User Guide
Page 2
....nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the FIPS-mode of the Cisco 2621XM/2651XM Router" specifically addresses the required configuration for the module Terminology In this Non-Proprietary Security Policy, the FIPS... 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. With over 100 Network Modules (NMs) and WAN Interface Cards (WICs), the modular architecture of a FIPS 140-2 cryptographic module security...
....nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the FIPS-mode of the Cisco 2621XM/2651XM Router" specifically addresses the required configuration for the module Terminology In this Non-Proprietary Security Policy, the FIPS... 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. With over 100 Network Modules (NMs) and WAN Interface Cards (WICs), the modular architecture of a FIPS 140-2 cryptographic module security...
User Guide
Page 3
... capacity for the 2621XM, and 40 Kpps for building virtual private networks or outsourced dial solutions. The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The AIM-VPN/EP is located inside the module chassis, and is installed directly on the rear ...panel as shown in this cryptographic boundary. The 2621XM/2651XM Cryptographic Module Figure 1 The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600SERIES 99493 The ...
... capacity for the 2621XM, and 40 Kpps for building virtual private networks or outsourced dial solutions. The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The AIM-VPN/EP is located inside the module chassis, and is installed directly on the rear ...panel as shown in this cryptographic boundary. The 2621XM/2651XM Cryptographic Module Figure 1 The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600SERIES 99493 The ...
User Guide
Page 4
...Policy 4 OL-6262-01 and single Token Ring chassis versions. WAN interface cards support a variety of two slots, which are similar to Network Modules in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with descriptions detailed in that the fixed LAN ports ...The expansion bus interacts with the processor. WICs cannot perform cryptographic functions; The 2621XM/2651XM Router Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces WIC slots Cisco 2650 99494 W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL...
...Policy 4 OL-6262-01 and single Token Ring chassis versions. WAN interface cards support a variety of two slots, which are similar to Network Modules in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with descriptions detailed in that the fixed LAN ports ...The expansion bus interacts with the processor. WICs cannot perform cryptographic functions; The 2621XM/2651XM Router Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces WIC slots Cisco 2650 99494 W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL...
User Guide
Page 8
The IOS prompts the User for IP tunneling. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. Set keys and algorithms to be used for each interface. The rear of the unit provides 1 Network Module ... configuration tables for their password. User Services A User enters the system by a thick steel chassis. The top portion of this document. • Change WAN Interface Cards-insert and remove WICs in the WAN interface slot as described in flash memory Physical Security The router is allowed entry to the IOS executive...
The IOS prompts the User for IP tunneling. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. Set keys and algorithms to be used for each interface. The rear of the unit provides 1 Network Module ... configuration tables for their password. User Services A User enters the system by a thick steel chassis. The top portion of this document. • Change WAN Interface Cards-insert and remove WICs in the WAN interface slot as described in flash memory Physical Security The router is allowed entry to the IOS executive...
User Guide
Page 9
...second label on the router as shown in a FIPS compliant mode. Any attempt to remove a Network Module will leave tamper evidence. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 9 Alcohol-based cleaning pads are ...slot cover in order to operate in Figure 6. Any attempt to remove a WAN interface card will leave tamper evidence. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM or...
...second label on the router as shown in a FIPS compliant mode. Any attempt to remove a Network Module will leave tamper evidence. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 9 Alcohol-based cleaning pads are ...slot cover in order to operate in Figure 6. Any attempt to remove a WAN interface card will leave tamper evidence. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM or...
User Guide
Page 10
... and Cisco 2651XM Modular Access Routers with self-adhesive backing. All keys are also protected by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The modules contain a cryptographic accelerator card (the ... numbers, they may appear if the label was peeled back. This key is zeroized periodically. The 2621XM/2651XM Router Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL...
... and Cisco 2651XM Modular Access Routers with self-adhesive backing. All keys are also protected by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The modules contain a cryptographic accelerator card (the ... numbers, they may appear if the label was peeled back. This key is zeroized periodically. The 2621XM/2651XM Router Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL...
User Guide
Page 13
...Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r ...CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 13 The 2621XM/2651XM Router The services accessing ...
...Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r ...CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 13 The 2621XM/2651XM Router The services accessing ...
