Cisco SA-VAM - VPN Acceleration Module, SA-VAM2+ Installation And Configuration Manual

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 527-0883
VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide
Product Number: SA-VAM2+(=)
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Text Part Number: OL-5979-03
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Printed in the USA on recycled paper containing 10% postconsumer waste.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Copyright © 2006 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface vii
Revision History vii
Audience viii
Warnings viii
Objectives viii
Organization viii
Related Documentation ix
Obtaining Documentation x
  Cisco.com x
  Product Documentation DVD xi
  Ordering Documentation xi
Documentation Feedback xi
Cisco Product Security Overview xi
  Reporting Security Problems in Cisco Products xii
Obtaining Technical Assistance xii
  Cisco Technical Support & Documentation Website xiii
  Submitting a Service Request xiii
  Definitions of Service Request Severity xiii
Obtaining Additional Publications and Information xiv
Chapter 1 Overview 1-1
Data Encryption Overview 1-1
SA-VAM2+ Overview 1-3
Features 1-4
Performance 1-5
Supported Standards, MIBs, and RFCs 1-6
  Standards 1-6
  MIBs 1-6
  RFCs 1-6
Online Insertion and Removal (OIR) 1-7
  SA-VAM2+ 1-7
  Port Adapter Jacket Card 1-7
LEDs 1-7
  SA-VAM2+ 1-7
  Port Adapter Jacket Card 1-8
Cables, Connectors, and Pinouts 1-8
Slot Locations 1-9
  Cisco 7200VXR Routers 1-9
  Cisco 7301 Router 1-9
Chapter 2 Preparing for Installation 2-1
Required Tools and Equipment 2-1
Hardware and Software Requirements 2-1
  Software Requirements 2-2
  Hardware Requirements 2-2
  Restrictions 2-3
Safety Guidelines 2-3
  Safety Warnings and Guidelines 2-3
  Electrical Equipment Guidelines 2-4
  Preventing Electrostatic Discharge Damage 2-4
Compliance with U.S. Export Laws and Regulations Regarding Encryption 2-5
Chapter 3 Removing and Installing the SA-VAM2+ 3-1
Handling the SA-VAM2+ 3-1
Online Insertion and Removal (OIR) 3-2
  SA-VAM2+ 3-2
  Port Adapter Jacket Card 3-2
Warnings and Cautions 3-2
SA-VAM2+ Removal and Installation 3-2
  Cisco 7200VXR Router Port Adapter Jacket Card 3-3
  Cisco 7200VXR Series Routers 3-4
  Cisco 7301 Router 3-6
Chapter 4 Configuring the SA-VAM2+ 4-1
Overview 4-1
Configuration Tasks 4-2
  Using the EXEC Command Interpreter 4-2
  Enabling SA-VAM2+ 4-3
  Configuring an IKE Policy 4-3
  Configuring a Transform Set 4-4
  Defining a Transform Set 4-5
  IPSec Protocols: AH and ESP 4-6
  Selecting Appropriate Transforms 4-7
  The Crypto Transform Configuration Mode 4-7
  Changing Existing Transforms 4-7
  Transform Example 4-8
Configuring IPSec 4-8
  Ensuring That Access Lists Are Compatible with IPSec 4-8
  Setting Global Lifetimes for IPSec Security Associations 4-8
  Creating Crypto Access Lists 4-9
  Creating Crypto Map Entries 4-10
  Creating Dynamic Crypto Maps 4-12
  Applying Crypto Map Sets to Interfaces 4-14
Configuring Compression 4-14
  Configure IKE Policy 4-14
  Configure IKE Preshared Key 4-15
  Configure ipsec transform set 4-15
  Configure access-list 4-15
  Configure crypto map 4-16
  Apply crypto map to the Interface 4-16
  Monitoring and Maintaining IPSec 4-17
  IPSec Configuration Example 4-17
  Verifying IKE and IPSec Configurations 4-18
Verifying the Configuration 4-19
Configuration Examples 4-21
  Configuring IKE Policies Example 4-21
  Configuring IPSec Configuration Example 4-21
  Configuring Compression Example 4-22
Basic IPSec Configuration Illustration 4-22
  Router A Configuration 4-23
  Router B Configuration 4-24
Troubleshooting Tips 4-24
Monitoring and Maintaining the SA-VAM2+ 4-26
Index
Preface
This preface describes the objectives and organization of this document and explains how to find additional information on related products and services. This preface contains the following sections:
Revision History, page vii
Audience, page viii
Warnings, page viii
Objectives, page viii
Organization, page viii
Related Documentation, page ix
Obtaining Documentation, page x
Documentation Feedback, page xi
Cisco Product Security Overview, page xi
Obtaining Technical Assistance, page xii
Obtaining Additional Publications and Information, page xiv
Revision History
Document Version | Date | Notes
OL-5979-01 | December 2005 | This version introduces the VPN Acceleration Module 2+ (VAM2+).
OL-5979-02 | March 2006 | This version of the document adds Port Adapter Jacket Card information, and feature information for IPv6 IPSec and GDOI.
OL-5979-03 | August 2006 | This version of the document adds NPE-G2 support.
Audience
The audience for this publication should be familiar with Cisco router hardware and cabling along with electronic circuitry and wiring practices. Experience as an electronic or electromechanical technician is recommended.
Warnings
Warning
To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of 24°C (75°F).
Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Warning
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the translated safety warnings that accompanied this device.
Note: SAVE THESE INSTRUCTIONS
Note: This documentation is to be used in conjunction with the specific product installation guide that shipped with the product. Please refer to the Installation Guide, Configuration Guide, or other enclosed additional documentation for further details.
Objectives
This document contains instructions and procedures for installing and configuring the VPN Acceleration Module 2+ (SA-VAM2+), a single-width acceleration module that installs in the Cisco 7204VXR and Cisco 7206VXR routers with the NPE-225, NPE-400, NPE-G1, or NPE-G2 processors, and in the Cisco 7301 router. It also covers the Port Adapter Jacket Card, which installs in the I/O controller slot of a Cisco 7200VXR router with an NPE-G1 or NPE-G2 installed and allows a port adapter to be installed in it.
The part number for the VAM2+ is SA-VAM2+(=).
Note To ensure compliance with U.S. export laws and regulations, and to prevent future problems, see the “Compliance with U.S. Export Laws and Regulations Regarding Encryption” section on page 2-5 for specific, important information.
Organization
This document contains the chapters listed in the chapter table below (the table appears after the Related Documentation section).
Related Documentation
This section lists documentation related to your router and its functionality. The documentation mentioned is available online, or on the Documentation CD-ROM.
For hardware information on the Cisco 7200VXR Port Adapter Jacket Card, see the Port Adapter Jacket Card Installation Guide.
For hardware installation and maintenance information for the Cisco 7200VXR series routers, refer to the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html
For Cisco 7301 router documentation, refer to the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps352/prod_technical_documentation.html
Port Adapter Installation and Configuration guides are available online at:
http://www.cisco.com/en/US/products/hw/modules/ps2033/prod_module_installation_guides_list.html
and
http://www.cisco.com/en/US/products/hw/modules/ps2033/products_module_installation_guides_books_list.html
For configuration information and support, refer to the modular configuration and modular command reference publications in the Cisco IOS software configuration documentation set that corresponds to the software release installed on your Cisco hardware. Access these documents at:
http://www.cisco.com/en/US/products/sw/iosswrel/index.html
Note Select translated documentation is available at http://www.cisco.com/ by selecting the topic ‘Select a Location / Language’ at the top of the page.
To determine the minimum Cisco IOS software requirements for your router, Cisco maintains the Software Advisor tool on Cisco.com. This tool does not verify whether modules within a system are compatible, but it does provide the minimum IOS requirements for individual hardware modules or components. Registered Cisco Direct users can access the Software Advisor at:
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl
For IP security and encryption, refer to the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html
Chapter | Title | Description
1 | Overview | Describes the SA-VAM2+ and SA-VAM2+ LED displays.
2 | Preparing for Installation | Describes safety considerations, tools required, and procedures you should perform before the actual installation.
3 | Removing and Installing the SA-VAM2+ | Describes the procedures for installing and removing the SA-VAM2+ from the supported platform.
4 | Configuring the SA-VAM2+ | Describes procedures needed to configure the SA-VAM2+ in the Cisco 7301 and Cisco 7200VXR series routers.
For FIPS 140 Security documents:
http://www.cisco.com/en/US/partner/products/hw/routers/ps341/products_regulatory_approvals_and_compliance09186a00800f009e.html
For the VPN Device Manager documents:
http://www.cisco.com/en/US/partner/products/sw/cscowork/ps2322/products_release_and_installation_notes_list.html
If you are a registered Cisco Direct Customer, you can access the following tools:
Bug Toolkit:
http://www.cisco.com/en/US/partner/products/hw/routers/ps341/prod_bug_toolkit.html
Bug Navigator:
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
Feature Navigator:
http://www.cisco.com/en/US/partner/products/prod_feature_navigator_for_cisco_IOS_tool_launch.html
Output Interpreter:
https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl
Cisco IOS Error Message Decoder:
http://www.cisco.com/cgi-bin/Support/Errordecoder/home.pl
Cisco Dynamic Configuration Tool:
http://www.cisco.com/en/US/ordering/or13/or8/ordering_ordering_help_dynamic_configuration_tool_launch.html
MIB Locator:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
Additional tools include:
Tools Index:
http://www.cisco.com/en/US/partner/products/prod_tools_index.html
Cisco IOS Software Selector Tool:
http://tools.cisco.com/ITDIT/ISTMAIN/servlet/index
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For emergencies only: security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For nonemergencies: psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1
Overview
This chapter describes the VPN Acceleration Module 2+ (SA-VAM2+) and contains the following sections:
Data Encryption Overview, page 1-1
SA-VAM2+ Overview, page 1-3
Features, page 1-4
Supported Standards, MIBs, and RFCs, page 1-6
Online Insertion and Removal (OIR), page 1-7
LEDs, page 1-7
Cables, Connectors, and Pinouts, page 1-8
Slot Locations, page 1-9
Data Encryption Overview
This section describes data encryption, including the IPSec, IKE, and certification authority (CA) interoperability features.
Note For additional information on these features, refer to the “IP Security and Encryption” chapter in the Security Configuration Guide and Security Command Reference publications.
IPSec is a network-level, open-standards framework, developed by the Internet Engineering Task Force (IETF), that provides secure transmission of sensitive information over unprotected networks such as the Internet. IPSec includes data authentication, antireplay services, and data confidentiality services.
Cisco follows these data encryption standards:
IPSec—IPSec is an IP layer open standards framework that provides data confidentiality, data integrity, and data authentication between participating peers. IKE handles negotiation of protocols and algorithms based on local policy, and generates the encryption and authentication keys to be used by IPSec. IPSec protects one or more data flows between a pair of hosts, between a pair of security routers, or between a security router and a host.
IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme
key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or without IKE.
CA—certification authority (CA) interoperability supports the IPSec standard, using Simple Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP lets Cisco IOS software devices and CAs communicate, so that your Cisco IOS software device can obtain and use digital certificates from the CA. IPSec can be configured with or without CA. The CA must be properly configured to issue certificates. For more information, see the “Configuring Certification Authority Interoperability” chapter of the Security Configuration Guide at http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_releases.html
The component technologies implemented for IPSec include:
DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encrypt packet data. Cisco IOS software implements 3-key Triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption; the IV is carried explicitly in the IPSec packet.
AES—The Advanced Encryption Standard, a next-generation symmetric encryption algorithm, used by the U.S. Government and organizations outside the U.S.
MD5 (HMAC variant)—MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
SHA (HMAC variant)—SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide non-repudiation, while RSA encrypted nonces provide repudiation.
IPSec with the Cisco IOS software supports the following additional standards:
AH—Authentication Header is a security protocol that provides data authentication and optional antireplay services. The AH protocol uses various authentication algorithms; Cisco IOS software has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol provides antireplay services.
ESP—Encapsulating Security Payload, a security protocol, provides data privacy services, optional data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP protocol uses various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS software implements the mandatory 56-bit DES-CBC with Explicit IV or Triple DES as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides antireplay services.
IPPCP—IP Payload Compression Protocol. IPPCP provides stateless compression for use with encryption services such as IPSec. When Layer 3 encryption is used, lower layers (such as PPP at Layer 2) can no longer compress the traffic usefully: compressing already encrypted packets usually results in expansion, so compression must happen before encryption.
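The antireplay service that AH and ESP both provide is a sliding window over the sequence number carried in each packet. The following Go program is an added example, not part of this guide or of Cisco IOS: it implements the receiver-side check from RFC 2401 Appendix C with the 64-packet window and runs it over a constructed arrival order (the type and method names are the example's own).

```go
package main

import "fmt"

// ReplayWindow is the receiver-side antireplay state of one SA, following the
// 64-packet sliding window of RFC 2401 Appendix C used by AH and ESP: bit i
// of bitmap is set when sequence number lastSeq-i has already been accepted.
type ReplayWindow struct {
	lastSeq uint32
	bitmap  uint64
}

// Check returns true and records seq if the packet is new and within the
// window; false for replays, packets older than the window, and seq 0
// (an SA numbers its packets from 1).
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 {
		return false
	}
	if seq > w.lastSeq { // newer than anything seen: slide the window right
		shift := seq - w.lastSeq
		if shift >= 64 {
			w.bitmap = 1 // jumped past the whole window; only seq itself is marked
		} else {
			w.bitmap = w.bitmap<<shift | 1
		}
		w.lastSeq = seq
		return true
	}
	diff := w.lastSeq - seq
	if diff >= 64 {
		return false // too old to tell a late packet from a replay: drop
	}
	if w.bitmap&(1<<diff) != 0 {
		return false // already accepted once: replay
	}
	w.bitmap |= 1 << diff
	return true
}

func main() {
	var w ReplayWindow
	// Constructed arrival order: reordering (3 before 2), a replay of 3,
	// a jump to 100, a stale 36 that has fallen behind the window, then 37 twice.
	for _, seq := range []uint32{1, 3, 2, 3, 100, 36, 37, 37} {
		fmt.Printf("seq %3d accepted=%v\n", seq, w.Check(seq))
	}
}
```

The check runs before the ICV is verified in a real implementation, and the window is only updated after the ICV passes; the example collapses both steps into one for clarity.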
SA-VAM2+ Overview
The VPN Acceleration Module 2+ (SA-VAM2+) is a single-width port adapter (see Figure 1-1) supported on the Cisco 7204VXR and Cisco 7206VXR routers with the NPE-225, NPE-400, the NPE-G1 or NPE-G2 processor, and the Cisco 7301 router.
SA-VAM2+ features 128/192/256-bit Advanced Encryption Standard (AES) in hardware, Data Encryption Standard (DES), Triple DES (3DES), and IPv6 IPSec, providing increased performance for site-to-site and remote-access IPSec VPN services. The Cisco SA-VAM2+ provides hardware-assisted Layer 3 compression services with its encryption services, conserving bandwidth and lowering network connection costs over secured links, as well as full Layer 3 routing, quality of service (QoS), multicast and multiprotocol traffic, and broad support of integrated LAN/WAN media.
The SA-VAM2+ can be installed directly in the port adapter slots (see Figure 1-5) of the Cisco 7200VXR series routers and the Cisco 7301 router. Alternatively, you can install the SA-VAM2+ into a Port Adapter Jacket Card (product ID: C7200-JC-PA) that is inserted in the I/O controller slot of a Cisco 7200VXR router with an NPE-G1 or NPE-G2 processor, for additional bandwidth (see Figure 1-2).
The SA-VAM2+ support in the Port Adapter Jacket Card allows you to take advantage of the increase in NPE-G1 or NPE-G2 performance while maintaining VPN performance. Installing the SA-VAM2+ in the Port Adapter Jacket Card leaves more bandwidth for the regular port adapter slots. See the Port Adapter Jacket Card Installation Guide for more information.
Figure 1-1 SA-VAM2+
Figure 1-2 Port Adapter Jacket Card Faceplate
Figure callouts: 1 Captive installation screw; 2 ENABLE LED; 3 PWR (power) LED; 4 Handle; 5 SA-VAM2+/port adapter slot
The SA-VAM2+ provides hardware-accelerated support for multiple encryption functions:
Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)
3-Key Triple DES (168-bit) algorithms at speeds up to 292 Mbps
128/192/256-bit Advanced Encryption Standard (AES) in hardware
Performance to OC3 full duplex with 300-byte packets
Up to 5000 tunnels for DES/3DES/AES
Provides compression with IPSec at no extra overhead (LZS)
Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
Rivest, Shamir, Adleman (RSA) public-key algorithm
Diffie-Hellman Groups 1, 2 and 5
Online Insertion and Removal (OIR)
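The list above pairs DES-CBC with explicit IV and LZS compression, and the IPPCP description earlier in this chapter explains why compression has to run before encryption. The following Go program is an added example, not code from this guide or from Cisco IOS: it uses DEFLATE as a stand-in for LZS (which Go's standard library lacks) and Go's 3-key Triple DES in CBC mode with a random explicit IV, on a constructed 1380-byte payload and a constructed demo key; the function names are the example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// deflate stands in for LZS (not in Go's stdlib); both are stateless LZ-family compressors.
func deflate(p []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(p)
	w.Close()
	return buf.Bytes()
}

// encrypt3DESCBC mirrors "3-key Triple DES, DES-CBC with Explicit IV": the payload is
// padded to the 8-byte DES block and a fresh random IV is sent in the clear ahead of
// the ciphertext, as ESP does. Errors (bad key length, no entropy) abort the demo.
func encrypt3DESCBC(key, p []byte) []byte {
	block, err := des.NewTripleDESCipher(key) // 24-byte key = three independent DES keys
	if err != nil {
		panic(err)
	}
	pad := des.BlockSize - len(p)%des.BlockSize
	padded := append(append([]byte{}, p...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(padded))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
	return out
}

// CompareOrders returns the wire size when IPPCP compresses before ESP encrypts,
// and when a lower layer tries to compress the already-encrypted packet.
func CompareOrders(key, payload []byte) (compressThenEncrypt, encryptThenCompress int) {
	return len(encrypt3DESCBC(key, deflate(payload))), len(deflate(encrypt3DESCBC(key, payload)))
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed 24-byte demo key
	payload := bytes.Repeat([]byte("GET /index.html HTTP/1.1\r\nHost: example.test\r\n"), 30) // constructed 1380-byte payload
	a, b := CompareOrders(key, payload)
	fmt.Printf("plaintext %d, compress-then-encrypt %d, encrypt-then-compress %d bytes\n", len(payload), a, b)
}
```

The encrypted output is indistinguishable from random bytes, so the second order pays DEFLATE's framing overhead on top of the IV and padding and ends up larger than the plaintext, which is the expansion the IPPCP paragraph describes.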
Features
This section describes the SA-VAM2+ features, as listed in Table 1-1.
Table 1-1 SA-VAM2+ Features
Feature | Description/Benefit
Throughput (1) | Up to 292 Mbps using 3DES on the Cisco 7200VXR routers, and up to 392 Mbps using 3DES on the Cisco 7301 router. Note The number of IPSec tunnels depends on packet size.
Number of IPSec protected tunnels (2) | Up to 5000 tunnels (3)
Number of tunnels per second | Up to 50
Hardware-based encryption | Data protection: IPSec DES, 3DES, AES, IPv6 IPSec. Authentication: RSA and Diffie-Hellman. Data integrity: SHA-1 and Message Digest 5 (MD5)
VPN tunneling | IPsec tunnel mode; Generic Routing Encapsulation (GRE) and Layer 2 Tunneling Protocol (L2TP) protected by IPSec
Hardware-based compression | Layer 3 IPPCP LZS
Standards supported | IPSec/IKE: RFCs 2401-2411, 2451. IPPCP: RFC 2393, 2395
(Optional) Port Adapter Jacket Card | The Port Adapter Jacket Card is available on the Cisco 7200VXR router with the NPE-G1 or NPE-G2 (4) processor. Note The Port Adapter Jacket Card supported on the Cisco 7200VXR router with the NPE-G2 is available on Cisco IOS Release 12.4(4)XD1 or later.
The Port Adapter Jacket Card supported on the Cisco 7200VXR router with the NPE-G2 is available on Cisco IOS Release 12.4(4)XD or later.
1. As measured with IPSec 3DES HMAC-SHA1 on 1400-byte packets.
2. Number of tunnels supported varies based on the total system memory installed.
3. To support 5000 tunnels, 512 MB of memory is required.
4. The Cisco 7200VXR with the NPE-G2 is only available with Cisco IOS software version 12.4(4)XD.
Performance
Table 1-2 lists the performance information for the SA-VAM2+.
Table 1-2 Performance for SA-VAM2+
Cisco Router | Throughput (1) (2) | Description
Cisco 7301 | Up to 392 Mbps | Cisco IOS release: c7301-jk9o3s-mz.123-10 (2); 7301/single SA-VAM2+, 1 GB system memory; 3DES/SHA, preshared with no IKE-keepalive configured
Cisco 7301 | Up to 396 Mbps | Cisco IOS release: c7301-jk9o3s-mz.123-10 (2); 7301/single SA-VAM2+, 1 GB system memory; AES/SHA, preshared with no IKE-keepalive configured
Cisco 7200VXR with NPE-G1 or NPE-G2 | Up to 263 Mbps | Cisco IOS release: NPE-G1 c7200-jk9o3s-mz.124-4.T1, 7200VXR (700 MHz)/single SA-VAM2+, 512 MB system memory; Cisco IOS release: NPE-G2 c7200p-adventerprisek9-mz.124-4.XD1, 7200VXR (1.6 GHz)/single VAM2+, 1024 MB system memory; 3DES/SHA, preshared with no IKE-keepalive configured
Cisco 7200VXR with NPE-G1 or NPE-G2 | Up to 222 Mbps | Cisco IOS release: NPE-G1 c7200-jk9o3s-mz.124-4.T1, 7200VXR (700 MHz)/single SA-VAM2+, 512 MB system memory; Cisco IOS release: NPE-G2 c7200p-adventerprisek9-mz.124-4.XD1, 7200VXR (1.6 GHz)/single VAM2+, 1024 MB system memory; AES/SHA, preshared with no IKE-keepalive configured
Cisco 7200VXR with NPE-G1 or NPE-G2 | Up to 391 Mbps | Cisco IOS release: NPE-G1 c7200-jk9o3s-mz.124-4.T1, 7200VXR (700 MHz)/dual SA-VAM2+, 512 MB system memory; Cisco IOS release: NPE-G2 c7200p-adventerprisek9-mz.124-4.XD1, 7200VXR (1.6 GHz)/dual VAM2+, 1024 MB system memory; 3DES/SHA, preshared with no IKE-keepalive configured
Cisco 7200VXR with NPE-G1 or NPE-G2 | Up to 391 Mbps | Cisco IOS release: NPE-G1 c7200-jk9o3s-mz.124-4.T1, 7200VXR/NPE-G1 (700 MHz)/dual SA-VAM2+, 512 MB system memory; Cisco IOS release: NPE-G2 c7200p-adventerprisek9-mz.124-4.XD1, 7200VXR (1.6 GHz)/dual VAM2+, 1024 MB system memory; AES/SHA/IPSec/Tunnel Mode, preshared