User Guide
Page 2
... document provides an overview of the Cisco 2621XM and 2651XM routers and explains the secure configuration and operation of operation. With the exception of the Cisco router easily allows interfaces to be found at: http://www.cisco.com/en/US/products/hw/routers/...functionality of a FIPS 140-2 cryptographic module security policy. In addition to reduce costs. "Secure Operation of the Cisco 2621XM/2651XM Router" specifically addresses the required configuration for the module Terminology In this document, the Submission Package contains: • Vendor Evidence document • ...
User Guide
Page 7
.../TACACS+ shared secrets must each be found in the Performing Basic System Management manual and in the online help for the configuration and maintenance of the Cisco 2621XM and 2651XM Routers can be at least 8 alphanumeric characters in the FIPS mode. If only integers 0-9 are used ...role-based. Both roles are two main roles in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The 2621XM/2651XM Router Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) Router Physical Interface 10...
User Guide
Page 8
...Cisco 2651XM Modular Access Routers with a terminal program. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. • Status Functions-view the router configuration... Manage the router-log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations. • Set Encryption/Bypass-set from specified IP address. • Change Network Modules-...
User Guide
Page 9
...will leave tamper evidence. Any attempt to remove a WAN interface card will leave tamper evidence. The labels completely cure within five minutes. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 9 Place the second label on the...Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM or WIC, must also be followed to apply tamper evidence labels for this purpose. Once the router has been configured in Figure 6. Place the first label ...
User Guide
Page 12
.... Flash (plaintext) This is zeroized as this key in PPP. This key NVRAM is zeroized when the "no " form of the configuration file. The password retrieved from the local database. One can be zeroized because (plaintext) it is in the module binary image. DRAM ...(plaintext) The RSA public key used as an authentication key. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. This key is stored in SSH. The 2621XM/2651XM Router Table 4 Critical Security Parameters (...
User Guide
Page 13
...Access to CSPs Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards... CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 13 The 2621XM/2651XM Router The services...
User Guide
Page 14
...Access to CSPs (continued) Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/... CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 14 OL-6262-01
User Guide
Page 15
...to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access ...decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15
User Guide
Page 18
...the console port is required for authentication. ah-sha-hmac - Secure Operation of the Cisco 2621XM/2651XM Router • The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal no other than its default. • The Crypto Officer may be loaded. ...characters long. • If the Crypto Officer loads any privilege level other image may configure the module to use RADIUS or TACACS+ for the Crypto Officer role. esp-des Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy ...
User Guide
Page 19
...hmac - esp-aes • The following documents: • Cisco 2600 Series Modular Routers Quick Start Guide • Cisco 2600 Series Hardware Installation Guide • Software Configuration Guide for signing - The Crypto officer must configure the module so that any remote connections via a secure IPSec...is configured to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com Cisco 2621XM and Cisco 2651XM...
User Guide
Page 21
... commit resources during normal business hours to resolve the situation. You and Cisco will commit all necessary resources around the clock to resolve the situation. Cisco 2621XM and Cisco 2651XM Modular Access Routers with Cisco product capabilities, installation, or configuration. To open S3 and S4 service requests. (S3 and S4 service requests are negatively affected...
User Guide
Page 22
... provides a variety of general networking, training and certification titles. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/iqmagazine • Internet Protocol Journal is a quarterly journal published by Cisco Systems, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links...
Software Configuration Guide
Page 1
Software Configuration Guide For Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-1957-04
Software Configuration Guide
Page 2
... of the University of the word partner does not imply a partnership relationship between Cisco and any other countries. and certain other company. (0201R) Software Configuration Guide for the Cisco 2600 series, Cisco 3600 Series, and Cisco 3700 Series Routers Copyright © 2002, Cisco Systems, Inc. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE...
Software Configuration Guide
Page 3
... in Cisco 2600 Series Routers 1-4 Cisco 3600 Series Interface Numbering 1-4 Cisco 3600 Series Router Slot Numbering 1-4 Cisco 3600 Series Router Unit Numbering 1-8 Cisco 3600 Series Routers Voice Interface Numbering 1-8 Cisco 3700 Series Interface Numbering 1-9 Cisco 3725 Router Slot Numbering 1-9 Cisco 3745 Router Slot Numbering 1-11 Cisco 3700 Series Routers Voice Interface Numbering 1-12 Software Configuration Guide For Cisco 2600 Series, Cisco 3600...
Software Configuration Guide
Page 4
... Using the setup Command Facility 2-2 Configuring Global Parameters 2-2 Configuring Interface Parameters 2-5 Ethernet Interface Configuration 2-6 FastEthernet Interface Configuration 2-6 Token Ring Interface Configuration 2-7 Serial Interface Configuration 2-7 Frame Relay Encapsulation 2-8 LAPB Encapsulation 2-8 X.25 Encapsulation 2-8 ATM-DXI Encapsulation 2-9 SMDS Encapsulation 2-9 Serial Cisco IOS Commands Generated 2-9 Asynchronous/Synchronous Serial Interface Configuration 2-9 Synchronous Configuration 2-9 Asynchronous Configuration 2-11 ISDN BRI Interface Configuration 2-12 ISDN BRI Line...
Software Configuration Guide
Page 5
... Checking the Modem Configuration 3-28 Configuring Wireless Multipoint Interfaces 3-28 Checking the Interface Configuration 3-29 Configuring 1-Port ADSL WAN Interface Card 3-29 Benefits 3-30 Restrictions 3-30 Prerequisites 3-31 Configuration Tasks 3-31 Configuring the ADSL Port on the ADSL WAN Interface Card 3-31 Verifying ATM Configuration 3-32 Software Configuration Guide For Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers...
Software Configuration Guide
Page 6
... 3-47 Convert HSSI to Clock Master 3-48 Disable Fair Queueing 3-48 Configuration Examples 3-48 Configuring the Compression Network Module for the Cisco 3600 Series Routers 3-49 Configuration Task 3-49 Configuration Example 3-50 Configuring the Digital Modem Network Module for the Cisco 3640 Router 3-50 Prerequisites 3-50 Configuration Tasks 3-51 Configure the E1/T1 Network Module for ISDN PRI 3-51...
Software Configuration Guide
Page 7
... 4-4 Configuration for Router RLB-1 4-4 Configuration for Router RLB-w 4-5 Configuration for Router R12-e 4-5 Configuration for Router RLB-2 4-5 Linking PBX Users with E&M Trunk Lines 4-6 Router SJ Configuration 4-7 Router SLC Configuration 4-7 PSTN Gateway Access Using FXO Connection 4-8 Router SJ Configuration 4-8 Router SLC Configuration 4-9 PSTN Gateway Access Using FXO Connection (PLAR Mode) 4-9 Router SJ Configuration 4-9 Software Configuration Guide For Cisco 2600 Series, Cisco 3600 Series, and Cisco...
Software Configuration Guide
Page 8
...-Inward Dialing on a BRI Port 4-10 Router 1 Configuration 4-11 Router 2 Configuration 4-11 Router 3 Configuration 4-11 Where to Go Next 4-11 Configuration Examples A-1 Cisco 2600 Series Router Configuration Example A-1 Cisco 3631 Router Configuration Example A-6 Cisco 3725 Router Configuration Example A-10 1-Port ADSL WAN Interface Card Configuration Examples A-12 VoATM over AAL2 on the ATM Interface Configuration Example A-12 VoATM over AAL5 on the...