Cisco® Integrated Services Routers provide secure, wire-speed delivery of concurrent data, voice, and video services (Figure 1). The Universal Serial Bus (USB) ports on the router enable important security and provisioning capabilities, including secure device authentication, storage of removable credentials for establishing secure VPN connections, secure distribution of configuration files, bulk flash storage for files and configuration, and booting from the USB.
Figure 1. Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers, and Cisco 7200VXR Series Services Aggregation Routers
One of the many architectural enhancements specific to the next-generation integrated services routers as well as the Cisco 7200VXR Series Services Aggregation Routers is the integration of USB ports. Two new features are available to take advantage of these USB ports: USB eToken device support and USB flash support. A USB is a low-cost, bidirectional, dynamically attachable serial interface.
The USB versions supported follow:
• USB 1.1 on the Cisco 1841 and Cisco 2800 and 3800 Series routers, and Cisco 7200VXR Series routers (with Cisco 7200VXR Network Processing Engine [NPE-G2]).
• USB 2.0 on the Cisco 871, 1811, 1812, and Cisco 7200VXR Series routers (with the NPE-G2)
The new eToken device and USB flash features are supported on all routers that have built-in USB ports, including the Cisco 871, 1811, 1812, and 1841 routers as well as the Cisco 2800 and 3800 Series Integrated Services Routers and Cisco 7200VXR Series routers (with the NPE-G2).
The USB eToken device and flash features provide Cisco routers with built-in USB ports to support eToken devices and USB flash memory. The USB eToken device feature provides secure configuration distribution and allows you to store VPN credentials for deployment. The USB eToken devices are supplied by SafeNet, and SafeNet owns the eToken trademark. To order eToken devices or for more information, please contact SafeNet at http://www.safenet-inc.com/About/ContactUs/Default.aspx?id=119. The USB flash feature allows you to store images and configurations, and boot images directly through USB flash memory. You can order USB flash memory from Cisco (Table 1).
USB eToken Device Feature
The USB eToken device feature enables device authentication and simplifies the deployment and secure configuration of Cisco routers (Figure 2). It uses smart card technology in a USB form factor to facilitate the authentication and configuration process. The token provides secure access to the router - the token and a personal identification number (PIN) are necessary to access the configuration, keys, and credentials. You can also use the token to provide the configuration to the router securely, because the configuration can be encrypted on the token.
Figure 2. Cisco 2851 Integrated Services Router with Two USB Ports; SafeNet, Inc. eToken Devices
You can use the USB eToken device to store files - it can store any file that you need to store securely and that can fit on the eToken device. The eToken device can store X.509 digital certificates as well as configuration files. You can transfer these files from the router to the eToken device with a Cisco IOS® Software command-line interface (CLI) command or by using a GUI-based software application called Token Management System (TMS), which is available from SafeNet, Inc. For more information about TMS or to order eToken devices, please visit: http://www.safenet-inc.com/About/ContactUs/Default.aspx?id=119.
USB Flash Feature
The USB flash feature provides an optional secondary storage capability and an additional boot device. Images, configurations, and other files can be copied to or from the Cisco USB flash memory with the same reliability as storing and retrieving files using the Compact Flash card. In addition, modular integrated services routers can boot any Cisco IOS Software image saved on USB flash memory. Cisco USB flash memory is available in 64-, 128-, and 256-MB sizes.
There are three main applications for these features-removable credentials, flash storage and touchless or low-touch provisioning applications.
Removable Credentials Application
This application, meaningful in VPN deployment scenarios, uses the smart card token to store the RSA key pair, one or several root certificates, and configuration for VPN deployment. When inserted into the router, the router boots from the configuration stored on the token (or from another configuration as per the CLI). The smart card in the token uses the RSA key pair and root certificates to authenticate one or more IP Security (IPsec) tunnels. The token may contain several root certificates, because a single router may initiate several tunnels to different VPNs. The number of certificates stored may vary by platform (based on role of the router). You can also use the token keys to provide the configuration to the router securely, because the configuration can be encrypted on the token key.
