Our goal is to provide you with a quick access to the content of the user manual for Cisco Systems 7206VXR NPE-400. Using the online preview, you can quickly view the contents and go to the page where you will find the solution to your problem with Cisco Systems 7206VXR NPE-400.
For your convenience
If looking through the Cisco Systems 7206VXR NPE-400 user manual directly on this website is not convenient for you, there are two possible solutions:
Full Screen Viewing - to easily view the user manual (without downloading it to your computer), you can use full-screen viewing mode. To start viewing the user manual Cisco Systems 7206VXR NPE-400 on full screen, use the button Fullscreen.
Downloading to your computer - You can also download the user manual Cisco Systems 7206VXR NPE-400 to your computer and keep it in your files. However, if you do not want to take up too much of your disk space, you can always download it in the future from ManualsBase.
Cisco Systems 7206VXR NPE-400 User manual - Online PDF
Many people prefer to read the documents not on the screen, but in the printed version. The option to print the manual has also been provided, and you can use it by clicking the link above - Print the manual. You do not have to print the entire manual Cisco Systems 7206VXR NPE-400 but the selected pages only. paper.
Summaries
Below you will find previews of the content of the user manuals presented on the following pages to Cisco Systems 7206VXR NPE-400. If you want to quickly view the content of pages found on the following pages of the manual, you can use them.
Abstracts of contents
Summary of the content on the page No. 1
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Introduction This is a non-proprietary Cryptographic Module Security Policy for Cisco Systems. This security policy describes how the 7206 VXR NPE-400 with VPN Acceleration Module (VAM) (Hardware Version: 7206-VXR; VAM: Hardware Version 1.0, Board Version A0; Firmware Version: Cisco IOS software Version12.3(3d)) meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 m
Summary of the content on the page No. 2
FIPS 140-2 Submission Package � Documentation Feedback, page 18 � Obtaining Technical Assistance, page 18 � Obtaining Additional Publications and Information, page 20 FIPS 140-2 Submission Package The Security Policy document is one item in the FIPS 140-2 Submission Package. In addition to this document, the Submission Package includes: � Vendor evidence document � Finite state machine � Module software listing � Other supporting documentation as additional references With the exception of
Summary of the content on the page No. 3
Cryptographic Module Cryptographic Module The Cisco 7206VXR NPE-400 router with VAM is a multiple-chip standalone cryptographic module. The Cisco 7206VXR supports multi-protocol routing and bridging with a wide variety of protocols and port adapter combinations available for Cisco 7200 series routers. The metal casing that fully encloses the module establishes the cryptographic boundary for the router, all the functionality discussed in this document is provided by components within the ca
Summary of the content on the page No. 4
Module Interfaces Table 1 shows the front panel LEDs, which provide overall status of the router operation. The front panel displays whether or not the router is booted, if the redundant power is attached and operational, and overall activity/link status. Figure 2 Cisco 7206VXR Router Front Panel LEDs DUAL FAST ETHERNET INPUT/OUTPUT CONTROLLER C7200-I/O-2FE/E LED Indication Description Enabled Green Indicates that the network processing engine or network services engine and the I/O controll
Summary of the content on the page No. 5
Module Interfaces LED Indication Description Link Green Indicates that the Ethernet RJ-45 receptacle has established a valid link with the network. Off This LED remains off during normal operation of the router unless there is an incoming carrier signal. 100 Mbps Green Indicates that the port is configured for 100-Mbps operation (speed 100), or if configured for auto negotiation (speed auto), the port has detected a valid link at 100 Mbps. Off If the port is configured for 10-Mbps operat
Summary of the content on the page No. 6
Roles and Services Table 1 FIPS 140-2 Logical Interface Router Physical Interface FIPS 140-2 Logical Interface 10/100BASE-TX LAN Port Data Input Interface Port Adapter Interface Console Port Auxiliary Port PCMCIA Slot 10/100BASE-TX LAN Port Data Output Interface Port Adapter Interface Console Port Auxiliary Port PCMCIA Slot Power Switch Control Input Interface Console Port Auxiliary Port 10/100BASE-TX LAN Port LEDs Status Output Interface Enabled LED PCMCIA LEDs IO Pwr Ok LED VAM LEDs Console
Summary of the content on the page No. 7
Roles and Services The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See the “Secure Operation” section on page 16 for more information. If only integers 0-9 are used without repetition for an 8 digit PIN, the probability of randomly guessing the correct sequence is 1 in 1,814,400. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence. Crypto Offi
Summary of the content on the page No. 8
