual deployments: CSR1000v, ISRv and vEdge Cloud.
What is the difference between CSR1000v and ISRv? CSR1000v supports IOS XE software and SD-WAN image. It can be enabled on all popular hypervisor platforms and public cloud providers. ISRv has a matching feature-set with CSR1000v, however, it is only supported by Cisco NFVIS virtualization on the Cisco ENCS platform.
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
Cisco ENCS 5000 family consists of 4 models:
| Model | CPU | DRAM (Default/Max) | Storage (Default/Max) | Network |
|---|---|---|---|---|
| 5104 | AMD Embedded R-Series SOC RX-421ND (4-core, 3.4 GHz) | 16 GB / 32 GB | 64 GB / 400 GB | 2 GE WAN or LAN (dual mode) |
| 5406 | ENCS5406: Intel Xeon Processor D-1528 (6-core, 1.9 GHz) | 16 GB / 64 GB | 64 GB / 400 GB + 2SFF slots | 2 GE WAN or LAN (dual mode) 8 GE LAN |
| 5408 | ENCS5408: Intel Xeon Processor D-1548 (8-core, 2.0 GHz) | 16 GB / 64 GB | 64 GB / 400 GB + 2SFF slots | 2 GE WAN or LAN (dual mode) 8 GE LAN |
| 5412 | Intel Xeon Processor D-1557 (12-core, 1.5 GHz) | 16 GB / 64 GB | 64 GB / 400 GB + 2SFF slots | 2 GE WAN or LAN (dual mode) 8 GE LAN |
Table 5. ENCS 5000 Platform
vEdge Cloud runs original Viptela software and supports all popular hypervisors and AWS.
vEdge
vEdge runs original Viptela OS and have 4 model families.
| Model | Description | Published throughput |
|---|---|---|
| vEdge-100 | 5 x 10/100/1000 + Wireless LAN/LTE (depending on model) | 100Mbps |
| vEdge-1000 | 8 x 1G SFP | 1Gbps |
| vEdge-2000 | 4 x 1G SFP, 2 x PIM slots | 10Gbps |
| vEdge-5000 | 4 x NIM slots | 20Gbps |
Table 6. vEdge routers
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.
Software versions
There are 2 different types of SD-WAN software:
- IOS XE SD-WAN – runs on IOS-XE devices
- SD-WAN (Viptela OS) – runs on controllers (vManage, vBond and vSmarts) and vEdge devices
As Cisco integrates the SD-WAN feature into IOS XE, some of the Viptela OS features are not yet available. IOS XE SD-WAN and Viptela OS version numbering don’t match and there are minimum requirements for controllers to support newer versions of IOS XE SD-WAN devices.
Each device also has a requirement to have ROMmon version compatible with the IOS XE SD-WAN image.
Supported hardware and features are summarized in the table below.
| XE Device Version | Controllers Version (min) | Released | New features / supported hardware |
|---|---|---|---|
| IOS XE SD-WAN 16.9 | SD-WAN 18.3.5 | July 2018 | C1111-8P, C1117-4P (+LTE versions) ISR 4221, 43xx ASR1001-[H]X ASR1002-[H]X ENCS 5412 virtualized Ethernet NIMs, SMs (no PPPOE) Ethernet switching NIMs 4G NIMs DSL NIMs PPPOE PPPOA T1/E1 MFT NIMs |
| IOS XE SD-WAN 16.10 | SD-WAN 18.4 | Dec 2018 | C1111-4P, C1116-4P, C1117-4P (+LTE versions) C1117-4PM (+LTE version) C1111X-8P, C1111-8PW (+LTE version) ISR 4431/4451 ENCS 5104, 5406, 5408 virtualized Ethernet NIMs PPPOE DSL NIM IPOE Features (subset): SD-WAN security features Service-side IPv6 |
| IOS XE SD-WAN 16.11 | SD-WAN 19.1 | Mar 2019 | ISR 4461 CSR-1000v T1 Serial NIM Features (subset): AMP integration Service-side IPSec tunnels Service-side EIGRP |
| IOS XE SD-WAN 16.12 | SD-WAN 19.2 | Aug 2019 | C1101-4P, C1109-4P (LTE) C1113, C1121X-8P, C1126X-8P, C1127X-8P, C1127X-8P, C1161X-8P (+LTE) C1101-4PW, C1109-4PW, C1121-8PW UCS E Series support (for ISR 4000): UCS-EN120S-M2 UCS-EN140N-M2 UCSE-140S-M[2|3] UCSE-160D-M[2|3] UCSE-180D-M[2|3] Features (subset): Subinterface QoS Self zone support for ZBF TCP Optimization |
Table 7. SD-WAN software versions
Release notes are available here.