Cisco XR 12000 Series IPsec VPN Shared Port Adapter
Updated: November 30, 2006
The modular design of the Cisco® XR 12000 Series Routers combines shared port adapters (SPAs) and SPA interface processors (SIPs), and enables service prioritization for data, voice, and video services. This extensible design maximizes connectivity options and offers superior service intelligence through programmable interface processors that deliver line-rate performance. Modularity enhances speed-to-service revenue and provides a rich set of quality of service (QoS) features for premium service delivery while effectively reducing the overall cost of ownership. This data sheet contains the specifications for the Cisco XR 12000 Series IPsec VPN Shared Port Adapter.
Service providers and enterprises require ubiquitous and secure connectivity to address today's mission-critical, high-bandwidth applications. Many service providers deploy IPsec VPN technology to geographically extend their existing VPNs, and use IPsec to give remote users access to their corporate VPNs. Enterprises replace their traditional WANs with site-to-site and remote-access VPNs with this technology as well. The Cisco XR 12000 IPsec VPN SPA offers next-generation encryption technology and a form factor designed to enable a more flexible and scalable network infrastructure (see Figure 1).
Figure 1. Cisco XR 12000 IPsec VPN SPA
The Cisco IPsec VPN SPA delivers scalable and cost-effective VPN performance for Cisco XR 12000 Series Routers. Using the Cisco XR 12000 SIP cards (401, 501, and 601), each slot of the Cisco XR 12000 Series Router can support up to two Cisco IPsec VPN SPAs, or any mixture of the Cisco IPsec VPN SPA with other interface SPA types on the same SIP card. Although the Cisco IPsec VPN SPA does not have physical interfaces, it takes advantage of the breadth of interfaces on the Cisco XR 12000 Series Router.
KEY FEATURES AND BENEFITS
Table 1 lists the primary features of the Cisco IPsec VPN SPA.
Table 1. Features of Cisco XR 12000 IPsec VPN SPA
Next-generation encryption technology
In addition to supporting Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES), the Cisco IPsec VPN SPA supports Advanced Encryption Standard (AES), including all key sizes (128-, 192-, and 256-bit keys). Designed to be the next-generation encryption technology, AES offers the ultimate in IPsec VPN security and interoperability.
High-speed VPN performance
High-speed VPN performance provides up to 2.5 Gbps of AES and 3DES IPsec throughput with large packets and 1.6 Gbps with Internet mix (IMIX) traffic.
Up to 20 Cisco IPsec VPN SPAs can be installed in a Cisco 12416 Router (10 slots with 2 SPAs per slot, plus 2 route processors and 4 line cards with line interfaces) to provide up to 50 Gbps of total throughput.
The Cisco IPsec SPA can scale up to 16,000 tunnels for remote access and remote user VPN access. Tunnel establishment is relatively constant for all 16,000 tunnels with an average rate of 100 tunnels per second.
Attractive form factor
Using the Cisco SIP cards, up to 2 Cisco IPsec VPN SPAs can be installed in each slot, or any mixture of the IPsec VPN SPA with other interface SPA types. The half-slot form factor of the SPA reduces slot consumption and increases total performance per slot for flexible mixing and matching.
Note: Support for mixing SPA types on the same SIP line card (LC) will be introduced in the IOS-XR 3.5 release.
The Cisco IPsec VPN SPA supports jumbo frames of up to 9200 bytes without the need for fragmentation.
Full integration of secure VPN into the network infrastructure
The Cisco IPsec VPN SPA supports all the Cisco XR 12000 Series Router interfaces in the chassis. No separate VPN devices are needed within the network, intranet, Internet data center, or point of presence (POP).
Comprehensive VPN features
The Cisco IPsec VPN SPA provides hardware acceleration for IPsec and generic routing encapsulation (GRE), comprehensive support of site-to-site IPsec, remote-access IPsec, and certificate authority/public key infrastructure (CA/PKI).
Diverse network traffic types and topologies
Cisco IOS XR Software supports secure, reliable transport of virtually any type of network traffic, including multicast and IP telephony across the IPsec VPN.
VPN resiliency and high availability
Cisco IPsec VPN support on the Cisco XR 12000 Series harnesses the high-availability capabilities of Cisco IOS XR Software, such as Stateful Switchover (SSO) and In Service Software Upgrade (ISSU). It also supports routing over IPsec tunnels, dead-peer detection (DPD), reverse route injection (RRI), and intra-chassis stateful failover (active-active) for IPsec and GRE. The IPsec capabilities provide superior VPN resiliency and high availability.
Virtual Route Forwarding (VRF)-aware IPsec VPN
VRF-aware IPsec features help enable mapping of IPsec tunnels to VRF instances to provide network-based IPsec VPNs, and the integration of IPsec with Multiprotocol Label Switching (MPLS) VPNs. This feature helps service providers, large enterprises, and other organizations to build secure, scalable, and virtualized VPN services across their network infrastructures.
The Cisco IPsec VPN SPA provides complete and consistent QoS to support service-level agreements (SLAs) with the same level of QoS that is provided on the Cisco XR 12000 Series for traditional VPN access technologies such as Frame Relay, ATM, and VLANs.
