Cisco Part Number Reference


Cisco Systems, Inc., is a manufacturer of high-quality networking and network security hardware, software, and services. They are also known for having a meticulous part numbering system but terrible descriptions of their products in their pre-sales documentation. IT professionals know that decoding the part numbers is the key to knowing the features and capabilities of a given product.

This reference will cover the most common questions, for quick reference.

Encryption: K8 or K9

Encryption capabilities, used primarily for secure remote access, are described by the designation K8 or K9 at the end of a file name or part number.

Code Description Cryptographic Algorithms Supported
K7 or NPE No encryption None
K8 Base encryption DES, 56-bit RC4
K9 Strong encryption 3DES, 128-bit RC4, AES, and all stronger ciphers

This code may appear on hardware part numbers and software image file names. For hardware, this represents the level of encryption the hardware will support. Some hardware, such as the Cisco Adaptive Security Appliance (ASA), can be upgraded from K8 to K9 by entering a Strong Encryption license key, tied to the hardware serial number. The hardware and its software are otherwise exactly the same.

For software images to be installed on Cisco hardware, the code may represent the minimum licensing required of the hardware, not the capabilities of the software itself. For example, the software images for the Cisco ASA all have K8 in the file name, and there are no K9 files to be found. IT managers may think if they have an ASA running strong encryption (K9), they'll reduce their encryption level if they upgrade the software with a K8 image. This is not the case; upgrading the software does not change the hardware's licenses. After you install a new software image with K8 in the name onto an ASA licensed for K9, you can verify that your ASA is still using strong encryption by typing show version in user EXEC mode.

For IOS-based Cisco routers, however, the software images themselves are what enable or disable the encryption level, and are labeled K8 or K9.

Encryption levels in Cisco's catalog were developed for compliance with laws and treaties restricting sales of equipment capable of strong encryption to certain countries, individuals, or entities (export restrictions). The purpose of these laws is to keep high-encryption technology, which we are unable to crack, out of the hands of our enemies. These rules are somewhat complicated. However, if you are a non-government customer in the United States who hasn't ever broken any laws relating to technology exports, you are eligible to purchase and download K9 products.

Equals Sign

If you see = at the end of a Cisco part number, this means it is intended to be sold as a replacement part or upgrade. This part number is used by Cisco technical support representatives, and you'll see it when looking for upgrade modules or memory. The same part number without the = is used when a Cisco pre-sales engineer or partner is putting together components to plan your network configuration and give you a price quote. Cisco's configuration management applications (such as the Cisco Commerce Workspace) implement automated checks to confirm compatibility amongst the components he chooses, and might flag any problems it finds. These checks are skipped for parts with an equals sign.

And that is all it's for. The parts themselves are the same, and the price should be the same, regardless of the presence of an equals sign in the part number.

Service Contracts

Cisco is known for its Smart Net Total Care (SNTC) service contracts (formerly known as SMARTnet), which get you in touch with some of the most highly-trained and skilled technical support representatives in the world, and offer advance hardware replacement. The contract order numbers are generally comprised of three sections:

  1. CON, for "contract"
  2. A code for the service level, such as OSP, covered extensively in the tables below
  3. An allocation code, which is either the hardware or device it applies to (such as AS5B50K9 for an ASA 5505 with a 50-user license) or a generic code SMS, depending on how it is ordered

All SNTC contracts provide:

  • Advance replacement of failed hardware and components within a specified Hardware Delivery Time following a determination that replacement is necessary, regardless of the factory warranty status.
  • The right to open a support case with the Cisco Technical Assistance Center (TAC), at any time, which includes remote diagnostics and configuration assistance. Response time to begin diagnostics depends on severity of the outage, and is not related to the Hardware Delivery Time. If you have a severe impact outage, the TAC will respond promptly late at night on a weekend even if your contract only provides for next-business-day hardware replacement.


Here are some of the more common codes you'll encounter to designate the level of service offered by a given contract.

