Cisco Systems SA-ISA, SM-ISM User Manual

Integrated Services Adapter and Integrated Services Module Installation and Configuration

Product Numbers: SA-ISA(=) and SM-ISM(=) Platforms Supported: Cisco 7100 series routers and Cisco 7200 series routers
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Text Part Number: OL-3575-01 B0
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
This document is to be used in conjunction with the appropriate documentation that shipped with your router.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0301R)
Integrated Services Adapter and Integrated Services Module Installation and Configuration
Copyright © 1999-2003 Cisco Systems, Inc. All rights reserved.
(DRAFT LABEL) ALPHA DRAFT - CISCO CONFIDENTIAL

CONTENTS

Preface iii
  Objectives iii
  Audience iv
  Installation Warning iv
  Document Organization v
  Document Conventions v
  Terms and Acronyms vii
  Related Documentation viii
  Obtaining Documentation x
    Cisco.com x
    Documentation CD-ROM xi
    Ordering Documentation xi
    Documentation Feedback xi
  Obtaining Technical Assistance xii
    Cisco.com xii
    Technical Assistance Center xii
      Cisco TAC Website xii
      Cisco TAC Escalation Center xiii
  Obtaining Additional Publications and Information xiii

Chapter 1 Overview 1-1
  ISA and ISM Overview 1-1
  Data Encryption Overview 1-2
  Features 1-3
  Port Adapter Slot Locations on the Supported Platforms 1-4
    Cisco 7100 Series Routers Slot Numbering 1-4
    Cisco 7200 Series Routers Slot Numbering 1-5
  LEDs 1-6

Chapter 2 Preparing for Installation 2-1
  Required Tools and Equipment 2-1
  Software and Hardware Requirements and Compatibility 2-1
    Software Compatibility 2-2
    Interoperability Between ISA/ISM and VAM 2-2
  Safety Guidelines 2-3
    Safety Warnings 2-3
    Electrical Equipment Guidelines 2-5
    Preventing Electrostatic Discharge Damage 2-5
  Compliance with U.S. Export Laws and Regulations Regarding Encryption 2-6

Chapter 3 Removing and Installing the ISA and the ISM 3-1
  Handling the ISA or the ISM 3-1
  Online Insertion and Removal 3-2
  Warnings and Cautions 3-3
  ISA or ISM Removal and Installation 3-4
    Cisco 7100 Series—Removing and Installing the ISM 3-5
    Cisco 7200 Series—Removing and Installing the ISA 3-6

Chapter 4 Configuring the ISA and ISM 4-1
  Overview 4-1
  Using the EXEC Command Interpreter 4-2
  Enabling MPPE 4-2
  Configuring IKE 4-3
  Configuring IPSec 4-4
    Creating Crypto Access Lists 4-4
    Defining a Transform Set 4-5
    Creating Crypto Maps 4-7
    Applying Crypto Maps to Interfaces 4-9
    Verifying Configuration 4-9
    IPSec Example 4-12

Preface

This preface describes the objectives and organization of this document and explains how to find additional information on related products and services. This preface contains the following sections:
• Objectives, page iii
• Audience, page iv
• Installation Warning, page iv
• Document Organization, page v
• Document Conventions, page v
• Obtaining Documentation, page x
• Obtaining Technical Assistance, page xii
• Obtaining Additional Publications and Information, page xiii

Objectives

This document contains instructions and procedures for installing and configuring the Integrated Services Adapter (ISA) in Cisco 7200 series routers and the Integrated Services Module (ISM) in Cisco 7100 series routers. Also contained in this document are basic configuration steps and examples of router commands and displays.
The ISA is a single-width service adapter and the ISM is a single-width service module. Each provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access, site-to-site intranet, and extranet applications. The ISA and the ISM offload IP Security Protocol (IPSec) and Microsoft Point to Point Encryption (MPPE) processing from the main processor of the Cisco 7200 series or Cisco 7100 series router, thus freeing router resources for other tasks.
Although both the ISA and the ISM provide the same functionality, they are physically unique cards designed for different router platforms, with their own part numbers:
• SM-ISM(=)—Cisco 7100 series routers
• SA-ISA(=)—Cisco 7200 series routers
Note The information provided in this document applies to both the ISA and the ISM unless specifically stated otherwise.

Note To ensure compliance with U.S. export laws and regulations, and to prevent problems later on, see the "Compliance with U.S. Export Laws and Regulations Regarding Encryption" section on page 2-6 for specific and important information.

Audience

To use this publication, you should be familiar not only with Cisco router hardware and cabling but also with electronic circuitry and wiring practices. You should also have experience as an electronic or electromechanical technician.

Installation Warning

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
This warning is also given, with the same meaning, in Dutch, Finnish, French, German, Hungarian, Italian, Norwegian, Portuguese, Spanish, and Swedish.
Document Organization

This document contains the following chapters:
Chapter 1, "Overview": Describes the ISA and the ISM and their LED displays.
Chapter 2, "Preparing for Installation": Describes safety considerations, tools required, and procedures you should perform before the actual installation.
Chapter 3, "Removing and Installing the ISA and the ISM": Describes the procedures for installing and removing the ISA and the ISM in the supported platforms.
Chapter 4, "Configuring the ISA and ISM": Provides instructions for configuring your port adapter on the supported platforms.

Document Conventions

Command descriptions use the following conventions:
boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
[ ]: Elements in square brackets are optional.
{ x | y | z }: Alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
Screen examples use the following conventions:
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
^: The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >: Nonprinting characters, such as passwords, are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Notes, cautionary statements, and safety warnings use these conventions:
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
This warning is also given, with the same meaning, in Dutch, Finnish, French, German, Italian, Norwegian, Portuguese, and Spanish.
Terms and Acronyms

To fully understand the content of this user guide, you should be familiar with the following terms and acronyms:
• DCE—data communications equipment
• DMA—direct memory access
• DTE—data terminal equipment
• EPROM—erasable programmable read-only memory
• EEPROM—electrically erasable programmable read-only memory
• GB—gigabit
• GBIC—Gigabit Interface Converter
• Gbps—gigabits per second
• MB—megabyte
• Mbps—megabits per second
• NVRAM—nonvolatile random-access memory
• OIR—online insertion and removal
• PCI—Peripheral Component Interconnect
• PXF—Parallel eXpress Forwarding—A secondary processor used to accelerate Cisco IOS services
• RFI—radio frequency interference
• RISC—reduced instruction set computing
• ROM—read-only memory
• SDRAM—synchronous dynamic random-access memory
• SDRAM-fixed—SDRAM of a fixed size or quantity; can be replaced, but not upgraded
• SIMM—single in-line memory module
• SNMP—Simple Network Management Protocol
• SRAM—static random-access memory
• TFTP—Trivial File Transfer Protocol
• VAM—Virtual Private Network (VPN) Acceleration Module
• Cache—Memory with fast access and small capacity used to temporarily store recently accessed data; found either incorporated into the processor or near it.
• Primary, secondary, tertiary cache—Hierarchical cache memory storage based on the proximity of the cache to the core of the processor. Primary cache is closest to the processor core and has the fastest access. Secondary cache has slower access than primary cache, but faster access than tertiary cache.
• Instruction and data cache—Instructions to the processor and data on which the instructions work.
• Unified cache—Instruction cache and data cache are combined. For example, a processor may have primary cache with separate instruction and data cache memory, but unified secondary cache.
• Integrated cache—Cache that is built into the processor; sometimes referred to as internal cache. Cache memory that is physically located outside the processor is not integrated, and is sometimes referred to as external cache.
Related Documentation

Your router and the Cisco IOS software running on it contain extensive features and functionality, which are documented in the following resources:
• For configuration information and support, refer to the modular configuration and modular command reference publications in the Cisco IOS software configuration documentation set that corresponds to the software release installed on your Cisco hardware. Access these documents at:
http://www.cisco.com/en/US/products/sw/iosswrel/index.html
Note Select translated documentation is available at http://www.cisco.com/ by selecting the topic "Select a Location / Language" at the top of the page.
• To determine the minimum Cisco IOS software requirements for your router, Cisco maintains the Software Advisor tool on Cisco.com. This tool does not verify whether modules within a system are compatible, but it does provide the minimum IOS requirements for individual hardware modules or components. Registered Cisco Direct users can access the Software Advisor at:
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl
• Cisco 7100 series routers:
  Cisco 7100 Series VPN Router Documentation
  Cisco 7100 Series VPN Router Installation and Configuration Guide
  Cisco 7100 Series VPN Quick Start Guide
  Installing Field-Replaceable Units
  Note For specific port and service adapters for the Cisco 7100 series VPN routers, see the Cisco 7100 Series VPN Router Documentation.
  Cisco 7100 Series VPN Configuration Guide
  Cisco 7100 series VPN router troubleshooting information
  Cisco 7100 Tech Notes
• Cisco 7200 series routers:
  For port adapter hardware and memory configuration guidelines, refer to the Cisco 7200 Series Port Adapter Hardware Configuration Guidelines.
  For hardware installation and maintenance information (including the Cisco 7206 as a router shelf in a Cisco AS5800 Universal Access Server), refer to the installation and configuration guide for your Cisco 7200 series router.
• For international agency compliance, safety, and statutory information for WAN interfaces:
  Regulatory Compliance and Safety Information for Cisco 7100 Series VPN Routers
  Regulatory Compliance and Safety Information for the Cisco 7200 Series Routers
• For IP security and encryption:
  Cisco IOS Enterprise VPN Configuration Guide
  Cisco IOS Interface Configuration Guide, Release 12.1
  Cisco IOS Interface Command Reference, Release 12.1
  Cisco IOS Security Configuration Guide, Release 12.2
  Cisco IOS Security Command Reference, Release 12.2
  Cisco IOS Security Configuration Guide, Release 12.1
  Cisco IOS Security Command Reference, Release 12.1
  Cisco IOS Release 12.0 Security Configuration Guide
  Cisco IOS Release 12.0 Security Command Reference
  Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2
  Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.1
  Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide
  Cisco IOS Interface Configuration Guide, Release 12.1
  FIPS 140 Security documents
  VPN Device Manager documents
• If you are a registered Cisco Direct Customer, you can access the following tools:
  Tools, Maintenance, and Troubleshooting Tips for Cisco IOS Software for Cisco IOS Release 12.0
  Tools, Maintenance, and Troubleshooting Tips for Cisco IOS Software for Cisco IOS Release 12.1
  Tools, Maintenance, and Troubleshooting Tips for Cisco IOS Software for Cisco IOS Release 12.2
  Software Advisor
  Bug Toolkit
  Bug Navigator
  Feature Navigator
  Output Interpreter
  Cisco IOS Error Message Decoder
  Cisco Dynamic Configuration Tool
  MIB Locator
• Additional tools include:
  Tools Index
  Cisco IOS Software Selector Tool
Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance

Obtaining Technical Assist ance
Cisco p rovi des Cisco.com , w hi ch in cl ud es the Cisco Technical As s ista nc e Center (TAC) Website, as a starting po int for all technica l assist ance. Custom ers an d partne rs can obtai n onli ne docum ent ation, troubl eshoot ing tip s, and sa mple c onfigu rati ons fr om the Cis co TAC websit e. Cisc o.com r egis tered us ers have complete access to the technical support resources on the Cisco TA C website, including TAC tools and utiliti es.
Cisco.com
Cisco.co m off ers a su ite of in t er act ive, ne twor ke d s er vices th at let you a ccess Cisco i nf o rma ti on , networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
Strea m li ne business p ro cesses and i m p rove pr oduct ivit y
Resolve technical issues with online support
Download and test software packages
Preface
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
To obta in cu sto m i zed i nformation a nd s e rv ic e, y o u can s e lf -regi s te r on C isco .com at th is UR L:
http:/ /w w w.cisco.com
Technical A ssi stance Cen ter
The Cisc o TAC is availab le to a ll customer s wh o need tech ni cal ass i stance wit h a C isco produ ct , technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escala ti on Cen ter. The avenu e of supp ort th at you cho ose depe nds o n th e pr iori ty of th e p rob lem an d th e conditio n s stated in ser vi ce co nt ra cts, when ap pl ica bl e.
We categorize Cisco TAC inquiries according to urgency:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,
product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably
impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects
of business operations. No workaround is available.
Priorit y l e v el 1 (P1) —Your produ cti on n etw ork is d o wn , and a crit i cal impa ct to b usi nes s op erat io ns
will occur if service is not restored quickly. No workaround is available.
Cisco TAC Website
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this U RL:
http:/ /w w w.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
Overview

This chapter describes the ISA and the ISM and contains the following sections:
ISA and ISM Overview, page 1-1
Data Encryption Overview, page 1-2
Features, page 1-3
Port Adapter Slot Locations on the Supported Platforms, page 1-4
LEDs, page 1-6
Note The ISA and the ISM are the same board, but differ in their outside appearance.

ISA and ISM Overview

The ISA is a single-width service adapter and the ISM is a single-width service module. Each provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access, site-to-site intranet, and extranet applications, as well as platform scalability and security while working with all services necessary for successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management. The ISA and the ISM off-load IPSec and MPPE processing from the main processor of the Cisco 7200 series or Cisco 7100 series router, thus freeing resources on the processor engines (that is, the network processor engine [NPE] on the Cisco 7200 series, and the network processor [NP] on the Cisco 7100 series routers) for other tasks.
The ISA and the ISM provide hardware-accelerated support for multiple encryption functions:
56-bit Data Encryption Standard (DES) standard mode: Cipher Block Chaining (CBC)
3-Key Triple DES (168-bit)
Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
Rivest, Shamir, Adelman (RSA) public-key algorithm
Diffie-Hellman key exchange
RC4-40
Note The Cisco 7100 series VPN routers do not support ISM and ISA in the same chassis. The Cisco 7100 series routers do not support online insertion and removal of the ISM. The Cisco 7200 series routers do not support the ISM. The Cisco 7200 series routers support online insertion and removal of the ISA.
Data Encryption Overview
The ISA and the ISM support IPSec, IKE, Microsoft Point to Point Encryption (MPPE), and Certification Authority (CA) interoperability features, providing highly scalable remote access VPN capabilities to Microsoft Windows 95/98/NT systems.
MPPE in conjunction with Microsoft’s Point-to-Point tunneling protocol (PPTP) provides security for remote Microsoft Windows users by providing a tunneling capability, user-level authentication, and data encryption.
Note For more information on IPSec, IKE, MPPE, and CA interoperability, refer to the “IP Security and Encryption” chapter in the Security Configuration Guide and Security Command Reference publications.
IPSec acts at the network level and is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec services are similar to those provided by Cisco Encryption Technology (CET). However, IPSec provides a more robust security solution and is standards-based. IPSec also provides data authentication and antireplay services in addition to data confidentiality services, whereas CET provides data confidentiality services only.
Cisco implements the following standards with data encryption:
IPSec—IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IPSec is documented in a series of Internet Drafts. The overall IPSec implementation is documented in RFC 2401 through RFC 2412 and RFC 2451.
IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. Although IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
Microsoft Point-to-Point Encryption (MPPE) protocol is an encryption technology that provides encryption across point-to-point links. These links may use Point-to-Point Protocol (PPP) or Point-to-Point Tunnel Protocol (PPTP).
The ISA and the ISM support MPPE when encapsulation is set to PPP or PPTP.
CA—In addition, Certificate Authority (CA) interoperability is provided in support of the IPSec standard, using Certificate Enrollment Protocol (CEP). CEP permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
The component technologies implemented for IPSec include:
DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) are used to encrypt packet data. Cisco IOS implements the 3-key triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
MD5 (HMAC variant)—MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
SHA (HMAC variant)—SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
IPSec as implemented in Cisco IOS software supports the following additional standards:
AH—Authentication Header is a security protocol that provides data authentication and optional antireplay services. The AH protocol allows for the use of various authentication algorithms; Cisco IOS has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol provides antireplay services.
ESP—Encapsulating Security Payload is a security protocol that provides data privacy services, optional data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP protocol allows for the use of various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS software implements the mandatory 56-bit DES-CBC with Explicit IV or Triple DES as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides antireplay services.
Features
This section describes the ISA/ISM features, as listed in Table 1-1.
Table 1-1 Features
Feature: Description
Physical: Integrated Service Adapter (ISA); Integrated Service Module (ISM)
Platform Support: Cisco 7100 series (Cisco 7120 series and Cisco 7140 series); Cisco 7200 series and Cisco 7200VXR series, ISA only (1) (Cisco 7202, Cisco 7204, and Cisco 7206; Cisco 7204VXR and Cisco 7206VXR)
Hardware Prerequisites: None
Throughput: Up to full duplex DS3 (90 Mbps) using 3DES
Number of Tunnels: Up to 2000 IPSec protected tunnels; up to 2000 PPTP tunnels protected by MPPE
Encryption: Data protection: IPSec DES and 3DES, 40- and 128-bit RC4 MPPE (stateful or stateless). Authentication: RSA and Diffie-Hellman, MS-CHAP. Data integrity: SHA-1 and MD5
VPN Tunneling: IPSec tunnel mode, GRE, L2TP, L2F protected by IPSec, PPTP protected by MPPE
Number of ISMs per Router: Cisco 7100 series (Cisco 7120 series and Cisco 7140 series): one ISM per chassis
Minimum Cisco IOS Release Supported (2):
Cisco 7100 series (Cisco 7120 series and Cisco 7140 series): Cisco IOS Release 12.0(5)XE or a later release of Cisco IOS Release 12.0 XE; Cisco IOS Release 12.1(1)E or a later release of Cisco IOS Release 12.1 E; Cisco IOS Release 12.2(2)T or a later release of Cisco IOS Release 12.1 T; Cisco IOS Release 12.2 M or a later release of Cisco IOS Release 12.2 M.
Cisco 7200 and Cisco 7200VXR series, for ISA only (Cisco 7202, Cisco 7204, and Cisco 7206): Cisco IOS Release 12.0(5)XE or a later release of Cisco IOS Release 12.0 XE; Cisco IOS Release 12.1(1)E or a later release of Cisco IOS Release 12.1 E; Cisco IOS Release 12.2(2)T or a later release of Cisco IOS Release 12.1 T; Cisco IOS Release 12.2 M or a later release of Cisco IOS Release 12.2 M; Cisco IOS Release 12.2(4)B or a later release of Cisco IOS Release 12.2 B
Standards Supported: IPSec/IKE: RFCs 2401-2410, 2411, 2451; MPPE: draft-ietf-pppext-mppe-*
1. The Cisco 7200 series and Cisco 7200VXR series routers only support the ISA, not the ISM.
2. Cisco IOS Release 12.1 Mainline is not supported on ISA or ISM.
Port Adapter Slot Locations on the Supported Platforms
This section discusses port adapter slot locations on the supported platforms. The illustrations that follow summarize the slot location conventions on the supported platforms:
Cisco 7100 Series Routers Slot Numbering
Cisco 7200 Series Routers Slot Numbering
Cisco 7100 Series Routers Slot Numbering
The ISM can be installed in service module slot 5 in Cisco 7120 series and Cisco 7140 series routers. Figure 1-1 shows a Cisco 7120 with an ISM installed in slot 5. Figure 1-2 shows a Cisco 7140 with an ISM installed in slot 5. A port adapter can be installed in slot 3 in the Cisco 7120 series routers and in slot 4 in the Cisco 7140 series routers.
Note The Cisco 7100 series VPN routers do not support an ISM and an ISA in the same chassis.
Figure 1-1 Service Module Slot 5 in the Cisco 7100 Series Router—Cisco 7120 Series (figure: port adapter in slot 3, ISM in slot 5)
Figure 1-2 Service Module Slot 5 in the Cisco 7100 Series Router—Cisco 7140 Series (figure: ISM in slot 5; slot 0 and slot 1 labeled)
Cisco 7200 Series Routers Slot Numbering
The ISA can be installed in the Cisco 7200 series routers in any available port adapter slot. Figure 1-3 shows a Cisco 7206 with port adapters installed, and a port adapter filler installed in slot 5. (The Cisco 7202 and Cisco 7204 are not shown; however, the ISA can be installed in any available port adapter slot.)
Figure 1-3 Port Adapter Slots in the Cisco 7206 (figure: callouts for port adapter slots 0 through 6)
LEDs
The ISA has three LEDs, as shown in Figure 1-4. Table 1-2 lists the colors and functions of the ISA LEDs.
Note The Boot LED remains lit when the ISA/ISM is configured for MPPE, and it starts to pulsate after booting when the ISA/ISM is configured for IPSec. The ISA/ISM functions normally whether the Boot LED is pulsating or is solid. See Chapter 4, “Configuring the ISA and ISM” for more information on configuring the ISA/ISM.
Figure 1-4 ISA Front Panel LEDs (SA-ISA shown) (figure: SA-ISA faceplate labeled ENCRYPT/COMP with the ENABLE, BOOT, and ERROR LEDs)
Table 1-2 ISA LEDs
LED Label (Color, State): Function
ENABLE (Green, On): Indicates the ISA is powered up and enabled for operation.
BOOT (Amber, Pulses) (1): Indicates the ISA is operating.
BOOT (Amber, On): Indicates the ISA is booting or a packet is being encrypted or decrypted.
ERROR (Amber, On): Indicates an encryption error has occurred. This LED is normally off.
1. After successfully booting, the boot LED pulses in a “heartbeat” pattern to indicate that the ISA is operating. As crypto traffic increases, the nominal level of this LED increases in proportion to the traffic level.
The following conditions must all be met before the enabled LED goes on:
The ISA is correctly connected to the backplane and receiving power.
The system bus recognizes the ISA.
If either of these conditions is not met, or if the router initialization fails, the enabled LED does not go on.
The ISM has three LEDs, as shown in Figure 1-5. Table 1-3 lists the colors and functions of the LEDs.
Figure 1-5 ISM LEDs (figure: SM-ISM faceplate with the BOOT, ERROR, and EN LEDs next to the RESET button)
Note The physical orientation of the ISM LEDs is reversed from that of the ISA (see Figure 1-5).
Table 1-3 ISM LEDs
LED Label (Color, State): Function
EN (Green, On): Indicates the ISM is powered up and enabled for operation.
BOOT (Amber, Pulses) (1): Indicates the ISM is operating.
BOOT (Amber, On): Indicates the ISM is booting or a packet is being encrypted or decrypted.
ERROR (Amber, On): Indicates an encryption error has occurred. This LED is normally off.
1. After successfully booting, the boot LED pulses in a “heartbeat” pattern to indicate that the ISM is operating. As crypto traffic increases, the nominal level of this LED increases in proportion to the traffic level.
The following conditions must all be met before the enabled LED goes on:
The ISM is correctly connected to the backplane and receiving power.
The system bus recognizes the ISM.
If either of these conditions is not met, or if the router initialization fails for other reasons, the enabled LED does not go on.
Preparing for Installation

This chapter describes the general equipment, safety, and site preparation requirements for installing the ISA and the ISM.
This chapter contains the following sections:
Required Tools and Equipment, page 2-1
Software and Hardware Requirements and Compatibility, page 2-1
Software Compatibility, page 2-2
Safety Guidelines, page 2-3
Compliance with U.S. Export Laws and Regulations Regarding Encryption, page 2-6

Required Tools and Equipment

You need the following tools and parts to install an ISA or ISM. If you need additional equipment, contact a service representative for ordering information.
SA-ISA(=) service adapter or SM-ISM(=) service module
Number 2 Phillips screwdriver
Your own electrostatic discharge (ESD)-prevention equipment or the disposable grounding wrist strap included with all upgrade kits, field-replaceable units (FRUs), and spares
Antistatic mat
Antistatic container

Software and Hardware Requirements and Compatibility

Table 2-1 lists the recommended minimum Cisco IOS software release required to use the ISA/ISM in supported router or switch platforms.
Note The Cisco 7100 series VPN routers do not support an ISM and an ISA in the same chassis. The Cisco 7200 series routers do not support the ISM. The ISA and the ISM are the same board, but differ in their outside appearance.
Note The Cisco IOS Release 12.1 Mainline does not support the ISA/ISM.
Table 2-1 Minimum Cisco IOS Software Releases
Platform: Recommended Minimum Cisco IOS Release
Cisco 7100 series (Cisco 7120 series and Cisco 7140 series): Cisco IOS Release 12.0(5)XE or a later release of Cisco IOS Release 12.0 XE; Cisco IOS Release 12.1(1)E or a later release of Cisco IOS Release 12.1 E; Cisco IOS Release 12.2(2)T or a later release of Cisco IOS Release 12.1 T; Cisco IOS Release 12.2M or a later release of Cisco IOS Release 12.2M.
Cisco 7200 series, for ISA only (Cisco 7202, Cisco 7204, and Cisco 7206): Cisco IOS Release 12.0(5)XE or a later release of Cisco IOS Release 12.0 XE; Cisco IOS Release 12.1(1)E or a later release of Cisco IOS Release 12.1 E; Cisco IOS Release 12.2(2)T or a later release of Cisco IOS Release 12.1 T; Cisco IOS Release 12.2M or a later release of Cisco IOS Release 12.2M; Cisco IOS Release 12.2(4)B or a later release of Cisco IOS Release 12.2 B
Software Compatibility
To check the minimum software requirements of Cisco IOS software with the hardware installed on your router, Cisco maintains the Software Advisor tool on Cisco.com. Registered Cisco Direct users can access the Software Advisor at this URL: http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl. This tool does not verify whether modules within a system are compatible, but it does provide the minimum Cisco IOS software requirements for individual hardware modules or components.
Note Access to this tool is limited to users with Cisco.com login accounts.
Interoperability Between ISA/ISM and VAM
Note The Cisco 7100 series routers support ISM and the SA-VAM; the Cisco 7200 series routers support ISA and SA-VAM; and the Cisco 7200 series routers support two ISAs in the same chassis.
Table 2-2 describes the interoperability between ISA and VAM. You can use ISA with VAM, provided you observe the following conditions:
The system supports two ISAs in the same Cisco 7200 series router chassis. If one ISA is enabled at system bootup, and a second ISA is added later, the second ISA becomes active immediately, and depending on the configuration, the system attempts to load-balance between the two ISAs.
If ISA and VAM are in the chassis at system bootup, the Cisco 7200 series router supports the newer version, in this case, VAM, provided the Cisco IOS Release supports VAM; and the ISA remains inactive.
If ISA and VAM are in the chassis at system bootup, and the encryption mppe command is in the router’s running configuration, then both ISA and VAM are enabled at system bootup. The ISA card supports MPPE, and the VAM supports ISAKMP/IPSec. You can enable encryption mppe by following the steps in the “Configuring IPSec” section on page 4-4. To disable MPPE on an ISA card, use the no encryption mppe command. This disables the ISA.
To disable a card, use the no crypto engine accelerator type slot/port (port-adapter-slot-number/interface-port-number) command.
Table 2-2 Interoperability Between ISA and VAM
ISA and ISA:
• Supports MPPE
• Supports ISAKMP/IPSec
• If two ISAs are enabled in the chassis at power up, then both modules support both MPPE and ISAKMP/IPSec.
• If ISA is enabled in the chassis at bootup, and another ISA is added later, the second ISA immediately becomes active and depending on the configuration, the system attempts to load-balance between the two ISAs.
ISA with VAM:
• Supports MPPE
• Supports ISAKMP/IPSec
• If ISA and VAM are enabled in the chassis at power up, ISA is used for MPPE, and VAM is used for ISAKMP/IPSec, provided the router’s running configuration includes the encryption mppe command.
• If ISA is enabled in the chassis at bootup, and VAM is added later, the VAM remains inactive until the next reboot, or until the configuration is changed to enable the VAM.
Safety Guidelines
This section provides safety guidelines that you should follow when working with any equipment that connects to electrical power or telephone wiring.
Safety Warnings
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, might harm you. A warning symbol precedes each warning statement.
Warning
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
Electrical Equipment Guidelines
Follow these basic guidelines when working with any electrical equipment:
Before b egi nnin g any p r oc ed ur es re qu ir in g ac ces s to the ch ass is interior, locat e t he emergency
power-off switch for the room in which you are working.
Disconne ct all power an d ex te rn al cab l es b ef ore moving a c ha s sis.
Do not work a lone when potentia lly h a z ar do us cond i tio ns exist.
Never assum e t hat p ower ha s b een d isco n ne cted from a ci rc ui t; alw ays check.
Do not perform any action that creates a potential hazard to people or makes the equipment unsafe;
carefully examine your work area for possible hazards such as moist floors, ungrounded power extension cables, and missing safety grounds.
Preventing Electrostatic Discharge Damage
Electrostatic discharge (ESD) damage, which can occur when electronic cards or components are improperly handled, results in complete or intermittent failures. Port adapters and processor modules comprise printed circuit boards that are fixed in metal carriers. Electromagnetic interference (EMI) shielding and connectors are integral components of the carrier. Although the metal carrier helps to protect the board from ESD, use a preventive antistatic strap during handling.
Following are guidelines for preventing ESD damage:
• Always use an ESD wrist or ankle strap and ensure that it makes good skin contact.
• Connect the equipment end of the strap to an unfinished chassis surface.
• When installing a component, use any available ejector levers or captive installation screws to properly seat the bus connectors in the backplane or midplane. These devices prevent accidental removal, provide proper grounding for the system, and help to ensure that bus connectors are properly seated.
• When removing a component, use any available ejector levers or captive installation screws to release the bus connectors from the backplane or midplane.
• Handle carriers by available handles or edges only; avoid touching the printed circuit boards or connectors.
• Place a removed board component-side-up on an antistatic surface or in a static shielding container. If you plan to return the component to the factory, immediately place it in a static shielding container.
• Avoid contact between the printed circuit boards and clothing. The wrist strap only protects components from ESD voltages on the body; ESD voltages on clothing can still cause damage.
• Never attempt to remove the printed circuit board from the metal carrier.
Caution For safety, periodically check the resistance value of the antistatic strap. The measurement should be between 1 and 10 megohms (Mohm).
Compliance with U.S. Export Laws and Regulations Regarding Encryption
This product performs encryption and is regulated for export by the U.S. government. Persons exporting any item out of the United States by either physical or electronic means must comply with the Export Administration Regulations as administered by the U.S. Department of Commerce, Bureau of Export Administration. See http://www.bxa.doc.gov/ for more information.
Certain strong encryption items can be exported outside the United States depending upon the destination, end user, and end use. See http://www.cisco.com/wwl/export/crypto/ for more information about Cisco-eligible products, destinations, end users, and end uses.
Check local country laws prior to export to determine import and usage requirements as necessary. See http://www.kub.nl/faculteiten/frw/outdated.html as one possible, unofficial source of international encryption laws.
Chapter 3 Removing and Installing the ISA and the ISM
This chapter describes how to remove the ISA or ISM from supported platforms and also how to install a new or replacement ISA or ISM. This chapter contains the following sections:
• Handling the ISA or the ISM, page 3-1
• Online Insertion and Removal, page 3-2
• Warnings and Cautions, page 3-3
• ISA or ISM Removal and Installation, page 3-4
The ISA and the ISM circuit boards are mounted to metal carriers and are sensitive to electrostatic discharge (ESD) damage.
Note When a port adapter slot or service module slot is not in use, a blank port adapter or service module must fill the empty slot to allow the router to conform to electromagnetic interference (EMI) emissions requirements and to allow proper airflow. If you plan to install a new ISA or ISM in a slot that is not in use, you must first remove the blank port adapter or blank service module.
Caution When powering off the router, wait a minimum of 30 seconds before powering it on again.

Handling the ISA or the ISM

Caution Always handle the ISA or the ISM by the carrier edges and handle; never touch the components or connector pins. (See Figure 3-1 and Figure 3-2.)

Figure 3-1 Handling the ISM (figure: printed circuit board mounted in a metal carrier)
Figure 3-2 Handling the ISA (figure: printed circuit board mounted in a metal carrier)

Online Insertion and Removal
Several platforms support online insertion and removal (OIR); therefore, you do not have to power down the router when removing and replacing an ISA on Cisco 7200 series routers.
Warning
Cisco 7100 series routers do not support OIR for the service module slot (slot 5); therefore, you must power down the router when removing or replacing an ISM in Cisco 7100 series routers.
Note As you disengage the module from the router or switch, online insertion and removal (OIR) administratively shuts down all active interfaces in the module. It is wise to gracefully shut down the system before removing a port adapter that has active traffic moving through it. Removing a module while traffic is flowing through the ports can cause system disruption. Once the module is inserted, the ports can be brought back up.
OIR allows you to install and replace modules while the router is operating; you do not need to notify the software or shut down the system power, although you should not run traffic through the module you are removing while it is being removed. OIR is a method that is seamless to end users on the network, maintains all routing information, and preserves sessions.
The following is a functional description of OIR for background information only; for specific procedures for installing and replacing a module in a supported platform, refer to the "ISA or ISM Removal and Installation" section on page 3-4.
Each module has a bus connector that connects it to the router. The connector has a set of tiered pins in three lengths that send specific signals to the system as they make contact with the module. The system assesses the signals it receives and the order in which it receives them to determine if a module is being removed from or introduced to the system. From these signals, the system determines whether to reinitialize a new interface or to shut down a disconnected interface.
Specifically, when you insert a module, the longest pins make contact with the module first, and the shortest pins make contact last. The system recognizes the signals and the sequence in which it receives them.
When you remove or insert a module, the pins send signals to notify the system of changes. The router then performs the following procedure:
1. Rapidly scans the system for configuration changes.
2. Initializes newly inserted port adapters or administratively shuts down any vacant interfaces.
3. Brings all previously configured interfaces on the module back to their previously installed state.
Any newly inserted interface is put in the administratively shutdown state, as if it was present (but not configured) at boot time. If a similar module type is reinserted into a slot, its ports are configured and brought online up to the port count of the originally installed module of that type.

Note Before you begin installation, read Chapter 2, "Preparing for Installation," for a list of parts and tools required for installation.

Warnings and Cautions
Observe the following warnings and cautions when installing or removing service adapters and service modules.
Note If a port adapter lever or other retaining mechanism does not move to the locked position, the service adapter is not completely seated in the midplane. Carefully pull the service adapter out of the slot, reinsert it, and move the port adapter lever or other mechanism to the locked position.
Caution To prevent jamming the carrier between the upper and the lower edges of the service module slot, and to ensure that the edge connector at the rear of the ISM mates with the connection at the rear of the service module slot, make certain that the carrier is positioned correctly, as shown in the cutaway in the "Cisco 7100 Series—Removing and Installing the ISM" section on page 3-5.
Warning
When performing the following procedures, wear a grounding wrist strap to avoid ESD damage to the card. Some platforms have an ESD connector for attaching the wrist strap. Do not directly touch the midplane or backplane with your hand or any metal tool, or you could shock yourself.
Warning
Cisco 7100 series routers do not support OIR of the ISM. Failure to power down the router when removing or replacing the ISM could cause serious equipment damage or electrical shock.

ISA or ISM Removal and Installation
In this section, the illustrations that follow give step-by-step instructions on how to remove and install the ISA or the ISM. This section contains the following illustrations:
• Cisco 7100 Series—Removing and Installing the ISM, page 3-5
• Cisco 7200 Series—Removing and Installing the ISA, page 3-6
Note The Cisco 7100 series VPN routers do not support an ISM and an ISA in the same chassis.
Cisco 7100 Series—Removing and Installing the ISM
Step 1
To remove the ISM, use a number 2 Phillips screwdriver to loosen the captive installation screws.
Step 2
Grasp the captive installation screws of the ISM to pull it from the router.
Note: When inserting the ISM, hold the ISM up at a slight angle to engage the carrier guides. Completely seating the ISM in the slot may require several attempts.
Step 3
To insert the ISM, carefully align the ISM carrier between the upper and the lower edges of the service module slot (slot 5).
Step 4
Carefully slide the ISM all the way into the slot until it is seated in the router midplane.
Step 5
After the ISM is properly seated, tighten the captive installation screws.
(Figure: ISM in slot 5 of a Cisco 7100 series router, showing the captive installation screws.)
Cisco 7200 Series—Removing and Installing the ISA
Step 1
To remove the service adapter, place the port adapter lever in the unlocked position. (See A.) The port adapter lever remains in the unlocked position.
Step 2
Grasp the handle of the service adapter and pull the service adapter from the router. If you are removing a blank port adapter, pull the blank port adapter completely out of the chassis slot.
Step 3
To insert the service adapter, carefully align the service adapter carrier between the upper and the lower edges of the port adapter slot. (See B.)
Step 4
Carefully slide the new service adapter into the port adapter slot until the service adapter is seated in the router midplane.
Step 5
After the service adapter is properly seated, lock the port adapter lever. (See A.)
(Figure: A, port adapter lever in the locked and unlocked positions; B, slot guide of a Cisco 7200 series router.)
Note: This adapter removal applies to any port or service adapter.
Chapter 4 Configuring the ISA and ISM
This chapter contains the information and procedures needed to configure the ISA or the ISM in the Cisco 7100 series VPN routers and Cisco 7200 series routers. This chapter contains the following sections:
• Overview, page 4-1
• Using the EXEC Command Interpreter, page 4-2
• Enabling MPPE, page 4-2
• Configuring IKE, page 4-3
• Configuring IPSec, page 4-4
• Creating Crypto Maps, page 4-7
• Applying Crypto Maps to Interfaces, page 4-9
• Verifying Configuration, page 4-9
• IPSec Example, page 4-12

Overview

Note There are no interfaces to configure on the ISA or the ISM.
On power up, if the enabled LED is on, the ISA or the ISM is fully functional and does not require any configuration commands. However, for the ISA or the ISM to provide encryption services, you must complete the steps in the following sections:
• Enabling MPPE, page 4-2 (required)
• Configuring IKE, page 4-3 (required)
• Configuring IPSec, page 4-4 (required)
• Creating Crypto Maps, page 4-7 (required)
Optionally, you can configure Certification Authority (CA) interoperability (refer to the "Configuring Certification Authority Interoperability" chapter in the Security Configuration Guide publication).
The ISA or the ISM provides encryption services for any interface in Cisco 7100 series and Cisco 7200 series routers. If you have previously configured IPSec on the router and you install an ISA or an ISM, the ISA or the ISM automatically performs encryption services.
Configuring IPSec requires privileged-level access to the EXEC command interpreter. Also, privileged-level access usually requires a password. (Contact your system administrator, if necessary, to obtain privileged-level access.)
These sections contain basic configuration information only. For detailed configuration information, refer to the "IP Security and Encryption" chapter of the Security Configuration Guide publication.

Using the EXEC Command Interpreter
You modify the configuration of your router through the software command interpreter called the EXEC (also called enable mode). You must enter the privileged level of the EXEC command interpreter with the enable command before you can use the configure command to configure a new interface or change the existing configuration of an interface. The system prompts you for a password if one has been set.
The system prompt for the privileged level ends with a pound sign (#) instead of an angle bracket (>). At the console terminal, use the following procedure to enter the privileged level:
Step 1 At the user-level EXEC prompt, enter the enable command. The EXEC prompts you for a privileged-level password as follows:
Router> enable
Password:
Step 2 Enter the password (the password is case sensitive). For security purposes, the password is not displayed. When you enter the correct password, the system displays the privileged-level system prompt (#):
Router#

Enabling MPPE

Use the encryption mppe command in ISA controller configuration mode to enable MPPE on the ISA or the ISM. This off-loads the MPPE function from the route processor to the ISA or the ISM.
Note The Boot LED remains lit instead of pulsating when the ISA/ISM is configured for IPSec (default). When the ISA/ISM is configured for MPPE, the Boot LED pulsates. The ISA/ISM functions normally whether the Boot LED is pulsating or is solid.
Note To use the encryption mppe command, PPP encapsulation must be enabled.
Step 1. Command: Router(config)# controller isa slot/port. Purpose: Enter controller configuration mode on the ISA card.
Step 2. Command: Router(config-controller)# encryption mppe. Purpose: Enables MPPE encryption.
Use the ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful] command in interface configuration mode to enable MPPE on the virtual template.
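The two commands above show only the ISA side. The following configuration, added here as an example and not taken from this manual, ties the ISA controller to the PPP virtual template that dial-in sessions use. The slot/port value 1/0, the interface names and the loopback address are assumptions; MPPE derives its session keys from MS-CHAP authentication, so the template authenticates with MS-CHAP.

```text
! Added example (not from the Cisco manual): ISA-offloaded MPPE for PPP
! sessions. Slot/port, interface names and addresses are assumed.
!
! 1. Hand the MPPE work to the ISA, assumed to sit in port adapter slot 1.
!    Once this is configured the Boot LED pulsates instead of staying lit;
!    that is normal for MPPE mode.
controller isa 1/0
 encryption mppe
!
! 2. MPPE runs only over PPP, so the virtual template must use PPP
!    encapsulation. MPPE keys come from the MS-CHAP exchange, so MS-CHAP
!    authentication is required as well. "required" rejects any peer that
!    will not encrypt; "128" refuses the weaker 40-bit key length.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback0
 encapsulation ppp
 ppp authentication ms-chap
 ppp encrypt mppe 128 required
```

Choosing 128 and required over auto means a client that can only do 40-bit MPPE, or no MPPE at all, fails to connect rather than silently getting a weaker session; use auto only where such clients must be served and the downgrade is accepted.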

Configuring IKE

IKE is enabled by default. IKE does not have to be enabled for individual interfaces but is enabled globally for all interfaces at the router. You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during the IKE negotiation.
You can create multiple IKE policies, each with a different combination of parameter values. If you do not configure any IKE policies, the router uses the default policy, which is always set to the lowest priority, and which contains each parameter's default value.
For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority). You can configure multiple policies on each peer, but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer.
If you do not specify a value for a parameter, the default value is assigned. For information on default values, refer to the "IP Security and Encryption" chapter of the Security Command Reference publication.
Note The default policy and the default values for configured policies do not show up in the configuration when you issue a show running-config EXEC command. Instead, to see the default policy and any default values within configured policies, use the show crypto isakmp policy EXEC command.
To configure a policy, use the following commands, starting in global configuration mode:
Step 1. Command: crypto isakmp policy priority. Purpose: Identify the policy to create, and enter config-isakmp command mode.
Step 2. Command: encryption {des | 3des}. Purpose: Specify the encryption algorithm.
Step 3. Command: group {1 | 2}. Purpose: Specify the Diffie-Hellman group identifier.
For detailed information on creating IKE policies, refer to the "Configuring Internet Key Exchange Security Protocol" chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:
• Why Do You Need to Create These Policies?
• What Parameters Do You Define in a Policy?
• How Do IKE Peers Agree upon a Matching Policy?
• Which Value Should You Select for Each Parameter?
• Creating Policies
• Additional Configuration Required for IKE Policies
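The following configuration, added here as an example and not taken from this manual, shows how the priority and matching rules above play out between two peers: Router A offers two policies, Router B offers one, and only the pair with identical encryption, hash, authentication and Diffie-Hellman values can be selected. The hash, authentication, lifetime and crypto isakmp key commands are standard IOS commands not listed in the table above; the peer addresses and the key string are constructed placeholders.

```text
! Added example, not from the manual. IKE policies on two peers; addresses
! and the pre-shared key are constructed placeholders.
!
! --- Router A (192.0.2.1) ---
! Priority 10 is offered first. Its encryption, hash, authentication and
! Diffie-Hellman group must match a policy on the peer exactly; lifetime
! is not part of the match.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! A weaker fallback at lower priority. Remove it once every peer supports
! policy 10: as long as it exists, a peer offering only DES/MD5/group 1
! still negotiates successfully at that strength. The built-in default
! policy (see "show crypto isakmp policy") sits below both of these.
crypto isakmp policy 20
 encryption des
 hash md5
 authentication pre-share
 group 1
! Pre-shared key for the peer at 192.0.2.2 (placeholder key string).
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.2
!
! --- Router B (192.0.2.2) ---
! Only policy 10 on Router A matches this one (3des/sha/pre-share/group 2);
! Router A's policy 20 is never selected against this peer.
crypto isakmp policy 5
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.1
!
! Verify from privileged EXEC on either router. Unlike show running-config,
! this lists the default values and the default policy:
! show crypto isakmp policy
```

The priority numbers only order the local offer; the peer's priority numbers (10 on Router A, 5 on Router B) do not have to agree, only the four negotiated parameters do.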
Configuring IPSec
After you have completed IKE configuration, configure IPSec at each participating IPSec peer. This section contains basic steps to configure IPSec and includes the tasks discussed in the following sections:
• Creating Crypto Access Lists, page 4-4
• Defining a Transform Set, page 4-5
For detailed information on configuring IPSec, refer to the "Configuring IPSec Network Security" chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:
• Ensure Access Lists Are Compatible with IPSec
• Set Global Lifetimes for IPSec Security Associations
• Create Crypto Access Lists
• Define Transform Sets
• Create Crypto Map Entries
• Apply Crypto Map Sets to Interfaces
• Monitor and Maintain IPSec
Creating Crypto Access Lists
Crypto access lists are used to define which IP traffic will be protected by encryption and which will not. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between subnet A and subnet Y or Telnet traffic between host A and host B.
The access lists themselves are not specific to IPSec; they are no different from what is used for Cisco Encryption Technology (CET). It is the crypto map entry referencing the specific access list that defines whether IPSec or CET processing is applied to the traffic matching a permit entry in the access list.
Crypto access lists associated with IPSec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPSec (permit = protect).
• Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.
• Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for ipsec-isakmp crypto map entries.) In order to be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map entry.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.
Later, you will associate the crypto access lists to particular interfaces when you configure and apply crypto map sets to the interfaces (following instructions in the "Creating Crypto Maps" section on page 4-7).
Note IKE uses UDP port 500. The IPSec Encapsulation Security Protocol (ESP) and Authentication Header (AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec. In some cases you might need to add a statement to your access lists to explicitly permit this traffic.
To create crypto access lists, use the following commands in global configuration mode:
Step 1. Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log], or ip access-list extended name. Purpose: Specify conditions to determine which IP packets are protected (see footnote 1). (Enable or disable encryption for traffic that matches these conditions.)
Step 2. Add permit and deny statements as appropriate.
Step 3. Command: end. Purpose: Exit the configuration command mode.
1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.
We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.
For detailed information on configuring access lists, refer to the "Configuring IPSec Network Security" chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:
• Crypto Access List Tips
• Defining Mirror Image Crypto Access Lists at Each IPSec Peer
• Using the any Keyword in Crypto Access Lists
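The following configuration, added here as an example and not taken from this manual, shows the two access lists this section and the preceding note call for on each peer: a crypto access list (where permit means protect) written as a mirror image on both routers, and an ordinary interface access list that admits IKE, ESP and AH from the peer. All addresses are constructed: Router A has WAN address 192.0.2.1 and LAN 10.1.1.0/24, Router B has WAN address 192.0.2.2 and LAN 10.2.2.0/24; the interface name Serial0/0 is assumed.

```text
! Added example, not from the manual. Mirror-image crypto access lists on
! two peers, plus an interface access list that lets IKE and IPSec through.
! Addresses and interface names are constructed.
!
! --- Router A ---
! Crypto ACL: "permit" means "protect", not "forward". Only the LAN-to-LAN
! flow is listed; no "any", so unrelated traffic is neither encrypted nor
! discarded as traffic that "should have been protected".
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Interface ACL on the WAN side. IKE (UDP 500), ESP (protocol 50) and
! AH (protocol 51) from the peer must not be blocked or the tunnel never
! comes up; everything else from outside falls to the implicit deny.
access-list 110 permit udp host 192.0.2.2 host 192.0.2.1 eq 500
access-list 110 permit esp host 192.0.2.2 host 192.0.2.1
access-list 110 permit ahp host 192.0.2.2 host 192.0.2.1
! Assumption: on the IOS releases this card shipped with, the inbound ACL
! is also applied to the packet after decryption, so the protected LAN
! flow is permitted explicitly. The line is harmless if it is not needed.
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
!
! --- Router B: the exact mirror image (source and destination swapped) ---
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit udp host 192.0.2.1 host 192.0.2.2 eq 500
access-list 110 permit esp host 192.0.2.1 host 192.0.2.2
access-list 110 permit ahp host 192.0.2.1 host 192.0.2.2
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 110 in
```

The mirror-image property matters on the receiving side: Router B accepts Router A's proposal for 10.1.1.0/24 to 10.2.2.0/24 only because its own crypto ACL 101 permits the reversed flow, and a crypto ACL built with any on one peer would let that peer propose flows the other never intended to protect.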
Defining a Transform Set
A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.
During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers' IPSec security associations.
With manually established security associations, there is no negotiation with the peer, so both sides must specify the same transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
To define a transform set, use the following commands, starting in global configuration mode:
Step 1. Command: crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]. Purpose: Define a transform set and enter crypto transform configuration mode. Complex rules define which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command, and Table 4-1 on page 4-7 provides a list of allowed transform combinations.
Step 2. Command: mode [tunnel | transport]. Purpose: Change the mode associated with the transform set. The mode setting is applicable only to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)
Step 3. Command: end. Purpose: Exit the crypto transform configuration mode to enabled mode.
Step 4. Command: clear crypto sa, or clear crypto sa peer {ip-address | peer-name}, or clear crypto sa map map-name, or clear crypto sa spi destination-address protocol spi. Purpose: This step clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.) Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database.
Table 4-1 shows allowed transform combinations.
Table 4-1 Allowed Transform Combinations
AH Transform (see footnote 1):
  ah-md5-hmac: AH with MD5 (HMAC variant) authentication algorithm
  ah-sha-hmac: AH with SHA (HMAC variant) authentication algorithm
ESP Encryption Transform (see footnote 1):
  esp-3des: ESP with 168-bit Triple DES encryption algorithm
  esp-des: ESP with 56-bit DES encryption algorithm
  esp-null: ESP transform without cipher
ESP Authentication Transform (see footnote 2):
  esp-md5-hmac: ESP with MD5 (HMAC variant) authentication algorithm
  esp-sha-hmac: ESP with SHA (HMAC variant) authentication algorithm
1. Pick one transform option.
2. Pick one transform option, but only if you selected esp-null or an ESP encryption transform.
Creating Crypt o Maps
Crypto map entries created for IPSec pull together the various elements used to set up IPSec security associati ons, in clud ing:
Which traffic should be protected by IPSec (according to a crypto access list)
Granularity of the flow to be protected by a set of security associations
2
Where IP Sec- p r ot ect ed tr affic s h ould b e s e nt ( w ho the remo te IP Sec peer is)
Local address to be used for the IPSec traffic (see the Appl yi ng Cr ypto Ma ps to Inte rf aces section
on page 4-9 for more details)
What IPSe c s ecurity should be applied to this traffi c (selecting from a list of one or more transform
sets)
Whether s e cu ri ty ass o ci at io ns are ma nual ly es t ab li shed or are es ta bl ished thro ug h IK E
Other par am e ter s t ha t m ig ht b e n ecessary to d e fine an IPS e c s e cu ri ty associatio n
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into a crypto map set. Later, you will apply these crypto map sets to interfaces; then, all IP traffic passing through the inte rface is ev aluate d again st the applied crypto map set. If a cry pto map e ntry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is nego tiate d with the re mote peer accordi ng to the paramete rs incl uded in the crypt o map entr y; other wise, if the cr ypt o map entr y sp eci fies t h e u s e o f ma nu al s ecu rit y as so ciations, a securit y ass o cia ti on sh ou l d have already been established through configuration. (If a dynami c crypto map entry sees outbound traf fi c that shoul d be prot ected and no securi ty assoc iation exists, the packet is dropped.)
The policy described in the crypto map entries is used during the negotiation of security associations. If the local router initiates the negotiation, it uses the policy specified in the static crypto map entries to create the offer to be sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router c he ck s th e policy fr om the s tat ic cr yp to m a p en tries, as w ell as any r ef er en ced d yn amic crypto map entries, to decide whether to accept or reject the peer’s reques t (off er ).
For IPSec to succeed between two IPSec peers, both peers' crypto map entries must contain compatible configuration statements.

When two peers try to establish a security association, each must have at least one crypto map entry that is compatible with one of the other peer's crypto map entries. For two crypto map entries to be compatible, they must meet the following criteria:

• The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists). When the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be "permitted" by the peer's crypto access list.
• The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).
• The crypto map entries must have at least one transform set in common.
When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will use for the new security associations. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry.
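The three compatibility criteria above can be checked mechanically before either router brings up a tunnel, and doing so catches the two most common causes of a negotiation that never completes: an access list that is not a mirror image and a transform set that differs on one side. The following Python script is an added example (not code from this manual or from Cisco). It models a crypto map entry by its local address, its set peer addresses, its transform sets and its parsed crypto access list, and reports which criteria a pair of entries fails, including the dynamic crypto map case where the responder's access list only has to "permit" the initiator's entries. The CryptoMapEntry and Ace types, the parse_ace helper and the hub and spoke entries are assumptions made for the example; the two static entries use the access lists from the IPSec Example at the end of this chapter. Transform sets are compared by the transforms they contain rather than by name, because the two peers need not use the same set names.

```python
"""Compatibility check for two IPSec peers' crypto map entries.

Added example, not Cisco code. It implements the three criteria from the
manual: mirror-image crypto access lists (or, for a dynamic crypto map
responder, local entries permitted by the responder's list), each entry
naming the other peer, and at least one transform set in common. The data
model, the ACE parser and the sample entries are this example's own.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' entry of a crypto access list as a source/destination pair."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class CryptoMapEntry:
    local_address: str            # address the peer must name with 'set peer'
    peers: set                    # addresses from 'set peer' (empty for a dynamic map)
    transform_sets: list          # each a frozenset of transforms, e.g. {"esp-des", "esp-md5-hmac"}
    acl: list = field(default_factory=list)   # parsed 'match address' list; empty dynamic ACL permits all
    dynamic: bool = False         # True when this side is a 'crypto dynamic-map' responder


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A wildcard) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    if (wildcard + 1) & wildcard:            # only contiguous wildcard masks map to a prefix
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]}")
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N permit ip <src> <dst>', the syntax used in this chapter."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, i)
    return Ace(src, dst)


def acls_are_mirror_images(local, remote):
    """Static peers: every local entry must appear reversed in the remote list."""
    remote_pairs = {(a.src, a.dst) for a in remote.acl}
    return all((a.dst, a.src) in remote_pairs for a in local.acl)


def acl_permitted_by_dynamic(local, remote):
    """Dynamic responder: the reverse of every local entry must fall inside one remote entry."""
    if not remote.acl:                        # dynamic map without 'match address' accepts any identity
        return True
    return all(any(a.dst.subnet_of(r.src) and a.src.subnet_of(r.dst) for r in remote.acl)
               for a in local.acl)


def check_compatibility(local, remote):
    """Return the criteria the pair fails; an empty list means SAs can be negotiated."""
    problems = []
    if remote.dynamic:
        if not acl_permitted_by_dynamic(local, remote):
            problems.append("local crypto ACL is not permitted by the peer's dynamic crypto ACL")
    else:
        if not acls_are_mirror_images(local, remote):
            problems.append("crypto access lists are not mirror images")
        if local.local_address not in remote.peers:
            problems.append("remote entry does not identify this router with 'set peer'")
    if remote.local_address not in local.peers:
        problems.append("local entry does not identify the remote router with 'set peer'")
    if not set(local.transform_sets) & set(remote.transform_sets):
        problems.append("no transform set in common")
    return problems


AUTH1 = frozenset({"ah-md5-hmac", "esp-des", "esp-md5-hmac"})

# Router A and Router B of the IPSec Example: static maps with mirror-image access list 101.
ROUTER_A = CryptoMapEntry("11.0.0.2", {"10.0.0.2"}, [AUTH1], [
    parse_ace("access-list 101 permit ip host 12.120.0.2 host 15.1.2.1"),
    parse_ace("access-list 101 permit ip host 11.0.0.2 host 10.0.0.2")])
ROUTER_B = CryptoMapEntry("10.0.0.2", {"11.0.0.2"}, [AUTH1], [
    parse_ace("access-list 101 permit ip host 15.1.2.1 host 12.120.0.2"),
    parse_ace("access-list 101 permit ip host 10.0.0.2 host 11.0.0.2")])

# Constructed misconfiguration: one transform missing and only half of the list mirrored.
ROUTER_B_BROKEN = CryptoMapEntry("10.0.0.2", {"11.0.0.2"}, [frozenset({"ah-md5-hmac", "esp-des"})],
                                 [parse_ace("access-list 101 permit ip host 15.1.2.1 host 12.120.0.2")])

# Constructed hub with a dynamic crypto map (no 'set peer', broad ACL) and a spoke that names it.
HUB = CryptoMapEntry("203.0.113.1", set(), [AUTH1],
                     [parse_ace("access-list 120 permit ip 10.0.0.0 0.255.255.255 any")], dynamic=True)
SPOKE = CryptoMapEntry("198.51.100.7", {"203.0.113.1"}, [AUTH1],
                       [parse_ace("access-list 120 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255")])

if __name__ == "__main__":
    for name, pair in (("A<->B", (ROUTER_A, ROUTER_B)), ("A<->B(broken)", (ROUTER_A, ROUTER_B_BROKEN)),
                       ("spoke->hub", (SPOKE, HUB))):
        print(name, check_compatibility(*pair) or "compatible")
```

Run the check in both directions for static peers; the dynamic check is one-directional, from the initiating spoke toward the responding hub, which is the only direction in which a dynamic crypto map can be used.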
To create crypto map entries that use IKE to establish the security associations, use the following commands, starting in global configuration mode:

Step 1  Command: crypto map map-name seq-num ipsec-isakmp
        Purpose: Create the crypto map and enter crypto map configuration mode.
Step 2  Command: match address access-list-id
        Purpose: Specify an extended access list. This access list determines which traffic is protected by IPSec and which is not.
Step 3  Command: set peer {hostname | ip-address}
        Purpose: Specify a remote IPSec peer. This is the peer to which IPSec-protected traffic can be forwarded. Repeat for multiple remote peers.
Step 4  Command: set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
        Purpose: Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first).
Step 5  Command: end
        Purpose: Exit crypto map configuration mode.
Repeat these steps to create additional crypto map entries as required. For detailed information on configuring crypto maps, refer to the Configuring IPSec Network Security chapter in the Security Configuration Guide publication. That chapter contains information on the following topics:

• About Crypto Maps
• Load Sharing
• How Many Crypto Maps Should You Create?
• Creating Crypto Map Entries for Establishing Manual Security Associations
• Creating Crypto Map Entries That Use IKE to Establish Security Associations
• Creating Dynamic Crypto Maps

Applying Crypto Maps to Interf aces

You need to apply a crypto map set to each interface through which IPSec traffic flows. Applying the crypto map set to an interface instructs the router to evaluate all the interface's traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by encryption.
To apply a crypto map set to an interface, use the following commands, starting in global configuration mode:

Step 1  Command: interface type number
        Purpose: Specify an interface on which to apply the crypto map and enter interface configuration mode.
Step 2  Command: crypto map map-name
        Purpose: Apply a crypto map set to an interface.
Step 3  Command: end
        Purpose: Exit interface configuration mode.

For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:
• Each interface has its own piece of the security association database.
• The IP address of the local interface is used as the local address for IPSec traffic originating from or destined to that interface.

If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify an identifying interface. This has the following effects:

• The per-interface portion of the IPSec security association database is established one time and shared for traffic through all the interfaces that share the same crypto map.
• The IP address of the identifying interface is used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface. To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:

crypto map map-name local-address interface-id

This command permits redundant interfaces to share the same crypto map, using the same local identity.

Verifying Conf igurat ion

Certain configuration changes only take effect when subsequent security associations are negotiated. If you want the new settings to take immediate effect, you must clear the existing security associations so that they are reestablished with the changed configuration. For manually established security associations, you must clear and reinitialize the security associations, or the changes do not take effect. If the router is actively processing IPSec traffic, it is desirable to clear only the portion of the security association database that would be affected by the configuration changes (that is, clear only the security associations established by a given crypto map set). Clearing the full security association database should be reserved for large-scale changes or when the router is processing very little other IPSec traffic.
To clear (and reinitialize) IPSec security associations, use one of the following commands in privileged EXEC mode:

clear crypto sa
clear crypto sa peer {ip-address | peer-name}
clear crypto sa map map-name
clear crypto sa spi destination-address protocol spi

Purpose: Clear IPSec security associations (SAs). Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.
To view information about your IPSec configuration, use one or more of the following commands in EXEC mode:

show crypto ipsec transform-set
    View your transform set configuration.
show crypto map [interface interface | tag map-name]
    View your crypto map configuration.
show crypto ipsec sa [map map-name | address | identity | detail | interface]
    View information about IPSec security associations.
show crypto dynamic-map [tag map-name]
    View information about dynamic crypto maps.
show crypto ipsec security-association-lifetime
    View global security association lifetime values.
The following is sample output for the show crypto ipsec transform-set command. This command shows the type of transform set configured on the router.

Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
   will negotiate = {Tunnel,},
   {esp-des}
   will negotiate = {Tunnel,},
The following is sample output for the show crypto map command. Peer 172.21.114.67 is the IP address of the remote IPSec peer. Extended IP access list 141 lists the access list associated with the crypto map. Current peer indicates the current IPSec peer. Security-association lifetime indicates the lifetime of the security association. PFS N indicates that IPSec does not negotiate perfect forward secrecy when establishing new security associations for this crypto map. Transform sets indicates the name of the transform set that can be used with the crypto map.
Router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={t1,}
The following is sample output for the show crypto ipsec sa command:

Router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123

   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0

     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F

     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

interface: Tunnel0
    Crypto map tag: router-alice, local addr. 172.21.114.123

   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0

     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F

     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

For a detailed description of the information displayed by the show commands, refer to the "IP Security and Encryption" chapter of the Security Command Reference publication.

IPSec Example

The following is an example of an IPSec configuration in which the security associations are established through IKE. In this example an access list is used to restrict the packets that are encrypted and decrypted: all packets going from IP address 12.120.0.2 to IP address 15.1.2.1, and all packets going from IP address 15.1.2.1 to IP address 12.120.0.2, are encrypted and decrypted. (See Figure 4-1.) Also, one IKE policy is created.

Router A Configuration
Figure 4-1 Basic IPSec Configuration
[Figure: host 10.0.0.2 and host 10.0.0.3 behind Router A (10.0.0.1); host 10.2.2.2 and host 10.2.2.3 behind Router B (10.2.2.1). Only packets from 10.0.0.2 to 10.2.2.2 are encrypted and authenticated across the network; all other packets are not encrypted and cross the network as clear text.]

Specify the parameters to be used during an IKE negotiation.

crypto isakmp policy 15
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
! the pre-shared key is shown for illustration only; use a long random key in production
crypto isakmp key 1234567890 address 10.0.0.2
crypto isakmp identity address

Note In the above example, the encryption des line of policy 15 would not appear in the written configuration, because DES is the default value for the encryption algorithm parameter.

A transform set defines how the traffic will be protected.

crypto ipsec transform-set auth1 ah-md5-hmac esp-des esp-md5-hmac
 mode tunnel

A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer). The match address command ties access list 101 to the entry; without it no traffic is selected for protection.

crypto map toRemoteSite 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set auth1
 match address 101

The crypto map is applied to an interface.

interface Serial0
 ! the subnet mask is not given in the original example; /24 is assumed here
 ip address 11.0.0.2 255.255.255.0
 crypto map toRemoteSite

An IPSec access list defines which traffic to protect.

access-list 101 permit ip host 12.120.0.2 host 15.1.2.1
access-list 101 permit ip host 11.0.0.2 host 10.0.0.2
Router B Configuration

Specify the parameters to be used during an IKE negotiation.

crypto isakmp policy 15
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key 1234567890 address 11.0.0.2
crypto isakmp identity address

A transform set defines how the traffic will be protected. It must contain the same transforms as auth1 on Router A (the original listing repeated ah-md5-hmac in place of esp-md5-hmac, which would leave the two peers with no transform set in common).

crypto ipsec transform-set auth1 ah-md5-hmac esp-des esp-md5-hmac
 mode tunnel

A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer). As on Router A, match address ties access list 101 to the entry.

crypto map toRemoteSite 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set auth1
 match address 101

The crypto map is applied to an interface.

interface Serial0
 ! the subnet mask is not given in the original example; /24 is assumed here
 ip address 10.0.0.2 255.255.255.0
 crypto map toRemoteSite

An IPSec access list defines which traffic to protect. It is the mirror image of access list 101 on Router A.

access-list 101 permit ip host 15.1.2.1 host 12.120.0.2
access-list 101 permit ip host 10.0.0.2 host 11.0.0.2
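Once both routers are configured, show crypto ipsec sa (described under Verifying Configuration) is where you confirm that security associations exist in both directions, that the encaps and decaps counters move, and that the error counters do not. The following Python script is an added example, not Cisco code: it parses that output into one record per interface and applies the checks a practitioner would otherwise do by eye, namely send or receive errors, a missing outbound SA, replay detection turned off, SAs close to the end of their lifetime, and transforms that are no longer considered adequate. SAMPLE_OUTPUT is the Ethernet0 portion of the manual's sample output with its line breaks restored; the parser's field names and the audit thresholds are this example's own choices.

```python
"""Parse 'show crypto ipsec sa' output and flag security association problems.

Added example, not Cisco code. SAMPLE_OUTPUT is the Ethernet0 part of the
manual's sample output with line breaks restored; field names and audit
thresholds are this example's own choices.
"""
import re

SAMPLE_OUTPUT = """\
Router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123

   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0

     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F

     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
"""

# Line patterns, applied to stripped lines.
RE_MAP = re.compile(r"Crypto map tag:\s*(\S+?),\s*local addr\.?\s*(\S+)")
RE_PEER = re.compile(r"current_peer:\s*(\S+)")
RE_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
RE_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
RE_ERRORS = re.compile(r"#send errors\s*(\d+), #recv errors\s*(\d+)")
RE_SECTION = re.compile(r"(inbound|outbound) (\w+) sas:")
RE_SPI = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
RE_TRANSFORM = re.compile(r"transform:\s*(.+?)\s*,?\s*$")
RE_TIMING = re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")
RE_REPLAY = re.compile(r"replay detection support:\s*([YN])")

# Transforms a current deployment should not rely on (single DES; HMAC-MD5 is deprecated).
LEGACY_TRANSFORMS = {"esp-des": "single DES", "esp-md5-hmac": "HMAC-MD5", "ah-md5-hmac": "HMAC-MD5"}


def parse_show_crypto_ipsec_sa(text):
    """Return one dict per 'interface:' block; SAs are grouped as 'inbound esp', 'outbound ah', etc."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "send_errors": 0,
                   "recv_errors": 0, "sas": {}}
            entries.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif (m := RE_SECTION.match(line)):
            section = f"{m.group(1)} {m.group(2)}"
            cur["sas"].setdefault(section, [])
        elif section is not None:            # inside an SA list: attach fields to the last SPI seen
            sas = cur["sas"][section]
            if (m := RE_SPI.match(line)):
                sas.append({"spi": int(m.group(1), 16)})
            elif sas and (m := RE_TRANSFORM.match(line)):
                sas[-1]["transform"] = m.group(1).split()
            elif sas and (m := RE_TIMING.search(line)):
                sas[-1]["remaining_kb"], sas[-1]["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif sas and (m := RE_REPLAY.match(line)):
                sas[-1]["replay"] = m.group(1)
        elif (m := RE_MAP.match(line)):
            cur["crypto_map"], cur["local_addr"] = m.group(1), m.group(2)
        elif (m := RE_PEER.match(line)):
            cur["peer"] = m.group(1)
        elif (m := RE_ENCAPS.match(line)):
            cur["pkts_encaps"] = int(m.group(1))
        elif (m := RE_DECAPS.match(line)):
            cur["pkts_decaps"] = int(m.group(1))
        elif (m := RE_ERRORS.match(line)):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return entries


def audit(entries, min_remaining_sec=120, min_remaining_kb=1024):
    """Return findings a practitioner would act on, in the order the interfaces appear."""
    findings = []
    for e in entries:
        where = f"{e['interface']} peer {e.get('peer', '?')}"
        if e["send_errors"]:
            findings.append(f"{where}: {e['send_errors']} send errors")
        if e["recv_errors"]:
            findings.append(f"{where}: {e['recv_errors']} recv errors")
        if not any(e["sas"].get(k) for k in ("outbound esp", "outbound ah")):
            findings.append(f"{where}: no outbound SA, matching traffic is not protected yet")
        for section, sas in e["sas"].items():
            for sa in sas:
                tag = f"{where} {section} spi 0x{sa['spi']:08X}"
                if sa.get("replay") != "Y":
                    findings.append(f"{tag}: replay detection off")
                if sa.get("remaining_sec", 0) < min_remaining_sec or sa.get("remaining_kb", 0) < min_remaining_kb:
                    findings.append(f"{tag}: expiring ({sa.get('remaining_kb')} KB / {sa.get('remaining_sec')} s left)")
                for t in sa.get("transform", []):
                    if t in LEGACY_TRANSFORMS:
                        findings.append(f"{tag}: {t} is {LEGACY_TRANSFORMS[t]}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_crypto_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

On the manual's own sample the audit reports the ten send errors, both ESP SAs as expiring (90 seconds of lifetime left, consistent with the 120-second lifetime shown by show crypto map), and the DES and MD5 transforms. Feed it the captured output of both routers after applying the configuration above; an interface that shows inbound SAs but no outbound SA, or encaps counters that stay at zero while the crypto ACL should be matching, points at the crypto map or access list rather than at IKE.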
INDEX

A
access-list (encryption) command  4-5
access lists  See also IPSec, crypto access lists
acronyms, list of  vii

C
cache memory  viii
clear crypto sa command  4-10
crypto ipsec transform-set command  4-6
crypto isakmp enable command  4-3
crypto map command  4-8

E
electrical equipment guidelines  2-5
electrostatic discharge damage  See ESD prevention
encryption command  4-3
ESD prevention  2-5

G
group command  4-3

I
IKE
    defaults, viewing  4-3
    policies, configuring  4-3
initialization-vector size command  4-6
installation
    VIP prerequisites  2-1
interface processor
    installation prerequisites  2-1
    tools and parts required for installation  2-1
IPSec
    access lists, requirements  4-5
    configuring  4-4 to 4-10
    crypto access lists
        creating  4-5
        description  4-4
        purpose  4-4
    crypto maps
        applying  4-9
        purpose  4-7
    monitoring  4-9
    SAs
        clearing  4-6
        IKE negotiations  4-8
        See also SAs
    transform sets
        changing  4-6
        defining  4-5

L
LEDs
    POSIP  1-6 to ??

M
match address command  4-8

P
parts required for VIP installation and maintenance  2-1
POSIP
    LEDs, checking  1-6 to ??
prerequisites
    VIP installation  2-1

S
safety guidelines  2-3
SAs
    clearing  4-10
    IKE established, crypto map entries, creating  4-8
set peer command  4-8
set transform-set command  4-8
show crypto dynamic-map command  4-10
show crypto ipsec sa command  4-10
show crypto ipsec security-association lifetime command  4-10
show crypto ipsec transform-set command  4-10
show crypto isakmp policy command  4-3
show crypto map command  4-10
software and hardware compatibility  ix, 2-2

T
terms
    list of terms and acronyms  vii
tools required for VIP installation and maintenance  2-1