User Guide
Page 14
... Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 12 CSP 13 CSP 14 CSP 15 CSP 16 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21...
... Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 12 CSP 13 CSP 14 CSP 15 CSP 16 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21...
User Guide
Page 15
... Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 24 CSP 25 CSP 26 CSP 27 CSP 28 CSP 29 CSP 30 CSP 31 r dr w r r w d r r w d r r w d r w d r w d r...IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15
... Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 24 CSP 25 CSP 26 CSP 27 CSP 28 CSP 29 CSP 30 CSP 31 r dr w r r w d r r w d r r w d r w d r w d r...IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15
User Guide
Page 17
...Officer must apply tamper evidence labels as described in the module by the AIM-VPN/EP (cryptographic accelerator): • Power-up tests - Cisco 2621XM and Cisco 2651XM Modular Access Routers with an alcohol-based cleaning pad. Firmware integrity test - DES KAT - SHA-1 KAT • Conditional tests .... This document may add and remove WAN Interface Cards. The Crypto Officer must ensure that the AIM-VPN/EP cryptographic accelerator card is installed in the "Physical Security" section of the Cisco 2621XM/2651XM Router The Cisco 2621XM and 2651XM Modular Access Routers with an alcohol...
...Officer must apply tamper evidence labels as described in the module by the AIM-VPN/EP (cryptographic accelerator): • Power-up tests - Cisco 2621XM and Cisco 2651XM Modular Access Routers with an alcohol-based cleaning pad. Firmware integrity test - DES KAT - SHA-1 KAT • Conditional tests .... This document may add and remove WAN Interface Cards. The Crypto Officer must ensure that the AIM-VPN/EP cryptographic accelerator card is installed in the "Physical Security" section of the Cisco 2621XM/2651XM Router The Cisco 2621XM and 2651XM Modular Access Routers with an alcohol...
User Guide
Page 20
...AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 20 OL-6262-01 In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. You can submit comments by using the response card (if present) behind the front cover of your document or by calling 800 553-...NETS (6387). If you do not hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance....
...AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 20 OL-6262-01 In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. You can submit comments by using the response card (if present) behind the front cover of your document or by calling 800 553-...NETS (6387). If you do not hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance....
Software Configuration Guide
Page 5
...Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards 3-5 Configuring 16-Port and 32-Port Asynchronous Network Modules 3-9 Configuring ISDN BRI WAN Interface Cards 3-10 Configuring ISDN BRI Lines 3-12 ISDN ...Connect (Data Pass-Through) 3-16 Configuring Codec Complexity 3-17 Configuring T1 (FT1) WAN Interface Cards 3-18 Default Configuration 3-18 Configuring ATM Interfaces 3-20 Configuring PVCs 3-20 Configuring SVCs 3-21...Interface Configuration 3-29 Configuring 1-Port ADSL WAN Interface Card 3-29 Benefits 3-30 Restrictions 3-30 Prerequisites 3-31 Configuration Tasks 3-31 Configuring the ADSL...
...Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards 3-5 Configuring 16-Port and 32-Port Asynchronous Network Modules 3-9 Configuring ISDN BRI WAN Interface Cards 3-10 Configuring ISDN BRI Lines 3-12 ISDN ...Connect (Data Pass-Through) 3-16 Configuring Codec Complexity 3-17 Configuring T1 (FT1) WAN Interface Cards 3-18 Default Configuration 3-18 Configuring ATM Interfaces 3-20 Configuring PVCs 3-20 Configuring SVCs 3-21...Interface Configuration 3-29 Configuring 1-Port ADSL WAN Interface Card 3-29 Benefits 3-30 Restrictions 3-30 Prerequisites 3-31 Configuration Tasks 3-31 Configuring the ADSL...
