Cisco XR 12000 Series IPSec VPN Shared Port Adapter

Data Sheet

The modular design of the Cisco® XR 12000 Series Routers combines shared port adapters (SPAs) and SPA interface processors (SIPs), and enables service prioritization for data, voice, and video services. This extensible design maximizes connectivity options and offers superior service intelligence through programmable interface processors that deliver line-rate performance. Modularity enhances speed-to-service revenue and provides a rich set of quality of service (QoS) features for premium service delivery while effectively reducing the overall cost of ownership. This data sheet contains the specifications for the Cisco XR 12000 Series IPsec VPN Shared Port Adapter.

PRODUCT OVERVIEW

Service providers and enterprises require ubiquitous and secure connectivity to address today's mission-critical, high-bandwidth applications. Many service providers deploy IPsec VPN technology to geographically extend their existing VPNs, and use IPsec to give remote users access to their corporate VPNs. Enterprises replace their traditional WANs with site-to-site and remote-access VPNs with this technology as well. The Cisco XR 12000 IPsec VPN SPA offers next-generation encryption technology and a form factor designed to enable a more flexible and scalable network infrastructure (see Figure 1).

Figure 1. Cisco XR 12000 IPsec VPN SPA

The Cisco IPsec VPN SPA delivers scalable and cost-effective VPN performance for Cisco XR 12000 Series Routers. Using the Cisco XR 12000 SIP cards (401, 501, and 601), each slot of the Cisco XR 12000 Series Router can support up to two Cisco IPsec VPN SPAs, or any mixture of the Cisco IPsec VPN SPA with other interface SPA types on the same SIP card. Although the Cisco IPsec VPN SPA does not have physical interfaces, it takes advantage of the breadth of interfaces on the Cisco XR 12000 Series Router.

KEY FEATURES AND BENEFITS

Table 1 lists the primary features of the Cisco IPsec VPN SPA.

Table 1. Features of Cisco XR 12000 IPsec VPN SPA

| Feature | Description |
|---|---|
| Next-generation encryption technology | In addition to supporting Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES), the Cisco IPsec VPN SPA supports Advanced Encryption Standard (AES), including all key sizes (128-, 192-, and 256-bit keys). Designed to be the next-generation encryption technology, AES offers the ultimate in IPsec VPN security and interoperability. |
| High-speed VPN performance | High-speed VPN performance provides up to 2.5 Gbps of AES and 3DES IPsec throughput with large packets and 1.6 Gbps with Internet mix (IMIX) traffic. |
| Scalability | Up to 20 Cisco IPsec VPN SPAs can be installed in a Cisco 12416 Router (10 slots with 2 SPAs per slot, plus 2 route processors and 4 line cards with line interfaces) to provide up to 50 Gbps of total throughput. The Cisco IPsec SPA can scale up to 16,000 tunnels for remote access and remote user VPN access. Tunnel establishment is relatively constant for all 16,000 tunnels with an average rate of 100 tunnels per second. |
| Attractive form factor | Using the Cisco SIP cards, up to 2 Cisco IPsec VPN SPAs can be installed in each slot, or any mixture of the IPsec VPN SPA with other interface SPA types. The half-slot form factor of the SPA reduces slot consumption and increases total performance per slot for flexible mixing and matching. Note: Support for SPA mixture on the same SIP LC will be introduced in IOS-XR3.5 release. |
| Jumbo-frame support | The Cisco IPsec VPN SPA supports jumbo frames of up to 9200 bytes without the need for fragmentation. |
| Full integration of secure VPN into the network infrastructure | The Cisco IPsec VPN SPA supports all the Cisco XR 12000 Series Router interfaces in the chassis. No separate VPN devices are needed within the network, intranet, Internet data center, or point of presence (POP). |
| Comprehensive VPN features | The Cisco IPsec VPN SPA provides hardware acceleration for IPsec and generic routing encapsulation (GRE), comprehensive support of site-to-site IPsec, remote-access IPsec, and certificate authority/public key infrastructure (CA/PKI). |
| Diverse network traffic types and topologies | Cisco IOS XR Software supports secure, reliable transport of virtually any type of network traffic, including multicast and IP telephony across the IPsec VPN. |
| VPN resiliency and high availability | The Cisco IPsec VPN support on XR12K harnesses the high-availability capabilities of Cisco IOS XR Software, such as Stateful Switch Over (SSO), In Service Software Upgrade (ISSU), etc. It also supports routing over IPsec tunnels, dead-peer detection (DPD), reverse route injection (RRI), and intra-chassis stateful failover (active-active) for IPsec and GRE. The IPsec capabilities provide superior VPN resiliency and high availability. |
| Virtual Route Forwarding (VRF)-aware IPsec VPN | VRF-aware IPsec features help enable mapping of IPsec tunnels to VRF instances to provide network-based IPsec VPNs, and the integration of IPsec with Multiprotocol Label Switching (MPLS) VPNs. This feature helps service providers, large enterprises, and other organizations to build secure, scalable, and virtualized VPN services across their network infrastructures. |
| QoS | The Cisco IPsec VPN SPA provides complete and consistent QoS to support service-level agreements (SLAs) with the same level of QoS that is provided on the Cisco XR 12000 Series for traditional VPN access technologies such as Frame Relay, ATM, and VLANs. |

The features listed in Table 1 provide the following benefits for service providers and enterprises:

Security integrated into network infrastructure - The Cisco IPsec VPN SPA supports Cisco XR 12000 Series Routers. By integrating VPN capabilities into these infrastructure platforms, VPN services can be delivered over a network in which the service provider has no physical presence and remote users can access their corporate VPN securely. Furthermore, the broad range of Cisco XR 12000 Series interfaces and services (including Session Border Control and virtual firewall in the future) can be used within the same platform.

