Manuals / Cisco Systems / Computer Equipment / Network Cables

Cisco Systems C7200 manual Hardware Required, Features, Description/Benefit

Models: C7200

1 62

Download 62 pages 7.3 Kb

Page 18

Hardware Required

Chapter 1 Overview

Hardware Required

1

Host IO Bus and PCI-X Bus

2

Power supply

The VSA provides hardware-accelerated support for multiple encryption functions:

•128/192/256-bit Advanced Encryption Standard (AES) in hardware

•Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)

•Performance to 900 Mbps encrypted throughput with 300 byte packets and 1000 tunnels

•5000 tunnels for DES/3DES/AES

•Secure Hash Algorithm1 (SHA-1) and Message Digest 5 (MD5) hash algorithms

•Rivest, Shamir, Adelman (RSA) public-key algorithm

•Diffie-Hellman Groups 1, 2 and 5

Hardware Required

The hardware required to ensure proper operation of the C7200 VSA is as follows:

•The C7200 VSA is compatible with the Cisco NPE-G2 processor on the Cisco 7204VXR or Cisco 7206VXR routers.

•ROMmon requirement—12.4(4r)XD5

•I/O FPGA requirement—0x25 (decimal 0.37)

•VSA FPGA requirement—0x13 (decimal 0.19)

Features

This section describes the VSA features, as listed in Table 1-1.

Table 1-1 VSA Features

Feature	Description/Benefit

Throughput1	Performance to 900 Mbps encrypted throughput using 3DES
	or AES on the Cisco 7204VXR and Cisco 7206VXR routers

Number of IPSec protected tunnels2	Up to 5000 tunnels3
Number of tunnels per second	Note: will update after further testing

Hardware-based encryption	Data protection: IPSec DES, 3DES, and AES
	Authentication: RSA and Diffie-Hellman
	Data integrity: SHA-1 and Message Digest 5 (MD5)

VPN tunneling	IPsec tunnel mode; Generic Routing Encapsulation (GRE) and
	Layer 2 Tunneling Protocol (L2TP) protected by IPSec

Minimum Cisco IOS software release	12.4(4)XD3 fc2 or later release of 12.4XD
supported	12.4(11)T or later release of 12.4T
	12.4(11)T or later release of 12.4T