Software Configuration Guide
Page 7
...-In 3-57 Configure the Modem for Dial-Out 3-57 Configuration Example 3-58 Configuring 1-Port G.SHDSL WAN Interface Card 3-58 Restrictions 3-59 Prerequisites 3-59 Configuration Tasks 3-59 Configuring G.SHDSL on a Cisco Router 3-60 Configuring ILMI on the DSLAM Connected to the ADSL WAN 3-62 Verifying ATM Configuration 3-62 Configuration Examples... 4-8 Router SJ Configuration 4-8 Router SLC Configuration 4-9 PSTN Gateway Access Using FXO Connection (PLAR Mode) 4-9 Router SJ Configuration 4-9 Software Configuration Guide For Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers vii
...-In 3-57 Configure the Modem for Dial-Out 3-57 Configuration Example 3-58 Configuring 1-Port G.SHDSL WAN Interface Card 3-58 Restrictions 3-59 Prerequisites 3-59 Configuration Tasks 3-59 Configuring G.SHDSL on a Cisco Router 3-60 Configuring ILMI on the DSLAM Connected to the ADSL WAN 3-62 Verifying ATM Configuration 3-62 Configuration Examples... 4-8 Router SJ Configuration 4-8 Router SLC Configuration 4-9 PSTN Gateway Access Using FXO Connection (PLAR Mode) 4-9 Router SJ Configuration 4-9 Software Configuration Guide For Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers vii
Software Configuration Guide
Page 8
... Router 3 Configuration 4-11 Where to Go Next 4-11 Configuration Examples A-1 Cisco 2600 Series Router Configuration Example A-1 Cisco 3631 Router Configuration Example A-6 Cisco 3725 Router Configuration Example A-10 1-Port ADSL WAN Interface Card Configuration Examples A-12 VoATM over AAL2 on the ATM Interface Configuration Example ...Alarms A-22 Discrete Alarm A-22 Analog Alarm Monitoring Current A-22 Analog Alarm Monitoring Current Configured as a Discrete A-22 Cisco 3640 Central Site Configuration to Support ISDN and Modem Calls A-23 Configuration in CPE Mode Example A-25 Configuration in CO...
... Router 3 Configuration 4-11 Where to Go Next 4-11 Configuration Examples A-1 Cisco 2600 Series Router Configuration Example A-1 Cisco 3631 Router Configuration Example A-6 Cisco 3725 Router Configuration Example A-10 1-Port ADSL WAN Interface Card Configuration Examples A-12 VoATM over AAL2 on the ATM Interface Configuration Example ...Alarms A-22 Discrete Alarm A-22 Analog Alarm Monitoring Current A-22 Analog Alarm Monitoring Current Configured as a Discrete A-22 Cisco 3640 Central Site Configuration to Support ISDN and Modem Calls A-23 Configuration in CPE Mode Example A-25 Configuration in CO...
Software Configuration Guide
Page 12
Cards" Appendix C, "Using the ROM Monitor" Describer how the ROM Monitor works in contexts where italic font is not available. Keywords or arguments that appear within ...-line interface (CLI) to configure basic router functionality. Configuring Voice-over-IP Describes how to Facility configure your router. Examples of the Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers. Configuration Examples Provides configuration examples of information displayed on the screen. Variables for example passwords, appear in angle brackets in...
Cards" Appendix C, "Using the ROM Monitor" Describer how the ROM Monitor works in contexts where italic font is not available. Keywords or arguments that appear within ...-line interface (CLI) to configure basic router functionality. Configuring Voice-over-IP Describes how to Facility configure your router. Examples of the Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers. Configuration Examples Provides configuration examples of information displayed on the screen. Variables for example passwords, appear in angle brackets in...
Software Configuration Guide
Page 14
...; Regulatory Compliance and Safety Information • Cisco 3600 Series Routers Hardware Installation Guide • Cisco 3620 and Cisco 3640 Modular Access Routers Quick Start Guide • Cisco 3660 Modular Access Router Quick Start Guide • Cisco Network Modules Hardware Installation Guide • Cisco WAN Interface Cards Hardware Installation Guide • Cisco RPS Hardware Installation Guide • Regulatory Compliance...
...; Regulatory Compliance and Safety Information • Cisco 3600 Series Routers Hardware Installation Guide • Cisco 3620 and Cisco 3640 Modular Access Routers Quick Start Guide • Cisco 3660 Modular Access Router Quick Start Guide • Cisco Network Modules Hardware Installation Guide • Cisco WAN Interface Cards Hardware Installation Guide • Cisco RPS Hardware Installation Guide • Regulatory Compliance...
