Cisco Router Throughput Explained: CEF, IPsec, and SD-WAN IPsec
Cisco router performance is a set of parameters, not one number. A datasheet reports CEF (IP forwarding) throughput for plain routing, IPsec throughput for encrypted VPN, SD-WAN IPsec throughput for Catalyst SD-WAN overlays, the packet-size basis each figure is tested at (IMIX or 1400-byte), packets-per-second headroom, tunnel scale, and the license and HSEC ceiling that caps them all. For procurement, reading these parameters correctly matters more than counting ports — a router with 1G interfaces rarely forwards 1 Gbps of encrypted traffic.
To keep every parameter concrete, one platform runs through this guide as the example: the Cisco C8300-1N1S-6T. On the same box, Cisco’s datasheet lists up to 19.7 Gbps of plain IP forwarding but only about 1.9 Gbps of IPsec — a tenfold gap on one platform, and a plain sign that port count says little about real capacity. Learn to read these figures on one datasheet and you can size any Cisco router the same way.
The Key Performance Specs on a Cisco Router Datasheet
A Cisco router does more work per packet as encryption and services turn on, so Cisco tests and publishes performance under several conditions. These are the parameters that decide whether a platform fits.
| Parameter | What it measures | Why it matters to a buyer |
|---|---|---|
| CEF / IPv4 forwarding throughput | Plain, unencrypted Layer 3 routing | Internet edge, MPLS, private WAN sizing |
| IPsec throughput | Traditional encrypted VPN traffic | Site-to-site VPN, DMVPN, FlexVPN sizing |
| SD-WAN IPsec throughput | Encrypted Catalyst SD-WAN overlay traffic | SD-WAN branch and hub sizing |
| Packet-size basis (IMIX vs 1400-byte) | The traffic profile a figure was tested at | Realistic vs best-case planning |
| Packets per second (PPS) | The packet-rate ceiling, separate from bit rate | Small-packet traffic (voice, DNS, signalling) |
| IQDF throughput | Encryption plus QoS, DPI, and NetFlow | Sizing with services enabled |
| Tunnel scale | IPsec/SVTI and SD-WAN overlay tunnel counts | Hub, DMVPN, and large-topology sizing |
| Licensed throughput and HSEC | The tier/export cap on usable throughput | The real ceiling, set on the BOM |
The rule that ties them together: read the parameter that matches the traffic type, at the realistic packet size, then confirm the license tier and HSEC entitlement that unlock it. The Cisco C8300-1N1S-6T — a 1RU Catalyst 8300 branch router with six 1G Layer 3 ports plus one service-module and one network-interface-module slot — carries every one of these figures on its datasheet:
| C8300-1N1S-6T parameter | Value (per Cisco) |
|---|---|
| CEF / IPv4 forwarding (1400B) | Up to 19.7 Gbps |
| IPsec throughput, autonomous (IMIX) | 1.9 Gbps |
| SD-WAN IPsec throughput (IMIX) | 1.8 Gbps |
| SD-WAN IPsec throughput (1400B) | Up to 2 Gbps |
| SD-WAN IPsec + IQDF (IMIX) | 1.7 Gbps |
| 50% IQDF + 50% secure Direct Internet Access | 2.6 Gbps |
| IPsec SVTI tunnels (autonomous) | 4,000 |
| SD-WAN overlay tunnels | 6,000 |
| Throughput / tunnels without HSECK9 | ≤250 Mbps, 1,000 tunnels |
What Is CEF (IP Forwarding) Throughput?
CEF throughput is how fast a router forwards plain, unencrypted IP packets, and it is the highest number on a Cisco datasheet because forwarding is the least work per packet. On the C8300-1N1S-6T it is up to 19.7 Gbps. Every C8300 model rates that same 19.7 Gbps, because forwarding is bounded by the shared data-plane engine rather than the WAN configuration.
CEF stands for Cisco Express Forwarding, the Layer 3 IP-switching architecture built into Cisco IOS and IOS XE. It replaces the old route-cache model with two purpose-built structures. The Forwarding Information Base (FIB) is a one-to-one mirror of the routing table, reorganized for fastest longest-prefix lookup and updated the moment routes change, so forwarding never waits on a cache miss. The adjacency table holds the Layer 2 rewrite information (next-hop MAC, encapsulation) for each FIB entry, populated as adjacencies are learned through ARP. For each packet the router takes a receive interrupt, does a longest-match FIB lookup on the destination, follows the pointer to the adjacency entry, rewrites the Layer 2 header, and queues the packet out — with minimal CPU involvement, which is why CEF is enabled by default and sustains line-rate forwarding.
On a datasheet this parameter is labeled IPv4 forwarding throughput. It is the number to read when the router mostly moves unencrypted traffic: Internet breakout, NAT, MPLS handoff, and static or dynamic routing (OSPF, EIGRP, BGP) with no encryption. It is the wrong number the moment traffic is encrypted. Reading 19.7 Gbps and assuming the C8300-1N1S-6T “does almost 20 gigs” of VPN is the single most common oversizing mistake, because its encrypted ceiling is roughly a tenth of that. Choose CEF throughput to size plain-routing sites only; once traffic is encrypted, the IPsec or SD-WAN figure governs.
What Is IPsec Throughput, and Why Is It Lower?
IPsec throughput is how fast a router forwards traffic through traditional encrypted VPN tunnels, and it is far lower than CEF throughput because every packet is encrypted, authenticated, and encapsulated. The C8300-1N1S-6T forwards up to 19.7 Gbps in the clear but about 1.9 Gbps of IPsec at IMIX — the encryption engine, not the forwarding path, sets the ceiling.
The cost comes from what IPsec does to each packet. The router runs the payload through a cipher — on Catalyst 8000 and ISR platforms, AES-256 in GCM or CBC mode, handled by a dedicated hardware crypto engine rather than the main CPU — then wraps it in an Encapsulating Security Payload (ESP) header and trailer, which both adds per-packet bytes and consumes crypto-engine cycles. Internet Key Exchange (IKE) negotiates and periodically rekeys each security association. Layer on the NAT, ACLs, and QoS that most VPN sites also run, and effective throughput drops further. Even with hardware acceleration, encryption is simply more work per packet than a FIB lookup, so the IPsec figure lands well below the forwarding figure on every platform.
This parameter sizes the box for site-to-site VPN, DMVPN, FlexVPN, and static VTI (SVTI) designs — anywhere most traffic rides encrypted tunnels. Read it at IMIX for planning, confirm it is the number your deployment mode uses (the autonomous-mode IPsec figure differs from the SD-WAN figure below), and pair it with the tunnel-scale and HSEC parameters — because on the C8300-1N1S-6T, and every C8200/C8300, IPsec above 250 Mbps is impossible without an HSECK9 license no matter what the hardware is rated to do.
What Is SD-WAN IPsec Throughput?
SD-WAN IPsec throughput is the encrypted throughput a router delivers in Cisco Catalyst SD-WAN controller mode, where WAN traffic rides IPsec overlay tunnels managed by the SD-WAN fabric. On the C8300-1N1S-6T it is 1.8 Gbps at IMIX (up to 2 Gbps at 1400 bytes) — close to, but not identical to, its 1.9 Gbps traditional IPsec figure, because the overlay does extra work.
The difference is the fabric. In controller mode the router builds IPsec overlay tunnels to other edge devices, learns routes and transport locators (TLOCs) through the Overlay Management Protocol (OMP), and steers traffic with application-aware routing, per-tunnel QoS, and deep packet inspection, while a DTLS/TLS control channel talks to the controllers. All of that is per-packet or per-flow overhead the traditional IOS XE data path does not carry, so Cisco publishes a separate SD-WAN performance table for every platform. The two numbers can be close on a small branch router and diverge more as services scale, which is exactly why you must not read the autonomous-mode figure for an SD-WAN site or vice versa.
Use SD-WAN IPsec throughput to size any Catalyst SD-WAN branch or hub. Confirm the deployment mode first, read the IMIX value, and check the SD-WAN overlay tunnel scale alongside it. The C8300-1N1S-6T supports 6,000 overlay tunnels, but like all C8200/C8300 platforms it is throttled to 1,000 tunnels and 250 Mbps until an HSECK9 license is present.
IMIX vs 1400-Byte Throughput: Why Packet Size Changes the Number
Packet size changes a throughput figure more than almost any other test condition, so the same router publishes two very different numbers. IMIX (Internet Mix) uses an average packet size of 352 bytes — Cisco’s stated definition — blending many small control packets with fewer large data packets to approximate real enterprise traffic. The 1400-byte test uses large packets only and produces the higher, best-case figure.
On the C8300-1N1S-6T the two SD-WAN IPsec figures are close (up to 2 Gbps at 1400 bytes, 1.8 Gbps at IMIX), but the gap widens sharply as platforms get faster: the 10G-WAN C8300-1N1S-4T2X rates up to 17 Gbps of SD-WAN IPsec at 1400 bytes yet 6.3 Gbps at IMIX — a 2.7x difference on one line of the same datasheet. The reason is packet rate: smaller packets mean more packets per gigabit, and per-packet work is what a router runs out of first.
For procurement, size to the IMIX figure and treat the 1400-byte number as a best-case comparison only. Real branch traffic — voice, SaaS, DNS, control-plane packets, mixed with file transfers — sits much closer to IMIX than to a stream of 1400-byte packets. The practical trap is comparison shopping: when two datasheets or two quotes cite different throughput, one may be an IMIX figure and the other a 1400-byte figure, and comparing them directly compares a realistic number against a marketing one.
Throughput vs Packets Per Second (PPS)
Throughput in bits per second has a hidden partner: the router’s ceiling in packets per second (pps), and small packets hit it first. Forwarding, encryption, and inspection each cost work on every packet, so a platform can exhaust its packet-processing headroom before it exhausts bandwidth. Two streams at the same 10 Gbps are not equal work — one built from large packets carries far fewer packets per second than one built from small packets, and the small-packet stream is the harder job.
This is the mechanism behind the IMIX gap. The 352-byte average packs more packets into every gigabit than the 1400-byte test, so a router reports a lower Gbps at IMIX because the pps ceiling bound it before the bit rate did. It is the same reason voice, DNS, and signalling traffic — many tiny packets — stress a router out of proportion to their modest bandwidth, while a bulk file transfer of large packets is comparatively easy. For sizing, this cuts two ways. When a site’s traffic is small-packet-heavy, weight the IMIX figure and add margin instead of trusting the headline number. And a router that easily forwards a link’s bandwidth in large packets can still drop small ones under load, which is exactly where encrypted, inspected branch traffic gets into trouble.
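The packet-rate argument above can be checked with arithmetic. The following is an added example (not code from the article or from Cisco): it converts the C8300-1N1S-4T2X SD-WAN IPsec figures quoted above (17 Gbps at 1400 bytes, 6.3 Gbps at IMIX) into packets per second, which exposes the pps ceiling the 1400-byte test never reached, and then applies a simplified, assumed derating model to a site whose average packet is smaller than IMIX. The derating model (pps-bound below the IMIX packet size, never more than the 1400-byte figure above it) is an assumption for illustration, not a Cisco sizing method.

```python
# Added example, not from the article or Cisco: datasheet Gbps <-> pps conversions
# and a simplified derating model for sites whose packets are smaller than IMIX.

IMIX_BYTES = 352     # Cisco's IMIX average packet size, as quoted in the article
LARGE_BYTES = 1400   # packet size used for the best-case test


def pps_from_gbps(gbps, packet_bytes):
    """Packets per second carried by a clear-text rate of `gbps` at a fixed packet size."""
    return gbps * 1e9 / (packet_bytes * 8)


def gbps_from_pps(pps, packet_bytes):
    """Clear-text bit rate produced by `pps` packets per second of `packet_bytes` each."""
    return pps * packet_bytes * 8 / 1e9


def implied_pps_ceiling(imix_gbps, imix_bytes=IMIX_BYTES):
    """Packet rate the platform sustained during the IMIX test. The article's point is
    that this rate, not the bit rate, is what binds small-packet traffic."""
    return pps_from_gbps(imix_gbps, imix_bytes)


def estimate_ceiling_gbps(imix_gbps, large_gbps, site_avg_bytes,
                          imix_bytes=IMIX_BYTES, large_bytes=LARGE_BYTES):
    """ASSUMED sizing model, not a Cisco method: treat the box as pps-bound at the
    IMIX packet rate, scale that rate to the site's average packet size, and never
    credit more than the published large-packet figure."""
    pps_bound = gbps_from_pps(implied_pps_ceiling(imix_gbps, imix_bytes), site_avg_bytes)
    return min(pps_bound, large_gbps)


# Article-quoted SD-WAN IPsec figures for the C8300-1N1S-4T2X (IMIX and 1400-byte).
C8300_4T2X_SDWAN_IPSEC = {"imix_gbps": 6.3, "large_gbps": 17.0}

if __name__ == "__main__":
    large_pps = pps_from_gbps(C8300_4T2X_SDWAN_IPSEC["large_gbps"], LARGE_BYTES)
    imix_pps = pps_from_gbps(C8300_4T2X_SDWAN_IPSEC["imix_gbps"], IMIX_BYTES)
    print(f"1400-byte test: 17 Gbps is only {large_pps / 1e6:.2f} Mpps")
    print(f"IMIX test:      6.3 Gbps is {imix_pps / 1e6:.2f} Mpps  <- the per-packet ceiling")
    # Constructed site profiles: a voice/SaaS-heavy branch (200 B average) up to bulk transfer.
    for avg in (200, 352, 700, 1400):
        est = estimate_ceiling_gbps(6.3, 17.0, avg)
        print(f"site average {avg:4d} B -> plan for about {est:.2f} Gbps encrypted")
```

Run it and the two tests line up the way the article describes: the 1400-byte test moves about 1.5 Mpps while the IMIX test moves about 2.2 Mpps, so the platform was packet-bound at IMIX and bandwidth-bound at 1400 bytes. Feeding the model a 200-byte average (voice and signalling heavy) brings the planning figure down to roughly 3.6 Gbps, well under the 6.3 Gbps IMIX headline, which is the margin the section asks you to add for small-packet sites.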
What Is IQDF Throughput (IPsec + QoS + DPI + NetFlow)?
IQDF throughput is Cisco’s most realistic branch number, because it measures encryption with the services a real branch runs turned on. IQDF stands for IPsec + Quality of Service + Deep Packet Inspection + Flexible NetFlow, and on the C8300-1N1S-6T it lowers SD-WAN IPsec from 1.8 Gbps to 1.7 Gbps at IMIX. Add a full security stack and the number moves more.
Each service in the acronym adds per-packet work on top of encryption. QoS classifies, queues, and shapes every packet against policy. Deep packet inspection (via NBAR) looks inside the packet to recognize the application. Flexible NetFlow accounts for every flow. None of these is free, and they run in addition to the crypto engine’s load, so the IQDF figure sits below the bare IPsec figure. Cisco also publishes a heavier mixed profile: on the C8300-1N1S-6T, 50% IQDF traffic plus 50% Direct Internet Access protected by NAT, next-generation firewall, IPS, URL filtering, and malware protection delivers 2.6 Gbps — a useful upper bound for a secure-branch design, tested on a specific IOS XE release.
Plan against the IQDF or security-profile number whenever those services are the reason you are buying the router — which, for most SD-WAN branches, they are. Sizing to the bare IPsec figure and then enabling DPI, QoS, and NetFlow in production is a reliable way to run out of headroom, because the number you sized to was never measured with your feature set on.
Tunnel Scale: How Many IPsec and SD-WAN Tunnels a Router Supports
Tunnel scale is a throughput-independent ceiling: a router can have plenty of encrypted bandwidth and still run out of tunnels, or vice versa. The C8300-1N1S-6T supports 4,000 IPsec SVTI tunnels in autonomous mode and 6,000 SD-WAN overlay tunnels in controller mode — but without an HSECK9 license, every C8200 and C8300 is capped at 1,000 tunnels regardless of the rated maximum.
Tunnels cost more than bandwidth alone because each one carries state: a security association, keys that IKE must periodically rekey, and memory for the routing and policy attached to it. That cost is why a hub or aggregation site — where hundreds or thousands of spokes terminate — is often bound by tunnel count and rekey load long before it is bound by throughput. It is also why the parameter matters far more at the head end than at a single branch: a spoke needs a handful of tunnels, a DMVPN or SD-WAN hub needs thousands. For large aggregation, the Catalyst 8500 family scales to several thousand overlay tunnels and, unlike the branch platforms, is not tunnel-capped when HSECK9 is absent. Size a hub by tunnel scale and throughput together, and confirm the HSECK9 entitlement, since the 1,000-tunnel floor is exactly what a large topology will hit first.
How Does Cisco Measure Router Throughput?
Cisco tests each figure under fixed conditions, and changing any of them changes the number — which is why two sources can quote different “throughput” for the same router. Packet size (IMIX vs 1400-byte), covered above, is usually the biggest single condition. Three more decide whether two numbers are even comparable:
- Clear-text basis. Cisco footnotes the IPsec and SD-WAN IPsec figures as clear-text measurements from a traffic generator — the plaintext payload rate the platform sustains, not the encrypted wire rate. Two numbers measured on different bases are not directly comparable.
- Bidirectional vs aggregate. The throughput value in a Catalyst 8000 license PID is the bidirectional figure, meaning the rate allowed in each direction, and the platform’s aggregate cap is double it: a DNA-C-500M license allows up to 1 Gbps aggregate, and the T1 tier (250 Mbps) allows 500 Mbps aggregate. A quote that cites “500M” and one that cites “1 Gbps aggregate” can describe the same license.
- Software release. Published figures are tied to an IOS XE release; tunnel-scale and security-services numbers in particular are tested on specific releases — the 8000-series security use cases, for example, on IOS XE 17.12.x — and a newer release can raise a figure.
Before comparing two throughput claims, match the packet size, the clear-text basis, the direction, the deployment mode, and the software release. Otherwise you are comparing a realistic figure against a best-case one, and the cheaper-looking router may simply be quoting the more optimistic test.
Does a 1G Port Mean 1 Gbps of IPsec?
No. Port speed defines the physical interface rate; it says nothing about how much traffic the platform can process, and encryption is almost always the tighter limit. The C8300-1N1S-6T makes the point cleanly: its six 1G ports give 6 Gbps of physical Layer 3 capacity, but the platform encrypts roughly 1.9 Gbps, so the crypto engine — not the ports — is the ceiling. Port count tells you how much you can plug in, not how much the router can move once services are on.
This is why a request for a “1G router” needs one more question. It can mean a 1G physical port, 1 Gbps of plain routing, 1 Gbps of encrypted IPsec, 1 Gbps of SD-WAN overlay, or 1 Gbps with NAT, QoS, and security services all running, and each of those maps to a different parameter above, and often to a different license. The interface spec is the one number that will not resolve which of those the buyer actually means, so pin down the traffic type before you read any throughput figure or shortlist any hardware.
How Licensing and HSEC Cap Cisco Router Throughput
On current Cisco platforms the hardware is often not the limit — the license is. Two mechanisms decide how much of a router’s rated throughput is actually usable, and both belong on the bill of materials, not discovered after delivery.
The High Security license (HSECK9) is an export-controlled license required for full cryptographic functionality. On the Catalyst 8000 Edge family, Cisco’s licensing documentation is explicit: for throughput above 250 Mbps, or a tunnel count above the base limit, HSECK9 is required on every model except the Catalyst 8500 and 8500L. Without it, each C8200 and C8300 (the C8300-1N1S-6T included) is capped at 1,000 tunnels and 250 Mbps of throughput, no matter how fast the silicon is rated. Order a C8300 for multi-gigabit SD-WAN, forget HSECK9, and the platform quietly throttles to 250 Mbps until the license is added. On the Catalyst 8500 and 8500L the throughput and tunnel scale are not restricted by the absence of HSECK9 — there it is required only for compliance. That licensed throughput also meters encrypted and unencrypted traffic combined, so size the tier to total traffic, not just the encrypted slice.
DNA Throughput Tiers and the HSECK9 Threshold
Catalyst 8000 throughput is licensed two ways: a numeric value (10M, 25M, 50M, 100M, 250M, 500M, 1G, 2.5G, 5G, or 10G) or a tier from T0 to T5. T0 maps to about 25 Mbps, and each higher tier resolves to a higher rate — any throughput above 250 Mbps, meaning T2 and up, requires HSECK9. The catch that trips up a BOM is that a tier is not a fixed speed: it resolves to a different rate on each platform. Cisco’s own example is that T2 means 1 Gbps on a C8300-2N2S-4T2X, 500 Mbps on a C8200-1N-4T, and 250 Mbps on a C8200L-1N-4T. Order by tier and confirm what that tier resolves to on your exact model. One more limit: T3 and higher tiers are not available with the Network Essentials or DNA Essentials license, so a high-throughput site needs Advantage or Premier.
ISR 4000 Performance Licenses
The older Cisco ISR 4000 family works differently: usable throughput is set by a performance (Performance-on-Demand) license rather than a tier, so an ISR 4331 raised from its 100 Mbps base to 300 Mbps still cannot reach 500 Mbps, and without the ISR HSEC license it faces the same 250 Mbps crypto and 1,000-tunnel ceiling. In practice, the most common bill-of-materials gap our team sees on encrypted-WAN orders is a correct chassis and DNA tier with no HSECK9 line item — confirm the HSEC entitlement and the throughput tier on the quote, not after the router ships.
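The licensing rules in this section (the 250 Mbps and 1,000-tunnel cap without HSECK9, the 8500/8500L exemption, the per-direction license value with a doubled aggregate cap, and the fact that the license meters encrypted and clear traffic together) can be turned into a pre-order check. The block below is an added example, not Cisco tooling and not code from the article: the thresholds are the ones the article states, the C8300-1N1S-6T rated values are the article's SD-WAN IPsec IMIX figure and overlay tunnel count, and the quoted order scenario is constructed. It uses numeric license values rather than T-tiers because, as the section explains, a tier resolves to a different rate per platform.

```python
# Added example, not from the article or Cisco: a bill-of-materials check that applies
# the article's HSECK9 and licensed-throughput rules to a planned site.

HSEC_THROUGHPUT_MBPS = 250                # above this, HSECK9 is required
HSEC_TUNNEL_LIMIT = 1000                  # base tunnel limit without HSECK9
UNCAPPED_FAMILIES = {"C8500", "C8500L"}   # not throttled when HSECK9 is absent


def bom_check(platform, license_mbps, hseck9, total_mbps_per_direction, tunnels):
    """Return the usable ceilings and a list of findings for a planned order.

    platform                 : dict with 'family', 'rated_mbps' (encrypted IMIX figure)
                               and 'rated_tunnels'
    license_mbps             : numeric throughput license value, per direction
                               (e.g. 500 for a 500M license; aggregate cap is double)
    total_mbps_per_direction : encrypted plus clear traffic, since the license meters both
    """
    findings = []
    uncapped = platform["family"] in UNCAPPED_FAMILIES
    hsec_needed = (total_mbps_per_direction > HSEC_THROUGHPUT_MBPS
                   or tunnels > HSEC_TUNNEL_LIMIT)

    # What the router will actually pass once it is racked.
    usable_mbps = min(platform["rated_mbps"], license_mbps)
    usable_tunnels = platform["rated_tunnels"]
    if not hseck9 and not uncapped:
        usable_mbps = min(usable_mbps, HSEC_THROUGHPUT_MBPS)
        usable_tunnels = min(usable_tunnels, HSEC_TUNNEL_LIMIT)

    if hsec_needed and not hseck9:
        if uncapped:
            findings.append("HSECK9 missing: required for compliance on this family, "
                            "though throughput and tunnels are not throttled")
        else:
            findings.append(f"HSECK9 missing: platform throttles to {HSEC_THROUGHPUT_MBPS} "
                            f"Mbps and {HSEC_TUNNEL_LIMIT} tunnels")
    if total_mbps_per_direction > license_mbps:
        findings.append(f"license {license_mbps}M is below the {total_mbps_per_direction} "
                        f"Mbps per-direction need (aggregate cap {2 * license_mbps} Mbps)")
    if total_mbps_per_direction > platform["rated_mbps"]:
        findings.append(f"site exceeds the platform's rated {platform['rated_mbps']} "
                        f"Mbps encrypted figure")
    if tunnels > usable_tunnels:
        findings.append(f"{tunnels} tunnels exceeds the usable {usable_tunnels}")

    return {"usable_mbps": usable_mbps, "usable_tunnels": usable_tunnels,
            "aggregate_cap_mbps": 2 * license_mbps, "findings": findings}


# C8300-1N1S-6T, using the article's SD-WAN IPsec IMIX figure and overlay tunnel count.
C8300_1N1S_6T = {"family": "C8300", "rated_mbps": 1800, "rated_tunnels": 6000}

if __name__ == "__main__":
    # Constructed scenario: a 900 Mbps per-direction SD-WAN branch quoted with a
    # 1G license, first without and then with the HSECK9 line item.
    for has_hsec in (False, True):
        result = bom_check(C8300_1N1S_6T, license_mbps=1000, hseck9=has_hsec,
                           total_mbps_per_direction=900, tunnels=40)
        print(f"HSECK9={has_hsec}: usable {result['usable_mbps']} Mbps, "
              f"{result['usable_tunnels']} tunnels, findings={result['findings']}")
```

The first pass reproduces the trap the section describes: chassis and 1G license are correct, yet the usable figure collapses to 250 Mbps and 1,000 tunnels because HSECK9 is absent. Adding the line item clears every finding and restores the licensed 1 Gbps per direction. Passing a C8500 or C8500L family leaves the ceilings untouched and reports the missing license as a compliance item only, matching the exemption stated above.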
Which Throughput Parameter Should You Use to Size a Router?
Start from the traffic type, read the matching parameter at IMIX, then confirm the secondary factors that erode it.
| Deployment | Primary parameter | Also confirm |
|---|---|---|
| Basic Internet / MPLS routing | CEF / IPv4 forwarding | NAT, ACL, QoS overhead |
| Site-to-site VPN or DMVPN | IPsec throughput (IMIX) | HSEC, tunnel scale |
| Catalyst SD-WAN branch | SD-WAN IPsec throughput (IMIX) | DNA tier, HSEC, overlay tunnels |
| SD-WAN branch with security | IQDF / security-services throughput | DPI, IPS, URL filtering, NGFW load |
| SD-WAN hub / WAN aggregation | SD-WAN IPsec + tunnel scale | 10G/100G ports, route scale, redundancy |
If your open question is which model rather than which parameter, the Cisco router model selector guide compares the lineup side by side; this guide is about reading the parameters so any comparison makes sense.
Common Mistakes Reading Cisco Router Performance Specs
Most sizing errors trace back to reading the wrong parameter. The recurring ones:
- Reading the CEF (forwarding) number and treating it as encrypted capacity.
- Sizing by port speed instead of the encrypted throughput parameter.
- Assuming SD-WAN IPsec equals traditional IPsec on the same model.
- Quoting the 1400-byte figure and ignoring the lower IMIX number.
- Reading the autonomous-mode table for a site that will run SD-WAN, or vice versa.
- Ignoring the IQDF and security-services numbers when those services are the point of the router.
- Ordering the chassis and DNA tier but omitting HSECK9 — and throttling to 250 Mbps.
- Sizing a hub by throughput alone and overlooking the tunnel-scale ceiling.
- Comparing an ISR 4000 and a Catalyst 8000 without fixing the deployment mode first.
- Comparing two throughput numbers measured at different packet sizes, clear-text bases, or directions.
Cisco Router Sizing by Procurement Scenario
The parameter that matters most depends on why you are buying, not only what the site does. These are the scenarios where sizing goes wrong most often, and the number to lead with in each.
- Refreshing an aging branch router, or raising a site’s WAN speed. Check the current platform’s throughput ceiling against the new bandwidth before anything else. An ISR 4331 tops out at 300 Mbps aggregate even with its performance license, so a jump to 500 Mbps or 1 Gbps has outgrown the hardware, not just the license; budget for a newer platform such as a Catalyst 8300 and include HSECK9.
- Opening a new Catalyst SD-WAN branch. Read the SD-WAN IPsec figure at IMIX, plus the IQDF number if DPI, QoS, and a firewall will run. The common miss is sizing to bare encryption and then switching on the security services that justified SD-WAN in the first place, so plan against the IQDF or security-profile figure and put the correct DNA tier and HSECK9 on the order.
- Adding site-to-site VPN to an existing internet router. IPsec throughput at IMIX becomes the number to watch, not the CEF figure the router was first sized on. A plain-routing box does not encrypt at its forwarding rate — its IPsec ceiling is a fraction of it — and anything above 250 Mbps requires HSECK9, which older internet-edge routers were rarely ordered with.
- Building an HQ, data-center, or SD-WAN head-end hub. Size by tunnel scale and throughput together, with 10G or 100G interfaces. A hub usually reaches the tunnel-count ceiling before the throughput ceiling, and a branch platform is limited to 1,000 tunnels without HSECK9, so a Catalyst 8500-class platform — which is not tunnel-capped — is the safer evaluation.
- Buying for three to five years of growth. Leave headroom on the IMIX encrypted figure and choose a DNA tier you can raise later. Sizing to today’s exact bandwidth with no margin, and leaving HSECK9 off the order, is what forces a second purchase when the first throughput increase silently caps at 250 Mbps.
Frequently Asked Questions
Is CEF throughput the same as IPsec throughput?
No. CEF (IPv4 forwarding) throughput measures plain, unencrypted routing, while IPsec throughput measures encrypted VPN traffic and is far lower on the same model. The C8300-1N1S-6T forwards up to 19.7 Gbps of plain traffic but encrypts about 1.9 Gbps at IMIX. For any VPN project, size on IPsec throughput.
Should I size with IMIX or the 1400-byte throughput?
Use IMIX. Its 352-byte average reflects the mixed traffic real branches carry and is the conservative figure — a C8300-1N1S-4T2X rates 6.3 Gbps of SD-WAN IPsec at IMIX versus 17 Gbps at 1400 bytes. The 1400-byte number is useful only for best-case platform comparison.
What is the difference between router throughput and bandwidth?
Bandwidth is the capacity of the link or interface — what the port or circuit can carry. Throughput is how much traffic the router actually processes, which depends on the work per packet: routing, encryption, services, packet size, and the license. A router on a 1 Gbps link can deliver far less than 1 Gbps of usable IPsec, so size on throughput.
Do I need HSEC for high Cisco router IPsec throughput?
Usually, yes. On Catalyst 8000 models except the 8500 and 8500L, HSECK9 is required for throughput above 250 Mbps or tunnel counts above the base limit; without it the platform caps at 1,000 tunnels and 250 Mbps. The ISR 4000 enforces the same 250 Mbps crypto ceiling without its HSEC license.
What throughput does a C8300-1N1S-6T actually deliver?
Per Cisco’s datasheet, the C8300-1N1S-6T forwards up to 19.7 Gbps of plain IP traffic, encrypts about 1.9 Gbps of IPsec at IMIX, and delivers about 1.8 Gbps of SD-WAN IPsec at IMIX, scaling to 4,000 IPsec or 6,000 SD-WAN overlay tunnels. Above 250 Mbps it requires an HSECK9 license.
Final Note for Procurement
The buying rule is short: do not size a Cisco router by port speed or by the forwarding number. Read the parameter that matches the traffic — CEF for plain routing, IPsec for traditional VPN, SD-WAN IPsec for Catalyst SD-WAN — at IMIX, then confirm the license tier and HSECK9 that unlock it.
As a Cisco certified partner, Layer23-Switch supplies brand-new original Cisco routers with a 3-year warranty and RMA support, and can validate the chassis, DNA tier, and HSEC combination against your throughput target before you order. If you know your WAN bandwidth, encrypted percentage, tunnel count, interfaces, and traffic mode, request a quote and we can confirm the right router and license before it ships.