Cisco ISR 4331 Integrated Services Router

BH #CIR4331SECK9 • MFR #ISR4331-SEC/K9
Cisco ISR 4331 Integrated Services Router
Key Features
  • 1 x 10/100/1000 Mb/s RJ45/SFP Port
  • 1 x 10/100/1000 Mb/s RJ45 Port
  • 1 x 10/100/1000 Mb/s SFP Port
  • 1 x 10/100/1000 Mb/s Management Port
Boost the efficiency and functionality of your corporate network with the ISR 4331 Integrated Services Router from Cisco. Boasting an aggregate data throughput of up to 100 Mb/s that's upgradeable to up to 300 Mb/s, the ISR 4331 router is equipped with a total of three WAN/LAN ports, including one Gigabit Ethernet RJ45/SFP port, a Gigabit Ethernet RJ45 port, and a Gigabit SFP port, along with a mini-USB port, a USB 2.0 Type-A port, two NIM (network interface module) slots, and one enhanced service module slot.
Special Order
Expected availability: 7-10 business days
$511/mo. suggested payments
with 12 Mos. Promo Financing* 
Protect your Gear
Add a protection plan from $279.99

True Know-How

Ask Our Experts


Cisco 4331 Overview

  • 1Description
  • 2General Features
  • 3Architectural Features
  • 4Management Features
  • 5Cisco IOS XE Software
  • 6Additional Features
  • 7Security Features
  • 8Cisco IOS Software Licensing and Packaging

Boost the efficiency and functionality of your corporate network with the ISR 4331 Integrated Services Router from Cisco. Boasting an aggregate data throughput of up to 100 Mb/s that's upgradeable to up to 300 Mb/s, the ISR 4331 router is equipped with a total of three WAN/LAN ports, including one Gigabit Ethernet RJ45/SFP port, a Gigabit Ethernet RJ45 port, and a Gigabit SFP port, along with a mini-USB port, a USB 2.0 Type-A port, two NIM (network interface module) slots, and one enhanced service module slot.

The ISR 4331 makes use of Cisco's Software Defined WAN, designed to intelligently route network data over the most optimal links, while offering control over application performance, bandwidth, privacy and WAN link availability. The router also employs Cisco's intent-based Digital Network Architecture (DNA) to interpret and analyze network data, helping to boost security and identify potential network issues.

General Features


Concurrent software services at speeds up to 2 Gb/s. Backplane architecture supports high-bandwidth module-to-module communication at speeds up to 10 Gb/s.

Cisco Software Defined WAN

Designed to reliably and securely connect users, devices, and branch office locations across a diverse set of WAN transport links. SDWAN-enabled routers like the ISR 4331 dynamically route traffic across the best link based on up-to-the-minute application and network conditions for optimal application experiences, allowing for tight control over application performance, bandwidth usage, data privacy, and availability of your WAN links.

Cisco Converged Branch Infrastructure

Consolidates many must-have IT functions, including network, compute, and storage resources, while running multiple concurrent services, including encryption, traffic management, and WAN optimization. New services can be activated on demand through a simple licensing change.

Cisco Intent Based Networking and Digital Network Architecture (DNA)

An open, extensible, software-driven architecture that relies on intent-based networking, a networking approach that helps organizations automate, simplify, and secure the network. The intent-based DNA network interprets every byte of data that flows across it, resulting in better security, more customized experiences, and faster operations. It also translates your intent into the right network configuration, making it possible to manage and quickly provision multiple devices. Intent-based network learns from the data flowing through it and turns that data into actionable insight, helping you solve issues before they become problems.

DNA Center

Provides a centralized management dashboard across your network, including the branch, campus, data center, and cloud components. Rather than relying on box-by-box management, you can design, provision, and set policy end-to-end from the single DNA Center interface. This allows you to respond to organizational needs faster and to simplify day-to-day operations. Cisco DNA Analytics and Assurance and Cisco Network Data Platform (NDP) help you get the most from your network by continuously collecting and putting insights into action. Cisco DNA is open, extensible, and programmable at every layer. It integrates Cisco and third-party technology, open APIs, and a developer platform to support a rich ecosystem of network-enabled applications.

