Cisco 7606 User Guide

Cisco 7606 Manual

Cisco 7606 manual content summary:

  • Cisco 7606 | User Guide - Page 1
    routers with the VPN Services Module: • Hardware Version - Catalyst 6509 switch - Cisco 7606 router - Cisco 7609 router • Backplane chassis - Hardware Version 3.0 (Catalyst 6509 switch) - Hardware Version 1.0 (Cisco 7606 router) - Hardware Version 1.0 (Cisco 7609 router) • Supervisor Engine-Hardware
  • Cisco 7606 | User Guide - Page 2
    is part of the FIPS 140-2 Submission Package. The Submission Package also contains the following documents: • Vendor Evidence • Finite State Machine • Module Software Listing Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 2 OL-6334-01
  • Cisco 7606 | User Guide - Page 3
    general features and functionality of the Catalyst 6509 switch and Cisco 7606 and Cisco 7609 routers. The "Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers" section specifically addresses the required configuration for the FIPS-approved mode of operation. With
  • Cisco 7606 | User Guide - Page 4
    [Figure: chassis illustration; callouts: Power supply 1, Power supply 2, ESD ground strap (redundant) connector]
  • Cisco 7606 | User Guide - Page 5
    [Figure: chassis illustration; callouts: Fan assembly, Slots 1-6 (top to bottom)]
  • Cisco 7606 | User Guide - Page 6
    , or any installed power supply. • The connection apparatus between the network module or service module and the motherboard and daughterboard that hosts the network module or service module. Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note
  • Cisco 7606 | User Guide - Page 7
    publication. The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers incorporate a single VPN Services Module cryptographic accelerator card. The VPN Services Module is installed in a chassis module slot. Cisco IOS features such as tunneling, data encryption, and termination of remote
  • Cisco 7606 | User Guide - Page 8
    is operational. Orange The link has been disabled by software. Flashing The link is bad and has been disabled due to a hardware failure. Orange Off No signal is detected. Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 8 OL-6334-01
  • Cisco 7606 | User Guide - Page 9
    ) slot Ethernet ports Network and service module interfaces Console port Reset button FIPS 140-2 Logical Interface Data input interface Data output interface Control input interface OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification
  • Cisco 7606 | User Guide - Page 10
    Interfaces Ethernet ports Network and service module interfaces STATUS LED (Supervisor Engine 2) SYSTEM LED ACTIVE LED PWR MGMT LED PCMCIA LED Switch Load LED Network Port LINK LEDs STATUS LED (VPN Services module) CONSOLE Port Backplane FIPS 140-2 Logical Interface Status output interface Power
  • Cisco 7606 | User Guide - Page 11
    packets to be set from a specified IP address. • Changing port adapters-Inserts and removes adapters in a port adapter slot. User Services A user enters the system by accessing the console port with a terminal program. Cisco IOS prompts the user for their password. If the password is correct, the
  • Cisco 7606 | User Guide - Page 12
    L-bracket screw holes on the chassis. Press the opacity shield firmly against the side of the chassis and secure the opacity shield to the chassis with the two thumbscrews. Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 12 OL-6334-01
  • Cisco 7606 | User Guide - Page 13
    to remove the Catalyst 6509 chassis from the rack, you must first remove the opacity shield. With the opacity shield installed, the chassis is too wide to slide out of the rack. OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 13
  • Cisco 7606 | User Guide - Page 14
    [Figure: chassis shown removed from rack for clarity; callouts: M-4 snap rivet pin, M-4 snap rivet sleeve]
  • Cisco 7606 | User Guide - Page 15
    L-bracket screw holes on the chassis. Press the opacity shield firmly against the side of the chassis and secure the opacity shield to the chassis with the two thumbscrews. OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 15
  • Cisco 7606 | User Guide - Page 16
    to remove the Catalyst 6509 chassis from the rack, you must first remove the opacity shield. With the opacity shield installed, the chassis is too wide to slide out of the rack. Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 16 OL-6334
  • Cisco 7606 | User Guide - Page 17
