You are running into one of the fun new restrictions of the ISR Generation 2.
I assume you have the basic "security" licensing package installed as noted by this part of the message:
securityk9 technology package license
However the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:
The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.
With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed.
A quick way to check which license you have is to issue the following command on your router:
show license feature
This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic, which, on circuits below 100Mbps, might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.
Another handy command for troubleshooting this is:
show platform cerm-information
This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:
router-1#show platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: DISABLED
More information on this command here.
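An offline check of the two outputs this answer relies on, as an added example that is not part of the original answer. The `show license feature` sample is constructed and its column layout is an assumption, the `ENABLED` state line is assumed, and `audit`, `needed_mbps` and `needed_tunnels` are hypothetical names; the 85 Mbps and 225-tunnel limits are the ones quoted from the white paper above.

```python
import re

# Curtailment limits quoted on this page for a router without HSEC-K9.
ONE_WAY_MBPS, MAX_TUNNELS = 85, 225

# Constructed sample of "show license feature"; column layout is an assumption.
SAMPLE_LICENSE = """\
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
hseck9                   yes          no          no             no       no
"""
# Constructed: the ENABLED state line is assumed, not taken from the page.
CERM_CURTAILED = "Crypto Export Restrictions Manager(CERM) Information:\nCERM functionality: ENABLED\n"
# The output quoted on the page for a router with no curtailment in force.
CERM_PAGE = "Crypto Export Restrictions Manager(CERM) Information:\nCERM functionality: DISABLED\n"

def enabled_features(license_text):
    """Return {feature: bool} read from the 'Enabled' column."""
    lines = [l for l in license_text.splitlines() if l.strip()]
    # "Feature name" is two header tokens but one token in each data row.
    col = lines[0].split().index("Enabled") - 1
    out = {}
    for row in lines[1:]:
        fields = row.split()
        if len(fields) > col:
            out[fields[0]] = fields[col].lower() == "yes"
    return out

def cerm_state(cerm_text):
    m = re.search(r"CERM functionality:\s*(\w+)", cerm_text)
    return m.group(1).upper() if m else "UNKNOWN"

def audit(license_text, cerm_text, needed_mbps, needed_tunnels):
    feats = enabled_features(license_text)
    state = cerm_state(cerm_text)
    curtailed = state != "DISABLED"  # fail closed: unknown output counts as curtailed
    findings = []
    if not feats.get("securityk9"):
        findings.append("securityk9 not enabled (HSEC requires the SEC license)")
    if not feats.get("hseck9"):
        findings.append("hseck9 not enabled")
    if curtailed and needed_mbps > ONE_WAY_MBPS:
        findings.append(f"need {needed_mbps} Mbps encrypted, limit is {ONE_WAY_MBPS} Mbps one way")
    if curtailed and needed_tunnels > MAX_TUNNELS:
        findings.append(f"need {needed_tunnels} IPsec tunnels, limit is {MAX_TUNNELS}")
    return {"cerm": state, "curtailed": curtailed, "findings": findings}
```

Paste the text captured from each router into `audit()` along with the encrypted throughput and tunnel count the site needs; an empty `findings` list means neither the license nor CERM is in the way.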
What is the multicast routing latency of Cisco C891F-K9 ISR? Please cite references for your answer. I think it's store-forward type and isn't one of the fastest models (given its price!).
... from the comments: we want to know the effective bandwidth of routing multicast packets w/o dropping any packets.
What you're looking for is the RFC 2544 No Drop Rate (NDR), which is shown in Table 1 of Cisco's Portable Product Sheet; I've included a copy of it inline below...
In short, the fastest a Cisco 891 can forward packets without dropping them is 100Kpps, which translates to 10 microseconds of latency; however, realize this is the fastest you can forward traffic. The performance will be lower if you turn on interface-level features, such as netflow, CBWFQ, or security access-lists. Unfortunately you can't know how much lower without testing the performance yourself; you can use tools such as iperf3 for this kind of testing.
Usually it's a safe assumption to take 60% of the maximum NDR and use that number as your forwarding rate (with a lot of features); 60% of 100Kpps is 60Kpps, or 17 microseconds of latency. There should not be a meaningful difference between unicast and multicast forwarding rates.
... from the comments: the Cisco 891 seems to be limited to 20 us => 50k packets/sec => 26 Mbps for 64 byte packets. 4.5 us => 114 Mbps
This is where your assumptions are leading you sideways. A router's NDR is measured with 64-byte frames, but you should not use that to build the maximum possible bandwidth of the device, because no sane person builds services that inefficiently; we all use much larger frames than 64 bytes. You're the only person who can tell us what your average server's packets will be, but let's assume they are 300 bytes:
- Cisco 891 @ 60Kpps (many features) and 300 byte IP packets: 144Mbps
- Cisco 891 @ 100Kpps and 300 byte IP packets: 240Mbps
Final notes:
Keep in mind that the PPS forwarding rate of the router is a unidirectional measurement. Bidirectional traffic will consume part of those numbers... so if we use 60Kpps / 300-byte packets, and you require 90Mbps downstream, you should plan on no more than 54 Mbps of upstream traffic.
Also account for the reality that network engineers do not want to operate routers at 100% CPU all the time. Usually we start looking for upgrades around 70 or 80% CPU.
So... all that said, your best approach to finding out whether a Cisco 891 is enough is to do some testing with the real services and features that you're going to pass in production. If your IT staff won't turn on many features, plan on 100Mbps bi-directionally. If your IT staff needs to turn on a lot of features, you really should test the router with the combination of features you think you'll need.
Best Answer
I think that's an X/Y-problem. What you need to do is route from LTE to IPoE (transparently or NATed) and then connect your firewall for analysis and filtering.
Bridging happens on the data link layer (L2) and that's impossible between LTE and IP due to framing differences. LTE encapsulates IP and IPoLTE to IPoE needs to be routed.
After all, there's little point in jumping through hoops trying to capture from the LTE interface (more or less directly) when you don't do any significant filtering before the firewall.
Edit: Here is a tested config for the ISR router to achieve this passthrough routing with 1-to-1 NAT:
This works when the firewall/router WAN interface is plugged into the ISR router's ge9 port and the WAN interface is configured with the 10.1.1.1 IP address.