The Cisco 4451-X ISR Router

Author
Peter Welcher
Architect, Operations Technical Advisor

Have you heard about the Cisco 4451-X ISR router? Have you taken a look at it? I’m asking because I try to stay aware of new Cisco products, and somehow the 4451-X announcement slipped by me (around June per Google search of Cisco blogs — probably that frenetic sleep-deprived week of Networkers). If you missed the announcement, here’s the story…

What is the 4451-X ISR?

Let me answer that a bit circuitously… I’ve been assisting a manufacturing company with a network assessment-based  roadmap for network improvements. The two main datacenter sites use 2821 routers for Internet connections, with 3845 routers providing separate GRE tunnel endpoints, and encryption on the ASA 5520 firewalls in between. This strikes me as a bit overly complex, and led to investigating alternatives. The requirements as I see them are (1) router with capability of handling GRE/IPsec or DMVPN at the speed of the Internet link, (2) allowing for some growth of that link from 50 Mbps to 200 Mbps over the lifetime of the router.

That caused me to pull out my not-so-secret Cisco partner cheatsheet of alleged actual VPN performance specs (YMMV). It says that the 3845 is capable of about 180 or 185 Mbps of crypto, with the right circumstances (using hardware crypto for the slightly bigger number). That means about 90 Mbps of encrypt and 90 Mbps of decrypt. So it’s got some life in it, although with the ISR G1 routers some people like to leave some headroom. The ISR G2 routers can handle more in the way of other functions and keep on encrypting.

The obvious thing was to look at the 3945. Its rated at about 244 Mbps with hardware built-in crypto. That isn’t all that much better. It’s not shabby, but if the Internet link goes to 200 Mbps, up to 400 Mbps of crypto would provide lots of headroom. Last time I checked, 244 is less than 400. So the 3945 would buy some future coverage, but might not be enough to cover its projected lifetime.

What’s the next biggest router? The ASR1K is powerful, but kind of pricey. How about that 4451-X model, new as of perhaps June? Well, it’s datasheet says it does about 1 Gbps / 2 Gbps of forwarding and 900 Mbps or 1.6 Gbps of crypto, depending on licensing. As you grow, you buy an upgrade license and get more speed out of it. Saves replacing hardware. Price-wise, it costs out at about 42% more, list price of $25,600 with 8x5x4 SmartNet compared to about $18,000 with 8x5x4 SmartNet. Looking at that a bit differently, for 40% more you get almost 64% more performance. It also allows “trickle down” — replace the 2821 routers, re-use two 2821 routers and two 3845 routers at smalller or new sites.

Conclusion: The 4451-X fills the performance gap between the 3945 and ASR1K nicely.

It also comes with 4 integrated 10/100/1000 ports, which can be handy. They can support either copper or SFP, and 2 can have PoE enabled.

From the product page:

Cisco 4451-X ISR is the new flagship router of the Cisco ISR family. It continues the feature-rich and high-reliability heritage of the ISR family with exceptional performance, services, and simplicity. It includes:

  • A multi-core CPU architecture running Cisco IOS-XE Software that dynamically adapts to the changing needs of branch environments
  • Control data and services plane to deliver application-aware services while maintaining high reliability during peak load
  • Wide range of wired connectivity options, including T1/E1, T3/E3, and Gigabit Ethernet
  • Built-in services virtualization framework that enables faster feature integration and investment protection

The 4451-X ISR has integrated encyption acceleration and IOS firewall functions, support voice and video with call processing, supports Cisco AVC and WAAS WAN optimization and services. It is described as “pay as you grow”, meaning you can get more performance with a license upgrade, no need for new hardware.

The 4451-X internal backplane allows up to 10 Gbps of traffic to a UCS-E server module, which can provide additional services.

Coming Attractions

For my next blog (already written), I plan to continue this theme, writing about IWAN and the just-announced Cisco / Akamai partnership, enhancing what IWAN brings to the table.

Related Links

Cisco product page for 4451-X ISR: http://www.cisco.com/en/US/products/ps12522/index.html

Miercom 4451-X testing review: http://www.cisco.com/en/US/prod/collateral/routers/ps10906/ps12522/miercomreport_cisco_isr_4451-x_router.pdf

Life Log

I’m doing a lot of QoS work lately (3 different customers at one time). We have our own QoS documents based on our interpretation of Medianet 4.0 plus some Best Practices ideas. They are really helping make the work go faster. I hope that results in good value for the consulting customers, who want guidance and templates but plan to deploy QoS themselves.

I’m still looking to re-assert my focus on datacenter topics. By the way, for local readers, we’re planning our next CMUG (Cisco Mid-Atlantic Users Group) session for January.

Twitter: @pjwelcher

Disclosure Statement

 

2 responses to “The Cisco 4451-X ISR Router

  1. We purchased 2 of these. The alternate product was ASRs.
    The ASRs look to be a little less flexible but have higher performance which comes with a higher cost so we went with 4451s.

  2. Realizing this article is two years old, but wanted to add some info about the 4451 for anyone searching for more information about it. It has good crypto abilities that make it’s use attractive for your VPN hub device, but the failover capability to a standby device is subpar. The problem is that the stateful config, which binds the crypto-map to an HSRP address, does not really do stateful failover. It does not replicate the isakmp and ESP sessions to it’s partner. So, when the HSRP flips, the IPSEC peer needs to timeout the old sessions and re-establish phase 1 and phase 2. This can take 60 – 80 seconds and might not be acceptable to you. True IPSEC stateful-ness seems to be a feature that has never been worked into XE.

Leave a Reply

 

Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.

 

Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.

 

John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.