manualshive.com logo in svg

Cisco 7606, Руководство пользователя

Брошюра Cisco 7606 доступна для скачивания бесплатно на нашем сайте. Полное руководство пользователя можно загрузить на manualshive.com. Cisco 7606 - надежное и мощное решение для вашей сети. Познакомьтесь с функционалом этого продукта, скачав бесплатное руководство с нашего сайта.

Поделиться
Скачать
background image

7

Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note

OL-6334-01

  Catalyst 6509/Cisco 7606/Cisco 7609 Cryptographic Module

The cryptographic boundary does not include the network module or service module itself unless it 
performs approved cryptographic functions. In other words, the cryptographic boundary encompasses 
all hardware components within the chassis except any installed nonapproved cryptographic network 
modules or service modules and the power supply submodules. Service modules that are currently 
available include the Network Access Module (NAM), a Firewall Services Module, and a VPN Services 
Module. All of the functionality described in this publication is provided by components within this 
cryptographic boundary.

The service modules require that a special opacity shield be installed over the intake-side air vents in 
order to operate in FIPS-approved mode. The shield decreases the surface area of the vent holes, 
reducing visibility within the cryptographic boundary to FIPS-approved specifications. Detailed 
installation instructions for the shield are provided in this publication.

The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers incorporate a single VPN Services 
Module cryptographic accelerator card. The VPN Services Module is installed in a chassis module slot.

Cisco IOS features such as tunneling, data encryption, and termination of remote access WANs using 
IPsec, Layer 2 forwarding and Layer 2 tunneling protocols make the Catalyst 6509 switch and the 
Cisco 7606 and Cisco 7609 routers with VPN Services Module an ideal platform for building virtual 
private networks or outsourced dial solutions. The RISC-based processor provides the power needed for 
the dynamic requirements of the remote branch office.

Module Interfaces

The switch and router chassis physical interfaces are located on the supervisor engine front panel. (See 

Figure 4

.)

Figure 4

Supervisor Engine Physical Interfaces

The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers provide console ports, fixed 
Ethernet interfaces, nine network and service module slots on the Catalyst 6509 switch and Cisco 7609 
router chassis, and six network and service module slots on the Cisco 7606 router chassis. Network 
modules support a variety of LAN and WAN connectivity interfaces, such as the following: Ethernet, 
ATM, serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity.

An network module or a service module is installed in one of the chassis slots, which are located on the 
front panel of the chassis. The modules interface directly with the supervisor engine, and cannot perform 
cryptographic functions; they only serve as a data input and data output physical interface.

The supervisor engine has two Ethernet uplink ports. The supervisor engine also has an RJ-45 connector 
for a console terminal for local system access. The Ethernet ports have LINK LEDs. Power is supplied 
to the module from the power supply through the backplane. 

Figure 4

 shows the LEDs located on the 

Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers. 

Table 1

 describes the LEDs.

44312

SUPERVISOR2

WS-X6K-SUP2-2GE

STATUS SYSTEMCONSOLE

PWR MGMT

RESET

CONSOLE

CONSOLE

PORT

MODE

PCMCIA

EJECT

PORT 1

PORT 2

Switch    Load   

100%

1%

LIN

K

LIN

K

PCMCIA LED

LINK LEDs

Status
LEDs

RESET button

CONSOLE port

CONSOLE PORT
MODE switch

PCMCIA slot

1000BASE-X GBIC 

Uplink Ports

Switch load

display

Содержание 7606

Страница 1: ...e Hardware Version 3 2 VPN Services Module Hardware Version 1 2 Firmware Version 12 2 14 SY3 This security policy describes how the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers with the VPN Services Module meet the security requirements of FIPS 140 2 and describes how to operate the hardware devices in a secure FIPS 140 2 mode This policy was prepared as part of the Level 2 FIPS ...

Страница 2: ...6509 switch and the Cisco 7606 and Cisco 7609 routers in the technical terms of a FIPS 140 2 Cryptographic Module Security Policy More information is available on the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers and the entire Catalyst 6500 series switches and Cisco 7600 series routers from the following sources The Catalyst 6500 series switch product descriptions can be found at...

Страница 3: ...alyst 6509 Switch and Cisco 7606 and Cisco 7609 Routers section which details the general features and functionality of the Catalyst 6509 switch and Cisco 7606 and Cisco 7609 routers The Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers section specifically addresses the required configuration for the FIPS approved mode of operation With the exception of this N...

