Integrated Services Adapter and Integrated Services Module Installation and Configuration
Product Numbers: SA-ISA(=) and SM-ISM(=)
Platforms Supported: Cisco 7100 series routers and Cisco 7200 series routers
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface This preface describes the objectives and organization of this document and explains how to find additional information on related products and services.
Note To ensure compliance with U.S. export laws and regulations, and to prevent problems later on, see the “Compliance with U.S. Export Laws and Regulations Regarding Encryption” section on page 2-6 for specific and important information.
Audience
To use this publication, you should be familiar not only with Cisco router hardware and cabling but also with electronic circuitry and wiring practices. You should also have experience as an electronic or electromechanical technician.
Document Organization
This document contains the following chapters:
Chapter 1, Overview: Describes the ISA and the ISM and their LED displays.
Chapter 2, Preparing for Installation: Describes safety considerations, tools required, and procedures you should perform before the actual installation.
Document Conventions
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
Warning (translated from the French) This warning symbol means danger. You are in a situation that could cause bodily injury. Before working on any equipment, be aware of the hazards posed by electrical circuits and familiarize yourself with the procedures commonly used to prevent accidents.
• DTE—data terminal equipment
• EPROM—erasable programmable read-only memory
• EEPROM—electrically erasable programmable read-only memory
• GB—gigabit
• GBIC—Gigabit Interface Converter
• Gbps—gigabits per second
• MB—megabyte
• Mbps—megabits per second
• NVRAM—nonvolatile random-access memory
• OIR—online insertion and removal
• PCI—Peripheral Component Interconnect
• PXF—Parallel eXpress Forwarding—A secondary processor used to accelerate Cisco IOS ser
Note For configuration information and support, refer to the modular configuration and modular command reference publications in the Cisco IOS software configuration documentation set that corresponds to the software release installed on your Cisco hardware. Access these documents at: http://www.cisco.com/en/US/products/sw/iosswrel/index.html. Translated documentation is available at http://www.cisco.
– Cisco IOS Release 12.0 Security Configuration Guide
– Cisco IOS Release 12.0 Security Command Reference
– Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2
– Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.1
– Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide
– Cisco IOS Interface Configuration Guide, Release 12.
International Cisco web sites can be accessed from this URL: http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription. Registered Cisco.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com
Cisco.
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register: http://tools.cisco.com/RPF/register/register.do If you are a Cisco.
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.
Chapter 1 Overview
This chapter describes the ISA and the ISM and contains the following sections:
• ISA and ISM Overview, page 1-1
• Data Encryption Overview, page 1-2
• Features, page 1-3
• Port Adapter Slot Locations on the Supported Platforms, page 1-4
• LEDs, page 1-6
Note The ISA and the ISM are the same board, but differ in their outside appearance.
ISA and ISM Overview
The ISA is a single-width service adapter and the ISM is a single-width service module.
Note The Cisco 7100 series VPN routers do not support ISM and ISA in the same chassis. The Cisco 7100 series routers do not support online insertion and removal of the ISM. The Cisco 7200 series routers do not support the ISM. The Cisco 7200 series routers support online insertion and removal of the ISA.
• CA—In addition, Certificate Authority (CA) interoperability is provided in support of the IPSec standard, using Certificate Enrollment Protocol (CEP). CEP permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
Table 1-1 Features (continued)
Number of Tunnels: Up to 2000 IPSec protected tunnels; up to 2000 PPTP tunnels protected by MPPE.
Encryption: Data protection: IPSec DES and 3DES, 40- and 128-bit RC4 MPPE (stateful or stateless). Authentication: RSA and Diffie-Hellman, MS-CHAP. Data integrity: SHA-1 and MD5.
VPN Tunneling: IPSec tunnel mode, GRE, L2TP, L2F protected by IPSec, PPTP protected by MPPE.
Number of ISM
Note The Cisco 7100 series VPN routers do not support an ISM and an ISA in the same chassis.
Figure 1-3 Port Adapter Slots in the Cisco 7206 (figure; callouts: Port adapter slot 1, Port adapter slot 3, Port adapter slot 5, Fast Ethernet input/output controller)
Figure 1-4 ISA Front Panel LEDs (SA-ISA shown) (figure; front panel labeled ENCRYPT/COMP SA-ISA, with ENABLE, BOOT and ERROR LEDs)
Table 1-2 ISA LEDs
ENABLE (green), on: Indicates the ISA is powered up and enabled for operation.
BOOT (amber), pulses (1): Indicates the ISA is operating.
BOOT (amber), on: Indicates the ISA is booting or a packet is being encrypted or decrypted.
ERROR (amber), on: Indicates an encryption error has occurred. This LED is normally off.
1.
Table 1-3 ISM LEDs
EN (green), on: Indicates the ISM is powered up and enabled for operation.
BOOT (amber), pulses (1): Indicates the ISM is operating.
BOOT (amber), on: Indicates the ISM is booting or a packet is being encrypted or decrypted.
ERROR (amber), on: Indicates an encryption error has occurred. This LED is normally off.
1. After successfully booting, the boot LED pulses in a “heartbeat” pattern to indicate that the ISM is operating.
Chapter 2 Preparing for Installation
This chapter describes the general equipment, safety, and site preparation requirements for installing the ISA and the ISM. This chapter contains the following sections:
• Required Tools and Equipment, page 2-1
• Software and Hardware Requirements and Compatibility, page 2-1
• Software Compatibility, page 2-2
• Safety Guidelines, page 2-3
• Compliance with U.S.
Note The Cisco IOS Release 12.1 Mainline does not support the ISA/ISM.
Table 2-1 Minimum Cisco IOS Software Releases (Platform: Recommended Minimum Cisco IOS Release)
Cisco 7100 series: Cisco IOS Release 12.0(5)XE or a later release of Cisco IOS Release 12.0 XE
• Cisco 7120 series and Cisco 7140 series: Cisco IOS Release 12.1(1)E or a later release of Cisco IOS Release 12.1 E; Cisco IOS Release 12.
• If the ISA and VAM are in the chassis at system bootup, and the encryption mppe command is in the router’s running configuration, then both the ISA and VAM are enabled at system bootup. The ISA card supports MPPE, and the VAM supports ISAKMP/IPSec. You can enable encryption mppe by following the steps in the “Configuring IPSec” section on page 4-4. To disable MPPE on an ISA card, use the no encryption mppe command. This disables the ISA.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
Warning (translated from the Portuguese) This warning symbol means danger. You are in a situation that could cause you physical injury. Before you begin working with any equipment, familiarize yourself with the hazards related to electrical circuits and with any common practices that can prevent possible accidents.
Caution
• When installing a component, use any available ejector levers or captive installation screws to properly seat the bus connectors in the backplane or midplane. These devices prevent accidental removal, provide proper grounding for the system, and help to ensure that bus connectors are properly seated.
Chapter 3 Removing and Installing the ISA and the ISM
This chapter describes how to remove the ISA or ISM from supported platforms and also how to install a new or replacement ISA or ISM.
Figure 3-1 Handling the ISM (figure; callouts: Printed circuit board, Metal carrier)
Figure 3-2 Handling the ISA (figure; callouts: Metal carrier, Printed circuit board)
Online Insertion and Removal
Several platforms support online insertion and removal (OIR); therefore, you do not have to power down the router when removing and replacing an ISA on Cisco 7200 series routers.
Each module has a bus connector that connects it to the router. The connector has a set of tiered pins in three lengths that send specific signals to the system as they make contact with the module. The system assesses the signals it receives and the order in which it receives them to determine if a module is being removed from or introduced to the system.
ISA or ISM Removal and Installation
In this section, the illustrations that follow give step-by-step instructions on how to remove and install the ISA or the ISM.
Cisco 7100 Series—Removing and Installing the ISM
Step 1 To remove the ISM, use a number 2 Phillips screwdriver to loosen the captive installation screws.
Step 2 Grasp the captive installation screws of the ISM to pull it from the router. (Figure callout: Captive installation screws)
Note When inserting the ISM, hold the ISM up at a slight angle to engage the carrier guides.
Cisco 7200 Series—Removing and Installing the ISA
Step 1 To remove the service adapter, place the port adapter lever in the unlocked position. (See A.) The port adapter lever remains in the unlocked position. (Figure callout: Port adapter lever (locked position))
Chapter 4 Configuring the ISA and ISM
This chapter contains the information and procedures needed to configure the ISA or the ISM in the Cisco 7100 series VPN routers and Cisco 7200 series routers.
Using the EXEC Command Interpreter
Configuring IPSec requires privileged-level access to the EXEC command interpreter. Also, privileged-level access usually requires a password. (Contact your system administrator, if necessary, to obtain privileged-level access.) These sections contain basic configuration information only. For detailed configuration information, refer to the “IP Security and Encryption” chapter of the Security Configuration Guide publication.
Use the ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful] command in interface configuration mode to enable MPPE on the virtual template.
Configuring IKE
IKE is enabled by default. IKE does not have to be enabled for individual interfaces but is enabled globally for all interfaces at the router. You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during the IKE negotiation.
Configuring IPSec
After you have completed IKE configuration, configure IPSec at each participating IPSec peer.
Later, you will associate the crypto access lists with particular interfaces when you configure and apply crypto map sets to the interfaces (following the instructions in the “Creating Crypto Maps” section on page 4-7).
Note IKE uses UDP port 500. The IPSec Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols use IP protocol numbers 50 and 51, respectively.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
Table 4-1 shows allowed transform combinations.
For IPSec to succeed between two IPSec peers, both peers’ crypto map entries must contain compatible configuration statements. When two peers try to establish a security association, each must have at least one crypto map entry that is compatible with one of the other peer’s crypto map entries.
Applying Crypto Maps to Interfaces
You need to apply a crypto map set to each interface through which IPSec traffic flows. Applying the crypto map set to an interface instructs the router to evaluate all the interface’s traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by encryption.
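The following configuration fragment is an added illustration, not taken from this manual, that ties together the steps of this chapter (IKE policy, transform set, crypto access list, crypto map entry, and applying the crypto map set to an interface). It reuses the peer address, local address, access list number, transform set name and crypto map tag shown in the chapter's sample show output; the pre-shared key and the Ethernet0 subnet mask are placeholders.

```cisco
! Added example (not from the manual). Values follow the chapter's sample
! show output: peer 172.21.114.67, local address 172.21.114.123, access
! list 141, transform set t1, crypto map tag router-alice, interface Ethernet0.
!
! IKE policy 15. DES is the default encryption algorithm and is therefore
! not written to the configuration; pre-shared key authentication is shown.
crypto isakmp policy 15
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for the remote IPSec peer (placeholder value)
crypto isakmp key REPLACE-WITH-PRE-SHARED-KEY address 172.21.114.67
!
! Transform set t1: ESP with DES encryption and MD5-HMAC integrity in
! tunnel mode (matches "transform: esp-des esp-md5-hmac" in the sample output)
crypto ipsec transform-set t1 esp-des esp-md5-hmac
 mode tunnel
!
! Crypto access list 141 selects the traffic to be protected
! (shown as 172.21.114.123/0.0.0.0 -> 172.21.114.67/0.0.0.0 in the sample output)
access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
!
! Crypto map router-alice, entry 10: remote peer, transform set,
! SA lifetimes (4608000 kilobytes / 120 seconds as in the sample output)
! and the access list that selects protected traffic
crypto map router-alice 10 ipsec-isakmp
 set peer 172.21.114.67
 set transform-set t1
 set security-association lifetime seconds 120
 set security-association lifetime kilobytes 4608000
 match address 141
!
! Apply the crypto map set to the interface through which IPSec traffic flows
interface Ethernet0
 ip address 172.21.114.123 255.255.255.0
 crypto map router-alice
```

The 120-second SA lifetime mirrors the chapter's sample output; it forces a rekey every two minutes, so for production use the Cisco IOS default of 3600 seconds is the usual starting point.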
To clear (and reinitialize) IPSec security associations, use one of the following commands in global configuration mode:
Command: clear crypto sa. Purpose: Clear IPSec security associations (SAs).
Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.
Peer = 172.21.114.67
Extended IP access list 141
    access-list 141 permit ip
        source: addr = 172.21.114.123/0.0.0.0
        dest:   addr = 172.21.114.67/0.0.0.0
Current peer: 172.21.114.67
Security-association lifetime: 4608000 kilobytes/120 seconds
PFS (Y/N): N
Transform sets={t1,}
The following is sample output for the show crypto ipsec sa command:
Router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.
    outbound esp sas:
        spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
    outbound ah sas:
For a detailed description of the information displayed by the show commands, refer to the “IP Security and Encryption” chapter of the Security Command Reference publication.
Note In the above example, the encryption DES of policy 15 would not appear in the written configuration because this is the default value for the encryption algorithm parameter.
A transform set defines how the traffic will be protected:
crypto ipsec transform-set auth1 ah-md5-hmac esp-des esp-md5-hmac
 mode tunnel
A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer).