Cisco 7206 VXR User Manual

Introduction

Cisco 7206 VXR Router with ISA Security Policy
Note This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page.
This nonproprietary Cryptographic Module Security Policy describes how the 7206 VXR NPE-400 routers meet the security requirements of Federal Information Processing Standards (FIPS) 140-1, and how they operate in a secure FIPS 140-1 mode. The policy was prepared as part of the Level 2 FIPS 140-1 certification of the 7206 VXR NPE-400 router.
The FIPS 140-1 publication, "Security Requirements for Cryptographic Modules," details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available at the following National Institute of Standards and Technology (NIST) website:
http://csrc.nist.gov/cryptval/
This document contains the following sections:
Introduction
The 7206 VXR NPE-400 Router
Secure Operation of the Cisco 7206 VXR NPE-400 Router
Obtaining Documentation
Obtaining Technical Assistance
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2001. Cisco Systems, Inc. All rights reserved.

References

This document deals with operations and capabilities of the 7206 VXR NPE-400 router in the technical terms of a FIPS 140-1 cryptographic module security policy. For more information on the Cisco 7206 VXR NPE-400 router and the entire 7200 series, check the following sources:
The Cisco Systems website contains information on the full line of Cisco Systems products. Refer to the following website:
www.cisco.com.
The 7200 series product descriptions can be found at the following website:
www.cisco.com/warp/public/cc/pd/rt/7200/
For answers to technical or sales related questions, please refer to the contacts listed on the following website:
www.cisco.com.

Terminology

In this document, the cryptographic module is referred to as the 7206 VXR router, the router, or the system.

Document Organization

The security policy document is part of the complete FIPS 140-1 Submission Package. In addition to this document, the complete submission package contains:
Vendor evidence document
Finite state machine
Module software listing
Other supporting documentation as additional references
This document provides an overview of the 7206 VXR NPE-400 router and explains the secure configuration and operation of the cryptographic module. It also explains the general features and functionality of the 7206 VXR NPE-400 routers and addresses the required configuration for the FIPS mode of operation.
Note This security policy and other certification submission documentation was produced by Corsec Security, Inc. under contract to Cisco Systems. With the exception of this nonproprietary security policy, the FIPS 140-1 Certification Submission documentation is Cisco-proprietary and can be released only under appropriate nondisclosure agreements. For access to these documents, please contact Cisco Systems.
The 7206 VXR NPE-400 Router
Cisco 7200 VXR routers are designed to support gigabit capabilities and to improve data, voice, and video integration in both service provider and enterprise environments. Cisco 7200 VXR routers support a high-speed network services engine (NSE) as well as the high-speed network processing engine, NPE-400, and all other available network processing engines.
Cisco 7200 VXR routers accommodate a variety of network interface port adapters and an I/O controller. A Cisco 7200 VXR router equipped with an NPE-400 can support up to six high-speed port adapters and can also support higher-speed port adapter interfaces including Gigabit Ethernet and OC-12 ATM. Cisco 7200 VXR routers also contain bays for up to two AC-input or DC-input power supplies.
Cisco 7200 VXR routers support the following features:
Online insertion and removal (OIR)—Add, replace, or remove port adapters without interrupting the system.
Dual hot-swappable, load-sharing power supplies—Provide system power redundancy; if one power supply or power source fails, the other power supply maintains system power without interruption. Also, when one power supply is powered off and removed from the router, the second power supply immediately takes over the router power requirements without interrupting normal operation of the router.
Environmental monitoring and reporting functions—Maintain normal system operation by resolving adverse environmental conditions prior to loss of operation.
Downloadable software—Load new images into Flash memory remotely, without having to physically access the router.