Software Configuration Guide
Page 15
... Documents Table 1 Related and Referenced Documents (continued) Cisco Product Document Title Cisco 3700 series routers • Cisco 3700 Series Routers Hardware Installation Guide • Cisco 3725 and Cisco 3745 Modular Access Routers Quick Start Guide • Cisco Network Modules Hardware Installation Guide • Cisco WAN Interface Cards Hardware Installation Guide Cisco IOS software Note Refer to the modular reference...
... Documents Table 1 Related and Referenced Documents (continued) Cisco Product Document Title Cisco 3700 series routers • Cisco 3700 Series Routers Hardware Installation Guide • Cisco 3725 and Cisco 3745 Modular Access Routers Quick Start Guide • Cisco Network Modules Hardware Installation Guide • Cisco WAN Interface Cards Hardware Installation Guide Cisco IOS software Note Refer to the modular reference...
Software Configuration Guide
Page 17
..., you can order documentation through the online Subscription Store: http://www.cisco.com/go/subscription • Nonregistered Cisco.com users can mail your convenience many documents contain a response card behind the front cover. The CD-ROM package is available in the following address: Cisco Systems, Inc. After you complete the form, click Submit to...
..., you can order documentation through the online Subscription Store: http://www.cisco.com/go/subscription • Nonregistered Cisco.com users can mail your convenience many documents contain a response card behind the front cover. The CD-ROM package is available in the following address: Cisco Systems, Inc. After you complete the form, click Submit to...
Software Configuration Guide
Page 22
... Understanding Interface Numbering Chapter 1 Understanding Interface Numbering and Cisco IOS Software Basics Table 1-1 Router Models Model Cisco 2610 Cisco 2610XM Cisco 2611 Cisco 2611XM Cisco 2612 Cisco 2613 Cisco 2620 Cisco 2620XM Cisco 2621 Cisco 2621XM Cisco 2650 Cisco 2650XM Cisco 2651 Cisco 2651XM Cisco 2691 Ethernet (10BASE-T) 1 2 1 Token-Ring (RJ-45) 1 1 WAN Fast Ethernet Network Interface (10/100) Module Slot Card Slots 1 2 1 1 2 1 2 2 1 2 1 2 1 2 1 1 2 1 1 2 2 1 2 2 1 2 1 1 2 1 1 2 2 1 2 2 1 2 2 1 3 Advanced Integration Module Slots...
... Understanding Interface Numbering Chapter 1 Understanding Interface Numbering and Cisco IOS Software Basics Table 1-1 Router Models Model Cisco 2610 Cisco 2610XM Cisco 2611 Cisco 2611XM Cisco 2612 Cisco 2613 Cisco 2620 Cisco 2620XM Cisco 2621 Cisco 2621XM Cisco 2650 Cisco 2650XM Cisco 2651 Cisco 2651XM Cisco 2691 Ethernet (10BASE-T) 1 2 1 Token-Ring (RJ-45) 1 1 WAN Fast Ethernet Network Interface (10/100) Module Slot Card Slots 1 2 1 1 2 1 2 2 1 2 1 2 1 2 1 1 2 1 1 2 2 1 2 2 1 2 1 1 2 1 1 2 2 1 2 2 1 2 2 1 3 Advanced Integration Module Slots...
Software Configuration Guide
Page 26
... left, above slot 2 • Slot 5 is at the right, above slot 3. • Slot 6 is at the top left , above slot 1. For the Cisco 3620 and Cisco 3640 routers shown in interfaces like the FastEthernet port at the bottom center near the power supply. • Slot 1 is at the bottom left... 1-4 and Figure 1-5, the slots are numbered as viewed from the rear of the chassis), near the Console/AUX ports • Slot 0 for all WAN interface card (WIC) interfaces • Slot 1 for network module interfaces at the bottom left. • Slot 2 for network module interfaces at the top left , above ...
... left, above slot 2 • Slot 5 is at the right, above slot 3. • Slot 6 is at the top left , above slot 1. For the Cisco 3620 and Cisco 3640 routers shown in interfaces like the FastEthernet port at the bottom center near the power supply. • Slot 1 is at the bottom left... 1-4 and Figure 1-5, the slots are numbered as viewed from the rear of the chassis), near the Console/AUX ports • Slot 0 for all WAN interface card (WIC) interfaces • Slot 1 for network module interfaces at the bottom left. • Slot 2 for network module interfaces at the top left , above ...