    [Figure: chassis with WS-SVC-IPSEC-1 IPSec VPN Acceleration Services Module, shown removed from rack for clarity; callouts: Snap rivet pin, Snap rivet sleeve]
  • Cisco 7606 | User Guide - Page 18
    steel chassis. Nine module slots are provided on the Catalyst 6509 switch and the Cisco 7609 router; six module slots are provided on the Cisco 7606 router. On-board LAN connectors and console connectors are provided on the supervisor engines, and the power cable connection and a power switch are
  • Cisco 7606 | User Guide - Page 19
    3 Place labels on each supervisor engine installed in the chassis as shown in either Figure 7 (Catalyst 6509 switch), Figure 8 (Cisco 7606 router), or Figure 9 (Cisco 7609 router). a. Place a tamper evidence label so that one half of the label adheres to the PCMCIA slot and the other half adheres
  • Cisco 7606 | User Guide - Page 20
    [Figure: chassis front panel showing the IPSec VPN Acceleration Services Module, console port, PCMCIA slot, Power supply 1 and Power supply 2]
  • Cisco 7606 | User Guide - Page 21
    zeroized when DRAM an IKE session is terminated. (plaintext) 9 crypto_private_key The RSA private key. The crypto key zeroize command NVRAM zeroizes this key. (plaintext) OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 21
  • Cisco 7606 | User Guide - Page 22
    (plaintext) authentication. The key used to encrypt values of the configuration file. NVRAM This key is zeroized when the command no key (plaintext) config-key is issued. Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 22 OL-6334-01
  • Cisco 7606 | User Guide - Page 23
    of the TACACS+ (plaintext) shared-secret set command. DRAM (plaintext) Table 4 lists the services accessing the CSPs, the type of access and which role accesses the CSPs. OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 23
  • Cisco 7606 | User Guide - Page 24
    -1 • MD-5 • MD-4 • SHA-1 • HMAC • DES MAC • Triple-DES MAC • MD5 HMAC • Diffie-Hellman • RSA [for digital signatures and encryption/decryption (for IKE authentication)] Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 24 OL-6334-01
  • Cisco 7606 | User Guide - Page 25
    failure. Cisco IOS Software Self-Tests • Power-up tests - Firmware integrity test - RSA signature Known Answer Test (KAT) (both signature and verification) - DES KAT - TDES KAT - AES KAT - SHA-1 KAT OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module
  • Cisco 7606 | User Guide - Page 26
    Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers The Catalyst 6509 switch and the Cisco 7606 router and the Cisco 7609 router with the VPN Services Module meets all the Level 2 requirements for FIPS 140-2. Follow the setting guidelines provided in the following
  • Cisco 7606 | User Guide - Page 27
    configuration: • ah-sha-hmac • esp-des • esp-sha-hmac • esp-3des • esp-aes The following algorithms are not FIPS approved and should be disabled: • MD-4 and MD-5 for signing • MD-5 HMAC OL-6334-01 Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification
  • Cisco 7606 | User Guide - Page 28
    use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R) © 2005, Cisco Systems, Inc. All rights reserved. Printed in USA. Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note 28 OL-6334-01

Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2005 Cisco Systems, Inc. All rights reserved.

Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note

This is the non-proprietary Cryptographic Module Security Policy for the Catalyst 6509 switch and the
Cisco 7606 and Cisco 7609 routers with the VPN Services Module:
  • Hardware Version
    - Catalyst 6509 switch
    - Cisco 7606 router
    - Cisco 7609 router
  • Backplane chassis
    - Hardware Version 3.0 (Catalyst 6509 switch)
    - Hardware Version 1.0 (Cisco 7606 router)
    - Hardware Version 1.0 (Cisco 7609 router)
  • Supervisor Engine—Hardware Version 3.2
  • VPN Services Module—Hardware Version 1.2; Firmware Version 12.2(14)SY3

This security policy describes how the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers
with the VPN Services Module meet the security requirements of FIPS 140-2, and describes how to
operate the hardware devices in a secure FIPS 140-2 mode. This policy was prepared as part of the
Level 2 FIPS 140-2 validation of the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers
with the VPN Services Module.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at