Guest

Cisco Security Modules for Routers and Switches

IPSec VPN Services Module for the 6500 Switch and 7600 Router

Hierarchical Navigation

Downloads

DATA SHEET

Critical high-bandwidth business applications have created a need for ubiquitous connectivity and increased performance. Enterprises and service providers require high performance and secure connectivity. Many enterprises augment or replace their traditional WANs with site-to-site and remote-access VPNs to better accommodate these new connectivity requirements. Service providers are also offering managed VPN services, including virtualized network-based VPNs.

Figure 1. Cisco IPSec VPN Services Module for the Cisco Catalyst 6500 Series and Cisco 7600 Series

The Cisco® IPSec VPN Services Module (VPNSM) delivers cost-effective VPN performance for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers. Primary VPN features delivered by the Cisco IPSec VPNSM include:

Security integrated into network infrastructure-The Cisco IPSec VPNSM supports Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers. By integrating VPNs into these infrastructure platforms, the network can be secured without extra overlay equipment or network alterations. Furthermore, the broad range of LAN and WAN interfaces, as well as the entire line of security services modules (VPN, firewall, network anomaly detection, intrusion detection and prevention, content services, Secure Sockets Layer [SSL], and wireless LAN), can now be used within the same platform.

High performance-Using the latest in encryption hardware acceleration technology, each Cisco IPSec VPNSM can deliver up to 1.9 Gbps of Triple Data Encryption Standard (3DES) traffic at large packet sizes (more than 500 bytes) and 1.6 Gbps of 3DES traffic at average packet sizes as defined by internet mix traffic (IMIX).

Scalability-The Cisco IPSec VPNSM can terminate up to 8000 site-to-site or remote-access IPSec tunnels simultaneously and can establish those tunnels at up to 65 new tunnels per second. Furthermore, Dynamic Multipoint VPN (DMVPN) enables a zero-touch, fully dynamic deployment of partial or full-mesh IPSec VPNs over a hub-and-spoke topology.

VPN resiliency and high availability-Using innovative features such as stateful failover for IPSec and generic routing encapsulation (GRE), Hot Standby Router Protocol with Reverse Route Injection (HSRP+RRI), Dead Peer Detection (DPD), and support of dynamic routing updates over site-to-site tunnels, the Cisco IPSec VPNSM provides superior VPN resiliency and high availability.

Provides advanced security services-Adding strong encryption, authentication, and integrity to network services is easy with the Cisco IPSec VPNSM. Secured campus and provider-edge VPN applications, including integrated data, voice, and video-enabled VPN; storage area networks; and integration of IPSec and MPLS VPNs, are now easily deployable. The Cisco IPSec VPNSM provides advanced site-to-site and remote-access IPSec services over both LAN and WAN interfaces.

CISCO IPSEC VPNSM OVERVIEW

The Cisco IPSec VPNSM is a full-slot card that fits into Cisco Catalyst 6500 Series and Cisco 7600 Series chassis. It does not have physical WAN or LAN interfaces; instead, it takes advantage of the LAN and WAN interfaces of the platform. Cisco IPSec VPNSM features are detailed in Table 1, and part numbers are listed in Table 2.

Table 1. Cisco IPSec VPNSM Features

Feature

Description

High-Speed VPN Performance
High-speed VPN performance provides up to 1.9 Gbps of 3DES IPSec throughput with large packets and 1.6 Gbps with IMIX traffic.

Scalability
Up to 10 Cisco IPSec VPNSMs can be installed in a system to provide up to 19 Gbps of total throughput, enabling wire-speed secured transport for native 10 Gigabit Ethernet interfaces.

Full Integration of the VPN into the Network Infrastructure
The Cisco IPSec VPNSM supports Cisco Catalyst 6500 Series and Cisco 7600 Series chassis and LAN and WAN interfaces, enabling an integrated security approach to building a VPN in your infrastructure. No separate VPN devices are needed within your campus, intranet, Internet data center, or point of presence (POP).

Comprehensive VPN Features
The Cisco IPSec VPNSM provides hardware acceleration for both IPSec and GRE, comprehensive support of site-to-site IPSec, remote-access IPSec, and Certificate Authority/Public Key Infrastructure (CA/PKI).