Industry-leading technology - In addition to DES and 3DES, the Cisco IPsec VPN SPA introduces AES, the new standard in encryption technology demanded by most government agencies and leading financial institutions in the most secure network environments.

High performance - Each Cisco IPsec VPN SPA can deliver up to 2.5 Gbps of AES and 3DES encrypted data traffic. Additionally, it can terminate up to 16,000 site-to-site or remote-access IPsec tunnels simultaneously and can set up those tunnels at an average establishment rate of 100 new tunnels per second for all 16,000 tunnels.

Scalable form factor - Each slot of the Cisco XR 12000 Series Router can support up to two Cisco IPsec VPN SPAs. Up to 20 Cisco IPsec VPN SPAs can be combined in a single Cisco 12416 chassis to provide maximum throughput of 50 Gbps. Additionally, the half-slot form factor of the Cisco IPsec VPN SPA allows the customer to reduce slot consumption, potentially reducing cost while enhancing per-slot and overall system encryption performance.

VPN resiliency and high availability - Using innovative features such as stateful failover for IPsec and support of dynamic routing updates over site-to-site tunnels, the IPsec VPN SPA provides superior VPN resiliency and high availability.

Advanced security services - Adding strong encryption, authentication, and integrity to network services is easy with the Cisco IPsec VPN SPA. The SPA simplifies deployment of secure service provider edge and campus VPN applications, including integrated data-, voice-, and video-enabled VPN; storage-area networks (SANs); and integration of IPsec and MPLS VPNs. The Cisco IPsec VPN SPA provides advanced site-to-site and remote-access IPsec services over all types of interfaces.

PRODUCT SPECIFICATIONS

Table 2 lists specifications of the Cisco IPsec VPN SPA.

Table 2. Product Specifications

| Description | Specification |
|---|---|
| VPN tunneling | IPsec (RFCs 2401-2411 and 2451); Encapsulating Security Payload (ESP); Authentication Header (AH) |
| Encryption | DES; 3DES; AES |
| Authentication | X.509 digital certificates (RSA signatures); Diffie-Hellman group 1, 2, and 5; Preshared keys; RADIUS (RFC 2138) |
| Integrity | Hashed Message Authentication Code with MD5 (HMAC-MD5) and with Secure Hash Algorithm-1 (HMAC-SHA-1) (RFCs 2403 and 2404) |
| Key management | Internet Key Exchange (IKE; RFCs 2407-2409); IKE-XAUTH; IKE-CFG-MODE |
| CA/PKI support | Simple Certificate Enrollment Protocol (SCEP); Microsoft |
| Resiliency and high availability | RRI; Intra-chassis active/active IPsec stateful failover; DPD; Dynamic routing across IPsec (see "Routing Protocols" section of this table) |
| Routing protocols | Border Gateway Protocol Version 4 (BGPv4); Routing Information Protocol (RIP) and RIP Version 2 (RIPv2); Open Shortest Path First (OSPF); Enhanced Interior Gateway Routing Protocol (EIGRP) and IGRP |
| SIP engines | Cisco 12000 Series SPA Interface Processor-401, -501, and -601 |
| Physical dimensions | Length: 5.92 in. (15 cm); Width: 6.75 in. (17.15 cm); Height: 1.52 in. (3.9 cm) |
| Power | 40 watts |
| Approvals and compliance | EMC: FCC Part 15 (CFR 47) Class A; ICES-003 Class A; EN55022 Class A; CISPR22 Class A; AS/NZSCISPR Class A; VCCI Class A; EN55024; EN300 386; EN50082-1; EN61000-3-2; EN61000-3-3 |
| | Safety Compliance: UL 60950; IEC 60825-1, -2; IEC 60950; EN 60950; EN 60825-1, -2; CAN/CSA-C22.2 No. 60950-00; AS/NZS 3260-1993; 21CFR1040 |
| | NEBS and Environmental Standard Compliance: GR-63-Core NEBS Level 3; GR-1089-Core NEBS Level 3; ETSI 300 019 Storage Class 1.1; ETSI 300 019 Transportation Class 2.3; ETSI 300 019 Stationary Use Class 3.1 |

ORDERING INFORMATION

To place an order, visit the Cisco Ordering Home Page. Table 3 lists ordering information for the Cisco IPsec VPN SPA and SIP cards.

Table 3. Ordering Information

| Product Name | Part Number |
|---|---|
| Cisco XR 12000 Series IPsec VPN Shared Port Adapter | SPA-IPSEC-2G-2, SPA-IPSEC-2G-2= |
| Cisco XR 12000 Series SPA Interface Processor-401, -501, and -601 | 12000-SIP-401, 12000-SIP-501, 12000-SIP-601 |

CERTIFICATIONS

Cisco is committed to maintaining an active product certification and evaluation program for customers worldwide, and is a leader in providing certified and evaluated products to the marketplace. Cisco will continue to work with international security standards bodies to help shape the future of certified and evaluated products, and will work to accelerate certification and evaluation processes. Certification and evaluation are considered at the earliest part of the company's product development cycle, and Cisco will continue to position its security products to help ensure that customers have certified and evaluated products to meet their needs. For security certification product details, visit: www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html.

SERVICE AND SUPPORT

Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, refer to Cisco Technical Support Services or Cisco Advanced Services.

FOR MORE INFORMATION

For more information about the Cisco XR 12000 IPsec VPN SPA and the Cisco SPA/SIP portfolio, visit http://www.cisco.com/go/spa or contact your local Cisco account representative.