Cisco Versatile Interface Processors

Data Sheet

Versatile Interface Processor 2 Distributed Services—Cisco IOS Encryption

Overview

Rapidly growing use of the Internet and other wide-area network (WAN) connections increases concern about the security of corporate information assets. Data encryption addresses these concerns but has been implemented only on a limited basis, either because the processing power it requires significantly impacts performance or because external link encryptors are costly and difficult to manage. Cisco addresses these concerns with the encryption capabilities of Cisco Internetwork Operating System (Cisco IOS™) software coupled with the distributed services feature of the Versatile Interface Processor (VIP) model VIP2-40.

As a standard feature of the VIP2-40 when coupled with any Cisco IOS image that supports encryption, this distributed service enables deployment of encryption for ensuring information security while maintaining router performance. It achieves this by offloading processing-intensive encryption tasks normally performed by the Route Switch Processor (RSP or RSP7000) to the processing capabilities of the VIP2-40. In conjunction with NetFlow™ switching software, it further improves network and encryption performance by assigning encryption only to those users, applications, or sessions that require the high degree of security that encryption offers.

Each VIP2-40 becomes a separate cryptographic engine, performing all encryption functions for media ports on that VIP2-40. This feature enables encryption performance to scale as VIP2-40s are added to a system. With relief from encryption tasks, the RSP can fully dedicate its resources to ensuring high switching and packet routing performance. With the ability to mix and match performance and resource utilization needs for encryption services, Cisco's router and encryption products offer the best mix of security, performance, and value for any encryption environment.

Benefits

  • Enhanced encryption throughput

    • Improves system encryption performance for each VIP2-40 installed

    • Significantly increases the number of encrypted links in a single router without degradation

    • Delivers encryption services for VIP2-40 links without impacting platform routing or switching capabilities

  • Enhanced router performance

    • Offloads encryption processing functions to VIP2-40 for locally attached port adapters

    • Reserves critical processing resources for routing or WAN services such as queuing

    • Leverages router processing by limiting encryption to only those paths requiring high levels of security

  • Provides network-level encryption

    • Network administrators can designate IP address pairs, TCP port addresses (such as World Wide Web or Telnet), or combinations of both to selectively encrypt traffic

    • Secures use of public switched networks and the Internet for wide-area networking

  • Reduced system encryption costs

    • No external third-party encryption devices required

    • Encryption can be distributed between Cisco IOS software in the RSP and multiple VIP2-40 units for maximum balance of performance, cost, and security

  • Simplified network management

    • Enables network administrators to apply security policy only to originating and destination routers without regard for network topology; eliminates need for encryption support at all primary and possible routes

Specifications

  • Prerequisites

    • VIP2-40

    • Cisco IOS security license

    • Cisco 7505, 7507, or 7513 router

    • Cisco 7000 or 7010 router with RSP7000

  • Encryption supported

    • Data Encryption Standard (DES) message encryption

    • Diffie-Hellman Public Key Encryption (PKE) (key exchange)

    • Digital Signature Standard (DSS) authentication

  • DES key length

    • 56-bit

    • 40-bit

  • DES encryption modes

    • CFB-8

    • CFB-64

  • Cisco IOS software release required

    • Software release 11.2(1) and higher

  • WAN protocol support

    • High-Level Data Link Control (HDLC)

    • Point-to-Point Protocol (PPP)

    • Frame Relay (Requires software release 11.2(7)P and higher)