Cisco Systems OL-12518-01 Cisco Encryption Solutions, VPNSM-DES, 3DES MDS MPS-DES, 3DES, AES192

Models: OL-12518-01


Chapter 4 FCIP over IP/MPLS Core

Typical Customer Requirements

SPs providing VPN service to transport FCIP traffic to provide additional security

Using an MPLS extranet for application-specific security

Cisco Encryption Solutions

When selecting an encryption solution for FCIP SAN extension, a user needs to determine the requirements for that solution. These requirements may include the speed of the link that needs encryption, the type of encryption required, and the security requirements of the network. Cisco offers three hardware-based encryption solutions in the data center environment: the SA-VAM and SA-VAM2 service modules for the Cisco 7200 VXR and 7400 series routers, and the IPSec VPN Services Module (VPNSM) for the Catalyst 6500 switch and the Cisco 7600 router.

Each of these solutions offers the same configuration steps, although the SA-VAM2 and IPSec VPNSM have additional encryption options. The SA-VAM and SA-VAM2 are used only in WAN deployments, whereas the IPSec VPNSM can support 1.6 Gb/sec throughput, making it useful in WAN, LAN, and MAN environments.

The SA-VAM is supported on the 7100, 7200 VXR, and 7401 ASR routers with a minimum Cisco IOS version of 12.1(9)E or 12.1(9)YE. For use in the 7200 VXR routers, the SA-VAM has a bandwidth cost of 300 bandwidth points. The SA-VAM has a maximum throughput of 140 Mbps, making it suitable for WAN links up to DS3 or E3 line rates.

The SA-VAM2 is supported on the 7200 VXR routers with a minimum Cisco IOS version of 12.3(1). The SA-VAM2 has a bandwidth cost of 600 bandwidth points. The SA-VAM2 has a maximum throughput of 260 Mbps, making it suitable for WAN links up to OC-3 line rates.

The IPSec VPNSM is supported on the Catalyst 6500 switch and the Cisco 7600 router with a minimum Native IOS level of 12.2(9)YO. For increased interoperability with other service modules and additional VPN features, it is recommended that a minimum of 12.2(14)SY be used when deploying this service module.

The choice between these solutions should be based primarily on the following two factors:

Available link speed or bandwidth

Security encryption policies and encryption methods required

The Cisco MDS 9000 with MLS14/2 and the Cisco 9216i support encryption with no performance impact. The MPS Service Module and the Cisco 9216i support line rate Ethernet throughput with AES encryption.

The following are encryption methods supported per module:

SA-VAM—DES, 3DES

SA-VAM2—DES, 3DES, AES128, AES192, AES256

VPNSM—DES, 3DES

MDS MPS—DES, 3DES, AES192

Note: An encrypted data stream is not compressible because it results in a bit stream that appears random. If encryption and compression are required together, it is important to compress the data before encrypting it.
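The ordering rule in the note above, measured on sample data, as an added example that is not part of the Cisco guide. The SHA-256 keystream cipher is a stand-in chosen so the script runs on the Python standard library alone (it is not DES, 3DES or AES), and the sample records, key and nonce are constructed.

```python
import hashlib
import zlib


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || nonce || counter).

    Illustration only. It reproduces the random-looking output of a real
    cipher; it is not one of the algorithms the modules implement.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wire_sizes(payload: bytes, key: bytes, nonce: bytes) -> dict:
    """Return the bytes sent on the link for both orderings."""
    compress_then_encrypt = keystream_encrypt(key, nonce, zlib.compress(payload, 6))
    encrypt_then_compress = zlib.compress(keystream_encrypt(key, nonce, payload), 6)
    # Receiver side of the recommended order: decrypt (XOR is its own
    # inverse), then decompress, and confirm the payload survives.
    recovered = zlib.decompress(keystream_encrypt(key, nonce, compress_then_encrypt))
    if recovered != payload:
        raise ValueError("round trip failed")
    return {
        "original": len(payload),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


# Constructed sample: repetitive record data, as block replication often is.
SAMPLE = b"".join(
    b"LBA=%08d status=OK volume=vol01 checksum=00000000\n" % i for i in range(1300)
)
KEY = b"constructed-demo-key"      # constructed value
NONCE = b"constructed-nonce"       # constructed value

if __name__ == "__main__":
    for name, size in wire_sizes(SAMPLE, KEY, NONCE).items():
        print(f"{name:24s} {size:7d} bytes")
```

Compressing first shrinks the payload before it reaches the cipher; compressing the ciphertext leaves the size essentially unchanged, so the compression stage spends work on the link and saves nothing.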

Data Center High Availability Clusters Design Guide
