Cisco 4000 Family Integrated Services Routers (ISRs) form an Software Defined WAN platform that delivers the performance, security, and convergence capabilities that today’s branch offices need.

Product Overview

The Cisco 4000 Family Integrated Services Router (ISR) revolutionizes WAN communications in the enterprise branch. With new levels of built-in intelligent network capabilities and convergence, it specifically addresses the growing need for application-aware networking in distributed enterprise sites. These locations tend to have lean IT resources. But they often also have a growing need for direct communication with both private data centers and public clouds across diverse links, including Multiprotocol Label Switching (MPLS) VPNs and the Internet.

The Cisco 4000 Family contains the following platforms: the 4461, 4451, 4431, 4351, 4331, 4321 and 4221 ISRs.

Features and Benefits

Cisco 4000 Family ISRs provide you with Cisco® Software Defined WAN (SDWAN) software features and a converged branch infrastructure. Along with superior throughput, these capabilities form the building blocks of next-generation branch-office WAN solutions.

Cisco Software Defined WAN

Cisco SDWAN is a set of intelligent software services that allow you to reliably and securely connect users, devices, and branch office locations across a diverse set of WAN transport links. SDWAN-enabled routers like the ISR 4000 dynamically route traffic across the “best” link based on up-to-the-minute application and network conditions for great application experiences. You get tight control over application performance, bandwidth usage, data privacy, and availability of your WAN links - control that you need as your branches conduct greater volumes of mission-critical business.

Cisco Converged Branch Infrastructure

The Cisco 4000 Series ISRs consolidate many must-have IT functions, including network, compute, and storage resources. The high-performance, integrated routers run multiple concurrent services, including encryption, traffic management, and WAN optimization, without slowing your data throughput. And you can activate new services on demand through a simple licensing change.

Cisco Intent Based Networking and Digital Network Architecture (Cisco DNA)

The last few years has seen a rapid transformation and adoption of digital technologies. This puts pressure on the on the Network teams supporting this changing infrastructure - especially when provisioning, managing, monitoring and troubleshooting these diverse devices. Additionally innovations such as Software Defined WAN (SDWAN), Network Function Virtualization (NFV), Open APIs and Cloud Management show great promise in transforming Organizations IT networks. This transformation raises further questions and challenges for the IT teams.

The Cisco Digital Network Architecture (Cisco DNA) is an open, extensible, software-driven architecture that provides for faster innovation, helping to generate deeper insights, and deliver exceptional experiences across many different applications. Cisco DNA relies on intent-based networking, a revolutionary approach in networking that helps organizations automate, simplify, and secure the network.

The intent-based Cisco DNA network is:

● Informed by Context: Interprets every byte of data that flows across it, resulting in better security, more customized experiences, and faster operations.

● Powered by Intent: Translates your intent into the right network configuration, making it possible to manage and provision multiple devices and things in minutes.

● Driven by Intuition: Continually learns from the massive amounts of data flowing through it and turns that data into actionable insight. Helps you solve issues before they become problems and learn from every incident.

Cisco DNA Center provides a centralized management dashboard across your entire network — the branch, campus, data center, and cloud. Rather than relying on box-by-box management, you can design, provision, and set policy end-to-end from the single Cisco DNA Center interface. This allows you to respond to organizational needs faster and to simplify day-to-day operations. Cisco DNA Analytics and Assurance and Cisco Network Data Platform (NDP) help you get the most from your network by continuously collecting and putting insights into action. Cisco DNA is open, extensible, and programmable at every layer. It integrates Cisco and third-party technology, open APIs, and a developer platform, to support a rich ecosystem of network-enabled applications.

Table 1 breaks out many of the features and benefits of the Cisco 4000 Family that create a Software Define WAN (SDWAN) and a converged branch infrastructure.

Table 1.             Cisco 4000 Family ISR General Feature Highlights

Platform Architecture

Table 2 lists the primary hardware architectural features and benefits of the Cisco 4000 Family. The routers run modular Cisco IOS XE Software, widely deployed in the world’s most demanding networks. The software’s comprehensive portfolio of services spans multiple technology areas, including security, WAN optimization, app and network Quality of Service (QoS), and embedded management.

Table 2.             Architectural Highlights

Managing your Cisco ISR 4000 Family ISRs

The Cisco network management applications listed at the top of Table 3 are standalone products that can be purchased or downloaded to manage your Cisco network devices. The applications are built specifically for the different operational phases; select those that best fit your needs. Those management capabilities listed under the “Cisco IOS Software XE Embedded Management” heading are directly integrated into the routers’ software operating system.

