cc/td/doc/product/core/7200vx/portadpt
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table Of Contents

Overview

Data Encryption Overview

SA-VAM2 Overview

Features

Performance

Supported Standards, MIBs, and RFCs

Standards

MIBs

RFCs

LEDs

Cables, Connectors, and Pinouts

Slot Locations

Cisco 7200 Series Routers

Cisco 7301 Router


Overview

This chapter describes the Service Adapter VPN Acceleration Module 2 (SA-VAM2) and contains the following sections:

Data Encryption Overview

SA-VAM2 Overview

Features

Supported Standards, MIBs, and RFCs

LEDs

Cables, Connectors, and Pinouts

Slot Locations

Data Encryption Overview

This section describes data encryption, including the IPSec, IKE, and certification authority (CA) interoperability features.

Note For additional information on these features, refer to the "IP Security and Encryption" chapter in the Security Configuration Guide and Security Command Reference publications.

IPSec is a network level open standards framework, developed by the Internet Engineering Task Force (IETF) that provides secure transmission of sensitive information over unprotected networks such as the Internet. IPSec includes data authentication, antireplay services and data confidentiality services.

Cisco follows these data encryption standards:

IPSec—IPSec is an IP layer open standards framework that provides data confidentiality, data integrity, and data authentication between participating peers. IKE handles negotiation of protocols and algorithms based on local policy, and generates the encryption and authentication keys to be used by IPSec. IPSec protects one or more data flows between a pair of hosts, between a pair of security routers, or between a security router and a host.

IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or without IKE.

CA—certification authority (CA) interoperability supports the IPSec standard, using Simple Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP permits Cisco IOS devices and CAs to communicate to permit your Cisco IOS device to obtain and use digital certificates from the CA. IPSec can be configured with or without CA. The CA must be properly configured to issue certificates. For more information, see the "Configuring Certification Authority Interoperability" chapter of the Security Configuration Guide at http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_releases.html

The component technologies implemented for IPSec include:

DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encryption packet data. Cisco IOS implements the 3-key Triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.

AES—The Advanced Encryption Standard, a next-generation symmetric encryption algorithm, used by the U.S. Government and organizations outside the U.S.

MD5 (HMAC variant)—MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

SHA (HMAC variant)—SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provides non-repudiation while RSA encrypted nonces provide repudiation.

IPSec with the Cisco IOS software supports the following additional standards:

AH—Authentication Header is a security protocol that provides data authentication and optional antireplay services.

The AH protocol uses various authentication algorithms; Cisco IOS software has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol provides antireplay services.

ESP—Encapsulating Security Payload, a security protocol, provides data privacy services, optional data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP protocol uses various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS software implements the mandatory 56-bit DES-CBC with Explicit IV or Triple DES as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides antireplay services.

IPPCP—IP Payload Compression Protocol. When using Layer 3 encryption, lower layers (such as PPP at Layer 2) cannot provide compression. When compressing already encrypted packets, expansion usually results. IPPCP provides stateless compression for use with encryption services such as IPSec.

SA-VAM2 Overview

The Service Adapter VPN Acceleration Module 2 (SA-VAM2) is a single-width port adapter (see Figure 1-1) supported on the Cisco 7301 router and the Cisco 7200 series routers with the network processing engine 225 (NPE-225), 400 (NPE-400), G1 (NPE-G1), and the Network Services Engine (NSE-1) services accelerator.

Note The NPE-300 processor is no longer supported.

An SA-VAM2 provides hardware-assisted tunneling and encryption/compression services for Virtual Private Network (VPN) remote access, site-to-site intranets, and extranet applications, including security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management. The SA-VAM2 offloads IPSec processing from the main processor to permit resources on the processor engines for other tasks.

Figure 1-1 SA-VAM2

The SA-VAM2 provides hardware-accelerated support for multiple encryption functions:

128-bit Advanced Encryption Standard (AES) in hardware and 192/256 bits in HSP software

56-bit Data Encryption Standard (DES) standard mode: Cipher Block Chaining (CBC)

Performance to OC3 full duplex with 300 byte packets

5000 tunnels for DES/3DES/AES

Provides compression with IPSec at no extra overhead

3-Key Triple DES (168-bit)

Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms

Rivest, Shamir, Adelman (RSA) public-key algorithm

Diffie-Hellman key exchange RC4-40

IPSec tunnel mode

Features

This section describes the SA-VAM2 features (see Table 1-1), and the SA-VAM2 performance data (see Table 1-2).

Table 1-1 VAM2 Features 

Feature
Description/Benefit

Physical

Service adapter; installs in a single port-adapter slot on any Cisco 7200 series1 or Cisco 7301 router

Platform support

Cisco 7200 Series with NPE G1, NPE-400, NPE-225, or NSE-1 processors and Cisco 7301 Router

Number of IPSec protected tunnels2

Up to 5000 on the Cisco 7200 series routers
Up to 5000 on the Cisco 7301 router

Hardware-based encryption

Data protection: IPSec DES, 3DES, and AES
Authentication: RSA and Diffie-Hellman
Data integrity: SHA-1 and Message Digest 5 (MD5)

VPN tunneling

IPsec tunnel mode; Generic Routing Encapsulation (GRE) and Layer 2 Tunneling Protocol (L2TP) protected by IPSec

Hardware-based compression

Layer 3 IPPCP LZS

LAN/WAN interface selection

Works with most Cisco 7200VXR-compatible port adapters

Standards supported

IPSec/IKE: RFCs 2401-2411, 2451
IPPCP: RFC 2393, 2395

1 The Cisco 7200 series supports up to two VAM2.

2 Number of tunnels supported varies based on the total system memory installed.


Performance

Table 1-2 lists the performance information for the VAM2.