Страница 4: ... 8 PORT GIGABIT ETHERNET WS X6408 1 LI N K ST AT U S 2 3 4 5 6 7 8 LI N K LI N K LI N K LI N K LI N K LI N K LI N K 8 PORT GIGABIT ETHERNET WS X6408 1 LI N K ST AT U S 2 3 4 5 6 7 8 LI N K LI N K LI N K LI N K LI N K LI N K LI N K 8 PORT GIGABIT ETHERNET WS X6408 1 LI N K ST AT U S 2 3 4 5 6 7 8 LI N K LI N K LI N K LI N K LI N K LI N K LI N K 24 PORT 100FX WS X6224 ST AT US 24 PORT 100FX WS X6224...

Страница 5: ... E TX RX TX PO RT 1 RX ACTIV E TX RX TX PO RT 2 RX ACTIV E TX RX TX PO RT 3 RX ACTIV E TX RX TX PO RT4 RX OSM 4OC12 POS SI 4 PORT OC 12 POS SM IR STATUS 1 1 2 2 3 3 4 4 RESET LIN K LIN K LIN K LIN K CARRIE R ALARM CARRIE R ALARM CARRIE R ALARM CARRIE R ALARM ACTIV E TX RX TX PO RT 1 RX ACTIV E TX RX TX PO RT 2 RX ACTIV E TX RX TX PO RT 3 RX ACTIV E TX RX TX PO RT4 RX OSM 4OC12 POS SI 4 PORT OC 12 ...

Страница 6: ...T PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K SUPERVISOR2 WS X6K SUP2 2GE ST AT US SY ST EM CO NS OL E PW R MG MT RE SE T CONSOLE CONSOLE PORT MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K SWITCH FABRIC MDL ST AT US SE LE CT NE XT WS C6500 SFM AC TIV E SWITCH FABRIC MDL ST AT US SE LE CT NE XT WS C6500 SFM AC TIV E OC12 POS MM OSM 40C12 POS MM ST AT US 1 2 3 4 RE SE T LI NK 1 LI NK...

Страница 7: ...virtual private networks or outsourced dial solutions The RISC based processor provides the power needed for the dynamic requirements of the remote branch office Module Interfaces The switch and router chassis physical interfaces are located on the supervisor engine front panel See Figure 4 Figure 4 Supervisor Engine Physical Interfaces The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 ro...

Страница 8: ...ge The power supply has failed or the power supply fan has failed Incompatible power supplies are installed The redundant clock has failed One VTT2 module has failed or the VTT module temperature minor threshold has been exceeded Red Two VTT modules fail or the VTT module temperature major threshold has been exceeded The temperature of the supervisor engine major threshold has been exceeded 3 ACTI...

Страница 9: ...tes signals on the Catalyst switching bus 3 If no redundant supervisor engine is installed and there is a VTT module minor or major over temperature condition the system shuts down 4 Enter the show crypto eli command to determine whether the FIPS related self tests passed All of these physical interfaces are separated into the logical interfaces from FIPS 140 2 as described in Table 2 Table 2 FIPS...

Страница 10: ... role The module supports RADIUS and TACACS for authentication and they are used in the FIPS mode A complete description of all the management and configuration capabilities of the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers can be found in the Performing Basic System Management manual and in the online help for the switch or the router The user and crypto officer passwords and ...

Страница 11: ... Get commands to view SNMP MIB II statistics health temperature memory status voltage and packet statistics reviews accounting logs and views physical interface status Managing the switch or the router Logs off users shuts down or reloads the switch or router manually backs up switch or router configurations views complete configurations manages user rights and restores switch or router configurat...

Страница 12: ...the bag with the part number 800 26335 xx This is the opacity shield kit for the Catalyst 6509 switch chassis Set the other opacity shield kit aside Step 4 Open the protective packaging and remove the opacity shield and the two bags of installation hardware The opacity shield is identified by the label 6509 E that is silk screened adjacent to some of the holes on the shield Retain the fastener bag...

Страница 13: ...ap rivet fastener and use a new one from the extras supplied in the bag of fasteners Step 12 Repeat step 10 and step 11 for the remaining three snap rivet fasteners Refer to Figure 5 for snap rivet fastener placement Caution Due to decreased airflow when using the opacity shield which is required for FIPS 140 2 validation short term operation as specified by GR 63 CORE at 55º C is impacted Short t...

