Critical high-bandwidth business applications have created a need for ubiquitous connectivity and increased performance. Enterprises and service providers require high performance and secure connectivity. Many enterprises augment or replace their traditional WANs with site-to-site and remote-access VPNs to better accommodate these new connectivity requirements. Service providers are also offering managed VPN services, including virtualized network-based VPNs.
Figure 1. Cisco IPSec VPN Services Module for the Cisco Catalyst 6500 Series and Cisco 7600 Series
The Cisco® IPSec VPN Services Module (VPNSM) delivers cost-effective VPN performance for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers. Primary VPN features delivered by the Cisco IPSec VPNSM include:
• Security integrated into network infrastructure: The Cisco IPSec VPNSM supports Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers. By integrating VPNs into these infrastructure platforms, the network can be secured without extra overlay equipment or network alterations. Furthermore, the broad range of LAN and WAN interfaces, as well as the entire line of security services modules (VPN, firewall, network anomaly detection, intrusion detection and prevention, content services, Secure Sockets Layer [SSL], and wireless LAN), can now be used within the same platform.
• High performance: Using the latest in encryption hardware acceleration technology, each Cisco IPSec VPNSM can deliver up to 1.9 Gbps of Triple Data Encryption Standard (3DES) traffic at large packet sizes (more than 500 bytes) and 1.6 Gbps of 3DES traffic at average packet sizes as defined by internet mix traffic (IMIX).
• Scalability: The Cisco IPSec VPNSM can terminate up to 8000 site-to-site or remote-access IPSec tunnels simultaneously and can establish those tunnels at up to 65 new tunnels per second. Furthermore, Dynamic Multipoint VPN (DMVPN) enables a zero-touch, fully dynamic deployment of partial or full-mesh IPSec VPNs over a hub-and-spoke topology.
• VPN resiliency and high availability: Using innovative features such as stateful failover for IPSec and generic routing encapsulation (GRE), Hot Standby Router Protocol with Reverse Route Injection (HSRP+RRI), Dead Peer Detection (DPD), and support of dynamic routing updates over site-to-site tunnels, the Cisco IPSec VPNSM provides superior VPN resiliency and high availability.
• Provides advanced security services: Adding strong encryption, authentication, and integrity to network services is easy with the Cisco IPSec VPNSM. Secured campus and provider-edge VPN applications, including integrated data, voice, and video-enabled VPN; storage area networks; and integration of IPSec and MPLS VPNs, are now easily deployable. The Cisco IPSec VPNSM provides advanced site-to-site and remote-access IPSec services over both LAN and WAN interfaces.
CISCO IPSEC VPNSM OVERVIEW
The Cisco IPSec VPNSM is a full-slot card that fits into Cisco Catalyst 6500 Series and Cisco 7600 Series chassis. It does not have physical WAN or LAN interfaces; instead, it takes advantage of the LAN and WAN interfaces of the platform. Cisco IPSec VPNSM features are detailed in Table 1, and part numbers are listed in Table 2.
Table 1. Cisco IPSec VPNSM Features
High-Speed VPN Performance
High-speed VPN performance provides up to 1.9 Gbps of 3DES IPSec throughput with large packets and 1.6 Gbps with IMIX traffic.
Up to 10 Cisco IPSec VPNSMs can be installed in a system to provide up to 19 Gbps of total throughput, enabling wire-speed secured transport for native 10 Gigabit Ethernet interfaces.
Full Integration of the VPN into the Network Infrastructure
The Cisco IPSec VPNSM supports Cisco Catalyst 6500 Series and Cisco 7600 Series chassis and LAN and WAN interfaces, enabling an integrated security approach to building a VPN in your infrastructure. No separate VPN devices are needed within your campus, intranet, Internet data center, or point of presence (POP).
Comprehensive VPN Features
The Cisco IPSec VPNSM provides hardware acceleration for both IPSec and GRE, comprehensive support of site-to-site IPSec, remote-access IPSec, and Certificate Authority/Public Key Infrastructure (CA/PKI).
Diverse Network Traffic Types and Topologies
® Software supports secure, reliable transport of virtually any type of network traffic, including multiprotocol, multicast, and IP telephony across the IPSec VPN. Rich routing capabilities enable meshed and hierarchical network topologies.
VPN Resiliency and High Availability
Routing over IPSec tunnels, DPD, HSRP+RRI, and intrachassis and interchassis stateful failover for both IPSec and GRE provide superior VPN resiliency and high availability.
DMVPN enables a dynamic partial-mesh or full-mesh site-to-site VPN while greatly simplifying the management of large VPN deployments. DMVPN enables dynamic spoke-to-spoke tunnel establishment without preconfiguration in the spoke routers, and enables the VPN to dynamically add or remove spoke routers without any change to other spoke configurations. This improves network performance by reducing latency and jitter while optimizing main office bandwidth utilization.
Virtual Routing and Forwarding (VRF)-Aware IPSec VPN
VRF-aware IPSec features enable mapping of IPSec tunnels to VRF instances to provide network-based IPSec VPNs, and the integration of IPSec with MPLS VPNs. This feature enables service providers, large enterprises, and educational institutions to build secure, scalable, and virtualized VPN services across their network infrastructures.
VPN and Network Infrastructure Management
Comprehensive systems help manage solutions, from a single platform to hundreds or even thousands of platforms. Element management uses the Cisco Router Management Center (Router MC) and VPN monitor components of the CiscoWorks VPN/Security Management Solution (VMS). These features allow comprehensive end-to-end VPN management of numerous platforms throughout your network using the Cisco IP Solution Center (ISC) for service provider and large enterprise VPN, security, and quality of service (QoS).
Table 2. Part Numbers and Ordering Information
Cisco Part Number
Cisco IPSec VPN Services Module for the Cisco Catalyst 6500 Series and Cisco 7600 Series
Cisco Catalyst 6503 VPN system: Cisco Catalyst 6503E chassis, Supervisor Engine 720-3B, integrated dual gigabit interface converter (GBIC), IPSec VPNSM, with one open slot for expansion
Cisco Catalyst 6506 VPN system: Cisco Catalyst 6506E chassis, Supervisor Engine 720, integrated dual GBIC, IPSec VPNSM, with four open slots for expansion