
Cisco PIX 500 Series Security Appliances

Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) Q&A

Q & A


Cisco PIX Firewall VPN Accelerator Card Plus


Q. What is the Cisco PIX® Firewall VPN Accelerator Card Plus?

A. The Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) for the Cisco PIX Firewall series is the latest Cisco hardware-based accelerator, designed to provide higher-performance tunneling and encryption services (Advanced Encryption Standard [AES], Data Encryption Standard [DES], and Triple DES [3DES]) suitable for site-to-site and remote-access applications. Offloading encryption functions to the card not only improves IP Security (IPSec) encryption processing, but also maintains high-end firewall performance.

Q. When will the Cisco PIX Firewall VAC+ be available?

A. The Cisco PIX Firewall VAC+ will begin shipping as a spare in April 2003, and can be installed in Cisco PIX firewalls that have been upgraded to Cisco PIX OS Release 6.3 or later. The Cisco PIX Firewall VAC+ will also be available as a configurable option on new Cisco PIX firewalls purchased directly from Cisco, after Cisco PIX OS v6.3 is released to manufacturing.

Q. What are the Cisco PIX Firewall VAC+ system requirements?

A. The Cisco PIX Firewall VAC+ requires Cisco PIX OS Release 6.3(1) or later, with a DES or 3DES/AES license. It is supported on the Cisco PIX 515/515E, 520, 525, and 535 platforms (limit one per chassis).

Q. Which slot does Cisco recommend for the Cisco PIX Firewall VAC+?

A. In the Cisco PIX 535 Firewall, it is recommended that you install the Cisco PIX Firewall VAC+ in a 64-bit, 66-MHz PCI slot. In the Cisco PIX 515/515E, 520, and 525 firewalls, you can install the Cisco PIX Firewall VAC+ in any available slot—they are all in the same 32-bit, 33-MHz bus.

Q. How much does the Cisco PIX Firewall VAC+ cost?

A. The Cisco PIX Firewall VAC+ has an MSRP of US$3750, both as a spare and when configured for use in a Cisco PIX Firewall with a restricted feature license.

Q. Will the Cisco PIX Firewall VAC+ be available for free as part of unrestricted and failover bundles?

A. The Cisco PIX Firewall VAC+ will be available as a configurable $0 option on Cisco PIX 515E, 525, and 535 Firewall unrestricted (UR) and failover (FO) bundles, when purchased directly from Cisco, after Cisco PIX OS v6.3 is released to manufacturing. The estimated release date is April 2003.

The Cisco PIX Firewall VAC+ will be available as a default $0 option on Cisco PIX 515E, 525, and 535 Firewall UR and FO bundles, when purchased from second-tier vendors and resellers, after Cisco PIX OS v6.3 is designated as the default shipping image. This date has not yet been determined, but is expected to be approximately three months after the first customer ship (FCS) date.

Q. Will the existing Cisco PIX Firewall VPN Accelerator Card be discontinued?

A. End-of-sale (EoS) has not been scheduled for the existing Cisco PIX Firewall VPN Accelerator Card (VAC). It will remain available for the foreseeable future as a solution for users on operating systems older than Cisco PIX OS Release 6.3(1).

Q. How is the Cisco PIX Firewall VAC+ different from the VAC?

A. Table 1 details the differences between the Cisco PIX Firewall VAC+ and VAC.

Table 1   VAC+ Features

Feature                       | VAC      | VAC+
Processor                     | IRE 2141 | Broadcom BCM5823
Maximum VPN throughput [1]    | 102 Mbps | 440 Mbps
64-bit, 66-MHz PCI            | No       | Yes
128, 192, and 256-bit AES     | No       | Yes

[1] Cisco PIX 535 Firewall with VAC and VAC+ running Cisco PIX OS Release 6.3, 168-bit 3DES at 1400-byte packets.

Q. Is there a performance penalty when using AES instead of 3DES?

A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There is very little performance difference between 256-bit AES and 168-bit 3DES.

Q. Does the Cisco PIX Firewall VAC+ support compression?

A. No. The Cisco PIX Firewall VAC+ does not currently support compression in hardware or software.

Q. What do customers have to change in their cryptographic configurations when they add the Cisco PIX Firewall VAC+ to a Cisco PIX Firewall?

A. No changes are needed. The Cisco PIX Firewall VAC+ begins to function immediately after installation. No special configuration is needed.

Q. How can I check if the Cisco PIX Firewall VAC+ is installed in a chassis?

A. From the Cisco PIX command prompt, issue the show version command.

Q. How can I check if the Cisco PIX Firewall VAC+ is encrypting or decrypting packets?

A. From the Cisco PIX command prompt, issue the show crypto engine verify command.

Q. How do I get a license (activation key) for AES encryption?

A. AES, for all key lengths, is enabled using the same key as provided for 168-bit 3DES. Users with a 3DES license may use their existing activation key. New users must purchase a 3DES activation key to use AES functions.

Part number      | Description
PIX-515-VPN-3DES | 515/515E 3DES and AES VPN feature license
PIX-VPN-3DES     | 52x/53x 3DES and AES VPN feature license

Q. Can I use the Cisco PIX Firewall VAC+ simultaneously with a VAC or Private Link 2 (PL2)?

A. The presence of older VPN cards, such as the VAC or PL2, will be ignored by the Cisco PIX Firewall if a VAC+ is installed in the system. Cisco recommends removing the older VPN cards when you upgrade to the VAC+.

Q. When a customer purchases the Cisco PIX Firewall VAC+, do they get the Cisco VPN Client for free?

A. Yes. The Cisco VPN Client is available to existing customers with Cisco SMARTnet contracts—free of charge. The part number (CVPN-CLNT-36-K9=) is only needed for people without Cisco SMARTnet contracts.

Q. Can I upgrade my Cisco PIX Firewall VAC to a VAC+?

A. The Cisco Technology Migration Plan provides the ability to trade in old Cisco equipment and receive a credit toward the purchase of new Cisco products. For more information about this plan, visit:

http://www.cisco.com/pcgi-bin/front.x/CTMP/ctmpServlet/StartHandler

Additional Information

For more information about Cisco PIX Firewalls, visit:

http://www.cisco.com/go/pix

For more information about the Cisco PIX VAC+, visit:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheets_list.html