Страница 14: ...UT OK FAN OK OUTPUT FAIL o FAN STATUS INPUT OK FAN OK OUTPUT FAIL o 1 2 3 4 5 6 7 8 9 IPSec VPN Acceleration Services Module WS SVC IPSEC 1 ST AT US SUPERVISOR2 WS X6K SUP2 2GE ST AT US SY ST EM CO NS OL E PW R MG MT RE SE T CONSOLE CONSOLE PORT MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K Shield screw Opacity shield material removed for clarity Chassis shown removed from rack for...

Страница 15: ...ing A bag containing the installation hardware In some kits there is no bag the installation hardware is premounted in the opacity shield An envelope with 30 FIPS tamper evidence labels and a disposable ESD wrist strap Step 3 Remove the opacity shield from its protective packaging a If the thumbscrews and the snap rivet fasteners are already installed on the opacity shield remove the four snap riv...

Страница 16: ... snap rivet fastener and use a new one from the extras supplied in the bag of fasteners Step 10 Repeat step 8 and step 9 for the remaining three snap rivet fasteners Refer to Figure 6 for snap rivet fastener placement Caution Due to decreased airflow when using the opacity shield which is required for FIPS 140 2 validation short term operation as specified by GR 63 CORE at 55º C is impacted Short ...

Страница 17: ... Opacity Shield on the Cisco 7606 Router SUPERVISOR2 WS X6K SUP2 2GE ST AT US SY ST EM CO NSO LE PW R M G M T RES ET CONSOLE CONSOLE PORT MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LI NK LI NK 4 5 6 IPSec VPN Acceleration Services Module WS SVC IPSEC 1 STATUS 130882 Shield screw Opacity shield material removed for clarity Snap rivet sleeve Snap rivet pin Chassis shown removed from rack for ...

Страница 18: ...0 F Step 2 Place labels on the chassis as shown in either Figure 7 Catalyst 6509 switch Figure 8 Cisco 7606 router or Figure 9 Cisco 7609 router a Fan tray The tamper evidence label should be placed so that one half of the label adheres to the front of the fan tray and the other half adheres to the left side of the chassis Any attempt to remove the fan tray will damage the tamper seal which indica...

Страница 19: ...es to the Supervisor Engine 2 faceplate Any attempt to install or remove a Flash PC card will damage the tamper seal which indicates tampering has occurred b Place a tamper evidence label so that one half of the label adheres to the GBIC transceiver installed in the supervisor engine 2 network interface uplink port and the other half adheres to the Supervisor Engine 2 faceplate Any attempt to remo...

Страница 20: ...T MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K 130879 4 5 6 IPSec VPN Acceleration Services Module WS SVC IPSEC 1 ST AT US IN PU T O K FA N O K O UT PU T FA IL Cisco Systems Inc IN PU T O K FA N O K O UT PU T FA IL Cisco Systems Inc 130880 INPUT OK FAN OK OUTPUT FAIL o INPUT OK FAN OK OUTPUT FAIL o POWER SUPPLY 1 POWER SUPPLY 2 IPSec VPN Acceleration Services Module WS SVC IPSEC 1...

Страница 21: ...phic accelerator card support DES 56 bit only for legacy systems and 3DES 168 bit IPsec encryption MD5 and SHA 1 hashing and hardware support for RSA signature generation The module supports the critical security parameters CSPs as described in Table 3 Table 3 Critical Security Parameters CSP Number Key or CSP Name Description Storage 1 key This is the seed key for X9 31 PRNG This key is stored in...

Страница 22: ...ransform_key4 The IPsec authentication key It is zeroized when IPsec session is terminated DRAM plaintext 16 signature The RSA public key of the CA The no crypto ca trust label command invalidates the key and it frees the public key label that prevents use of the key This key does not need to be zeroized because it is a public key NVRAM plaintext 17 dnssec_zone_key This key is a public key of the ...

Страница 23: ...atabase on the switch or router Issuing the command no username password zeroizes the password that is used as this key from the local database NVRAM plaintext 26 ssh encryption key This is the SSH session key It is zeroized when the SSH session is terminated DRAM plaintext 27 User Password The password of the user role This password is zeroized by overwriting it with a new password NVRAM plaintex...

