After replacing our 2821 routers with 2921s, I encountered a dilemma. The 2821s were used to terminate site-to-site IPSec tunnels to AWS, and thanks to offloading crypto operations to their AIM-VPN/SSL-2 modules, could easily push 120 Mbps of traffic. Not quite so with the 2921s, as I immediately started seeing a whole lot of these:

%CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license

As it turns out, there's an 85 Mbps software rate limiter due to crypto export restrictions.

Router# show platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: ENABLED

 Resource                Maximum Limit   Available
 Tx Bandwidth(in kbps)   85000           85000
 Rx Bandwidth(in kbps)   85000           85000
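To catch this condition before a replication window is missed, the two syslog messages and the CERM table above are easy to parse. The following is an added example (not code from the original post): it extracts the capped direction, limit and license package from the %CERM-4 messages, reads the limits from `show platform cerm-information`, and reports which directions fall short of a required rate. The log lines and the table text are constructed samples modelled on the output quoted above.

```python
import re

# Constructed sample syslog lines, modelled on the CERM messages quoted above.
SAMPLE_SYSLOG = """\
Mar  1 09:12:07.113: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Mar  1 09:12:07.114: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license
Mar  1 09:12:09.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Constructed sample of `show platform cerm-information` output.
SAMPLE_CERM_INFO = """\
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: ENABLED

 Resource                Maximum Limit   Available
 Tx Bandwidth(in kbps)   85000           85000
 Rx Bandwidth(in kbps)   85000           85000
"""

CERM_MSG_RE = re.compile(
    r"%CERM-4-(?P<dir>RX|TX)_BW_LIMIT: Maximum (?:Rx|Tx) Bandwidth limit of "
    r"(?P<kbps>\d+) Kbps reached for Crypto functionality with "
    r"(?P<pkg>\S+) technology package license"
)
CERM_ROW_RE = re.compile(r"^\s*(Tx|Rx) Bandwidth\(in kbps\)\s+(\d+)\s+(\d+)\s*$")


def parse_cerm_events(log_text):
    """One dict per CERM bandwidth-limit message: direction, limit in kbps, license package."""
    events = []
    for line in log_text.splitlines():
        m = CERM_MSG_RE.search(line)
        if m:
            events.append({"direction": m.group("dir"),
                           "limit_kbps": int(m.group("kbps")),
                           "package": m.group("pkg")})
    return events


def parse_cerm_info(text):
    """Return {'enabled': bool, 'limits': {'TX': (max_kbps, avail_kbps), 'RX': ...}}."""
    info = {"enabled": False, "limits": {}}
    for line in text.splitlines():
        if "CERM functionality:" in line:
            info["enabled"] = line.split(":", 1)[1].strip() == "ENABLED"
        m = CERM_ROW_RE.match(line)
        if m:
            info["limits"][m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return info


def directions_over_cap(info, required_mbps):
    """Directions whose CERM maximum is below the required rate (empty when CERM is disabled)."""
    if not info["enabled"]:
        return []
    return sorted(d for d, (limit, _) in info["limits"].items() if limit < required_mbps * 1000)
```

Running `directions_over_cap(parse_cerm_info(SAMPLE_CERM_INFO), 120)` flags both directions for the 120 Mbps the 2821s had been pushing, which is the same shortfall the syslog messages report after the fact.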

Since one of the tunnels carries a replication job that needs to complete within an hour, I needed to match, if not exceed, what the 2821s had been doing. The dilemma then was whether to purchase an L-FL-29-HSEC-29 license, which would remove the rate limiter, or simply scrap them in favor of a new 4331 or 4351 router. The decision really hinged on how much throughput a 2921 with an HSEC license would deliver. After not finding anything on the Googles or Cisco Forums, I turned to Reddit and was pointed to two links.

First was the ISR G2 performance whitepaper from Cisco, which gave an IPSec max throughput of 207 Mbps. This seemed a bit high to me, and was confusing because it did not state whether this was bi-directional or one-way.

Second was a Miercom report listing values of 70 Mbps for the 2911 and 150 Mbps for the 2951 respectively. Since the 2921 is closer in terms of hardware to the 2951 but with 20% less horsepower, I ballparked 125 Mbps for the 2921.

Our reseller had quoted $780 for an HSEC license, but after poking around eBay I found someone willing to sell for $200 each. Sold! They were applied this morning.


I was a bit surprised to see the CPU is still well short of 100%. I would guess that the bottleneck is either on the remote side, or at the server level.


So doing the math, 130 Mbps / 0.78 = 166.66 Mbps. I found it amusing that this was exactly halfway between the estimates of 125 and 207 Mbps.