Summary of the content included on page 1
C7200 VSA (VPN Services Adapter)
Installation and Configuration Guide
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-9129-02
Summary of the content included on page 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
Summary of the content included on page 3
CONTENTS
Preface vii
Audience vii
Warnings vii
Objectives viii
Organization viii
Related Documentation ix
Obtaining Documentation ix
Cisco.com ix
Product Documentation DVD x
Ordering Documentation x
Documentation Feedback x
Cisco Product Security Overview x
Reporting Security Problems in Cisco Products xi
Product Alerts and Field Notices xi
Obtaining Technical Assistance xii
Cisco Technical Support & Documentation Website xii
Submitting a Service Request xiii
Definitions of Service Request Sev
Summary of the content included on page 4
Contents
Disabling the VSA during Operation 1-6
Enabling/Disabling Scheme 1-6
LEDs 1-7
Connectors 1-8
Slot Locations 1-8
Cisco 7204VXR Router 1-8
Cisco 7206VXR Router 1-10
Preparing for Installation 2-1
Required Tools and Equipment 2-1
Hardware and Software Requirements 2-1
Software Requirements 2-2
Hardware Requirements 2-2
Restrictions 2-2
Online Insertion and Removal (OIR) 2-3
Safety Guidelines 2-3
Safety Warnings 2-3
Electrical Equipment Guidelines 2-4
Pre
Summary of the content included on page 5
Contents
Changing Existing Transforms 4-8
Transform Example 4-8
Configuring IPSec 4-8
Ensuring That Access Lists Are Compatible with IPSec 4-8
Setting Global Lifetimes for IPSec Security Associations 4-8
Creating Crypto Access Lists 4-10
Creating Crypto Map Entries 4-10
Creating Dynamic Crypto Maps 4-12
Applying Crypto Map Sets to Interfaces 4-14
Monitoring and Maintaining IPSec 4-14
Verifying IKE and IPSec Configurations 4-15
Verifying the Configuration 4-16
Configurat
Summary of the content included on page 6
Contents C7200 VSA (VPN Services Adapter) Installation and Configuration Guide vi OL-9129-02
Summary of the content included on page 7
Preface
This preface describes the objectives and organization of this document and explains how to find additional information on related products and services. This preface contains the following sections:
• Audience, page vii
• Warnings, page vii
• Objectives, page viii
• Organization, page viii
• Related Documentation, page ix
• Obtaining Documentation, page ix
• Documentation Feedback, page x
• Cisco Product Security Overview, page x
• Product Alerts and Field Notices, page xi
• Obtaini
Summary of the content included on page 8
Preface
Objectives
Warning: IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the translated safety warnings that accompanied this device.
Note: SAVE THESE INSTRUCTIONS
Note: This documentatio
Summary of the content included on page 9
Preface
Related Documentation
This section lists documentation related to your router and its functionality. Because we no longer ship the entire router documentation set automatically with each system, this documentation is available online, or on the Documentation CD-ROM.
Note: Select translated documentation is available at http://www.cisco.com/ by selecting the topic ‘Select a Location / Language’ at the top of the page. Some online documentation requires that you are
Summary of the content included on page 10
Preface
Documentation Feedback
You can access the Cisco website at this URL: http://www.cisco.com
You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML d
Summary of the content included on page 11
Preface
Product Alerts and Field Notices
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL: http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL: http://www
Summary of the content included on page 12
Preface
Obtaining Technical Assistance
To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do) Registered users can access the tool at this URL: http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on
Summary of the content included on page 13
Preface
Obtaining Additional Publications and Information
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is
Summary of the content included on page 14
Preface
Obtaining Additional Publications and Information
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL: http://
Summary of the content included on page 15
Chapter 1 Overview
This chapter describes the C7200 VSA (VPN Services Adapter) and contains the following sections:
Data Encryption Overview, page 1-1
VSA Overview, page 1-2
Hardware Required, page 1-4
Features, page 1-4
Supported Standards, MIBs, and RFCs, page 1-5
Enabling/Disabling the VSA, page 1-6
LEDs, page 1-7
Connectors, page 1-8
Slot Locations, page 1-8
Data Encryption Overview
This section describes data encryption, including the IPSec, IKE, and certification a
Summary of the content included on page 16
Chapter 1 Overview
VSA Overview
IKE: Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or without IKE.
CA: certification authority (CA) interoperability supports th
Summary of the content included on page 17
Chapter 1 Overview
VSA Overview
Note: The C7200 VSA is only supported on the Cisco 7200VXR with the NPE-G2 processor.
The VSA features hardware acceleration for Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES (3DES), providing increased performance for site-to-site and remote-access IPSec VPN services. The Cisco C7200 VSA solution provides quality of service (QoS), multicast and multiprotocol traffic, and broad support of integrated LAN/WAN media. Figur
Summary of the content included on page 18
Chapter 1 Overview
Hardware Required
1 Host IO Bus and PCI-X Bus
2 Power supply
The VSA provides hardware-accelerated support for multiple encryption functions:
128/192/256-bit Advanced Encryption Standard (AES) in hardware
Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)
Performance to 900 Mbps encrypted throughput with 300 byte packets and 1000 tunnels
5000 tunnels for DES/3DES/AES
Secure Hash Algorithm 1 (SHA-1) and Message Digest 5 (MD5
Summary of the content included on page 19
Chapter 1 Overview
Supported Standards, MIBs, and RFCs
2. Number of tunnels supported varies based on the total system memory installed.
3. On the NPE-G2, the minimum memory requirement is 1 GB of memory.
Performance
Table 1-2 lists the performance information for the VSA.
Table 1-2 Performance for VSA [1][2]
Cisco Router | Throughput | Description
Cisco 7200VXR series routers | Performance to 900 Mbps | Cisco IOS release: 12.4(4)XD3 fc2; 7200VXR/NPE-G2/VSA, 1GB system memory with the encrypted 3DES/
Summary of the content included on page 20
Chapter 1 Overview
Enabling/Disabling the VSA
This section includes the following topics:
Disabling the VSA during Operation, page 1-6
Enabling/Disabling Scheme, page 1-6
The VSA crypto card does not support OIR. The VSA boots up only during system initialization. The VSA will not work if it is inserted after the system is up and running. The VSA can be shut down by a disabling CLI command. The VSA is ready for removal after the disabling CLI command is exec