Table 3.             Cisco DNA Center

Product Specifications

Table 4 lists the general product specifications for the Cisco 4000 Family routers.

Table 4. Specifications of Cisco 4000 Family Integrated Services Routers

Services plane: Enabling the Branch-in-a-Box
All Cisco ISR 4000 routers contain processing cores built-in as standard to allow full-featured services to run on-board. This includes the full-featured Cisco WAAS engine that provides application acceleration and highly responsive virtual desktop experience. The technology is known as Cisco Service Containers and it uses a standard hypervisor to allow x64 based applications to run.
The 4000 series routers can be fitted with Solid State Drives (SSD) and server cards for local storage and computing capability. The Cisco UCS-E server cards are available with 8-core Intel Xeon processors with up to 48GB of high speed DDR3 memory and three drives built in offering RAID 0, 1 and 5. This immense amount of compute power can eliminate the need for any dedicated servers at branch sites. UCS-E cards can be configured and managed using VMware vCenter and pooled with Data Center compute resources.

Software Subscription through Cisco DNA Licensing
The ISR4000 series supports software based subscription using Cisco DNA based licensing. Three Cisco DNA based software subscription licenses are available for the WAN portfolio: Cisco DNA Essentials, Cisco DNA Advantage and Cisco ONE Advantage allowing customers to have a single unified solution that spans across the ISR4000 series routers and its ASR1000 and ISR1000 counterparts
The license tiers are structured to support the growth in business needs enabling the customer to move from basic functionality using the Cisco DNA Essentials to full-functionality with the Cisco DNA Advantage and expanding that to include WAN Optimization and Analytics on the Cisco ONE Advantage. This provides complete flexibility to move the same license across end-points based on growing network and security requirements, growth in bandwidth based on user and application growth at the sites as also the ability to change the management of the platform from on-prem to cloud or vice-versa.
Cisco DNA Licenses are supported for all ISR4000 platforms using the Cisco DNA Center, the controller and analytics platform at the heart of Cisco’s intent-based network. For more information on the Cisco DNA Center and supported platforms.

Enterprise NFV on ISR4000
Built to reduce costs without compromising vital network services, the UCS E-Series router-integrated branch blade servers provide support for a Virtualization-ready and Application-centric platform that can be seamlessly integrated on the ISR4000 platform. Customers can now install virtualized applications on the ISR4000 routers through the Cisco® Enterprise NFV Infrastructure Software (NFVIS) – a virtualization infrastructure that integrates full VM lifecycle management, monitoring, device programmability, and service chaining in a single, installable package. For more information on Enterprise NFV and NFVIS.

Support for DC Power
ISR4000 platforms support both DC and AC Power Supplies as options. Specifically, the ISR 4331 has two separate product SKU’s – the ISR4331/K9 and the ISR4331-DC/K9 which support AC and DC Power respectively, The ISR4400 can independently support an AC or a DC Power supply on the same chassis. While the 4300 supports between 24V and 60Vdc, the 4400 supports between 48V and 60Vdc. The 4331 provides for upto 250W of power rating while the 4400 provides upto 437W. It is important to note that when DC Power supplies are installed on the router, PoE based modules may not be used.

Product Performance and Scalability
The Cisco 4000 Family is built on a multicore CPU architecture. It runs modular Cisco IOS XE Software, which allows the platform to use to full advantage a distributed multicore architecture. The architecture of the Cisco 4000 separates control- and data-plane operations and integrates an industry-first services plane. This design delivers full-featured integrated services up to Layer 7 at high performance with the ability to deliver application-aware network services while maintaining a stable platform and a high level of performance during periods of heavy network traffic.

The ISR 4000 consists of 3 series of Routers – the ISR 4400 series, the 4300 series and ISR 4200 series whose performance levels maybe represented by the chart below

Common for the new 4000 Family is that all platforms come with fixed maximum performance levels. One fixed base performance level is delivered as factory default with an optional performance-on-demand license to increase the base forwarding throughput. This scenario enables deployment in high-speed WAN environments through performance-on-demand licensing to double or, for one of the platforms, triple the router capacity without any hardware upgrades.
All 4000 platforms have their fixed performance levels set well within actual capacity, with the result that performance does not necessarily degrade when a service is added to the configuration. This setup provides a deterministic performance, eliminating a network administrator’s guesswork when planning for new services.