Cisco Unified Survivable Remote Site Telephony (SRST)

Serves as a resiliency complement to Cisco Hosted Collaboration Solution (HCS), a Cisco cloud-based UC service.

VoIP and Rich Media Experiences

High-performance analog/digital gateway, allowing VoIP over less expensive Session Initiation Protocol (SIP) trunks. Includes integrated IP PBX (Cisco Unified Communications Express) and Session Border Controller (Cisco Unified Border Element, or CUBE).

Architectural Features

Multicore Processors

High-performance multicore processors support high-speed WAN connections. The data plane uses an emulated Flow Processor (FP) that delivers Application-Specific Integrated Circuit (ASIC)-like performance that's designed not to degrade as services are added.

Embedded IP Security (IPsec) VPN Hardware Acceleration

Helps to increase scalability. When combined with an optional Cisco IOS XE Software Security license, enables WAN link security and VPN services.

USB-Based Console Access

A mini-USB Type-B console port supports management connectivity when traditional serial ports are not available.

Optional Integrated Power Supply for Distribution of PoE

An optional upgrade to the internal power supply provides inline power (802.3af-compliant PoE or 802.3at-compliant PoE+) to optional integrated switch modules. Redundant PoE conversion modules provide an additional layer of fault tolerance.

Optional Integrated Redundant Power Supply (RPS)

Power redundancy is available by installing an optional integrated RPS for decreasing network downtime and protecting the network from power failures. Optional PoE boost mode increases total PoE capacity to up to 530W.

Cisco Enhanced Services Module (SM-X)

Each service-module slot offers high data-throughput capability of up to 10 Gb/s toward the system and up to 1 Gb/s to other module slots. An SM-X slot can be converted into a Network Interface Module (NIM) slot using an optional carrier card. Service modules support Online Insertion and Removal (OIR), avoiding network disruption when installing new or replacement modules.

Cisco Network Interface Modules (NIMs)

Two integrated NIM slots allow for flexible configurations. Each NIM slot offers options of up to two 2 Gb/s connections, including one towards the route processor and one for direct module to module communication. NIMs support OIR. Special NIMs add support solid-state drives (SSDs) and hard disk drives (HDDs). Unified Communications (UC) and UC-based NIMs are not supported.

Cisco Integrated Services Card (ISC) Slot on Motherboard

Integrated Services Card natively supports Cisco High-Density Packet Voice Digital Signal Processor Modules (PVDM4s), providing greater-density rich-media voice. Each Integrated Services Card slot connects to the system architecture through an up to 2 Gb/s link. Future modules can be hosted on the Integrated Services Card slot, improving system functions.

Flash Memory Support

A single flash memory slot is available to support high-speed storage densities, upgradeable to up to 16 GB. A USB 2.0 Type-A port allows for additional storage.


Default memory is 4 GB, upgradeable to 16 GB to provide additional scalability.

Management Features

Cisco IOS Embedded Event Manager (EEM)

A distributed and customized approach to event detection and recovery that offers the ability to monitor events and take informational, corrective, or any desired EEM action when the monitored events occur or when a threshold is reached.

Cisco IOS XE IP Service-Level Agreements (IP SLAs)

Helps assure the performance of new business-critical IP applications as well as IP services that use data and voice in an IP network.

ISR-AX Application Experience

Software bundle with advanced routing and network monitoring services.

Network Monitoring and Accounting Tools

Includes SNMP, Remote Monitoring (RMON), syslog, NetFlow, and IP Flow Information Export (IPFix).

Cisco IOS XE Software


IPv4, IPv6, static routes, Routing Information Protocol Versions 1 and 2 (RIP and RIPv2), Open Shortest Path First (OSPF), Enhanced IGRP (EIGRP), Border Gateway Protocol (BGP), BGP Router Reflector, Intermediate System-to-Intermediate System (IS-IS), Multicast Internet Group Management Protocol Version 3 (IGMPv3), Protocol Independent Multicast sparse mode (PIM SM), PIM Source Specific Multicast (SSM), RSVP, CDP, ERSPAN, IPSLA, Call Home, EEM, IKE, ACL, EVC, DHCP, FR, DNS, LISP, OTV[6], HSRP, RADIUS, AAA, AVC, Distance Vector Multicast Routing Protocol (DVMRP), IPv4-to-IPv6 Multicast, MPLS, Layer 2 and Layer 3 VPN, IP sec, Layer 2 Tunneling Protocol Version 3 (L2TPv3), Bidirectional Forwarding Detection (BFD), IEEE 802.1ag, and IEEE 802.3ah.