Страница 24: ...or IKE authentication Table 4 Role and Service Access to Critical Security Parameters CSPs SRDI Role Service Access Policy Security Relevant Data Item Critical Security Parameters Role Service User Role Status Functions Network Functions CSP 1 20 R CSP 22 27 R Terminal Functions Directory Functions Crypto Officer Role Configure the Router CSP 13 R W D CSP 19 R W D CSP 21 R W D CSP 25 R W D Define ...

Страница 25: ...he pre shared keys The crypto officer needs to be authenticated to store keys All Diffie Hellman DH keys agreed upon for individual tunnels are directly associated with that specific tunnel only through the IKE protocol Key Zeroization All of the keys and CSPs of the module can be zeroized Refer to the description column of Table 3 for information on methods to zeroize each key and CSP Self Tests ...

Страница 26: ...ections to place the module in a FIPS approved mode of operation Operating this router or switch without maintaining the following settings will remove the module from the FIPS approved mode of operation Initial Setup Before configuring the router or switch note these requirements The crypto officer must ensure that the VPN Services Module cryptographic accelerator card is installed in the chassis...

Страница 27: ...aracters to users Identification and authentication on the console port is required for users From the configure terminal command line the crypto officer enters the following syntax line con 0 password PASSWORD login local The crypto officer shall only assign users to a privilege level 1 the default The crypto officer shall not assign a command to any privilege level other than its default The cry...

Страница 28: ...eader application The RSS feeds are a free service and Cisco currently supports RSS Version 2 0 CCSP CCVP the Cisco Square Bridge logo Follow Me Browsing and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQuick Study are service marks of Cisco Systems Inc and Access Registrar Aironet ASIST BPX Catalyst CCDA CCDP CCIE CCIP CCNA CCNP Cisco the Cisco C...

Отзывы:

Нет отзывов

Похожие инструкции для 7606

4IPNET WHG301 User Manual preview
WHG301
Бренд: 4IPNET Страницы: 97
Salto Node Installation Manual preview
Node
Бренд: Salto Страницы: 2
Ericsson Marconi OMS 1200 Product Description preview
Marconi OMS 1200
Бренд: Ericsson Страницы: 136
ZyXEL Communications Dimension ES-3124 User Manual preview
Dimension ES-3124
Бренд: ZyXEL Communications Страницы: 228
ZyXEL Communications XS1920 Series User Manual preview
XS1920 Series
Бренд: ZyXEL Communications Страницы: 422
Dust Networks SmartMesh IA-510 D2511 Manager'S Manual preview
SmartMesh IA-510 D2511
Бренд: Dust Networks Страницы: 30
Draytek Vigor 2700G Specifications preview
Vigor 2700G
Бренд: Draytek Страницы: 2
Genie IP8ESP User Manual preview
IP8ESP
Бренд: Genie Страницы: 6
IBASE Technology FWA8207 Series User Manual preview
FWA8207 Series
Бренд: IBASE Technology Страницы: 39
ENERMAX LIQMAX III ELC-LMT120-ARGB User Manual preview
LIQMAX III ELC-LMT120-ARGB
Бренд: ENERMAX Страницы: 32
Lattice Semiconductor sysCLOCK ECP5 Usage Manual preview
sysCLOCK ECP5
Бренд: Lattice Semiconductor Страницы: 43
Paradyne ACCULINK 3161 CSU Quick Reference Manual preview
ACCULINK 3161 CSU
Бренд: Paradyne Страницы: 19
Keysight Technologies U3024AH10 User'S And Service Manual preview
U3024AH10
Бренд: Keysight Technologies Страницы: 106
Cypress Semiconductor CY7C1441AV33 Specification Sheet preview
CY7C1441AV33
Бренд: Cypress Semiconductor Страницы: 31
OWC ACCELSIOR 8M2 Assembly Manual & User Manual preview
ACCELSIOR 8M2
Бренд: OWC Страницы: 9
Williams Sound DW SY 1 User Manual preview
DW SY 1
Бренд: Williams Sound Страницы: 2
Abocom WR5205G User Manual preview
WR5205G
Бренд: Abocom Страницы: 59
ekwb EK-UNI Holder D5 V3 Installation And Mounting Manual preview
EK-UNI Holder D5 V3
Бренд: ekwb Страницы: 2

Бренды по названию

Популярные бренды

Загрузить еще бренды