Standards supported	IPSec/IKE: RFCs 2401-2411, 2451

1. As measured with IPSec 3DES HMAC-SHA1 on 1400 byte packets.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

1-4	OL-9129-02

Image 18

Cisco Systems C7200 manual Hardware Required, Features, Description/Benefit

Contents

Cisco Systems, Inc 170 West Tasman Drive San Jose, CA C7200 VSA VPN Services Adapter Installation and Configuration GuideCorporate Headquarters 800 553-NETS Fax 408Turn the television or radio antenna until the interference stops C O N T E N T S FeaturesDefinitions of Service Request Severity PrefaceSafety Warnings The Crypto Transform Configuration Mode 4Configuration Tasks 4 Removing and Installing the VSARouter B Configuration Verifying the Configuration 4Router A Configuration Troubleshooting TipsContents C7200 VSA VPN Services Adapter Installation and Configuration GuideOL-9129-02 Warnings PrefaceAudience Audience, page Warnings, page Objectives, page Organization, pageConfiguring the VSA Preparing for InstallationRemoving and Installing the VSA ObjectivesRelated Documentation Obtaining DocumentationCisco.com Product Documentation DVD Documentation FeedbackCisco Product Security Overview Ordering DocumentationReporting Security Problems in Cisco Products Product Alerts and Field NoticesFor emergencies only - security-alert@cisco.com Obtaining Technical Assistance Cisco Technical Support & Documentation Websitehttp//tools.cisco.com/RPF/register/register.do Obtaining Additional Publications and Information Submitting a Service RequestDefinitions of Service Request Severity xiiiThe Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL Overview Hardware Required, page Features, pageEnabling/Disabling the VSA, page LEDs, page Connectors, page Data Encryption OverviewVSA Overview Screws Feature FeaturesHardware Required Description/BenefitStandards Supported Standards, MIBs, and RFCsPerformance MIBsdisabled Disables the C7200 VSAEnables the C7200 VSA after it has been Enabling/Disabling the VSALEDs Hw-module slot 0 shutdown -Not supportedno crypto engine slot accelerator 0 -See Table Cisco 7204VXR Router ConnectorsSlot Locations Cisco 7204VXR Router, page Cisco 7206VXR Router, pageFigure 1-4 Cisco 7204VXR Router - Front View C7200 VSA VPN Services Adapter Installation and Configuration GuideENABLED Chapter 1 Overview Slot LocationsC7200 VSA VPN Services Adapter Installation and Configuration Guide Cisco 7206VXR Router1-10 Figure 1-5 Cisco 7206VXR - Front ViewRequired Tools and Equipment Preparing for InstallationOnline Insertion and Removal OIR, page Safety Guidelines, page Hardware and Software RequirementsRestrictions Software RequirementsHardware Requirements PlatformSafety Warnings, page Electrical Equipment Guidelines, page Safety GuidelinesSafety Warnings Online Insertion and Removal OIRElectrical Equipment Guidelines Preventing Electrostatic Discharge DamageCompliance with U.S. Export Laws and Regulations Regarding Encryption Compliance with U.S. Export Laws and Regulations Regarding EncryptionCompliance with U.S. Export Laws and Regulations Regarding Encryption Chapter 2 Preparing for InstallationC7200 VSA VPN Services Adapter Installation and Configuration Guide OL-9129-02Handling the VSA Removing and Installing the VSAWarnings and Cautions, page VSA Removal and Installation, page Handling the VSA, page Online Insertion and Removal OIR, pageThe safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards VSA Removal and InstallationWarnings and Cautions Online Insertion and Removal OIRStep 3 Unscrew the screws holding the VSA in the slot C7200 VSA VPN Services Adapter Installation and Configuration Guide Chapter 3 Removing and Installing the VSAVSA Removal and Installation OL-9129-02Overview, page Configuration Tasks, page Configuration Examples, page Configuring the VSAConfiguration Tasks Basic IPSec Configuration Illustration, pageVerifying IKE and IPSec Configurations, page 4-15 optional Using the EXEC Command InterpreterConfiguring an IKE Policy Configuring IPSec Configuration Example, page 4-18 optionalDefines an IKE policy and enters Internet Security Association VSA will be enabled after the next Configuring a Transform SetDisables VSA system rebootSelecting Appropriate Transforms The Crypto Transform Configuration Mode Changing Existing TransformsDefining a Transform Set Transform Exampleah-md5-hmac Authentication Transform is used, you mustESP Authentication Transform Pick up to ah-sha-hmacSelecting Appropriate Transforms The Crypto Transform Configuration ModeIPSec Protocols AH and ESP esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmacSetting Global Lifetimes for IPSec Security Associations Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Ensuring That Access Lists Are Compatible with IPSec requiredPurpose CommandStep Router# clear crypto sa spi destination-address4-10 Creating Crypto Access ListsCreating Crypto Map Entries Routerconfig# ip access-list extended nameesp spi cipher hex-key-string authenticator 4-11spi cipher hex-key-string authenticator Routerconfig-crypto-m# set session-key inbound ahCreates a dynamic crypto map entry This is the only configuration statement required inCreating Dynamic Crypto Maps Specifies which transform sets are allowed for the4-13 CommandPurpose Monitoring and Maintaining IPSec Applying Crypto Map Sets to Interfaces4-14 Displays your crypto map configuration Verifying IKE and IPSec ConfigurationsDisplays your transform set configuration Displays information about IPSec security associationsVerifying the Configuration 4-16C7200 VSA VPN Services Adapter Installation and Configuration Guide 4-17Chapter 4 Configuring the VSA Configuration Tasks OL-9129-02Configuring IPSec Configuration Example Configuration ExamplesConfiguring IKE Policies Example Configuring IKE Policies Example, pageBasic IPSec Configuration Illustration Router A Configuration4-19 Router B Configuration 4-20Router# show diag Troubleshooting Tips4-21 Router# show crypto engine accelerator statistic4-22 Chapter 4 Configuring the VSA Troubleshooting TipsC7200 VSA VPN Services Adapter Installation and Configuration Guide Monitor and Maintenance Commands, page Using Deny Policies in Access ListsUsing Deny Policies in Access Lists, page Monitoring and Maintaining the VSADisplays integrated service adapter as part of the interfaces Monitor and Maintenance CommandsConfiguration Guidelines and Restrictions Verifies the VSA is currently processing crypto packetsI N D E IN-1IN-2 creating 4definition IN-3 Index IN-4C7200 VSA VPN Services Adapter Installation and Configuration Guide OL-9129-02