SYSTEM Cited by 1 source

Cisco 8000 Series Secure Routers

What

The Cisco 8000 Series Secure Routers (cisco.com/8000-series) are Cisco's branch-connector / SD-WAN / secure-router hardware family, positioned as the enterprise-edge device connecting branch offices and remote sites to corporate backbones and cloud networking providers over IPsec, MPLS, or SD-WAN overlays.

On the sysdesign-wiki, the 8000 Series appears as one of the interoperability-verified branch connectors for Cloudflare's 2026-04-30 post-quantum IPsec GA.

(Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)

Role in the wiki

The 8000 Series is canonical here as a hardware implementation of draft-ietf-ipsecme-ikev2-mlkem, the IETF draft specifying hybrid ML-KEM for IPsec. Cloudflare's 2026-04-30 post:

"Customers using Cisco 8000 Series Secure Routers after version 26.1.1 as their branch connector can also now establish post-quantum Cloudflare IPsec tunnels per draft-ietf-ipsecme-ikev2-mlkem." (Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)

The structural significance: enterprises with existing Cisco 8000 Series hardware can enable PQ IPsec to Cloudflare without replacing hardware. Cloudflare's framing:

"You can start protecting your wide-area network (WAN) against harvest-now-decrypt-later attacks today using hardware you already have."

This is the "default-on security upgrade at no additional cost" pattern propagating downstream to hardware vendors: customer hardware investment is preserved, and only a software/firmware upgrade is required.

Version requirement

  • Cisco 8000 Series Secure Routers at version 26.1.1 or later implement draft-ietf-ipsecme-ikev2-mlkem. Earlier versions support classical IPsec but not the post-quantum hybrid.

The Cisco 8000 Series 26.1.x release notes document the PQ support addition.

Why this matters structurally

Enterprise VPN / branch-connector hardware has multi-year refresh cycles. Unlike browsers (auto-update), SSH clients (package-manager update), or server software (operator-triggered update), router firmware upgrades at enterprise sites typically trail the software-upgrade window by months to years. For PQ IPsec to roll out at pace, major branch-connector vendors must ship the new standard inside their normal firmware-update cadence so that enterprise customers get PQ without a forklift upgrade.

Cisco, with the 8000 Series at 26.1.1, is one such vendor shipping on schedule; FortiOS 7.6.6 is the parallel instance. Palo Alto Networks shipped early on RFC 9370 (pre-standardisation) and now has a convergence cost to pay.

Caveats

  • The 2026-04-30 Cloudflare post does not disclose Cisco's architectural approach to ML-KEM integration (software-only, hardware-accelerated, cryptographic accelerator card, etc.). The PQ handshake's CPU cost on Cisco 8000 Series hardware is not quantified.
  • No tunnel-throughput or concurrent-session numbers for the post-quantum path are disclosed by either Cisco or Cloudflare in this post.
  • FIPS-compliance status of the hybrid on Cisco hardware is not explicitly discussed. ML-KEM is FIPS 203 approved; classical DH is FIPS-approved; the composite's FIPS status for US-government customers would need separate verification.
  • This page is a stub scoped to what the 2026-04-30 Cloudflare post names about the Cisco 8000 Series. Detailed Cisco router architecture, SD-WAN orchestration, or non-IPsec Cisco 8000 features are not in scope here.