The 7206 VXR NPE-400 Cryptographic Module

Cisco 7206 VXR routers support multiprotocol routing and bridging with a wide variety of protocols and port adapter combinations available for Cisco 7200 series routers. The metal casing that fully encloses the module establishes the cryptographic boundary for the router. All the functionality discussed in this document is provided by components within the casing. Cisco 7206 VXR routers have six slots for port adapters, one slot for an input/output (I/O) controller, and one slot for a network processing engine or network services engine.
Figure 1 The 7206 VXR NPE-400 Router
[Figure not reproduced. Callouts: port adapter lever, I/O controller, PC card slots, optional Fast Ethernet port (MII receptacle and RJ-45 receptacle), port adapters, auxiliary port, console port.]
The Cisco 7206 VXR NPE-400 uses an RM7000 microprocessor that operates at an internal clock speed of 350 MHz. The NPE-400 uses SDRAM for storing all packets received or sent from network interfaces. The SDRAM memory array in the system allows concurrent access by port adapters and the processor.
The NPE-400 has three levels of cache: a primary and a secondary cache that are internal to the microprocessor, and a tertiary 4-MB external cache that provides additional high-speed storage for data and instructions.
Cisco 7206 VXR routers come equipped with one 280W AC-input power supply. (A 280W DC-input power supply option is available.) A power supply filler plate is installed over the second power supply bay. A fully configured Cisco 7206 VXR router operates with only one installed power supply; however, a second, optional power supply of the same type provides hot-swappable, load-sharing, redundant power.

Module Interfaces

Input/Output Controller

The interfaces for the router are located on the front panel Input/Output (I/O) Controller, with the exception of the power switch and power plug. The module has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem.
Figure 2 shows the front panel LEDs, which provide overall status of the router operation. The front panel displays whether or not the router is booted, if the redundant power is attached and operational, and overall activity/link status.
Figure 2 I/O Controller
[Figure not reproduced. Panel labels: C7200-I/O-2FE/E Dual Fast Ethernet Input/Output Controller; ENABLED, IO PWR OK, SLOT 0, SLOT 1, LINK and 100 Mbps LEDs; PCMCIA slots with EJECT; FE/E 0 and FE/E 1 ports; AUX and CONSOLE ports; CPU RESET.]
Table 1 provides detailed information conveyed by the LEDs on the front panel of the I/O Controller.
Table 1 Front Panel LEDs and Descriptions

| LED | Indication | Description |
|---|---|---|
| Enabled | Green | Indicates that the network processing engine or network services engine and the I/O controller are enabled for operation by the system; however, it does not mean that the Fast Ethernet port on the I/O controller is functional or enabled. This LED goes on during a successful router boot and remains on during normal operation of the router. |
| IO POWER OK | Amber | Indicates that the I/O controller is on and receiving DC power from the router midplane. This LED comes on during a successful router boot and remains on during normal operation of the router. |
| | Off | Powered off or failed. |
| Slot 0, Slot 1 | Green | These LEDs indicate which PC Card slot is in use by coming on when either slot is being accessed by the system. These LEDs remain off during normal operation of the router. |
| Link | Green | Indicates that the Ethernet RJ-45 receptacle has established a valid link with the network. |
| | Off | This LED remains off during normal operation of the router unless there is an incoming carrier signal. |
| 100 Mbps | Green | Indicates that the port is configured for 100-Mbps operation (speed 100), or if configured for autonegotiation (speed auto), the port has detected a valid link at 100 Mbps. |
| | Off | If the port is configured for 10-Mbps operation, or if it is configured for autonegotiation and the port has detected a valid link at 10 Mbps, the LED remains off. |
All of these physical interfaces are separated into the logical interfaces from FIPS as described in Table 3.

Integrated Service Adapter

The ISA is a single-width service adapter. It provides high-performance, hardware-assisted tunneling and encryption services suitable for VPN applications. The ISA off-loads IPSec and MPPE processing from the main processor of the Cisco 7200 series router, thus freeing resources on the network processor engine.
The ISA has one enabled LED and two status LEDs. After system initialization, the enabled LED goes on to indicate that the ISA has been enabled for operation. If the initialization fails for any reason, the enabled LED does not go on.
Figure 3 shows the LEDs for the ISA Crypto Card with one enabled LED and two status LEDs.