Physical Security Physical Security The router is encased in a steel chassis. The front of the router includes six port adapter slots. The rear of the router includes on-board LAN connectors, PC Card slots, and Console/Auxiliary connectors, power cable connection, a power switch, and access to the Network Processing Engine. Any port adapter slot not populated with a port adapter must be populated with a slot cover (blank port adapter) to operate in FIPS compliant mode. Slot covers are inclu
Summary of the content on the page No. 9
NETWORK PROCESSING ENGINE-150 Cryptographic Key Management Figure 4 Tamper Evidence Label Placement (Front View) Port adapters Port adapter lever I/O controller Auxiliary Console PC card slots port port Optional Fast Ethernet port (MII receptacle and RJ-45 receptacle) Figure 5 Tamper Evidence Label Placement (Rear View) Chassis Internal fans grounding receptacles AC-input Power supply receptacle filler plate AC-input Network processing engine power supply or network services engine Power switc
Summary of the content on the page No. 10
Cryptographic Key Management The module supports the following critical security parameters (CSPs): Table 2 Critical Security Parameters # CSP Name Description Storage 1 CSP 1 This is the seed key for X9.31 PRNG. This DRAM key is stored in DRAM and updated (plaintext) periodically after the generation of 400 bytes; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this key. 2 CSP2 The private exponent used in Diffie-Hellman DRAM (DH) exchange. Zeroiz
Summary of the content on the page No. 11
Cryptographic Key Management Table 2 Critical Security Parameters (Continued) # CSP Name Description Storage 14 CSP14 The IPSec encryption key. Zeroized when DRAM IPSec session is terminated. (plaintext) 15 CSP15 The IPSec authentication key. The DRAM zeroization is the same as above. (plaintext) 16 CSP16 The RSA public key of the CA. The no NVRAM crypto ca trust
Summary of the content on the page No. 12
Cryptographic Key Management Table 2 Critical Security Parameters (Continued) # CSP Name Description Storage 25 CSP25 This key is used by the router to authenticate NVRAM itself to the peer. The key is identical to #22 (plaintext) except that it is retrieved from the local database (on the router itself). Issuing the no username password command zeroizes the password (that is used as this key) from the local database. 26 CSP26 This is the SSH session key. It is zeroized DRAM when the SSH s
Summary of the content on the page No. 13
Cryptographic Key Management Figure 6 Role and Service Access to CSPs FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM OL-3959-01 13
Summary of the content on the page No. 14
Cryptographic Key Management The module supports DES (only for legacy systems), 3DES, DES-MAC, TDES-MAC, AES, SHA-1, HMAC SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, RSA (for digital signatures and encryption/decryption (for IKE authentication)) cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. The module supports three types of key management schemes: � Manual key exchange method that is symmetric. DES/3DES/AES key and HMAC-SHA-1 key a
Summary of the content on the page No. 15
Self-Tests Key Zeroization All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of Table 2 for information on methods to zeroize each key and CSP. Self-Tests To prevent secure data from being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. If any of the self
Summary of the content on the page No. 16
Secure Operation – Continuous random number generator test Secure Operation The Cisco 7206VXR NPE-400 router with a single VPN Acceleration Module (VAM) meets all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS mode of operation. Operating this router without maintaining the appropriate settings will remove the module from the FIPS approved mode of operation. Initial Setup � The Crypto Officer ensures that the VAM cryptogra
Summary of the content on the page No. 17
Obtaining Documentation � If the Crypto Officer loads any IOS image onto the router, this will put the router into a non-FIPS mode of operation. IPSec Requirements and Cryptographic Algorithms There are two types of key management method that are allowed in FIPS mode: Internet Key Exchange (IKE) and IPSec manually entered keys. Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration: � ah-sha-hmac � esp-de
Summary of the content on the page No. 18
Documentation Feedback You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Ordering Documentation You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm You can order Cisco documentation in these ways: � Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the
Summary of the content on the page No. 19
Obtaining Technical Assistance Cisco Technical Support Website The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or
Summary of the content on the page No. 20
Obtaining Additional Publications and Information Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. � Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ � The Cisco Product Catalog describes the networking products offered by Cisco Syst