The features listed in Table 1 provide the following benefits for service providers and enterprises:
• Security integrated into network infrastructure - The Cisco IPsec VPN SPA supports Cisco XR 12000 Series Routers. By integrating VPN capabilities into these infrastructure platforms, VPN services can be delivered over a network in which the service provider has no physical presence and remote users can access their corporate VPN securely. Furthermore, the broad range of Cisco XR 12000 Series interfaces and services (including Session Border Control and virtual firewall in the future) can be used within the same platform.
• Industry-leading technology - In addition to DES and 3DES, the Cisco IPsec VPN SPA introduces AES, the new standard in encryption technology demanded by most government agencies and leading financial institutions in the most secure network environments.
• High performance - Each Cisco IPsec VPN SPA can deliver up to 2.5 Gbps of AES and 3DES encrypted data traffic. Additionally, it can terminate up to 16,000 site-to-site or remote-access IPsec tunnels simultaneously and can set up those tunnels at an average establishment rate of 100 new tunnels per second for all 16,000 tunnels.
• Scalable form factor - Each slot of the Cisco XR 12000 Series Router can support up to two Cisco IPsec VPN SPAs. Up to 20 Cisco IPsec VPN SPAs can be combined in a single Cisco 12416 chassis to provide maximum throughput of 50 Gbps. Additionally, the half-slot form factor of the Cisco IPsec VPN SPA allows the customer to reduce slot consumption, potentially reducing cost while enhancing per-slot and overall system encryption performance.
• VPN resiliency and high availability - Using innovative features such as stateful failover for IPsec and support of dynamic routing updates over site-to-site tunnels, the IPsec VPN SPA provides superior VPN resiliency and high availability.
• Advanced security services - Adding strong encryption, authentication, and integrity to network services is easy with the Cisco IPsec VPN SPA. The SPA simplifies deployment of secure service provider edge and campus VPN applications, including integrated data-, voice-, and video-enabled VPN; storage-area networks (SANs); and integration of IPsec and MPLS VPNs. The Cisco IPsec VPN SPA provides advanced site-to-site and remote-access IPsec services over all types of interfaces.
Table 2 lists specifications of the Cisco IPsec VPN SPA.
Table 2. Product Specifications
• IPsec (RFCs 2401-2411 and 2451)
• Encapsulating Security Payload (ESP)
• Authentication Header (AH)
• X.509 digital certificates (RSA signatures)
• Diffie-Hellman groups 1, 2, and 5
• Preshared keys
• RADIUS (RFC 2138)
Hashed Message Authentication Code with MD5 (HMAC-MD5) and with Secure Hash Algorithm-1 (HMAC-SHA-1) (RFCs 2403 and 2404)
• Dynamic routing across IPsec (see "Routing Protocols" section of this table)
• Border Gateway Protocol Version 4 (BGPv4)
• Routing Information Protocol (RIP) and RIP Version 2 (RIPv2)
• Open Shortest Path First (OSPF)
• Enhanced Interior Gateway Routing Protocol (EIGRP) and IGRP
• Cisco 12000 Series SPA Interface Processor-401, -501, and -601
Length: 5.92 in. (15 cm)
Width: 6.75 in. (17.15 cm)
Height: 1.52 in. (3.9 cm)
Approvals and compliance
• FCC Part 15 (CFR 47) Class A
• ICES-003 Class A
• EN55022 Class A
• CISPR22 Class A
• AS/NZS CISPR Class A
• VCCI Class A
• EN300 386
• UL 60950
• IEC 60825-1, -2
• IEC 60950
• EN 60950
• EN 60825-1, -2
• CAN/CSA-C22.2 No. 60950-00
• AS/NZS 3260-1993
NEBS and Environmental Standard Compliance
• GR-63-Core NEBS Level 3
• GR-1089-Core NEBS Level 3
• ETSI 300 019 Storage Class 1.1
• ETSI 300 019 Transportation Class 2.3
• ETSI 300 019 Stationary Use Class 3.1
To place an order, visit the Cisco Ordering Home Page. Table 3 lists ordering information for the Cisco IPsec VPN SPA and SIP cards.
Table 3. Ordering Information
Cisco XR 12000 Series IPsec VPN Shared Port Adapter
Cisco XR 12000 Series SPA Interface Processor-401, -501, and -601
Cisco is committed to maintaining an active product certification and evaluation program for customers worldwide, and is a leader in providing certified and evaluated products to the marketplace. Cisco will continue to work with international security standards bodies to help shape the future of certified and evaluated products, and will work to accelerate certification and evaluation processes. Certification and evaluation are considered at the earliest part of the company's product development cycle, and Cisco will continue to position its security products to help ensure that customers have certified and evaluated products to meet their needs. For security certification product details, visit:
SERVICE AND SUPPORT
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, refer to Cisco Technical Support Services or Cisco Advanced Services.
FOR MORE INFORMATION
For more information about the Cisco XR 12000 IPsec VPN SPA and the Cisco SPA/SIP portfolio, visit http://www.cisco.com/go/spa or contact your local Cisco account representative.