ISR 4000 Boost License
In addition to the Performance License, customers may now order a Booster (or Boost) License that allows the router to perform between five or more times than that of the throughput with Performance License. In contrast to the deterministic performance described above, in the Booster mode, the router does not provide the deterministic level of performance as provided when operating with the default license or with the Performance license.
The Boost License provides a license tier above the Performance License allowing customers to completely remove the ISR4000’s performance limiters. This will make the ISR 4000 platforms perform at entirely new performance levels, allowing for 4+ Gbps of IP Routing (CEF) performance on the 4400 series ISRs. For deployments using encryption, IPSec throughput with AES 256 increases to 250Mbps on the lowest platform up to 10Gbps on the ISR4461.

ISR 4000 Interfaces and Modules Support
The Cisco 4000 Series Integrated Services Routers (ISRs) are modular routers with LAN and WAN connectivity. The routers provide for Network Interface Module (NIM) slots and Enhanced service module (SM-X) slots offering a rich set of Modules, such as LAN, WAN and Wireless Interfaces plus a range of Compute engines for embedded services

Software defined WAN with the ISR4000 Series
The ISR 4000 series is optimized for the Software Defined WAN (SD-WAN). For enterprises this means that business critical applications run faster, with more reliability and reduced Operational Expenditure (OpEx). The SDWAN achieves this by making all branches and Data Centers have the ability to monitor, control, move and report on streams of application data such as specific web (HTTP) traffic for example. The ISR 4000 series has deep packet inspection capability and can accurately identify and control thousands of different applications including custom in-house enterprise applications.
The entire SD-WAN implementation on the ISR4000 is maybe implemented by managing the end device either from the Cloud or On-Premise through ascending levels of throughput based licenses. All licenses that support SD-WAN, whether On-Premise or on Cloud are all enabled using Subscription Licenses. These subscription licenses enable all customers to seamlessly transition between On-Premise and Cloud management as needed. The license tiers are structured to support the growth in business needs through simple subscriptions that help simplify the journey to intent-based networking for the WAN.
The SDWAN subscriptions are aligned across three subscription licenses of Cisco DNA Essentials, DNA Advantage and Cisco DNA Premier, each expanding functionally. The Cisco DNA Essentials covers all types of connectivity & router life cycle management, support for Network & application visibility coupled with basic premise and transport security. The Cisco DNA Advantage provides for Advanced WAN topologies, Application aware policies supported by enhanced network security. The Cisco DNA Premier provides for Cloud connectivity with unlimited segmentation, Advanced Application optimization & Network Analytics, secured by advanced threat protection

The benefits are immense;
1. Business-critical applications no longer have to contend each other or with traffic that should be served on best effort basis.
2. The Enterprise network becomes more reliable because multiple paths can be used.
3. Costs are greatly reduced because dual MPLS links can be replaced with a mix of MPLS and Internet.
4. The time to bring up new remote sites is dramatically reduced because the SD-WAN supports rapidly deployed DSL and 3G/4G LTE connections as easily as MPLS.
5. Security is assured across these connections using a zero-touch secure VPN technology used by governments and finance organizations worldwide.

From a platform perspective, the ISR 4000 series has
1. Separated control and data planes for Denial of Service (DoS) attack prevention and Intrusion Prevention System (IPS) and firewall capability built-in.
2. SaaS applications can have content locally cached. The caching is automatic and peers directly with Akamai technology to obtain intelligence.
3. Application performance speed is greatly increased using in-built application acceleration technology that can locally cache at a byte-level.

Cisco Security Solutions for the ISR4000 Series

Cisco WAN MACsec,

Cisco routers support a wide-range of ever enhancing security features on the ISR4000 routers. Cisco WAN MACsec is supported on the ISR4000 series routers using the NIM‑2GE-CU-SFP module. WAN MACsec provides a line-rate network encryption solution over Layer 2 Ethernet transport services and can be leveraged outside campus networks, whether it be over Metro Ethernet transport or Data Center Interconnect (DCI) links. MACsec also secures WAN connections that are leveraging Ethernet as the link-layer media.

