Cisco Systems Network Router 2600 User Manual

CHAPTER 5
VPN and Security Products

VPN and Security Products at a Glance

Product: Cisco PIX Security Appliance
Page: 5-2
Features:
• Market-leading, purpose-built appliances which provide a broad range of integrated security services
• Robust stateful inspection firewalling with application awareness
• High-performance and scalable remote access and site-to-site VPN
• Intrusion protection with for real-time response to network attacks
• Enhanced routing and network integration
• Extensive support for multimedia and VoIP applications
• Award-winning firewall stateful failover for enterprise-class resiliency

Product: Firewall Blade for Catalyst 6500
Page: 2-22
Features:
Firewall Module is a high performance integrated stateful firewall solution for Catalyst 6500 family of switches with performance exceeding 5GB. It is based on proven PIX technology while providing the following benefits to the customers:
• Investment protection
• Low cost of ownership
• Ease of use
• Operational Consistency
• Scalability
See the Catalyst 6500 Series Switch in Chapter 2: LAN Switching, page 2-22, for more information

Product: Cisco VPN 3000 Family
Page: 5-5
Features:
• Remote access Virtual Private Network platform
• Has models for all size companies, from small to large enterprise organizations
• Reduces communications expenditures
• Enables users to easily add capacity and throughput

Product: Cisco IDS Network Sensor
Page: 5-8
Features:
Network-based, real-time intrusion detection system capable of monitoring an entire enterprise network:
• Capable of directing and forwarding alarms between local, regional, and headquarters-based monitoring consoles
• Scalable architecture to allow the deployment of large numbers of sensors in order to provide comprehensive security coverage in large networks
• Tight integration into the network through the delivery of the IDS Network Module for the Cisco Access Routers and the IDSM2 for the Catalyst 6500 switches
• CTR (Cisco Threat Response) delivers adaptive scan techniques to minimize false alarms
• Broad range of management options

Product: Cisco Security Agent
Page: 5-10
Features:
The Cisco Security Agent provides threat protection for desktop and server computing systems by identifying and preventing malicious activity. By acting on threats or attacks before they can occur, Cisco Security Agent removes known and unknown security risks to enterprise networks and applications:
• The Cisco Security Agent aggregates and extends multiple endpoint security functions by providing host intrusion prevention, distributed firewall, malicious mobile code protection, operating system integrity assurance, and audit log consolidation all within a single agent package
• Protects against known and unknown attacks on both servers and desktops

Product: Cisco Secure Access Control Server (ACS) for Windows and Cisco Secure Access Control Solution Engine
Page: 5-12
Features:
A centralized identity networking solution that simplifies user-management experience across all Cisco devices and security-management applications. An essential component of the Cisco Identity Based Networking Services (IBNS) architecture, it extends access security by combining authentication, user and administrator access, and policy control from a centralized identity networking framework. This allows greater flexibility and mobility, increased security, and user productivity gains. It helps ensure enforcement of assigned policies by allowing network administrators to control: Who can log in to the network, Privileges each user has in the network, and Security audit or account billing information that is recorded
Cisco PIX Security Appliance Series
When to Sell
Sell this product when a customer needs these features:

PIX 501
• Small Office / Home Office desktop integrated security appliance
• Up to 60 Mbps of firewall throughput
• Up to 3 Mbps of 3DES and 3.4 Mbps of AES-256 IPsec VPN throughput
• Hardware VPN client (Easy VPN Remote)
• VPN concentrator services (Easy VPN Server) for up to 10 remote users
• Integrated four port 10/100 Mbps switch

PIX 506E
• Remote Office / Branch Office desktop integrated security appliance
• Up to 100 Mbps of firewall throughput
• Up to 16 Mbps of 3DES and 30 Mbps of AES-256 IPsec VPN throughput
• Hardware VPN client (Easy VPN Remote)
• VPN concentrator services (Easy VPN Server) for up to 25 remote users
• Maximum of two 10BASE-T Ethernet interfaces
• OSPF dynamic routing support

PIX 515E
• Small-to-Medium Business (SMB) integrated security appliance
• Up to 188 Mbps of firewall throughput
• Up to 130 Mbps of 3DES/AES-256 VPN throughput using hardware acceleration (integrated in select models, optional for others)
• VPN concentrator services (Easy VPN Server) for up to 2,000 remote users
• Up to six 10/100 FE interfaces
• VLAN trunking (802.1q tag-based) and OSPF dynamic routing support
• Active/standby firewall stateful failover support

PIX 525
• Enterprise-class integrated security appliance
• Up to 330 Mbps of firewall throughput
• Up to 145 Mbps of 3DES and 135 Mbps of AES-256 VPN throughput using hardware acceleration (integrated in select models, optional for others)
• VPN concentrator services (Easy VPN Server) for up to 2,000 remote users
• Gigabit Ethernet support; Up to eight 10/100 FE or three Gigabit Ethernet interfaces
• VLAN trunking (802.1q tag-based) and OSPF dynamic routing support
• Active/standby firewall stateful failover support

PIX 535
• Carrier class large enterprise and service provider firewall appliance
• Up to 1.7 Gbps of firewall throughput
• Up to 425 Mbps of 3DES/AES-256 VPN throughput using hardware acceleration (integrated in select models, optional for others)
• VPN concentrator services (Easy VPN Server) for up to 2,000 remote users
• Gigabit Ethernet throughput; Up to ten 10/100 FE or nine Gigabit Ethernet interfaces
• VLAN trunking (802.1q tag-based) and OSPF dynamic routing support
• Redundant, hot-swappable power supplies
• Active/standby firewall stateful failover support

1. At 1400-byte packets
Key Features
• Security—Purpose-built appliance with a proprietary, hardened operating system
• Performance—Stateful inspection firewall capable of up to 500,000 concurrent connections and 1.7 Gbps of throughput (at 1400-byte packets on Cisco PIX 535 Security Appliances)
• High availability—Award-winning, active/standby firewall stateful failover provides enterprise-class, cost-effective resiliency
• Virtual Private Networking (VPN)—Supports both standards-based IPsec and L2TP/PPTP-based VPN services
• Optional PIX VPN Accelerator Card+—Scales 3DES/AES-256 VPN throughput up to 495 Mbps, using specialized co-processors designed for accelerating cryptographic operations
• Free software Cisco VPN Client provides secure connectivity across a broad range of platforms including Windows, Mac OS X, Linux and Solaris
• Network Address Translation (NAT) and Port Address Translation (PAT)—Conceals internal IP addresses and expands network address space
• Denial-of-Service (DoS) Attack Protection—Protects the firewall, internal servers and clients from disruptive hacking attempts
• OSPF dynamic routing support for improved network reliability and performance
• VLAN trunking (802.1q tag) support for simplified deployment in switched network environments
• Multimedia and VoIP support for widely popular standards, H.323 v4, TAPI, JTAPI, RTSP, SIP, MGCP and SCCP
• Web-Based PIX Device Manager (PDM)—For simplified configuration, real-time and historical reports, performance baselines and security events information
• Auto Update, SSH, SNMP, TFTP, HTTPS, and telnet for remote management
• Support from two 10/100 Ethernet interfaces to up to nine Gigabit Ethernet interfaces
Competitive Products
• Check Point Software: FireWall-1 / VPN-1
• NetScreen: NetScreen Security Appliances
• Nokia: IP-Series Security Appliances
• SonicWALL: SonicWALL Security Appliances
• WatchGuard Technologies: Firebox-series and V-series Security Appliances
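Specifications

PIX 501
• Processor: 133 MHz
• RAM: 16 MB
• Flash Memory: 8 MB
• PCI Slots: None
• Fixed Interfaces (Physical): Four port 10/100 switch (inside), One 10Base-T Ethernet (outside)
• Maximum Interfaces (Physical and Virtual): Four port 10/100 switch (inside), One 10Base-T Ethernet (outside)
• VPN Accelerator Card+ (VAC+) Option: No
• Failover Support: No
• Size: Desktop

PIX 506E
• Processor: 300 MHz
• RAM: 32 MB
• Flash Memory: 8 MB
• PCI Slots: None
• Fixed Interfaces (Physical): Two 10Base-T Ethernet
• Maximum Interfaces (Physical and Virtual): Two 10Base-T Ethernet
• VPN Accelerator Card+ (VAC+) Option: No
• Failover Support: No
• Size: Desktop

PIX 515E
• Processor: 433 MHz
• RAM: 32 or 64 MB
• Flash Memory: 16 MB
• PCI Slots: 2
• Fixed Interfaces (Physical): Two 10/100 Fast Ethernet
• Maximum Interfaces (Physical and Virtual): Six 10/100 Fast Ethernet (FE) or 8 VLANs
• VPN Accelerator Card+ (VAC+) Option: Yes, integrated in select models
• Failover Support: Yes, UR/FO models only
• Size: 1 RU

PIX 525
• Processor: 600 MHz
• RAM: 128 or 256 MB
• Flash Memory: 16 MB
• PCI Slots: 3
• Fixed Interfaces (Physical): Two 10/100 Fast Ethernet
• Maximum Interfaces (Physical and Virtual): Eight 10/100 FE or GE or 10 VLANs
• VPN Accelerator Card+ (VAC+) Option: Yes, integrated in select models
• Failover Support: Yes, UR/FO models only
• Size: 2 RU

PIX 535
• Processor: 1.0 GHz
• RAM: 512 MB or 1 GB
• Flash Memory: 16 MB
• PCI Slots: 9
• Fixed Interfaces (Physical): None
• Maximum Interfaces (Physical and Virtual): Ten 10/100 FE or GE or 24 VLANs
• VPN Accelerator Card+ (VAC+) Option: Yes, integrated in select models
• Failover Support: Yes, UR/FO models only
• Size: 3 RU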
Selected Part Numbers and Ordering Information
Cisco PIX Bundles (footnote 1)
• PIX-535-UR-BUN: PIX 535 Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
• PIX-535-R-BUN: PIX 535 Restricted Bundle (Chassis, restricted software, two 10/100 ports)
• PIX-535-FO-BUN: PIX 535 Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
• PIX-525-UR-GE-BUN: PIX 525 Unrestricted GE Bundle (Chassis, unrestricted software, two GE ports, two 10/100 ports, VPN Acceleration Card+)
• PIX-525-FO-GE-BUN: PIX 525 Failover GE Bundle (Chassis, failover software, two GE ports, two 10/100 ports, VPN Acceleration Card+)
• PIX-525-UR-BUN: PIX 525 Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
• PIX-525-R-BUN: PIX 525 Restricted Bundle (Chassis, restricted software, two 10/100 ports)
• PIX-525-FO-BUN: PIX 525 Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
• PIX-515E-UR-FE-BUN: PIX 515E Unrestricted Bundle (Chassis, unrestricted software, six 10/100 ports, VPN Accelerator Card+)
• PIX-515E-FO-FE-BUN: PIX 515E Failover Bundle (Chassis, failover software, six 10/100 ports, VPN Accelerator Card+)
• PIX-515E-UR-BUN: PIX 515E Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
• PIX-515E-R-BUN: PIX 515E Restricted Bundle (Chassis, restricted software, two 10/100 ports)
• PIX-515E-FO-BUN: PIX 515E Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
• PIX-515E-R-DMZ-BUN: PIX 515E DMZ Bundle (Chassis, restricted software, three 10/100 ports)
• PIX-506E-BUN-K9: PIX 506E 3DES/AES Bundle (Chassis, software, 3DES/AES license, two 10-BaseT ports)
• PIX-501-BUN-K9: PIX 501 10 User/3DES/AES Bundle (Chassis, SW, 10 user/3DES/AES license, 4 port 10/100 switch)
• PIX-501-50-BUN-K9: PIX 501 50 User/3DES/AES Bundle (Chassis, SW, 50 user/3DES/AES license, 4 port 10/100 switch)
• PIX-501-UL-BUN-K9: PIX 501 Unlimited User/3DES/AES Bundle (Chassis, SW, Unlimited Users 3DES/AES license, 4 port 10/100 switch)
Cisco PIX Interfaces and Cards
• PIX-1GE-66: PIX 66-MHz Single-port Gigabit Ethernet interface card (multimode fiber, SC connector)
• PIX-4FE-66: PIX 66-MHz Four-port 10/100 Fast Ethernet interface card, RJ45
• PIX-1FE: PIX Single-port 10/100 Fast Ethernet interface card
• PIX-VPN-ACCEL: PIX DES/3DES VPN Accelerator Card (VAC)
• PIX-VPN-PLUS: PIX DES/3DES/AES VPN Accelerator Card+ (VAC+)
PIX Accessories
• PIX-506E-PWR-AC: Redundant AC power supply for PIX 506E
• PIX-515-PWR-DC: Redundant DC power supply for PIX 515/515E
1. This is only a small subset of all parts available via URL listed under “For More Information”. Some parts have restricted access or are not available through distribution channels. Resellers: For latest part number and pricing info, see the Distribution Product Reference Guide at: http://www.cisco.com/dprg (limited country availability).
For More Information  
See the PIX Security Appliance Web site: http://www.cisco.com/go/pix  
Cisco VPN 3000 Family  
The Cisco VPN 3000 Concentrator Series—A family of purpose-built, remote access Virtual Private Network (VPN) platforms that incorporates high availability, high performance and scalability with the most advanced encryption and authentication techniques available today. Customers can greatly reduce costs by leveraging their ISPs’ infrastructure and eliminate costly leased lines. This series supports small offices as well as large organizations with up to 10,000 simultaneous remote users per unit. With load balancing configured, multiple units can be clustered to enable unlimited remote access users. It also supports the widest range of VPN clients including Certicom MovianVPN client, Microsoft 2000 L2TP/IPsec Client, and Microsoft PPTP for Windows 95/98/ME/NT/2000/XP.
The Cisco VPN 3002 Hardware Client—Combines the best capabilities of a software client with the reliability and stability of a dedicated hardware platform, and scales to tens of thousands of users. It sets up connections to a variety of Cisco VPN concentrators, including the VPN 3000 series and PIX firewalls.
When to Sell
Sell this product when a customer needs these features:

VPN 3005 and 3015 Concentrators
• A fixed configuration device designed for small- to medium-sized organizations with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) and up to 100 simultaneous remote access sessions
• Encryption processing is performed in software
• VPN 3015 is field-upgradable to the Cisco VPN 3030 and 3060 models and for redundancy

VPN 3030 and 3060 Concentrators
• VPN 3030 is for medium- to large-sized organizations with bandwidth requirements from full T1/E1 through T3/E3 (50 Mbps max. performance) and up to 1500 simultaneous sessions; field-upgradeable to the Cisco VPN 3060
• VPN 3060 is for large organizations, with high-performance, high-bandwidth requirements from fractional T3 through full T3/E3 or greater (100 Mbps max. performance) and up to 5000 simultaneous remote access sessions
• Both have specialized SEP modules to perform hardware-based acceleration

VPN 3080 Concentrator
• Optimized to support large enterprise organizations that demand the highest level of performance combined with support for up to 10,000 simultaneous remote access sessions
• Specialized SEP modules perform hardware-based acceleration

VPN 3000 Client
• Establishes secure, end-to-end encrypted tunnels to the Cisco VPN 3000 Concentrator and other Cisco Easy VPN compliant devices.
• Provided at no charge, installs on PCs and is available for Windows, MAC OS X and Linux/Solaris environments

VPN 3002 Hardware Client
• Emulates the software client in hardware
• Ideal for mixed operating system environments and where corporation does not own/control remote PC or for very large applications requiring large number of devices due to ease of deployment, upgradability & scalability
Key Features
Cisco VPN 3000 Concentrators Series
• Support for industry standard IPSec DES/3DES/AES and Cisco IPSec/NAT for VPN Access through Port Address Translation firewalls
• Unlimited-use license for Cisco VPN Client distribution included at no cost with multiple OS support including Windows, MAC OS X, Linux and Solaris; also integrates with Zone Alarms personal firewall
• Supports standard authentication: RADIUS, SDI Tokens, and Digital Certificates
• VPN load balancing allows for multiple units to cluster as a single shared pool
• Cisco VPN 3002 Hardware Client supports up to 253 users/stations per VPN 3002
• Works with most operating systems including Windows, Linux, Solaris, and MAC OS X
• Auto-upgrade capability automates upgrades with no user intervention required
• Client technology employs push policy and automatic address assignment from the central site concentrator, enabling virtually unlimited scalability
Competitive Products  
• Nortel: Contivity products  
• Nokia  
• Netscreen: LAN to LAN environments  
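Specifications
Cisco VPN 3000 Series Concentrators

VPN 3005
• Simultaneous Users: 100
• Encryption Throughput: 4 Mbps
• Encryption Method: Software
• Encryption (SEP) Module: 0
• Redundant SEP: No
• Expansion Slots: 0
• Upgradeable: No
• Memory: 32 MB
• Hardware Configuration: 1U, Fixed
• Power Supply: Single
• Client License: Unlimited
• LAN-to-LAN Connections (internal user database): 100
• Dimensions (HxWxD): 1.75 x 17.5 x 11.5 in.

VPN 3015
• Simultaneous Users: 100
• Encryption Throughput: 4 Mbps
• Encryption Method: Software
• Encryption (SEP) Module: 0
• Redundant SEP: No
• Expansion Slots: 4
• Upgradeable: Yes
• Memory: 128 MB
• Hardware Configuration: 2U, Scalable
• Power Supply: Single, with a dual option
• Client License: Unlimited
• LAN-to-LAN Connections (internal user database): 100
• Dimensions (HxWxD): 3.5 x 17.5 x 14.5 in.

VPN 3030
• Simultaneous Users: 1500
• Encryption Throughput: 50 Mbps
• Encryption Method: Hardware
• Encryption (SEP) Module: 1
• Redundant SEP: Optional
• Expansion Slots: 3
• Upgradeable: Yes
• Memory: 128 MB
• Hardware Configuration: 2U, Scalable
• Power Supply: Single, with a dual option
• Client License: Unlimited
• LAN-to-LAN Connections (internal user database): 500
• Dimensions (HxWxD): 3.5 x 17.5 x 14.5 in.

VPN 3060
• Simultaneous Users: 5000
• Encryption Throughput: 100 Mbps
• Encryption Method: Hardware
• Encryption (SEP) Module: 2
• Redundant SEP: Optional
• Expansion Slots: 2
• Upgradeable: N/A
• Memory: 256 MB
• Hardware Configuration: 2U, Scalable
• Power Supply: Single, with a dual option
• Client License: Unlimited
• LAN-to-LAN Connections (internal user database): 1000
• Dimensions (HxWxD): 3.5 x 17.5 x 14.5 in.

VPN 3080
• Simultaneous Users: 10,000
• Encryption Throughput: 100 Mbps
• Encryption Method: Hardware
• Encryption (SEP) Module: 4
• Redundant SEP: Yes
• Expansion Slots: N/A
• Upgradeable: N/A
• Memory: 256 MB
• Hardware Configuration: 2U
• Power Supply: Dual
• Client License: Unlimited
• LAN-to-LAN Connections (internal user database): 1000
• Dimensions (HxWxD): 3.5 x 17.5 x 14.5 in.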
Cisco VPN 3002 Hardware Client
• Hardware Processor: Motorola PowerPC processor; Dual flash image architecture
• Network Interfaces:
  CPVN3002-K9: One Public 10/100Mbps RJ-45 Ethernet Interface and One Private Port 10/100Mbps RJ-45 Ethernet Interface
  CVPN3002-8E-K9: One Public 10/100Mbps RJ-45 Ethernet Interface and Eight Private Port 10/100Mbps RJ-45 Ethernet Interfaces via AUTO-MDIX switch
• Physical Dimensions: 1.967 x 8.6 x 6.5 in. (5 x 8.6 x 16.51 cm)
• Power Supply: External AC Operation: 100-240V at 50/60 Hz with universal power factor correction; 4 foot cord included and international “pigtail” power cord selection
• Tunneling Protocol Support: IPsec with IKE key management
• Monitoring & Configuration: Event logging; SNMP MIB-II support; Embedded management interface is accessible via console port or local web browser; SSH/SSL
• Encryption Algorithms, Key Management & Authentication Algorithms: 56-bit DES (IPsec); 168-bit Triple DES (IPsec); AES 128 & 256-bit (IPsec)
• Authentication and Accounting Servers: Support for redundant external authentication servers including RADIUS, Microsoft NT Domain authentication, X.509v3 Digital Certs (PKCS7-PKCS10)
• Configuration Modes:
  Client Mode—acts as client, receives random IP address from Concentrator Pool; Uses NAPT to hide stations 3002; Network behind 3002 is unroutable; few configuration parameters
  Network Extension Mode—acts as site-to-site device; Uses NAPT to hide stations only to Internet (stations visible to central site); Network behind 3002 is routable; additional configuration parameters
Selected Part Numbers and Ordering Information
Cisco VPN 3000 Concentrator
• CVPN3005-E/FE-BUN: CVPN3005-E/FE hw set, sw, client, & US power cord
• CVPN3015-NR-BUN: CVPN3015-NR non-redundant hw set, sw, client, & US power cord
• CVPN3030-NR-BUN: CVPN3030-NR non-redundant hw set, sw, client, & US power cord
• CVPN3030-RED-BUN: CVPN3030-RED redundant hw set, sw, client, & US power cord
• CVPN3060-NR-BUN: CVPN3060-NR non-redundant hw set, sw, client, & US power cord
• CVPN3060-RED-BUN: CVPN3060-RED redundant hw set, sw, client, & US power cord
• CVPN3080-RED-BUN: CVPN3080-RED redundant hw set, sw, client, & US power cord
Cisco VPN 3000 Series Upgrades
• CVPN1530-UPG-RED: Cisco VPN 3015 To 3030 (Redundant) Upgrade Kit
• CVPN1560-UPG-NR: Cisco VPN 3015 To 3060 (Non-Redundant) Upgrade Kit
• CVPN1560-UPG-RED: Cisco VPN 3015 To 3060 (Redundant) Upgrade Kit
• CVPN1580-UPG-RED: Cisco VPN 3015 To 3080 (Redundant) Upgrade Kit
• CVPN3030-UPG-RED: Cisco VPN 3030 To 3080 (Redundant) Upgrade Kit
• CVPN3060-UPG-NR: Cisco VPN 3030 To 3060 (Non-Redundant) Upgrade Kit
• CVPN3080-UPG-R/R: Cisco VPN 3030 (Redundant) to 3080 (Redundant) Upgrade Kit
• CVPN3080-UPG-RED: Cisco VPN 3030 To 3080 (Redundant) Upgrade Kit
• CVPN3060-UPG-RED: Cisco VPN 3030 To 3060 (Redundant) Upgrade Kit
• CVPN6060-UPG-RED: Cisco VPN 3060 To 3060 (Redundant) Upgrade Kit
• CVPN6080-UPG-RED: Cisco VPN 3060 To 3080 (Redundant) Upgrade Kit
• CVPN3060-UPG-R/R: Cisco VPN 3030 (Redundant) to 3060 (Redundant) Upgrade Kit
• CVPN6080-UPG-R/R: Cisco VPN 3060 (Redundant) to 3080 (Redundant) Upgrade Kit
Cisco VPN 3000 Series Accessories
• CVPN3000-PWR=: Cisco VPN 3000 Concentrator Power Supply
Cisco VPN 3000 Series Basic Maintenance
• CON-SNT-PKG4: SMARTnet Maintenance for Cisco CVPN3005-E/FE-BUN
• CON-SNT-PKG8: SMARTnet Maintenance for Cisco CVPN3015-NR-BUN
• CON-SNT-PKG11: SMARTnet Maintenance for Cisco CVPN3030-NR-BUN
• CON-SNT-PKG13: SMARTnet Maintenance for Cisco CVPN3030-RED-BUN
• CON-SNT-PKG14: SMARTnet Maintenance for Cisco CVPN3060-RED-BUN
Cisco VPN Client
• CVPN-CLIENT-K9=: Cisco VPN Client CD (included with Concentrator purchase)
For More Information  
See the Cisco VPN 3000 series Web site: http://www.cisco.com/go/vpn3000  
Cisco VPN Security Router Bundles with Enhanced Integrated Network Security
The Cisco VPN Security Router Bundles are based on the Cisco 1700, 2600XM, 2691, 3600, 3700, and 7200 modular multiservice router platforms. A benefit to purchasing the bundles is a single part number when ordering a Cisco router with all the necessary VPN and Security components at a reduced price compared to ordering each component separately. Each VPN bundle can have optional modules added as needed. All bundles include the selected router platform, a VPN hardware card, additional memory, and the Cisco IOS® to run IPSec 3DES or AES encryption and IOS Firewall with IDS (Intrusion Detection System). In addition, the 2600XM and 3700 Series now have Advanced Security Network Modules available for URL Filtering and hardware-based IDS. Cisco 1700, 2600XM, 2691, 3600, and 3700 Series based Security bundles come pre-installed with Security Device Manager (SDM) for fast and easy deployment based on Cisco TAC and ICSA Labs recommended router security configurations.
When to Sell
Sell this product when a customer needs these features:

Cisco VPN Security Router Bundles
• Deploying VPN or routers and want to have future option for VPN
• Planning to use the Internet for remote business communications (remote access VPN)
• When migrating from leased lines to VPN
• Reduction of network equipment to manage
• Needs to integrate Voice and VPN Services (V3PN)
Specifications
Cisco VPN Security Router Bundles
• All Bundles Include: Firewall with IDS; GRE and IPSec; High Availability/Failover; VPN QoS; AES in Hardware (excluding C1700 Bundles)
• IPPCP Compression: Software: C1700 Bundles; Hardware: C2600XM, C2691-VPN, C3725-VPN, C3745-VPN, 7200 Bundles
• Max Tunnel: C1700: 100; C2600XM, C2691-VPN: 800; C3725-VPN, C3745-VPN: 2000; 7200 Bundles: 5000
For More Information  
See individual product pages for more detail (page 1-1).  
Cisco Intrusion Detection System (IDS) Network Sensors
Cisco integrated network security solutions enable organizations to protect productivity gains and reduce operating costs. The Cisco Intrusion Protection is designed to efficiently protect your data and information infrastructure. Cisco delivers four critical elements for an efficient intrusion protection system:
• Accurate threat detection—Cisco Intrusion Detection System Version 4.0 (Cisco IDS 4.0) delivers the first step in providing a secure environment by comprehensively detecting all potential threats
• Intelligent threat investigation—Cisco Threat Response technology virtually eliminates false alarms, and automatically determines which threats need immediate attention to avoid costly intrusions.
• Ease of management—Browser-based tools simplify the user interaction, while providing powerful analytical tools that allow for a rapid and efficient response to threats.
• Flexible deployment options—A range of high-availability devices provide the flexible backbone for creating the secure and efficient intrusion protection system.
The current Cisco IDS sensing portfolio includes the following sensor appliances: IDS 4215, IDS 4235, IDS 4250, and IDS 4250-XL. Additionally, Cisco IDS delivers solutions that are integrated into the Catalyst 6500 switch with the Intrusion Detection System Module (IDSM-2) and into the Cisco Access Routers with the IDS Network Module (NM-CIDS).
When to Sell
Sell this product when a customer needs these features:

Cisco IDS Network Sensors
• A distributed intrusion detection system capable of directing and forwarding alarms between local, regional, and headquarters-based monitoring consoles
• A scalable architecture to allow the deployment of large numbers of sensors in order to provide comprehensive security coverage in large network environments
• Cisco network IDS appliances (Cisco IDS 4200 Series Appliances) that can be deployed throughout the network with the ability to monitor multiple subnets using a single appliance through the support of multiple interfaces
• The Cisco IDS Switch Module (IDSM2) enables customers to perform both security monitoring and switching functions within the same chassis
• The Cisco IDS Network Module enables full features intrusion protection integrated into the Cisco Access Routers
• Broad performance range from 10 Mbps to 1 Gbps
• Automated false alarm reduction capabilities through CTR (Cisco Threat Response)
• Flexible IDS signature customization options
• Broad range of management and monitoring options to fit any environment.
• A robust, 24 hour x 7 day-a-week monitoring and response system with the latest attack detection capabilities
Key Features
• High-Speed Performance including support for full line rate gigabit environments
• Integrated solutions for the Cisco Catalyst Switch and Cisco Access Routers
• Easy Installation and Setup; Remote Configuration Capability
• Comprehensive Attack Database
• Notification actions; Automated response actions
• Comprehensive IDS Anti-Evasion Techniques
• Cisco IOS-like CLI for full featured IDS management capabilities
Competitive Products
• Internet Security Systems (ISS): RealSecure
• Symantec: Recourse Manhunt & ManTrap/NetProwler
• Enterasys: Dragon IDS
• Snort: IDS
• Tipping Point
• NAI: Intrushield
• Intrusion.com: SecureNet
• Network Flight Recorder, Inc.: NFR
• Netscreen: OneSecure IDP
Specifications  
IDS Network  
IDS Module Module  
Feature  
Performance  
Processor  
IDS-4215  
80 Mbps  
IDS-4235  
250 Mbps  
1.26 GHz  
IDS-4250  
500 Mbps  
IDS-4250-XL (IDSM-2)  
(NM-CIDS)  
45Mbps  
1000 Mbps  
600 Mbps  
850 MHz  
Dual 1.26 GHz  
Dual 1.26 GHz.  
Includes  
customized HW  
acceleration  
Custom Hardware 10-45 Mbps  
512 MB  
1 GB  
2 GB  
2 GB  
2 GB  
512 MB  
RAM  
Autosensing  
10/100 Base-T  
Ethernet,  
Autosensing  
10/100/1000  
Autosensing  
Dual  
PCI  
Internal  
Monitoring  
Interface  
10/100/1000BASE- 1000BASE-SX  
10-/100-Mbps  
Ethernet and  
external  
Base-T Ethernet TX (upgradable to interface with  
(upgradable to  
support up to 5  
monitoring  
(upgradable to  
support up to 5  
monitoring  
support up to 5  
monitoring  
interfaces)  
Optional  
MTRJ  
10-100-Mbps  
Ethernet  
interfaces)  
interfaces)  
1000-Base SX  
(fiber) supported  
with the SX model  
Autosensing  
10/100 Base-T  
Ethernet  
Autosensing  
Autosensing  
Autosensing  
PCI  
10/1010/100Base T  
Command &  
Control  
Interface  
10/100/1000Base- 10/100/1000Base- 10/100/1000Base-  
TX  
TX  
TX  
Selected Part Numbers and Ordering Information
Cisco IDS Network Appliance Sensor (footnote 1)
• IDS-4215-K9: Cisco IDS 4215 Sensor (chassis, software, SSH, 2 onboard 10/100 Base-T interfaces with RJ-45 connector) 80-Mbps
• IDS-4215-4FE-K9: Cisco IDS 4215 Sensor (chassis, software, SSH, 2 onboard 10/100BASE-Tx interfaces with RJ-45 connector plus 4FE interface card), 80-Mbps
• IDS-4235-K9: Cisco IDS 4235 Sensor (chassis, software, SSH, 10/100/1000BASE-T with RJ-45 connector, up to 200 Mbps)
• IDS-4250-TX-K9: Cisco IDS 4250 Sensor (chassis, software, SSH, 10/100/1000BASE-T with RJ-45 connector)
• IDS-4250-SX-K9: Cisco IDS 4250 Sensor (chassis, software, SSH, 1000BASE-SX with SC connector)
• IDS-4250-XL-K9: Cisco IDS 4250-XL Sensor (chassis, software, SSH, hardware accelerator with dual 1000BASE-SX and MTRJ connectors)
Cisco IDS Network Module for Cisco Access Routers
• IDS NM-CIDS: Cisco IDS Network Module, 20-GB IDE hard disk
1. This is only a small subset of all parts available via URL listed under “For More Information”. Some parts have restricted access or are not available through distribution channels. Resellers: For latest part number and pricing info, see the Distribution Product Reference Guide at: http://www.cisco.com/dprg (limited country availability).
Note
Export Considerations: The Cisco IDS 4215, Cisco IDS 4235, Cisco IDS 4250, Cisco IDS 4250-XL, Cisco IDSM-2 & Cisco IDS Network Module are subject to export controls. Please refer to the export compliance Web site at http://www.cisco.com/wwl/export/crypto for guidance. For specific export questions, please contact export@cisco.com.
For More Information  
See the Cisco IDS web site: http://www.cisco.com/go/ids  
See the Cisco IDS Management solutions web site: http://www.cisco.com/go/vms  
Cisco Security Agent  
The next-generation Cisco Security Agent network security software provides threat  
protection for server and desktop computing systems, also known as “endpoints.” The  
Cisco Security Agent goes beyond conventional host and desktop security solutions by  
identifying and preventing malicious behavior before it can occur, thereby removing  
potential known and unknown (“Day Zero”) security risks that threaten enterprise  
networks and applications. The Cisco Security Agent aggregates and extends multiple  
endpoint security functions by providing host intrusion prevention, distributed firewall,  
malicious mobile code protection, operating system integrity assurance, and audit log  
consolidation all within a single agent package.  
 
Because the Cisco Security Agent analyzes behavior rather than relying on signature matching, its solution provides robust protection with reduced operational costs. Customers require robust endpoint security that prevents security attacks from affecting the network and critical applications.
As a key component of the SAFE blueprint for secure e-business, the Cisco Security  
Agent provides unprecedented endpoint protection that enables businesses to participate  
in e-commerce securely and take advantage of the Internet economy.  
When to Sell
Sell this product when a customer needs these features:

Cisco Security Agent
• Host intrusion protection, distributed firewall, malicious mobile code protection, operating system hardening, file integrity and/or audit log consolidation. The Cisco Security Agent provides all of these features in one integrated package
• Protection against both known and unknown attacks
• Protection for servers and/or desktops/laptops
• A solution that is scalable to protect thousands of servers and desktops for large enterprise deployments
Key Features  
• Provides industry-leading protection for Unix and Windows servers  
• Open, extensible architecture offers the capability to define and enforce security  
according to corporate policy  
Competitive Products  
• Internet Security Systems (ISS)  
• Symantec: Intruder Alert  
• Enterasys: Squire  
• Sana Security: Primary Response  
• NAI: Entercept  
• NFR (Centrax)  
Specifications  
Feature: Platforms  
Cisco Security Server Agent  
• Windows 2000 Server and Advanced Server (up to Service Pack 3)  
• Windows NT v4.0 Server and Enterprise Server (Service Pack 5 or later)  
• Solaris 8 SPARC architecture (64-bit kernel)  
Cisco Security Desktop Agent  
• Windows NT v4.0 Workstation (Service Pack 5 or later)  
• Windows 2000 Professional (up to Service Pack 3)  
• Windows XP Professional (up to Service Pack 1)  
Cisco Security Agent Manager  
• Microsoft Windows 2000 Server and Advanced Server (up to SP 2)  
Selected Part Numbers and Ordering Information  
Cisco Security Agent Options  
CSA-SRVR-K9=  
Cisco Security Server Agent (Win + Sol), 1 Agent  
CSA-B10-SRVR-K9  
Cisco Security Server Agent (Win + Sol), 10 Agent Bundle  
CSA-B25-SRVR-K9  
Cisco Security Server Agent (Win + Sol), 25 Agent Bundle  
CSA-B50-SRVR-K9  
Cisco Security Server Agent (Win + Sol), 50 Agent Bundle  
CSA-B100-SRVR-K9  
Cisco Security Server Agent (Win + Sol), 100 Agent Bundle  
CSA-B25-DTOP-K9  
Cisco Security Desktop Agent (Win + Sol), 25 Agent Bundle  
CSA-B100-DTOP-K9  
Cisco Security Desktop Agent (Win + Sol), 100 Agent Bundle  
CSA-B250-DTOP-K9  
Cisco Security Desktop Agent (Win + Sol), 250 Agent Bundle  
CSA-B500-DTOP-K9  
Cisco Security Desktop Agent (Win + Sol), 500 Agent Bundle  
CSA-B1000-DTOP-K9  
Cisco Security Desktop Agent (Win + Sol), 1000 Agent Bundle  
CSA-PROFILER-K9  
Cisco Security Agent Profiler  
Note  
Export Considerations: The Cisco Security Agent is subject to  
export controls. Please refer to the export compliance Web site at  
http://www.cisco.com/wwl/export/crypto for guidance. For specific  
export questions, please contact export@cisco.com.  
For More Information  
See the Cisco Security Agent Web site: http://www.cisco.com/go/securityagent  
Cisco Secure Access Control Server (ACS) for Windows and Cisco  
Secure Access Control Solution Engine  
Cisco Secure Access Control Server (ACS) version 3.2 for Windows, a key component  
of Cisco’s Identity Based Networking Services (IBNS) architecture, extends access  
security by combining authentication, user/admin access and policy control from a  
centralized identity networking framework allowing for greater flexibility and mobility,  
increased security, and user productivity gains. Cisco Secure ACS also provides identity  
networking support for Cisco Structured Wireless Aware Networks (SWAN), as an  
extension of the local authentication provided on Cisco Aironet Access Points. ACS  
allows a network administrator to manage and administer user access for Cisco IOS®  
routers, virtual private networks (VPNs), firewalls, dial and broadband DSL, cable  
access solutions, storage, content, voice over IP (VoIP), Cisco wireless solutions, and  
Cisco Catalyst® switches via IEEE 802.1x access control.  
Version 3.2 introduces a new, secure, hardware-based offering for Cisco Secure ACS.  
The Cisco Secure ACS Solution Engine, a 1-rack-unit (1-RU) security-hardened  
solution engine with a preinstalled Cisco Secure ACS license, provides essentially the  
same features and functions as the Cisco Secure ACS for Windows, in a dedicated,  
application-specific solution engine package. Cisco Secure ACS Solution Engine  
provides a zero-touch installation and highly reliable AAA solution  
with increased total-cost-of-ownership protection through high availability and  
simplified day-to-day operation of the Cisco Secure ACS service.  
When to Sell  
Sell This Product  
Cisco Secure Access Control Server (ACS) for Windows and Cisco Secure Access Control  
Solution Engine  
When a Customer Needs These Features  
• Centrally manage who can log in to the network from wired or wireless connections  
• Privileges each user has in the network  
• Accounting information recorded in terms of security audits or account billing  
• What access and command controls are enabled for each configuration administrator  
• Virtual VSA for Aironet rekey  
• Secure server authentication and encryption  
• Simplified firewall access and control through Dynamic Port Assignment  
• Same User AAA services  
Key Features  
• Protected Extensible Authentication Protocol (PEAP) support for Microsoft®  
Windows and Cisco clients—Provides support for Microsoft® PEAP on Windows  
98, NT, 2000 and XP by supporting client authentication with MS-CHAPv2, and  
support for Cisco PEAP with one-time token authentication and support of  
non-MSCHAP end-user databases such as NDS and ODBC.  
• EAP mixed configurations—Allows flexible EAP settings to be set concurrently  
and processed per the 802.1X protocol presented by the end user. ACS supports  
PEAP-EAP-GTC (Cisco PEAP), PEAP-EAP-MSCHAPv2 (Microsoft® PEAP),  
EAP-TLS, EAP-MD5, and Cisco EAP Wireless (LEAP).  
• Accounting Support for Aironet—Supports user-based accounting from the  
Wireless Access Points when they are configured as RADIUS (Cisco Aironet)  
AAA clients.  
• EAP-TLS enhancements—Extends ACS PKI capabilities with the addition of  
EAP-TLS authentication against ODBC user databases, and EAP-TLS silent  
session resume support which prevents users from re-authenticating during a  
RADIUS session timeout.  
• Machine authentication support—Supports machine authentication by  
maintaining communication to a back end Windows Active Directory during boot  
time. ACS supports machine authentication using PEAP with MSCHAPv2 or  
EAP-TLS 802.1X authentication types.  
• LDAP Multithreading—Increases performance by processing multiple LDAP  
authentication requests in parallel rather than in sequential order.  
• Downloadable access control lists for VPN users—Allows administrators to  
define access control lists of any length, per user or group of users. It extends  
per-user access control list support to Cisco VPN solutions and PIX Firewall  
solutions.  
• Integration with Cisco’s security management software application—Provides a  
consolidated administrative TACACS+ control framework for many Cisco  
security management tools such as CiscoWorks VPN/Security Management  
Solution (VMS)  
Competitive Products  
• Funk: Steel Belted RADIUS  
• Nortel: Preside RADIUS Server (OEM of Funk product)  
• Lucent/Avaya: Security Management Server (LSMS)  
Specifications  
Feature  
Cisco Secure Access Control Server (ACS) for Windows  
Hardware¹  
• Pentium processor, 550 MHz or faster  
• 256 MB RAM  
• 250 MB free disk space, more if you are running your database on the same device  
• Minimum resolution of 800 x 600 with 256 colors  
1. Cisco Secure Access Control Server Solution Engine system specifications are available in the Product Literature  
Selected Part Numbers and Ordering Information  
Cisco Secure Access Control Server (ACS) for Windows¹  
CSACS-3.1-WIN-K9  
Cisco Secure ACS 3.1 for Windows  
CSACS-3.1-WINUP-K9  
Upgrade to CSACS 3.1 for Windows from ACS versions 1.x, 2.x, 3.0 and Cisco Secure ACS for Unix  
version 2.x  
CSACSE-1111-K9  
Cisco Secure ACS Solution Engine version 3.2; includes Cisco 1111 hardware platform and Cisco  
Secure Access Control Server software, version 3.2  
CSACSE-1111-UP-K9  
Upgrade for customers using Cisco Secure ACS 3.X for Windows or Cisco Secure ACS for Unix  
customers to the Cisco Secure ACS Solution Engine version 3.2; includes Cisco 1111 hardware  
platform and Cisco Secure Access Control Server software, version 3.2  
CSACS-3.2-WIN-K9  
Cisco Secure ACS 3.2 for Windows  
CSACS-3.2-WINUP-K9  
Upgrade to CSACS 3.1 for Windows from ACS versions 1.x, 2.x, 3.x and Cisco Secure ACS for Unix  
version 2.x  
1. This is only a small subset of all parts available via URL listed under “For More Information”. Some parts have  
restricted access or are not available through distribution channels. Resellers: For latest part number and pricing  
info, see the Distribution Product Reference Guide at: http://www.cisco.com/dprg (limited country availability).  
For More Information  
See the Cisco Secure ACS for Windows Web site: http://www.cisco.com/go/acs  
http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html  
Cisco Secure User Registration Tool  
Cisco Secure URT is a virtual LAN (VLAN) assignment service that provides LAN  
security by actively identifying and authenticating users and then associating them only  
to the specific network services and resources they need through dynamic VLAN  
assignments to Cisco Catalyst® Switch networks. URT v2.5 introduces many  
innovative features, including a Web-based logon from Windows, Macintosh, and Linux  
clients, RADIUS and Lightweight Directory Access Protocol (LDAP) authentication,  
and a secure link between the client and the VLAN Policy Server (VPS). It also includes  
a security feature based on the Media Access Control (MAC) address that prevents users  
from accessing the network if they are not using authorized machines. Web based LAN  
authentication allows for user mobility within the LAN environment.  
When to Sell  
Sell This Product  
Cisco Secure User  
Registration Tool (URT)  
When a Customer Needs These Features  
• Web-based LAN authentication for Windows, Macintosh, and Linux client platforms—ideal for mobile  
users within the LAN environment  
• Extended security to protect user access to the logon VLAN from unregistered PCs through MAC-based  
security option  
• RADIUS authentication and accounting support  
• Multiple user access per port  
Key Features  
• Web Client Logon Interface—Supports customizable Web-based authentication  
for Windows, Macintosh, and Linux client platforms  
• MAC-Based Security Option—Provides extended security to protect user access  
to the logon VLAN from unregistered PCs  
• RADIUS Authentication and Accounting Support—RADIUS authentication is  
offered for Web logon  
• Secure Link Between Cisco Secure URT Client and VPS Server—Security  
authentication and data encryption have been added to URT v2.5 to enable a more  
secure connection from the user  
• LDAP Support (Active Directory and NDS directories)—Cisco Secure URT v2.5  
supports Windows’ Active Directory and Novell’s NDS LDAP servers  
• Multiple Users Per Port—Previous versions of Cisco Secure URT support only a  
single user logon on a single port  
• Display of Windows NT Groups—The URT Administrator interface is enhanced  
to display the users belonging to a Windows NT group  
• MAC Address Events History—With URT v2.5 MAC-address-based logon/logoff  
events are added as an option and reported to the history events tool  
Specifications  
Feature  
Cisco Secure User Registration Tool (URT)  
Hardware  
Windows 2000 (SP2) server, professional, and Windows XP Professional-Min H/W (Pentium III, 512MB  
DRAM, 65 MB of disk space)  
Browser for Web Login  
Netscape version 4.79 and 6.2; IE version 5.5 (SP2) or 6.0  
Client Software Requirements  
Windows 98 (2ndE), Windows NT4 Workstation/Server (SP6A), Windows 2000 (SP2)  
Professional/server, Windows XP Professional, Windows XP Home (Web Client Only), Mac OS 10.1  
(Web client only), Linux Redhat/ SuSE/ Mandrake/ VA (Web Client only)-Min H/W for Web client  
(Pentium II, 256MB DRAM, 65 MB of disk space), Min H/W for traditional client (Pentium II, 64MB  
DRAM, 1MB of disk space)  
Supported Cisco Products (latest tested version)  
1900 series (1912, 1924), v9.00.05; C2800 series (2822, 2828), v9.00.05; C2900XL series (2908XL, 2916XL,  
2912XL, 2912LRE-XL, 2924XL, 2924LRE-XL), v12.0(5)WC3b; C2948GL3 series (2948GL3, 4232)  
v12.0(18)W5(22b); C2950 series, v12.1.6.EA2c; C3500XL series (3508XL, 3512XL, 3524XL, 3548XL, 3550XL),  
v12.0(5)WC3b; C3550 series, v12.1.8.EA1c; C4000 series (4003, 4006, 4912g), v7.1(2); C5000 series (2900,  
2926, 2948, 5000, 5002, 5500, 5505, 5509), v6.3(5); C6000 series (6006, 6009, 6506, 6509, 6513), v7.1(3)  
Selected Part Numbers and Ordering Information  
Cisco Secure User Registration Tool (URT)¹  
URT-2.5-K9  
Starter Kit: includes one (1) User Registration Tool 2.5 Software license, and one (1) Cisco 1101  
VLAN Policy Server (VPS) appliance  
URT-2.5-UP  
Software only; upgrades customers from URT 2.X to 2.5; includes upgrade for both URT Admin  
Server and Cisco 1100 VPS appliance  
URT-1101-HW-K9  
Hardware Only; Cisco 1101 VPS appliance; additional appliance needed for backup, use in  
distributed deployments, or deployments requiring Web logon capabilities  
1. This is only a small subset of all parts available via URL listed under “For More Information”. Some parts have  
restricted access or are not available through distribution channels.  
For More Information  
See the Cisco Secure User Registration Tool Web site: http://www.cisco.com/go/urt  
Cisco IOS Firewall  
The Cisco IOS Firewall enriches Cisco IOS Software security capabilities, integrating  
robust firewall functionality and intrusion detection for every network perimeter. When  
combined with Cisco IOS IPSec software and other Cisco IOS Software-based  
technologies such as L2TP tunneling and quality of service (QoS), it provides a  
complete, integrated virtual private network solution. Because it is available for a wide  
range of Cisco routers, it gives customers the flexibility to choose a solution that meets  
their bandwidth, LAN/WAN density, and multiservice requirements, while benefiting  
from advanced security.  
When to Sell  
Sell This Product  
Cisco IOS Firewall  
When a Customer Needs These Features  
• An integrated stateful firewall solution with powerful security and multiprotocol routing all on the same  
platform  
• Scalability options from the Cisco 800 up to the Cisco 7500 and the Catalyst 6000  
• Low cost solution where high performance is not a requirement  
• For secure extranet and intranet perimeters and Internet connectivity for branch and remote offices  
• Secure remote access or data transfer via a Cisco IOS Software-based VPN solution  
• Real-time (inline) integrated intrusion detection system (IDS) to complement firewall or existing IDS (Cisco  
Secure IDS)  
• Security and access to the network on a per-user basis  
Key Features  
• Context-based access control (CBAC) provides secure, stateful, application-based  
packet inspection, supporting the latest protocols and advanced applications  
• Intrusion detection for real-time inline monitoring, interception, and response to  
network misuse for 100 attack signatures  
• Supports URL filtering either locally on the router through exclusive domains or  
through external Websense and N2H2 servers  
• Dynamic, per-user authentication/authorization for LAN, WAN, and VPN clients  
• Authentication proxy for HTTPS, FTP, and Telnet connections  
• Supports Security Device Manager (SDM)  
• Graphical configuration and management via the VPN/Security Management  
Solution (VMS) and the IP Solution Center (ISC)  
• Provides strong perimeter security for a complete Cisco IOS Software-based VPN  
solution, including IPSec, QoS, and tunnelling  
Competitive Products  
• Nortel: BaySecure Firewall-1  
• Checkpoint, Nokia, Netscreen, etc  
Specifications  
Feature  
Cisco IOS Firewall  
Supported Network Interfaces  
All network interfaces on supported platforms  
Supported Platforms  
Cisco 1720, 2600/2600XM, 3600, 7100, and 7200 series router platforms (supports full feature set)  
Cisco 800, UBR900, 1600, and 2500 series router platforms include all firewall features with  
exception of intrusion detection and authentication proxy  
Simultaneous Sessions  
No maximum; dependent on platform, network connection, and traffic  
Part Numbers and Ordering Information  
For More Information  
See the Cisco IOS Firewall Feature Set Web site: http://www.cisco.com/go/csis  
Cisco 7100 Series  
The Cisco 7100 series VPN router is a high-end, integrated VPN solution that melds  
high-speed, industry-leading routing with a comprehensive suite of advanced  
site-to-site VPN services.  
The Cisco 7100 series VPN router integrates  
key features of VPNs—tunneling, data  
encryption, security, firewall, advanced bandwidth management, and service-level  
validation—to deliver self-healing, self-defending, VPN platforms that cost-effectively  
accommodate remote-office and extranet connectivity using public data networks. The  
Cisco 7100 series VPN router offers specific hardware configurations optimized for  
VPN applications and network topologies. Optional WAN and embedded Fast Ethernet  
interfaces combined with high-performance routing and rich VPN services provide  
turnkey VPN routing solutions.  
When to Sell  
Sell This Product  
When a Customer Needs These Features  
Cisco 7120  
• Entry-level Cisco 7100 Series Router designed for large branch or central site VPN with VPN services  
throughput of up to 50 Mbps  
• Designed primarily for site-to-site VPN deployments with incidental remote access requirements  
Cisco 7140  
• High-end site-to-site VPN platform for central site VPN applications with VPN services throughput up to  
140 Mbps  
• Provides superior routing and VPN services performance for central site environments, as well as dual  
power supplies for increased solution reliability  
Key Features  
• Comprehensive suite of VPN services—tunneling, data encryption, security,  
firewall, quality of service, and service level validation—integrated with industry  
leading routing  
• High performance RISC processor delivering high-speed, scalable VPN services  
and routing throughput and extensive memory for reliable, high-speed VPN  
services delivery  
• Dual autosensing 10/100BASE-T Fast Ethernet ports for connectivity to the  
corporate LAN; the Cisco 7120 Series also has an integrated 4-port T1/E1 serial  
WAN interface  
• Integrated Services Module (ISM) is included for support up to 2000 simultaneous  
tunneling sessions with 90 Mbps encryption performance and Windows  
95/98/NT4.0 and Windows 2000 compatibility for remote access; an optional  
Integrated Services Adapter (ISA) may be installed in the Cisco 7140 to provide  
dual encryption acceleration performance up to 3000 tunnels and 140 Mbps 3DES  
encryption throughput  
Competitive Products  
• Check Point: VPN-1 Appliance  
• Nokia: IP440  
• Nortel: Contivity 4500  
Specifications  
Feature (values for Cisco 7120 and Cisco 7140)  
Embedded Dual 10/100BASE-T Fast Ethernet Interfaces  
Cisco 7120: Autosensing, RJ-45  
Cisco 7140: Autosensing, RJ-45  
WAN Physical Interfaces  
Cisco 7120: EIA/TIA-232, EIA/TIA-449, X.21, V.35, EIA-530  
Cisco 7140: None  
WAN/LAN Interface Expansion Slot  
Cisco 7120: 1 slot  
Cisco 7140: 1 slot  
Supported Network and Services Port Adapters  
Cisco 7120:  
• Gigabit Ethernet 1000BASE-SX and 1000BASE-LX/LH  
• Fast Ethernet 100BASE-TX and 100BASE-FX  
• Fast Ethernet/ISL TX and ISL FX  
• Ethernet 10BASE-T and 10BASE-FL  
• Dedicated Token Ring  
• Multichannel T1 and E1  
• ATM  
• Synchronous Serial  
• HSSI  
• ISDN BRI  
• Packet over SONET OC3/STM1  
• Integrated Services Adapter (ISA)  
Cisco 7140: Same as Cisco 7120  
Service Module Slot  
Cisco 7120: 1 slot  
Cisco 7140: 1 slot  
Included Service Modules  
Cisco 7120: Integrated Services Module (ISM)  
Cisco 7140: Integrated Services Module (ISM)  
Console and Auxiliary Ports  
Cisco 7120: 1 of each, RJ-45 interface  
Cisco 7140: 1 of each, RJ-45 interface  
SDRAM  
Cisco 7120: 64 MB packet, 128 MB system (expandable to 256 MB)  
Cisco 7140: 64 MB packet, 128 MB system (expandable to 256 MB)  
Flash Memory  
Cisco 7120: 48 MB  
Cisco 7140: 48 MB  
PCMCIA Slots for Flash Memory  
Cisco 7120: 2  
Cisco 7140: 2  
Power Supply  
Cisco 7120: Single AC  
Cisco 7140: Dual AC  
Dimensions (HxWxD)  
Cisco 7120: 3.5 in. x 17.5 in. x 18.25 in.  
Cisco 7140: 3.5 in. x 17.5 in. x 18.25 in.  
Cisco IOS Software and Memory Requirements  
To run the Cisco IOS Software Feature Packs, you need, at a minimum, the amount of  
memory shown in the following table. Some configurations will require more than the  
recommended minimum.  
Feature Pack Description | IOS Image Release | Flash Memory Required | DRAM Memory Required | Distribution¹ Part Number  
IP IPSEC 56 | 12.1(6)E | 16MB | 64MB | CD71-CL-12.1.6E=  
IP IPSEC 3DES | 12.1(6)E | 16MB | 64MB | CD71-CK2-12.1.6E=  
IP/FW/IDS IPSEC 3DES | 12.1(6)E | 16MB | 64MB | CD71-CHK2-12.1.6E=  
Enterprise IPSEC 56 | 12.1(6)E | 16MB | 64MB | CD71-AL-12.1.6E=  
Enterprise IPSEC 3DES | 12.1(6)E | 16MB | 64MB | CD71-AK2-12.1.6E=  
Enterprise/FW/IDS IPSEC 3DES | 12.1(6)E | 16MB | 64MB | CD71-AHK2-12.1.6E=  
1. For the complete list of IOS Feature Sets, refer to the parts list, via the URL listed under “For More Information”. For  
users with CCO access, search by IOS feature or release via the Feature Navigator at http://www.cisco.com/go/fn  
Selected Part Numbers and Ordering Information  
Cisco 7100 Series Bundles—7120¹  
CISCO7120-4T1/VPN  
7120-4T1 VPN Bundle, ISM, 2xFE, AC PS, IPSEC DES  
C7120-4T1/VPN/K9  
7120-4T1 VPN Bundle, ISM, 2xFE, AC PS, IPSEC 3DES  
Cisco 7100 Series Bundles—7140  
CISCO7140-2FE/VPN  
7140-2FE VPN Bundle, ISM, 2xFE, 2xAC PS, IPSEC DES  
C7140-2FE/2VPN/K8  
7140-2FE VPN Bundle, ISM & ISA, 2xFE, 2xAC PS, IPSEC DES  
C7140-2FE/2VPN/K9  
7140-2FE VPN Bundle, ISM & ISA, 2xFE, 2xAC PS, IPSEC 3DES  
C7140-2FE/VPN/K9  
7140-2FE VPN Bundle, ISM, 2xFE, 2xAC PS, IPSEC 3DES  
Cisco 7100 Port Adapters  
PA-FE-TX  
1-port Fast Ethernet 100BaseTx Port Adapter  
PA-FE-FX  
1-port Fast Ethernet 100BaseFx Port Adapter  
PA-2FE-TX  
2-port Fast Ethernet 100BaseTx Port Adapter  
PA-2FE-FX  
2-port Fast Ethernet 100BaseFx Port Adapter  
PA-2FEISL-TX  
2-port Token Ring ISL 100BaseTx Port Adapter  
PA-2FEISL-FX  
2-port Token Ring ISL 100BaseFx Port Adapter  
PA-4E  
4-port Ethernet 10BaseT Port Adapter  
PA-8E  
8-port Ethernet 10BaseT Port Adapter  
PA-5EFL  
5-port Ethernet 10BaseFL Port Adapter  
PA-4T+  
4-port Serial Port Adapter, Enhanced  
PA-8T-V35  
8-port Serial, V.35 Port Adapter  
PA-8T-232  
8-port Serial, 232 Port Adapter  
PA-8T-X21  
8-port Serial, X.21 Port Adapter  
PA-4R-DTR  
4-port Dedicated Token Ring, 4/16Mbps, HDX/FDX Port Adapter  
PA-GE  
Gigabit Ethernet Port Adapter  
PA-H  
1-port HSSI Port Adapter  
PA-2H  
2-port HSSI Port Adapter  
PA-A3-T3  
1-port ATM Enhanced DS3 Port Adapter  
PA-A3-E3  
1-port ATM Enhanced E3 Port Adapter  
PA-A3-OC3MM  
1-port ATM Enhanced OC3c/STM1 Multimode Port Adapter  
PA-A3-OC3SMI  
1-port ATM Enhanced OC3c/STM1 Single mode (IR) Port Adapter  
PA-A3-OC3SML  
1-port ATM Enhanced OC3c/STM1 Single mode (LR) Port Adapter  
PA-4E1G/75  
4-port E1 G.703 Serial Port Adapter (75ohm/Unbalanced)  
PA-4E1G/120  
4-port E1 G.703 Serial Port Adapter (120ohm/Balanced)  
PA-E3  
1-port E3 Serial Port Adapter with E3 DSU  
PA-2E3  
2-port E3 Serial Port Adapter with E3 DSUs  
PA-T3  
1-port T3 Serial Port Adapter with T3 DSUs  
PA-2T3  
2-port T3 Serial Port Adapter with T3 DSUs  
PA-MC-2T1  
2-port multichannel T1 port adapter with integrated CSU/DSUs  
PA-MC-2E1/120  
2-port multichannel E1 port adapter with G.703 120ohm interf  
PA-MC-4T1  
4-port multichannel T1 port adapter with integrated CSU/DSUs  
PA-MC-8T1  
8-port multichannel T1 port adapter with integrated CSU/DSUs  
PA-MC-8E1/120  
8-port multichannel E1 port adapter with G.703 120ohm interf  
PA-POS-OC3MM  
1-port Packet/SONET OC3c/STM1 Multimode Port Adapter  
PA-POS-OC3SMI  
1-port Packet/SONET OC3c/STM1 Single mode (IR) Port Adapter  
PA-POS-OC3SML  
1-port Packet/SONET OC3c/STM1 Single mode (LR) Port Adapter  
SM-ISM  
Integrated Services Module for IPSec & MPPE encryption  
SA-ISA  
Integrated Services Adapter for IPSec or MPPE encryption  
PA-4B-U  
4-port BRI Port Adapter, U Interface  
PA-8B-S/T  
8-port BRI Port Adapter, S/T Interface  
1. This is only a small subset of all parts available via URL listed under “For More Information”. Some parts have  
restricted access or are not available through distribution channels.  
For More Information  
See the Cisco 7100 series Web site: http://www.cisco.com/go/7100  