Diverse Network Traffic Types and Topologies
Cisco IOS® Software supports secure, reliable transport of virtually any type of network traffic, including multiprotocol, multicast, and IP telephony across the IPSec VPN. Rich routing capabilities enable meshed and hierarchical network topologies.

VPN Resiliency and High Availability
Routing over IPSec tunnels, DPD, HSRP+RRI, and intrachassis and interchassis stateful failover for both IPSec and GRE provide superior VPN resiliency and high availability.

DMVPN
DMVPN enables a dynamic partial-mesh or full-mesh site-to-site VPN while greatly simplifying the management of large VPN deployments. DMVPN enables dynamic spoke-to-spoke tunnel establishment without preconfiguration in the spoke routers, and enables the VPN to dynamically add or remove spoke routers without any change to other spoke configurations. This improves network performance by reducing latency and jitter while optimizing main office bandwidth utilization.

Virtual Routing and Forwarding (VRF)-Aware IPSec VPN
VRF-aware IPSec features enable mapping of IPSec tunnels to VRF instances to provide network-based IPSec VPNs, and the integration of IPSec with MPLS VPNs. This feature enables service providers, large enterprises, and educational institutions to build secure, scalable, and virtualized VPN services across their network infrastructures.

VPN and Network Infrastructure Management
Comprehensive systems help manage solutions, from a single platform to hundreds or even thousands of platforms. Element management uses the Cisco Router Management Center (Router MC) and VPN monitor components of the CiscoWorks VPN/Security Management Solution (VMS). These features allow comprehensive end-to-end VPN management of numerous platforms throughout your network using the Cisco IP Solution Center (ISC) for service provider and large enterprise VPN, security, and quality of service (QoS).

Table 2. Part Numbers and Ordering Information

Cisco Part Number

Description

WS-SVC-IPSEC-1
Cisco IPSec VPN Services Module for the Cisco Catalyst 6500 Series and Cisco 7600 Series

WS-C6503-E-VPN-K9
Cisco Catalyst 6503 VPN system: Cisco Catalyst 6503E chassis, Supervisor Engine 720-3B, integrated dual gigabit interface converter (GBIC), IPSec VPNSM, with one open slot for expansion

WS-C6506-E-VPN-K9
Cisco Catalyst 6506 VPN system: Cisco Catalyst 6506E chassis, Supervisor Engine 720, integrated dual GBIC, IPSec VPNSM, with four open slots for expansion

WS-C6509-FW-VPN-K9
Cisco Catalyst 6509 Firewall and VPN security system: Cisco Catalyst 6509 chassis, Supervisor Engine 720, integrated dual GBIC, firewall services module, IPSec VPNSM, and CiscoWorks VMS 2.2 Basic 5 user license

TECHNICAL SUMMARY

VPN Tunneling

• IPSec (RFC 2401-2411, 2451)

Encryption

• Extended Services Processor (ESP), DES, and 3DES (RFC 2406, 2451)

Authentication

• X.509 digital certificates (RSA signatures)

• Preshared keys

• Simple Certificate Enrollment Protocol (SCEP)

• RADIUS (RFC 2138)

• TACACS+

• Challenge Handshake Authentication Protocol/Password Authentication Protocol (RFC 1994)

Integrity

• Hashed Message Authentication Code with Message Digest 5 (HMAC-MD5) and with Secure Hash Algorithm-1 (HMAC-SHA-1) (RFC 2403-2404)

Key Management

• Internet Key Exchange (RFC 2407-2409)

• IKE-XAUTH

• IKE-CFG-MODE

CA/PKI Support

• Entrust

• VeriSign

• Microsoft

• Netscape

• IPlanet

• Baltimore Technologies

Resiliency and High Availability

• HSRP+RRI

• Intrachassis (blade-to-blade) Active/Active IPSec stateful failover

• Interchassis (chassis-to-chassis) Active/Standby IPSec stateful failover

• DPD

• Dynamic routing across IPSec

Management Options

• CiscoWorks VMS and Router MC

• Cisco ISC

• Secure command-line interface (CLI) using Secure Shell (SSH) Protocol or Kerberized Telnet

Routing Protocols

• Border Gateway Protocol (BGP) Version 4

• Routing Initiation Protocol (RIP) and RIP Version 2 (RIPv2)