Cisco Encrypted Threat Analytics

The rapid rise in encrypted traffic is changing the threat landscape. As more businesses become digital, a significant number of services and applications are using encryption as the primary method of securing information. Encrypted Threat Analytics (ETA) is a functionality that allows customers to do cryptographic assessments and identify malware communications in encrypted traffic through passive monitoring. Using information about events that occur inside of a flow or intraflow telemetry to identify malware communication in encrypted traffic means Encrypted Traffic Analytics can maintain the integrity of the encrypted flow without the need for bulk decryption.

Cisco Snort IPS and Cisco Umbrella Branch

Cisco® Snort® IPS for Cisco 4000 Series Integrated Services Routers (ISRs) offers a lightweight threat defense solution that uses industry-recognized Snort open-source Intrusion Prevention System (IPS) technology. It is perfect for customers who are looking for a cost-effective solution that provides one box for both advanced routing capabilities and integrated threat defense security to help comply with regulatory requirements.
Cisco Umbrella Branch is a cloud-delivered security service for the Cisco Integrated Services Router (ISR). It provides the first layer of defense against threats at branch offices. And it offers the simplest, fastest way to protect every device on your branch network. You gain visibility and enforcement at the DNS layer, so you can block requests to malicious domains and IPs before a connection is ever made.
When enabling MACsec, you will need to procure the Security and HSEC licenses to stay within the limits of federal export control regulations. When customers wish to enable ETA, the Security (SEC) license needs to be enabled. Enabling Snort needs a Security (SEC) license and a signature subscription license. Enabling Cisco Umbrella Branch needs an Umbrella Branch license and a subscription license.

Reducing Operational Costs using Cisco ISR
Support for Data Modelling

Enterprises and Service Providers (SP’s) wish to drive down the operational cost (opex) of their networks and increase the agility and speed with which they deliver new services furthered by investments in Software Defined Networking (SDN) and Network Function Virtualization (NFV). Cisco routers provide support for Netconf and YANG data-modelling with increasing model coverage in successive releases

Software Maintenance Upgrades (SMU)

The ISR4000 routers now support Software Maintenance Upgrades (SMU)[7]. The Software Maintenance Upgrade (SMU) is a package that can be installed on a system to provide a patch fix or security resolution to a released image. An SMU package is provided on a per release and per component basis and is specific to the platform. An SMU is an independent and self-sufficient package and it does not have any prerequisites or dependencies.

Network Plug and Play

Network Plug and Play helps automate the onboarding of new devices on your network by applying configuration settings without manual intervention. With the ease of a centrally managed controller, it reduces the time a new device takes to join your network and become functional.
Cisco IOS Software Licensing and Packaging

Universal IOS XE and XE-SDWAN Image

A single Cisco IOS XE Universal image encompassing all functions is delivered with the platform. Advanced features can be enabled by simply activating a software license on the Universal image. Technology packages and feature licenses, enabled through right-to-use licenses, simplify software delivery and decrease the operational costs of deploying new features.
Beginning IOS version 16.9.1, SDWAN support is provided for IOS image on the ISR4000 series router. The SDWAN features are provisioned through a separate image, the XE-SDWAN image. While the Universal IOS-XE image provides for routing features, the XE-SDWAN image provides support for OnPrem or Cloud based Software Defined WAN solutions. Unified Communications for XE-SDWAN will be supported in upcoming releases
When ordering an ISR router, a customer may choose either of IOS-XE or XE-SDWAN image. With IOS-XE image, customers may opt for subscription based licensing or for perpetual licensing. With XE-SDWAN image, customers may order only subscription licensing.
Four major technology licenses are available on the Cisco 4000 Family and use the IOS-XE image; these licenses can be activated through the Cisco software activation process identified at https://www.cisco.com/go/sa. The following licenses are available:

● IP Base: This technology package is available as default.

● Application Experience (APPX): This license includes data and application performance features.

● Unified Communications (UC)[8]: This license includes voice features.

● Security (SEC) or Security with No Payload Encryption (SEC-NPE): This license includes features for securing network infrastructure.