Because remote devices like routers tend to be deployed in less physically secure areas, there is a greater need to provide additional security. With the removable credentials feature, you can enforce two-factor authentication to provide added security at remote locations. You cannot deploy the router at the remote location unless the following two conditions are met:
• The smart card must be inserted in the router.
• You must have entered the PIN for the smart card (if not using the default token PIN).
By storing the VPN credentials on the secure eToken device, you can easily remove the credentials if you need to redeploy the router needs, return it when a lease expires, or return it for repair.
Flash Storage Application
You may deploy configurations and Cisco IOS Software images on USB token flash devices. You can use these USB flash drives to store Cisco IOS Software images, configurations, or any other type of file. Although you can also use Compact Flash devices to store these types of files, the flash storage feature gives you an alternative. Many customers will find the USB form factor to be a preferable deployment media to Compact Flash.
USB flash storage can facilitate Cisco IOS Software distribution. You can download a Cisco IOS Software image through a PC directly to USB flash memory in the PC, and then move it to the router.
Touchless or Low-Touch Provisioning Application
Enterprise customers or service providers can use these USB features to deploy many routers in the network without the need to physically load different configurations to each device prior to shipment and deployment. You also can get the routers directly from the factory without any configuration. Both USB features support loading a bootstrap configuration into the eToken device or USB flash memory. When connectivity is established at the remote site with the help of boot configuration, you can contact either a Cisco Configuration Engine or a Trivial File Transfer Protocol (TFTP) server to download a complete configuration. Another value derived from this application is that you can perform the task at the remote site without a high degree of technical knowledge.
Cisco IOS Software Upgrade
You can now easily upgrade your Cisco IOS Software images in remote locations, even if you cannot download large files over your network. Cisco USB flash devices are orderable with preloaded Cisco IOS Software images. After the USB flash is sent to the branch office and plugged into the Cisco router, the router can reboot from USB flash memory and run the newest Cisco IOS Software image.
eToken Device USB Feature
• Removable credentials allow remote provisioning of routers.
• Security credentials are physically separated from the router chassis.
• You can use the eToken device for security purposes that require you to enter a PIN to access the stored information. This feature adds to the security of the application because it requires both the smart card itself (something you have) and a password (something you know), providing a two-factor authentication for added security enforcement. This feature also greatly reduces the possibility for a third party to access the information on the card if it is lost or stolen.
• From a provisioning perspective, you will see value in being able to order routers directly from Cisco (or a reseller) with a desired Cisco IOS Software image installed, to have the routers shipped directly to your premises, and to provide configuration files in a touchless or low-touch manner by distributing an eToken device. This scenario allows you or your service provider to use deployment technicians of a lower skill set for router installations.
USB Flash Feature
• You can store configurations and images on USB token flash devices.
• The USB flash drive provides an alternative mechanism to Compact Flash for storing files and images. As for Compact Flash, it is possible to boot any Cisco IOS Software image from USB flash memory. Because the USB form factor is ubiquitous, you can see value in using such a device over a Compact Flash.
• You can order the Cisco USB flash memory with preloaded Cisco IOS Software images.
The USB eToken device and USB flash memory features are supported in the following Cisco IOS Software Releases:
• For the Cisco 871, 1811, 1812, 1841, 2800, and 3800 Integrated Services Routers: As of 12.3(14)T
• For the Cisco 7200VXR Services Aggregation Routers: With NPE-G2 as of 12.4(4)XD (in the future: also in 12.4T and 12.2SB)
The USB flash tokens are available in 64-, 128-, and 256-MB sizes. Table 1 lists the part numbers for ordering.
Table 1. USB Flash Memory Part Numbers
64 MB USB Flash
64 MB USB Flash (spare)
128 MB USB Flash
128 MB USB Flash (spare)
256 MB USB Flash
256 MB USB Flash (spare)
Service and Support
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services can help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, please visit: Cisco Technical Support Services or Cisco Advanced Services.
For More Information
For more information about the Cisco ISRs and USB options, visit http://www.cisco.com/go/isr or contact your local Cisco account representative.