User Guide
Page 1
... describes how to operate the Cisco 2811 and Cisco 2821 Integrated Services Routers (without an AIM card installed) in a secure FIPS 140-2 mode. FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. This document contains the following sections:
• Introduction, page 1
• Cisco 2811 and Cisco 2821 Routers, page 2
• Secure Operation of the Cisco 2811 or Cisco 2821 Router, page 22
• ...
User Guide
Page 2
... merging the voice and data infrastructure to reduce costs. The Cisco 2811 and Cisco 2821 routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the Cisco 2811 and Cisco 2821 routers; the "Secure Operation of the Cisco 2811 or Cisco 2821 Router" section on page 22 specifically addresses the configuration required to operate the module in FIPS mode. Document Organization: The Security Policy document is ...
User Guide
Page 3
... [Figure: Cisco 2811 Rear Panel Physical Interfaces. Callouts: HWIC0 to HWIC3, PVDM0 and PVDM1, AIM0 and AIM1, FE 0/0 and FE 0/1 with LEDs A=ACT, A=FDX, S=SPEED, A=LINK.] The Cisco 2811 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100 Ethernet RJ-45 ports (FE 0/0 and FE 0/1), an Enhanced Network Module (ENM) slot, and a Compact Flash (CF) drive. All of ... 350 MHz. ... the interface for cryptographic operations. The Cisco 2811 router supports one single-width network module ...
User Guide
Page 4
... flash busy status. The back panel contains the following:
• (1) Power inlet
• (2) Power switch
• (3) Optional RPS input
• (4) Console and auxiliary ports
• (5) USB ports
• (6) CF drive
• (7) LEDs (described according to the AIM module installed)
The front panel contains the following:
• (1) Ground connector
• (2) and (3) Ethernet ports and LEDs
• (4) to (7) HWIC slots
• (8) ENM slot
Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security...
User Guide
Page 5
... Ethernet LED states (OL-8663-01):
  LED             State                 Description
  Activity (ACT)  Off                   Not receiving packets
                  Solid/Blinking Green  Receiving packets
  Duplex (FDX)    Off                   Half-Duplex
                  Solid Green           Full-Duplex
  Speed           One Blink Green       10 Mbps
                  Two Blink Green       100 Mbps
  Link            Off                   No link established
                  Solid Green           Ethernet link is established
The physical interfaces are separated into the logical interfaces defined by FIPS 140-2 as described in Table 4: ...
User Guide
Page 8
... covering the Cisco 2811 and Cisco 2821 routers with this security policy. Cisco 2811 and Cisco 2821 Routers. [Figure 6: Cisco 2821 Rear Panel Physical Interfaces. Callouts: GE 0/0 and GE 0/1 with LEDs A=ACT, A=FDX, S=SPEED, A=LINK; PVDM0 to PVDM2; AIM0 and AIM1; EVM slot.] The Cisco 2821 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100/1000 Gigabit Ethernet RJ-45 ports (GE 0/0 and GE 0/1), an Enhanced Network Module (ENM) slot, a Voice Network Module (VeNoM) slot, and a Compact Flash (CF...
User Guide
Page 9
... installed and initialized error. Each module slot LED reports one of three states: not installed, installed and initialized, or installed and initialized with error:
• PVDM1: not installed / installed and initialized / installed and initialized error
• PVDM0: not installed / installed and initialized / installed and initialized error
• AIM1: not installed / installed and initialized / installed and initialized error
• AIM0: not installed / installed and initialized / installed and initialized error
Table 7 describes the meaning of the Ethernet LEDs on the front panel: ...
User Guide
Page 11
... the following:
• Status Functions: view the state of interfaces and protocols, and the version of files kept in flash memory.
... is considered an internal memory module. ... to a LAN port ...
Roles and Services: Authentication in the Cisco 2811 and Cisco 2821 is role-based. The module supports RADIUS and TACACS+ for username and password authentication. If the password is correct, the User is allowed entry. ...
User Guide
Page 12
... serialized tamper-evidence labels.
• Define Rules and Filters: ... based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
• View Status Functions: view the router configuration, routing tables, and active sessions; use SNMP gets to view MIB statistics, health, temperature, memory status, voltage, and packet statistics; review accounting logs; and view physical interface status.
• Manage the Router: log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.
• Set Encryption...
User Guide
Page 15
... that specific tunnel only. ... via electronic key entry. This command will zeroize each key from DRAM and from the running configuration. The following command will zeroize the IPSec DES/3DES/AES session key: ... (which is also used, with support for key establishment, despite being non-approved). X9.31 PRNG.
• Onboard hardware implementations: see the Cisco IOS Reference Guide.
All pre-shared keys are ...
User Guide
Page 17
... address. Storage: NVRAM (plaintext). Zeroization: zeroized by overwriting ... it onto the peer. "# no username password"; automatically when the SSH session terminates; overwrite with new password; overwrite with care. Storage: DRAM (plaintext). The authentication key used ...; because this command does not decrypt the configuration file, zeroize by overwriting with a new password. This key ...
User Guide
Page 18
... Status Functions, Network Functions, Terminal Functions, Directory Services.
Crypto-Officer Role: Configure the Router, Define Rules and Filters, Status Functions, Manage the Router, Set Encryptions/Bypass, Change WAN Interface Cards.
SRDI/Role/Service Access Policy (r = read, w = write, d = delete). Security Relevant Data Item: PRNG Seed: r; DH private exponent: r; DH public key: r; ... d r w d / r w d / r w d ...
Storage: NVRAM (plaintext), DRAM (plaintext). Zeroization: overwrite with new password; "# no radius-server key ...
User Guide
Page 23
... documents:
• Cisco 2800 Series Integrated Services Routers Quick Start Guides
• Cisco 2800 Series Hardware Installation documents
RSA - ... Since SNMP v2C uses community strings for authentication, only gets are allowed, secured through IPSec using FIPS-approved algorithms. Note that any remote connection must be made via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that all users must still authenticate after remote access ...
Quick Start Guide
Page 6
... document contains translations of ... Items Included:
• Rack-mount brackets (with AC-powered routers); optional 23-inch rack-mount brackets, if ordered
• Cisco product registration card
• Ethernet cable for LAN interface
• AC power cord
• ... with screws ... for management access
• Cisco 2800 Series and Cisco 3800 Series Regulatory Compliance and Safety Information document
• Cisco Router and Security Device Manager (SDM) Quick Start Guide document
• Cisco 2800 Series Integrated Services Routers Quick Start Guide (this document)
Items Not Included: Individual items ... in this quick start guide ...
Quick Start Guide
Page 29
... For initial configuration using SDM to configure the router, see the ... section; for the setup command facility, see the "Initial Configuration Using the Setup Command Facility" section; for the CLI, see the "Initial Configuration Using the Cisco CLI-Manual Configuration" section; for information on using ROM monitor, see ... When you power on the router, the ... LED on the front of the chassis blinks green and the fans operate. If the rommon 1> prompt appears, your router ...
• If you see the prompt "Would you like to enter the initial configuration dialog? [yes/no]:", ... To learn how to get started ... At any ... keys on ...
Quick Start Guide
Page 33
... mark '?' ... Default settings are in the configuration. Initial Configuration Using the Setup Command Facility: This section shows how to use the setup command facility for initial configuration; you can then use the CLI or Cisco Router and Security Device Manager (SDM) to perform additional configuration. When the following messages appear, press Return to enter basic management setup. Use ctrl-c to abort the configuration dialog at any prompt. The setup facility prompts you for basic information about your router model, the installed interface modules, and the software image.
Enter enable password: xxxxxx
Quick Start Guide
Page 35
... SDM and a default configuration file were installed (see page 30). Use the enabled-mode 'configure' command to modify this configuration. For interface numbering, see the "Interface Numbering" section. ... The following prompt appears on the router at the end of the startup sequence: Router> ... for the CLI configuration. Default settings are in square brackets '[]'. To use the CLI, ... respond to the following prompts. ... end ... Step 11: Respond to the prompt:
• ... to the setup without saving this config.
• [2] Save this configuration.
Choose [2] to ...
User Guide
Page 104
... Series Software Configuration Guide document. Startup messages appear ... Depending on your installation, some LEDs on installed modules might ... cause the router to ... refer to the Troubleshooting Cisco 2800 Series Routers online document. It takes a few minutes for the messages to ... Move the power switch to the ON position. For information about the configuration register, refer to the Using the ROM Monitor document. Note: To view the boot sequence, you must have ... Before you begin:
• You have determined the IP addresses for access control.
• You have a console connection to configure ...
User Guide
Page 108
... privileged EXEC and configuration modes.
Enter enable password: xxxxxx
Enter the virtual terminal password, which prevents unauthenticated access to the router through ports other than the console port. The enable password (not the virtual terminal password) is the one used when you do not specify an enable secret password, with some older software versions, and some boot images.
Current interface summary:
  Controller  Timeslots  D-Channel  Configurable modes  Status
  T1 0/0/0    24         23         pri/channelized     Administratively up
Power Up and Initial Configuration Procedures: Enter the host name for the router (this example uses Router). Configuring global parameters ...
Configuration Guide
Page 6
... password, with some older software versions, and some boot images. This password is not encrypted (less secure) and can be seen when viewing the configuration. The enable secret is a password used to protect access to privileged EXEC and configuration modes; it is stored in hashed form in the configuration. The virtual terminal password is used to protect access to the router over a network interface. When the following messages appear, press Return to enter basic management setup. Use ctrl-c to abort the configuration dialog at any prompt.
Enter virtual terminal password: xxxxxx
Current interface summary:
  Controller  Timeslots  D-Channel  Configurable modes  Status ...
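The three weak settings these guides warn about (an `enable password` that is visible in the configuration, SNMP v2c community strings that should only ever grant gets, and a virtual terminal line that admits unauthenticated network access) can be checked mechanically. The following audit script is an added example, not code from Cisco's guides or from IOS; both running-config samples are constructed for illustration, the enable secret hash is a made-up placeholder, and the check names are the author's. It also decodes IOS "type 7" strings (`service password-encryption`), which are reversible obfuscation rather than encryption, to show concretely why `enable secret` is the only acceptable choice.

```python
"""Audit a Cisco IOS running-config for the weak settings discussed above.

Added example: the configs below are constructed for illustration and are not
taken from the Cisco guides; the enable secret hash is a made-up placeholder.
"""
import re

# Fixed key stream IOS uses for "type 7" passwords (service password-encryption).
# Type 7 is reversible obfuscation, not encryption: anyone who can read the
# config can recover the password, which is why `enable secret` is preferred.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit seed, then one hex byte per character."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]) for i, b in enumerate(body)
    )


def _vty_findings(lines: list[str]) -> list[str]:
    """Check each 'line vty' block for a login method and an SSH-only transport."""
    findings = []
    i = 0
    while i < len(lines):
        header = lines[i]
        i += 1
        if not header.startswith("line vty"):
            continue
        block = []
        while i < len(lines) and lines[i].startswith(" "):  # IOS indents sub-commands
            block.append(lines[i].strip())
            i += 1
        if not any(b.startswith("login") for b in block):
            findings.append(f"{header}: no 'login', network access is unauthenticated")
        transports = [b for b in block if b.startswith("transport input")]
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"{header}: cleartext telnet not excluded, use 'transport input ssh'")
    return findings


def audit_ios_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]
    findings = []
    for ln in lines:
        # `enable password` is reversible (type 0 or 7); `enable secret` is hashed.
        m = re.match(r"enable password (?:(\d+) )?(\S+)$", ln)
        if m:
            if m.group(1) == "7":
                findings.append(f"enable password is type 7, recovered: {decode_type7(m.group(2))!r}")
            else:
                findings.append(f"enable password is cleartext in the config: {m.group(2)!r}")
        # SNMP v2c authenticates with a community string sent in the clear,
        # so a RW community lets anyone who sniffs it change the configuration.
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", ln, re.I)
        if m and m.group(2).upper() == "RW":
            findings.append(f"SNMP community {m.group(1)!r} is RW; allow only gets (RO) over v2c")
    findings.extend(_vty_findings(lines))
    return findings


# Constructed sample: the "before" config with the weak settings.
WEAK_CONFIG = """\
hostname Router
enable password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
line con 0
 login
line vty 0 4
 transport input telnet
"""

# Constructed sample: the same router hardened (placeholder enable secret hash).
HARDENED_CONFIG = """\
hostname Router
enable secret 5 $1$Qx7k$0c3n2kq1Jt9LzYhP8vS6m.
snmp-server community monitor RO
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_ios_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against a `show running-config` capture instead of the samples to audit a real router. The weak sample produces four findings, including the recovered type 7 password, while the hardened sample produces none; note that the audit treats an RO community as acceptable only because the guide restricts SNMP v2c to gets carried inside the IPsec tunnel, so the community string itself never crosses the network in the clear.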