The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250[9] Mbps of crypto bandwidth would be available.
IOS-XE provides support for both perpetual and subscription licensing. Subscription Licensing with support for Cisco DNA Center is offered using the 3-Licenses of Cisco DNA Essentials, Cisco DNA Advantage and Cisco DNA Premier in-line with similar licenses that provide support on the XE-SDWAN side.
Software Defined Networks maybe provisioned through three major licenses on the Cisco 4000 Family; these licenses can be activated through the Cisco software activation process identified at https://www.cisco.com/go/sa using the Cisco DNA Center or through the vManage management portal. The XE-SDWAN image provides for its own licensing schema through the Cisco DNA Licensing

The following licenses are available:

● Cisco DNA Essentials covers all types of connectivity & router life cycle management, support for Network & application visibility coupled with basic premise and transport security

● Cisco DNA Advantage provides for Advanced WAN topologies, Application aware policies supported by enhanced network security

● The Cisco DNA Premier provides for Cloud connectivity with unlimited segmentation, Advanced Application optimization & Network Analytics, secured by advanced threat protection

Smart Software Licensing Support for IOS-XE

IOS-XE supports Smart Licensing beginning with image version 16.6.1 and Device Led Conversion with image version 16.9.1. Smart Software licensing is a simplified license management system that delivers visibility into customer license ownership and consumption. Licenses are managed through a central Cisco Smart License cloud portal (CSSM). The cloud portal maintains an account of what the customer has bought and what they are using, thus alerting the customer if they go out of compliance. Customers can determine what licenses they own and how they are being used. Customers benefit from being able to pool available licenses thus providing for a more straightforward license usage across like-platforms, thus decreasing operational costs.

While customers can purchase existing SKU’s, they must mandatorily create a Smart Account when implementing Smart Licensing. One or more Virtual Accounts maybe created under the Smart Account to enable the organization to logically segregate the purchased licenses. Device Led Conversion (DLC) allows the customer to convert all existing PAK and RTU licenses on the router into a Smart License. For more information, refer to the link at https://www.cisco.com/c/en/us/products/software/smart-accounts/software-licensing.html.

Cisco ISR 4000 Bundles
Cisco ISR 4000 is available is several attractive bundles. The AX bundles integrate Cisco Wide Area Application Services (WAAS), Security (SEC), and Data (DATA) licenses into a single bundle that is simple to order, configure, and deploy. For customers who are also interested in voice along with all of these features, AXV presents an attractive option. See Table 6 for details.

Cisco ISR 4000 Feature Bundles

• Application Experience with Voice (AXV):AX + Voice:

• Voice with Security (VSEC):Voice + Security

• Application Experience (AX):
  IP Base + Security + advanced networking protocols: L2TPv3, BFD, MPLS, VRF, VXLAN[10] (Bandwidth<100mbps)
  Application Experience: PfRv3, WAAS with AppNav, NBAR2, AVC, IP SLA
  Hybrid Cloud Connectivity: LISP, OTV (for Bandwidth<100Mbps), VPLS, EoMPLS
  Intelligent Web Caching: Akamai Connect

• Voice (V): IP Base + Unified Communications: CME, SRST, CUBE

• Security (SEC) IP Base + Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN

Note: ISR4221/K9 does not support UC (Voice), hence no V, VSEC, AXV bundles for ISR4221/K9
A pay-as-you-grow licensing model lets you increase the performance level for the platforms from the base level to a higher level. So you can purchase at an attractive entry-level price point and increase the performance level as your business demand grows. Table 7 describes the performance licenses.

Cisco ISR 4000 Performance Licenses

ISR4461,FL-4460-PERF-K9 Increases the performance from base performance 1.5 Gbps to 3 Gbps
ISR4451,FL-44-PERF-K9 Increases the performance from base performance 1 Gbps to 2 Gbps
ISR4431,FL-44-PERF-K9 Increases the performance from base performance 500 Mbps to 1 Gbps
ISR4351,FL-4350-PERF-K9 Increases the performance from base performance 200 Mbps to 400 Mbps
ISR4331,FL-4330-PERF-K9 Increases the performance from base performance 100 Mbps to 300 Mbps
ISR4321,FL-4320-PERF-K9 Increases the performance from base performance 50 Mbps to 100 Mbps
ISR4221, FL-4220-PERF-K9 Increases the performance from base performance 35 Mbps to 75 Mbps

Cisco ISR 4000 Booster (boost) Performance Licenses

FL-4220-BOOST-K9 (=) Booster Performance License for 4220 Series Router
FL-4320-BOOST-K9 (=) Booster Performance License for 4320 Series Router
FL-4330-BOOST-K9 (=) Booster Performance License for 4330 Series Router
FL-4350-BOOST-K9 (=) Booster Performance License for 4350 Series Router
FL-4430-BOOST-K9 (=) Booster Performance License for 4430 Series Router
FL-44-BOOST-K9 (=) Booster Performance License for 4450 Series Router
FL-4460-BOOST-K9 (=) Booster Performance License for 4460 Series Router