Cisco Systems C7200 manual Hardware Required, Features, Feature Description/Benefit

Page 18

Chapter 1 Overview

Hardware Required

1

Host IO Bus and PCI-X Bus

2

Power supply

The VSA provides hardware-accelerated support for multiple encryption functions:

•128/192/256-bit Advanced Encryption Standard (AES) in hardware

•Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)

•Performance to 900 Mbps encrypted throughput with 300 byte packets and 1000 tunnels

•5000 tunnels for DES/3DES/AES

•Secure Hash Algorithm1 (SHA-1) and Message Digest 5 (MD5) hash algorithms

•Rivest, Shamir, Adelman (RSA) public-key algorithm

•Diffie-Hellman Groups 1, 2 and 5

Hardware Required

The hardware required to ensure proper operation of the C7200 VSA is as follows:

•The C7200 VSA is compatible with the Cisco NPE-G2 processor on the Cisco 7204VXR or Cisco 7206VXR routers.

•ROMmon requirement—12.4(4r)XD5

•I/O FPGA requirement—0x25 (decimal 0.37)

•VSA FPGA requirement—0x13 (decimal 0.19)

Features

This section describes the VSA features, as listed in Table 1-1.

Table 1-1 VSA Features

Feature	Description/Benefit

Throughput1	Performance to 900 Mbps encrypted throughput using 3DES
	or AES on the Cisco 7204VXR and Cisco 7206VXR routers

Number of IPSec protected tunnels2	Up to 5000 tunnels3
Number of tunnels per second	Note: will update after further testing

Hardware-based encryption	Data protection: IPSec DES, 3DES, and AES
	Authentication: RSA and Diffie-Hellman
	Data integrity: SHA-1 and Message Digest 5 (MD5)

VPN tunneling	IPsec tunnel mode; Generic Routing Encapsulation (GRE) and
	Layer 2 Tunneling Protocol (L2TP) protected by IPSec

Minimum Cisco IOS software release	12.4(4)XD3 fc2 or later release of 12.4XD
supported	12.4(11)T or later release of 12.4T
	12.4(11)T or later release of 12.4T

Standards supported	IPSec/IKE: RFCs 2401-2411, 2451

1. As measured with IPSec 3DES HMAC-SHA1 on 1400 byte packets.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

1-4	OL-9129-02

Image 18

Contents Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface AudienceObjectives OrganizationChapter Title Description Related Documentation Obtaining DocumentationCisco.com Documentation Feedback Cisco Product Security OverviewProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field NoticesObtaining Technical Assistance Cisco Technical Support & Documentation WebsiteSubmitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Xiv Overview Data Encryption OverviewVSA Overview Screws Handle Status LED light VSA Module Front ViewFeature Description/Benefit FeaturesThis section describes the VSA features, as listed in Table Hardware RequiredStandards Supported Standards, MIBs, and RFCsPerformance MIBsDisabling the VSA during Operation Command PurposeEnabling/Disabling the VSA Enabling/Disabling SchemeCondition System is Configured Command Description of VSA BehaviorLEDs Slot Locations ConnectorsSee -2for the VSA connectors Cisco 7204VXR RouterPort adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front ViewCisco 7206VXR Router Cisco 7206VXR Front ViewRequired Tools and Equipment Hardware and Software RequirementsRestrictions Software RequirementsHardware Requirements PlatformSafety Guidelines Safety WarningsOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge DamagePreparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damageVSA Removal and Installation This section describes how to remove and install the VSARemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks OverviewUsing the Exec Command Interpreter Configuring an IKE PolicyOptional Specifies the authentication method within an IKE Key Management Protocol Isakmp policy configurationConfig-isakmp mode Signatures as the authentication methodConfiguring a Transform Set Disabling VSA OptionalDefining a Transform Set Transform type Description Crypto Transform Configuration Mode IPSec Protocols AH and ESPSelecting Appropriate Transforms Setting Global Lifetimes for IPSec Security Associations Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Changing Existing TransformsStep Command Purpose Creating Crypto Access Lists Creating Crypto Map EntriesESP authenticator algorithm Only one transform set can be specified when IKE isAuthenticator keys if the transform set includes an Exits crypto-map configuration mode and return toCreating Dynamic Crypto Maps If this is configured, the data flow identity proposed Optional Accesses list number or name of anExtended access list. This access list determines For this crypto access listMonitoring and Maintaining IPSec Applying Crypto Map Sets to InterfacesVerifying IKE and IPSec Configurations Router# show crypto isakmp policyVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IPSec Configuration Example Configuration ExamplesConfiguring IKE Policies Example This section provides the following configuration examplesBasic IPSec Configuration Illustration Router a ConfigurationCrypto map is applied to an interface Router B Configuration Transform set defines how the traffic will be protectedSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diagTunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSAMonitor and Maintenance Commands Configuration Guidelines and RestrictionsD E Sa command, clear crypto Entries, creating Set pfs commandSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1IN-4