Generic routing encapsulation (GRE), Ethernet, 802.1q VLAN, Point-to-Point Protocol (PPP), Multilink Point-to-Point Protocol (MLPPP), Frame Relay, Multilink Frame Relay (MLFR) (FR.15 and FR.16), High-Level Data Link Control (HDLC), Serial (RS-232, RS-449, X.21, V.35, and EIA-530), and PPP over Ethernet (PPPoE).

Traffic management

QoS, Class-Based Weighted Fair Queuing (CBWFQ), Weighted Random Early Detection (WRED), Hierarchical QoS, Policy-Based Routing (PBR), Performance Routing, and NBAR.

Cryptographic Algorithms

Encryption: DES, 3DES, AES-128 or AES-256 (in CBC and GCM modes); Authentication: RSA (748/1024/2048 bit), ECDSA (256/384 bit); Integrity: MD5, SHA, SHA-256, SHA-384, and SHA-512.

Additional Features

Branch-in-a-Box Capabilities

Built-in processing cores allow full-featured services to run on-board. This includes the full-featured Cisco WAAS engine that provides application acceleration and virtual desktop experience. The technology is known as Cisco Service Containers and it uses a standard hypervisor to allow x64 based applications to run. The router can also be fitted with solid-state drives and server cards for local storage and computing capability. Cisco UCS-E server cards are available with 8-core Intel Xeon processors with up to 48GB of high speed DDR3 memory and three drives built in offering RAID 0, 1 and 5, eliminating the need for dedicated servers at branch sites. UCS-E cards can be configured and managed using VMware vCenter and pooled with Data Center compute resources.

Software Subscription through DNA Licensing

The ISR 4331 supports software-based subscription using DNA-based licensing. Three DNA based software subscription licenses are available for the WAN portfolio: DNA Essentials, DNA Advantage and Cisco ONE Advantage, allowing customers to have a single unified solution that spans across ISR 4000 series routers and its ASR 1000 and ISR 1000 counterparts. The license tiers are structured to support the growth in business needs enabling the customer to move from basic functionality using the DNA Essentials to full-functionality with the DNA Advantage and expanding that to include WAN Optimization and Analytics on the Cisco ONE Advantage. This provides flexibility to move the same license across end-points based on growing network and security requirements, growth in bandwidth based on user and application growth at the sites, and the ability to change the management of the platform from on-prem to cloud or vice-versa.

Enterprise NFV (Network Function Virtualization)

Built to reduce costs without compromising vital network services, the UCS E-Series router-integrated branch blade servers provide support for a virtualization-ready and application-centric platform that can be integrated on the ISR 4000 platform. Customers can install virtualized applications on ISR 4000-series routers through the Cisco Enterprise NFV Infrastructure Software (NFVIS), a virtualization infrastructure that integrates full VM life-cycle management, monitoring, device programmability, and service chaining in a single, installable package.

Performance and Scalability

Built on a multicore CPU architecture, the ISR 4331 runs modular Cisco IOS XE Software, which allows it to take advantage of a distributed multicore architecture. The architecture separates control- and data-plane operations and integrates a services plane designed to deliver integrated services up to Layer 7 with the ability to deliver application-aware network services, all while maintaining a stable platform and a high level of performance during periods of heavy network traffic. The platforms comes with fixed maximum performance levels. One fixed base performance level is delivered as factory default, while an optional performance-on-demand license is designed to increase the base forwarding throughput, enabling deployment in high-speed WAN environments through performance-on-demand licensing to potentially triple the router capacity without hardware upgrades. Fixed performance levels are set within actual capacity, with the result that performance does not necessarily degrade when a service is added to the configuration. This setup provides a deterministic performance, eliminating a network administrator's guesswork when planning for new services.