Hardware Device Support

Service Level Code Hardware Service Hardware Delivery Times Software Upgrades1
SW2 None N/A Major releases
SNT Parts delivery only 8x5xNBD Major releases
SNTE Parts delivery only 8x5x4 Major releases
SNTP Parts delivery only 24x7x4 Major releases
S2P Parts delivery only 24x7x2 Major releases
CS or OS Onsite installation 8x5xNBD Major releases
C4S or OSE Onsite installation 8x5x4 Major releases
C4P or OSP Onsite installation 24x7x4 Major releases
C2P or PREM Onsite installation 24x7x2 Major releases

1 Software Upgrades here apply only to the software image that runs the device, not for any separate Cisco software applications you may have purchased. For example, upgrades for the Cisco AnyConnect Plus and Apex software, while deployed from the ASA device, are not covered by a contract on the ASA alone.

2 For SW, TAC support is limited to software issues and equipment installation only. Apart from any Smart Net contract, Cisco hardware generally comes with a 90-day factory warranty.

Software Application Support

Service Level Code Software Upgrades
SAU/SASU/PSAU Major releases
SAS Minor releases only

Cisco Services for IPS

Cisco's Intrusion Prevention Systems (IPS) devices have their own set of service contracts. These contracts include Smart Net support for the module and the device it's installed in, plus IPS signature update subscriptions. Cisco IPS products include modules for the ASA firewall (AIP SSM and IPS SSP), modules for Catalyst 6000-series switches (IDSM-2), modules for ISR routers (AIM-IPS and NME-IPS), and 4200- and 4500-series standalone IPS appliances. Please note these are or have been superseded by the Firepower series of products, and are not generally available anymore.

Service Level Code Hardware Service Hardware Delivery Times Software Upgrades
SUSW None N/A IPS signatures and major software releases
SU1 Parts delivery only 8x5xNBD IPS signatures and major software releases
SU2 Parts delivery only 8x5x4 IPS signatures and major software releases
SU3 Parts delivery only 24x7x4 IPS signatures and major software releases
SU4 Parts delivery only 24x7x2 IPS signatures and major software releases
SUO1 Onsite installation 8x5xNBD IPS signatures and major software releases
SUO2 Onsite installation 8x5x4 IPS signatures and major software releases
SUO3 Onsite installation 24x7x4 IPS signatures and major software releases
SUO4 Onsite installation 24x7x2 IPS signatures and major software releases

More Information

A sample part number might be CON-S2P-1941, which is two-hour advance hardware shipment for a Cisco ISR 1941 router, 24 hours a day.

All contracts are for one year, renewable until the last date specified in any end-of-life announcement for a given product. If you see a numeral preceding the service level code, though, this means the contract is good for that many years. For example, CON-3SNT-WA571AK9 means next-business-day parts delivery and technical support for three years for a Cisco WAP571 wireless access point.

Here is some detail about what's in the above tables.

Hardware Service

Designation Description
Parts delivery only Parts will be sent to you by a third-party courier. This is appropriate if you have onsite technicians who can install hardware.
Onsite installation A Cisco-qualified engineer will visit your site to install the equipment.

Hardware Delivery Times

Designation Description
8x5xNBD Once Cisco determines equipment has failed, the replacement hardware will ship overnight, for business-day delivery. It will go out the same day if before 3 p.m. Otherwise, it will be received on the second business day.
8x5x4 Once Cisco determines equipment has failed, the replacement hardware will be delivered same day if before 1 p.m. Otherwise, it will leave the delivery facility by 9 a.m. the next business day, for four-hour courier delivery.
24x7x4 Once Cisco determines equipment has failed, the replacement hardware will be hand-delivered by courier within four hours, any time of the day or night, every day of the year.
24x7x2 Once Cisco determines equipment has failed, the replacement hardware will be delivered by courier within two hours, any time of the day or night, every day of the year.

Software Upgrades

Designation Description
Minor releases Updates to fix bugs or add minor features only. This would include updates from version 3.5 to 3.6, but not from 3.5 or 3.6 to 4.0.
Major releases Version upgrades with new features and capabilities (such as from 3.6 to 4.0), as well as minor releases in-between major releases.