Cisco Network-Based Security Services Solution

Release Notes for Cisco Network-Based Security Service Solution 2.0

Contents

These release notes contain the following sections:

Introduction

System Requirements

Software Features

Limitations

Caveats

Related Documentation

Introduction

The Cisco Network Based Security Services solution Release 2.0 allows a service provider to offer scalable security services such as secure on-net and off-net remote access, remote site-to-site connectivity, and virtual firewall services.

The Cisco Network Based Security Services solution Release 2.0 uses the Cisco 7600 series router as an IPSec aggregation router, a virtual firewall device, and a provider edge (PE) router, integrating these security services with Multiprotocol Label Switching (MPLS)-based IP Virtual Private Networks (VPNs).

System Requirements

Hardware Supported

The key hardware components for Cisco Network Based Security Services solution Release 2.0 are the Cisco 7600 series routers with Supervisor Engine 720, Firewall Service Module (FWSM), and the VPN Service Module (VPNSM).

The following Cisco platforms can be used as customer premises equipment at the remote locations for IPSec termination to the Cisco 7600 series router:

Cisco PIX Firewall with EzVPN client

Cisco VPN 3002 hardware client

Any Cisco access router supporting IPSec, such as the Cisco 800 series, Cisco 1700 series, and Cisco 2600 series.

The Cisco VPN client can be used as a remote access client on a PC, laptop, and other hand-held devices for IPSec termination to the Cisco 7600 series router.

Table 1 outlines the key components of the solution.

Table 1 Solution Key Components

Component type: Security Services PE
  Hardware: Cisco 7603, Cisco 7606, Cisco 7609, Cisco 7613
  Minimum software version required: Cisco IOS Release 12.2(18)SXD1
  Minimum flash memory required (MB): 64
  Minimum DRAM required (MB): 512

Component type: Firewall
  Hardware: Cisco Firewall Service Module for Cisco 7600 series routers
  Minimum software version required: FWSM ver 2.2
  Minimum flash memory required (MB): NA
  Minimum DRAM required (MB): NA

Component type: IPSec
  Hardware: Cisco IPSec VPN Service Module for Cisco 7600 series routers
  Minimum software version required: NA
  Minimum flash memory required (MB): NA
  Minimum DRAM required (MB): NA


Software Features

Key software features supported by this solution for Virtual Firewall service are:

Multiple Security Contexts

Context Access Control

Resource Limiter

Network Access Control

Network Address Translation

Protocol Fixups

External URL Filtering

Inter/Intra-chassis Failover

Key software features supported by this solution for IPSec VPN service are:

VRF Aware IPSec

IPSec VPN Client support

GRE support

Reverse Route Injection (RRI)

Support for Easy VPN Client/Server model

Radius support for AAA

NAT Transparency

Dead Peer Detection

IPSec Idle-Timeout

Public Key Infrastructure (PKI) support

IKE Call Admission Control

Limitations

The known limitations for this solution are:

Up to four FWSM modules are supported per chassis.

FWSM does not support any routing protocols in routed mode.

Only one VPNSM module is supported per chassis.

IPSec implementation is supported only with Supervisor 720 on the Cisco 7600.

Front-door VRF (FVRF), the ability to have the ingress interface in a VRF, is not supported with the Cisco 7600 implementation.

Encrypted GRE tunnels are supported in the "tunnel protection" mode only.

Tunnel options are not supported for encrypted GRE tunnels in VRF mode.

Stateful failover for IPSec VPN is not supported.

VRF-aware Dynamic Multipoint VPN (DMVPN) is not supported.

MPLS over GRE is not supported on Supervisor 720, which prevents PE-to-PE encryption from being deployed on the Cisco 7600.

QoS service policy cannot be applied on the GRE interfaces. It must be applied on the outbound physical/VLAN interface.

Per-VRF AAA is not supported for IPSec VPN.

IKE call admission limits are not currently supported.

QoS pre-classification for IPSec packets is not currently supported.

Caveats

Table 2 lists the caveats that apply to this solution. For a complete listing of caveats, see the release notes for Cisco IOS Release 12.2SX.

Table 2 Solution Caveats

CSCef77289 (Open)
  Description: A Cisco 7600 router with a Sup720 and VPNSM, configured for IPSec tunnels that use a loopback address as the crypto local endpoint, can reload if the loopback interface is removed while IPSec tunnels are established.
  Explanation/Workaround: Do not change or remove the IP address used as the local crypto source while there are active IPSec tunnels.

CSCef77822 (Open)
  Description: If the "match address <acl>" statement in a crypto map is changed, the crypto maps are removed from the VPNSM and are not downloaded again, so no crypto tunnels come up.
  Explanation/Workaround: Reset the module with the command "hw-module module <slot> reset".

CSCef40191 (Open)
  Description: GRE interface packet rate counters do not increment.
  Explanation/Workaround: Cosmetic defect; data traffic is not affected.

CSCef63670 (Open)
  Description: GRE tunnel keepalives are not supported in VRF mode.
  Explanation/Workaround: Use IPSec Dead Peer Detection (DPD) instead.

CSCef64919 (Resolved)
  Description: After routing flaps, a console message about VPN-SM IKE ID exhaustion is displayed repeatedly.
  Explanation/Workaround: Configure Call Admission Control (CAC) using "call admission load [#]".

Related Documentation

For information related to the Cisco 7600 product, please refer to: http://www.cisco.com/en/US/products/hw/routers/ps368/index.html

For the Cisco IOS Release 12.2SX release notes, please refer to: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00801c8339.html

For general information related to the FWSM service module, please refer to: http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet0900aecd800fa576.html

For the FWSM 2.2 configuration guide, please refer to: http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_book09186a00802010f2.html

For the FWSM 2.2 general release notes, please refer to: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a0080225e11.html

For information on the VPNSM service module, please refer to: http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a00800c4fe2.html