Boost License

Lets customers completely remove the ISR 4331's performance limiters, allowing for more than 2 Gb/s of IP Routing (CEF) performance.

Software-Defined WAN

The ISR 4331 is optimized for the Software Defined WAN (SD-WAN), which helps business-critical applications run faster, with more reliability and reduced Operational Expenditure (OpEx). The SDWAN gives all branches and Data Centers the ability to monitor, control, move and report on streams of application data such as specific web (HTTP) traffic. The ISR 4000 series has deep packet inspection capability and can accurately identify and control thousands of different applications including custom in-house enterprise applications.

SD-WAN Licenses

The SD-WAN implementation on the router is implemented by managing the end device either from the cloud or on-premise through three ascending levels of throughput-based subscription licenses, enabling customers to transition between on-premise and cloud management as needed. The SDWAN subscriptions are aligned across three subscription licenses:
  • DNA Essentials covers all types of connectivity and router life-cycle management, support for network and application visibility coupled with basic premise and transport security.
  • DNA Advantage provides for Advanced WAN topologies, application-aware policies supported by enhanced network security.
  • DNA Premiere (formerly known as Cisco ONE Advantage) provides for cloud connectivity with unlimited segmentation, advanced application optimization, and network analytics, secured by advanced threat protection.
  • Support for Data Modelling

    Provide support for Netconf and YANG data-modelling with increasing model coverage in successive releases.

    Software Maintenance Upgrades (SMU)

    Supports Software Maintenance Upgrades (SMU), a package that can be installed on a system to provide a patch fix or security resolution to a released image. An SMU package is provided on a per-release and per-component basis and is specific to the platform. An SMU is an independent and self-sufficient package and it does not have any prerequisites or dependencies.

    Network Plug-and-Play

    Helps automate the onboarding of new devices on your network by applying configuration settings without manual intervention. With the ease of a centrally managed controller, it reduces the time a new device takes to join your network and become functional.

    Security Features

    Cisco Trust Anchor Technologies

    Helps mitigate cyberattacks by verifying platform integrity and providing protection from counterfeit and unauthorized modification of hardware and software.

    Cisco WAN MACsec

    Using the NIM‑2GE-CU-SFP module, WAN MACsec provides a line-rate network encryption solution over Layer 2 Ethernet transport services and can be leveraged outside campus networks, whether it be over Metro Ethernet transport or Data Center Interconnect (DCI) links. MACsec also secures WAN connections that are leveraging Ethernet as the link-layer media. When enabling MACsec, you will need to procure the Security and HSEC licenses to stay within the limits of federal export control regulations.

    Cisco Encrypted Threat Analytics

    Allows customers to perform cryptographic assessments and identify malware communications in encrypted traffic through passive monitoring. Using information about events that occur inside of a flow or intraflow telemetry to identify malware communication in encrypted traffic helps maintain the integrity of the encrypted flow without the need for bulk decryption. When customers wish to enable ETA, the Security (SEC) license needs to be enabled.

    Cisco Snort IPS and Cisco Umbrella Branch

    Offers a lightweight threat defense solution that uses industry-recognized Snort open-source Intrusion Prevention System (IPS) technology, ideal for customers looking for a cost-effective solution that provides one box for both advanced routing capabilities and integrated threat defense security to help comply with regulatory requirements. Cisco Umbrella Branch is a cloud-delivered security service that provides visibility and enforcement at the DNS layer, helping to block requests to malicious domains and IPs before a connection is ever made. Enabling Snort needs a Security (SEC) license and a signature subscription license, while enabling Cisco Umbrella Branch requires an Umbrella Branch license and a subscription license.