• Open Shortest Path First (OSPF)

• Enhanced Interior Gateway Routing Protocol (EIGRP) and IGRP

• Intermediate System-to-Intermediate System (ISIS)

Embedded Interfaces

• None

Supported SUpervisor Engines

• Cisco Catalyst 6500 Series Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2)

• Cisco Catalyst 6500 Series Supervisor Engine 720 with Policy Feature Card (PFC)-3A, PFC-3B, or PFC-3BXL

Supported Modules and Interfaces

• LAN interfaces

– Multiport Fast Ethernet

– Multiport Fast Ethernet with inline power

– Multiport Gigabit Ethernet

– 10 Gigabit Ethernet

• WAN interfaces

– FlexWAN and Enhanced FlexWAN

– Optical Services Module (OSM) and Enhanced OSM

– Gigabit Ethernet WAN (GE-WAN) and Enhanced GE-WAN

– Single and dual-port T3/E3

– Single and dual-port High-Speed Serial Interface (HSSI)

– Multiport T1/E1

– Multichannel T1/T3/E3

– OC-3 ATM single and multimode

– OC-3 packet over SONET (POS) single and multimode

– OC-12 ATM single and multimode

– OC-12 POS single and multimode

– OC-48 POS single mode

– OC-48 POS-Dynamic Packet Transport (DPT) single mode

• Additional security and network services modules in the same chassis

– Cisco Catalyst 6500 Series Firewall Services Module (FWSM)

– Cisco Catalyst 6500 Series Intrusion Detection Services Module 2 (IDSM-2)

– Cisco Catalyst 6500 Series Network Analysis Module (NAM-1 and NAM-2)

– Cisco Catalyst 6500 Series SSL Services Module

– Cisco Catalyst 6500 Series Content Switching Module

– Cisco Catalyst 6500 Series Multiprocessor WAN Application Module (MWAM)

– Cisco Catalyst 6500 Series Wireless LAN Services Module (WLSM)

Cisco IOS Software Support (native Cisco IOS Software mode)

• Cisco IOS Software Release 12.2(18)SXD1 (Cisco Catalyst 6500 Series Supervisor Engine 2 and Supervisor Engine 720)

• Cisco IOS Software Release 12.2(18)SXD (Cisco Catalyst 6500 Series Supervisor Engine 2 and Supervisor Engine 720)

• Cisco IOS Software Release 12.2(17d)SXB (Cisco Catalyst 6500 Series Supervisor Engine 2 and Supervisor Engine 720)

• Cisco IOS Software Release 12.2(17b)SXA (Cisco Catalyst 6500 Series Supervisor Engine 720 only)

• Cisco IOS Software Release 12.2(14)SY (Cisco Catalyst 6500 Series Supervisor Engine 2 only)

Text Box: Corporate HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 526-4100 European HeadquartersCisco Systems International BVHaarlerbergparkHaarlerbergweg 13-191101 CH AmsterdamThe Netherlandswww-europe.cisco.comTel: 31 0 20 357 1000Fax: 31 0 20 357 1100 Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-7660Fax: 408 527-0883 Asia Pacific HeadquartersCisco Systems, Inc.168 Robinson Road#28-01 Capital TowerSingapore 068912www.cisco.comTel: +65 6317 7777Fax: +65 6317 7799Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed onthe Cisco Website at www.cisco.com/go/offices.Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · ZimbabweCopyright 2005 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R) 205227.b_ETMG_MH_2.05Printed in the USA Text Box: Corporate HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 526-4100 European HeadquartersCisco Systems International BVHaarlerbergparkHaarlerbergweg 13-191101 CH AmsterdamThe Netherlandswww-europe.cisco.comTel: 31 0 20 357 1000Fax: 31 0 20 357 1100 Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-7660Fax: 408 527-0883 Asia Pacific HeadquartersCisco Systems, Inc.168 Robinson Road#28-01 Capital TowerSingapore 068912www.cisco.comTel: +65 6317 7777Fax: +65 6317 7799Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed onthe Cisco Website at www.cisco.com/go/offices.Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · ZimbabweCopyright 2005 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R) 205227.b_ETMG_MH_2.05Printed in the USA