Table 1-2 Performance 

Cisco Router
Throughput1
Description

Cisco 7301

Up to 386 Mbps

Cisco IOS: c7301-jk9o3s-mz.123-1.9
7301/single VAM2, 1GB system memory
3DES/SHA, pre-shared with no IKE-keepalive configured

Cisco 7200 with NPE-G1 or NPE-400

Up to 299 Mbps2 3

Cisco IOS: c7200-jk9o3s-mz.123-1M
7200VXR/NP-G1(700Mhz) /single VAM2, 512MB system memory
3DES/SHA, pre-shared with no IKE-keepalive configured

Up to 489 Mbps 2 3

Same as above, but with dual VAM2s

Cisco 7200 with NPE-225

Up to 218 Mbps

Cisco IOS: c7200-jk9o3s-mz.123-1M
7200VXR/NPE225/single VAM2, 256MB system memory
3DES/SHA, pre-shared with no IKE-keepalive configured

Cisco 7200 with NSE-1

Up to 250 Mbps

Cisco IOS: c7200-jk9o3s-mz.123-1M
7200VXR/NSE-1/VAM2, 256MB system memory
3DES/SHA, pre-shared with no IKE-keepalive configured

1 As measured with IPSec 3DES Hashed Message Authentication Code (HMAC)-SHA-1 on 1400-byte packets. Performance varies depending on the number of modules, bandwidth, traffic volume, Cisco IOS release, etc.

2 Using Cisco 12.3-1M image. Performance varies by Cisco IOS release.

3 When using two onboard Fast Ethernet I/O boards in UUT, the 1400B performance is approximately 26-40% higher than using one onboard Fast Ethernet I/O board with Fast Ethernet port adapters


Supported Standards, MIBs, and RFCs

This section describes the standards, Management Information Bases (MIBs), and Request for Comments (RFCs) supported on the SA-VAM2. Requests for Comments (RFCs) contain information about the supported Internet suite of protocols.

Standards

IPPCP: RFC 2393, 2395

IPSec/IKE: RFCs 2401-2411, 2451

MIBs

CISCO-IPSEC-FLOW-MONITOR-MIB

CISCO-IPSEC-MIB

CISCO-IPSEC-POLICY-MAP-MIB

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

IPPCP: RFC 2393, 2395

IPSec/IKE: RFCs 2401-2411, 2451

LEDs

The SA-VAM2 has three LEDs, as shown in Figure 1-2. Table 1-3 lists the colors and functions of the LEDs.

Figure 1-2 SA-VAM2 LEDs

Table 1-3 SA-VAM2 LEDs

 
LED Label
Color
State
Function
1

ENABLE

Green

On

Indicates the SA-VAM2 is powered up and enabled for operation.

2

BOOT

Amber

On

Indicates the SA-VAM2 is operating.

3

ERROR

Amber

On

Indicates an encryption error has occurred. This LED is normally off.


The following conditions must be met before the enabled LED goes on:

The SA-VAM2 is correctly connected to the backplane and receiving power.

The system bus recognizes the SA-VAM2.

If either of these conditions is not met, or if the router initialization fails for other reasons, the enabled LED does not go on.

Cables, Connectors, and Pinouts

There are no interfaces on the SA-VAM2, so there are no cables, connectors, or pinouts.

Slot Locations

The topics in this section include:

Cisco 7200 Series Routers

Cisco 7301 Router

The SA-VAM2 is supported in the port adapter slots on the Cisco 7301 router and the Cisco 7200 series routers.

Note If a port adapter slot is not populated, insert a blank SM-PA filler in the slot (part number 800-00455-01).

Cisco 7200 Series Routers

See Figure 1-3, Figure 1-4, and Figure 1-5 for the slot numbering for the Cisco 7200 series routers.

Figure 1-3 Cisco 7206 Slot Numbering

1

Port adapter slot 5 (left bus)

5

Port adapter slot 6 (right bus)

2

Port adapter slot 3 (left bus)

6

Port adapter slot 4 (right bus)

3

Port adapter slot 1(left bus)

7

Port adapter slot 2 (right bus)

4

Port adapter slot 0 (left bus)

   

Figure 1-4 Cisco 7204 Slot Numbering

1

Port adapter slot 3

3

Port adapter slot 2

2

Port adapter slot 4

4

Port adapter slot 1


Figure 1-5 Cisco 7202 Slot Numbering

1

Port adapter slot 1

2

Port adapter slot 2


Cisco 7301 Router

See Figure 1-6 for the slot numbering for the Cisco 7301 router.

Note The Cisco 7301 router supports a single VAM2, or port adapter.

Figure 1-6 Cisco 7301 Slot Numbering

1

Latch

3

Slot guides

2

SA-VAM2 partially removed

4

Ground for ESD wrist strap banana jack


hometocprevnextglossaryfeedbacksearchhelp

Posted: Tue Jan 25 10:23:07 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.