Cisco Security Modules for Routers and Switches

VPN Acceleration Module for Cisco 7000 Series VPN Routers

Data Sheet


VPN Acceleration Module for Cisco 7200 and 7100 Series Routers

Overview

The VPN Acceleration Module (VAM) for Cisco 7200 and 7100 Series routers provides high-performance, hardware-assisted encryption, key generation, and compression services suitable for site-to-site virtual private network (VPN) applications. As an integral component of the Cisco Systems SAFE blueprint for security, the VAM provides encryption scalability while working seamlessly with critical site-to-site VPN software services, such as support for routing, quality of service (QoS), multicast and multiprotocol traffic across the VPN, as well as integrating firewall, intrusion detection, and service level validation. This combination of features delivers a best-in-class solution that accommodates the most diverse site-to-site VPN environments. In addition, the VAM provides hardware-assisted compression services where bandwidth conservation may lower network connection costs. These features, combined with VAM support for the broad set of LAN/WAN media and full Layer 3 routing services, ensure the smooth integration of encryption technology into virtually any enterprise or service provider network environment.

Figure 1 VAM Service Adapter for Cisco 7200 and 7100 Series Routers

Figure 2 VAM Service Module for Cisco 7100 Series. It Plugs into the Service Module Slot.

Features at a Glance

| Feature | Description |
|---|---|
| Physical | Service adapter—Installs in port adapter slot on Cisco 7200 or 7100 Series routers; Service module—Installs in the service module slot on Cisco 7100 Series routers |
| Platform support | Cisco 7200 Series with NPE 400, 300, or 225; Cisco 7100 Series |
| Throughput [1] | Up to 145 Mbps using 3DES |
| Number of IPsec protected tunnels [2] | Up to 5000 on Cisco 7200 Series; up to 3000 on Cisco 7100 Series |
| Hardware-based encryption | Data protection: IPsec DES and 3DES; Authentication: RSA and Diffie-Hellman; Data integrity: SHA-1 and Message Digest 5 (MD5) |
| VPN tunneling | IPsec tunnel mode; generic routing encapsulation (GRE) and Layer 2 Tunneling Protocol (L2TP) protected by IPsec |
| Hardware-based compression | Layer 3 IPPCP LZS |
| LAN/WAN interface selection | VAM works with most Cisco 7200 VXR-compatible port adapters |
| Minimum Cisco IOS Software Release supported | 12.1(9)E |
| Standards supported | IPsec/IKE: RFCs 2401-2411, 2451; IPPCP: RFC 2393, 2395 |

[1] As measured with IPsec 3DES HMAC-SHA1 on 1400 byte packets.
[2] Number of tunnels supported varies based on the total system memory installed.

The VAM supports Data Encryption Standard (DES) or Triple DES (3DES) IPsec encryption at greater than full-duplex DS-3 line rate (up to 145 Mbps) for site-to-site VPNs such as intranets and extranets. Moreover, it supports up to 5000 encrypted tunnels for mixed VPN environments that have both site-to-site and remote access VPN requirements. The VAM also integrates hardware-assisted RSA and IPPCP Layer 3 compression. Accelerating RSA processing shortens tunnel setup and creation time, improving overall VPN initialization. In environments where bandwidth is costly, the VAM provides hardware-based IP Payload Compression Protocol (IPPCP) Lempel-Ziv-Stac (LZS) processing to compress network traffic before it is encrypted and sent over pay-per-byte WAN connections.

The VAM coprocessor architecture offloads all VPN processor-intensive functions from the main route processor, minimizing impact on system resources, thus delivering increased tunneling, encryption, and compression scalability for the most demanding VPN deployments.

Features and Benefits

| Feature | Benefit |
|---|---|
| Hardware-based DES and 3DES encryption | Ensures high-encryption throughput in complex high-bandwidth networks |
| Offload of high-overhead IPsec and IPPCP processing from the main processor | Reserves critical processing resources for other WAN and security services, such as QoS and firewalling |
| Supports 5000 IPsec tunnels | Offers high VPN session scalability |
| IPsec support | Provides confidentiality, data integrity, and data origin authentication. Enables the secure use of cost-effective public networks such as the Internet for wide-area networking |
| Certificate support for automatic authentication using digital certificates | Scales encryption use for large networks requiring secure connections between multiple locations |
| Support for full Layer 3 routing, such as Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) across the IPsec VPN | Tracks reachability of all devices and interfaces on the VPN, thus delivering automated failover and recovery for VPN links |
| Supports IKE keepalives to track availability of tunneling peers | Tracks reachability of tunneling peers to provide failover and recovery for VPN links |
| Hardware-based IPPCP LZS compression | Lowers cost by compressing network traffic before it traverses a pay-per-byte WAN link |
| QoS, multiprotocol, and multicast feature interoperation | Enables use of all network services across the VPN |
| Standards based | Ensures multivendor interoperability among network devices, client software, and other computing systems |


Ordering Information—Cisco 7200 and 7100 Software Support

To enable either 56-bit DES or 168-bit 3DES, select the appropriate software image. VAM support is available in Cisco IOS® Software Release 12.1E images beginning with Software Release 12.1(9)E.

Export Regulations

DES and 3DES software for the VAM is controlled by U.S. export regulations on encryption products. The module itself is not controlled. U.S. regulations require the recording of names and addresses of recipients of DES and 3DES software. For more details, see http://www.cisco.com/wwl/export/crypto/.

| Part Number | Description |
|---|---|
| SA-VAM | VPN Acceleration Module (VAM) for Cisco 7200 and 7100 Series |
| SM-VAM | VPN Acceleration Module (VAM) for Cisco 7100 Series |