    Additional Security Features

  • Dynamic Multipoint VPN (DMVPN), zone-based firewalls, Intrusion Prevention (Snort and Umbrella Branch) and Content Management using Cisco Cloud Web security and OpenDNS protecting data, providing authentication credentials, and transmissions not backhauled through the data center.
  • Secure boot feature performs hardware-based authentication of the bootloader software to prevent malicious or unintended software from booting on the system.
  • Code signing verifies digital signatures of executables prior to loading to prevent execution of altered or corrupted code.
  • Hardware authentication protects against hardware counterfeiting by using an on-board tamper-proof silicon, including field replaceable modules. If authentication fails, the module is not allowed to boot.
  • Cisco Cloud Web Security support.
  • Cisco IOS Software Licensing and Packaging

    Universal IOS XE and XE-SDWAN Image

    A single Cisco IOS XE Universal image encompassing all functions is delivered with the router. Advanced features can be enabled by simply activating a software license on the Universal image. Technology packages and feature licenses, enabled through right-to-use licenses, simplify software delivery and decrease the operational costs of deploying new features. Beginning IOS version 16.9.1, SDWAN support is provided for IOS image on the router. The SDWAN features are provisioned through a separate image, the XE-SDWAN image. While the Universal IOS-XE image provides for routing features, the XE-SDWAN image provides support for on-premises or cloud-based Software Defined WAN solutions.

    Technology Licenses

    Four major technology licenses are available on the Cisco 4000 Family and use the IOS-XE image, including:
  • IP Base: This technology package is available as default.
  • Application Experience (APPX): This license includes data and application performance features.
  • Unified Communications (UC: This license includes voice features.
  • Security (SEC) or Security with No Payload Encryption (SEC-NPE): This license includes features for securing network infrastructure.
    The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250 Mb/s of crypto bandwidth would be available. IOS-XE provides support for both perpetual and subscription licensing. Subscription Licensing with support for DNA Center is offered using the three licenses of DNA Essentials, DNA Advantage, and DNA Premier in-line with similar licenses that provide support on the XE-SDWAN side.
  • Smart Software Licensing Support for IOS-XE

    IOS-XE supports Smart Licensing beginning with image version 16.6.1 and Device Led Conversion with image version 16.9.1. Smart Software licensing is a simplified license management system that delivers visibility into customer license ownership and consumption. Licenses are managed through a central Cisco Smart License cloud portal (CSSM). The cloud portal maintains an account of what the customer has bought and what they are using, thus alerting the customer if they go out of compliance. Customers can determine what licenses they own and how they are being used. Customers benefit from being able to pool available licenses thus providing for a more straightforward license usage across like-platforms, thus decreasing operational costs. While customers can purchase existing SKUs, they must create a Smart Account when implementing Smart Licensing. One or more Virtual Accounts maybe created under the Smart Account to enable the organization to logically segregate the purchased licenses. Device Led Conversion (DLC) allows the customer to convert all existing PAK and RTU licenses on the router into a Smart License.
    UPC: 882658710544

    Cisco 4331 Specs

    Ports1 x 10/100/1000 Mb/s Gigabit Ethernet RJ45
    1 x 10/100/1000 Mb/s Gigabit SFP
    1 x 10/100/1000 Mb/s Gigabit Combo Ethernet/SFP
    1 x Ethernet RJ45 (Console)
    1 x Ethernet RJ45
    1 x Mini-USB
    1 x 480 Mb/s USB Type-A
    Throughput100 Mb/s
    Flash Memory4 GB
    Memory4 GB DDR3
    Power Draw530.00 W
    AC Input Power100 to 240 VAC, 50 / 60 Hz at 1.3 to 3 A
    PoE Power Budget530 W
    Operating Temperature32 to 104°F / 0 to 40°C
    Operating Humidity5 to 85%
    Operating Altitude0 to 10,000' / 0 to 3050 m
    Storage Temperature-40 to 158°F / -40 to 70°C
    Storage Humidity5 to 95%
    Storage Altitude15,584' / 4750 m
    Noise Level81.6 dB (Active)
    CertificationsCAN/CSA, EN 60950-1, UL, as per Manufacturer
    Mean Time Between Failures (MTBF)587,250 Hours
    Rack Form Factor1 RU
    Dimensions1.75 x 17.25 x 17.25" / 44.45 x 438.15 x 438.15 mm
    Weight16.1 lb / 7.3 kg
    Packaging Info
    Package Weight19.3 lb
    Box Dimensions (LxWxH)23.1 x 23 x 6.9"
    See any errors on this page? Let us know