User Guide
Page 2
... and 2651XM routers. "Secure Operation of the Cisco 2621XM/2651XM Router" specifically addresses the required configuration for the module Terminology In this document, the Submission Package contains: • Vendor Evidence document • Finite State Machine • Module Software Listing • Other supporting documentation as the routers, the modules, or the systems. Document Organization The Security...
User Guide
Page 4
... 0/0 (RJ-45) Auxiliary port Console (RJ-45) port (RJ-45) The Cisco 2621XM and 2651XM routers feature a console port, an auxiliary port, dual fixed LAN interfaces, a Network Module slot, and two WIC slots. mixed Token-Ring and Ethernet; Available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density...
User Guide
Page 7
...after authentication to the Crypto Officer role by providing a valid Crypto Officer username and password. The module supports RADIUS and TACACS+ for the configuration and maintenance of the Cisco 2621XM and 2651XM Routers can be at least 8 alphanumeric characters in the router that operators may...the online help for more information. The 2621XM/2651XM Router Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED ...
User Guide
Page 10
...role login, and can be zeroized by the Crypto Officer. Zeroized when IKE session is zeroized periodically. DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with self-adhesive backing. The word "OPEN" may be inspected for signs of tampering, which provides...CSP 2 3 CSP 3 Description Storage This is stored in Diffie-Hellman (DH) exchange. DRAM (plaintext) The shared secret within IKE exchange. The module supports the following : curled corners, bubbling, crinkling, rips, tears, and slices. This key is the seed key for DH and RSA key generation. ...
User Guide
Page 15
... Access Policy CSP 24 CSP 25 CSP 26 CSP 27 CSP 28 CSP 29 CSP 30 CSP 31 r dr w r r w d r r w d r r w d r w d r w d r w d r w d The module supports DES (only for legacy systems), 3DES, DES-MAC, TDES-MAC, AES, SHA-1, HMAC SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, RSA (for digital signatures and...encryption/decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15
User Guide
Page 16
... the router only allows plaintext traffic to pass through and no encrypted traffic is symmetric. AES KAT - HMAC SHA-1 KAT Cisco 2621XM and Cisco 2651XM Modular Access Routers with that created the keys, and the CO role is important to test the cryptographic components of a ... tunnels are directly associated with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 16 OL-6262-01 The 2621XM/2651XM Router The module supports three types of key management schemes: • Manual key exchange method that are run during startup and periodically during operations. The router...
Software Configuration Guide
Page 14
...Cisco 3600 Series Routers Hardware Installation Guide • Cisco 3620 and Cisco 3640 Modular Access Routers Quick Start Guide • Cisco 3660 Modular Access Router Quick Start Guide • Cisco Network Modules Hardware Installation Guide • Cisco WAN Interface Cards Hardware Installation Guide • Cisco...the Documentation CD-ROM, select Cisco Product Documentation. Tip To navigate up to specific documents are provided below, starting at http://www.cisco.com, under Service & Support, select Technical Documents and select Cisco Product Documentation. Access User ...
Software Configuration Guide
Page 37
...Completing the Configuration, page 2-23 • Where to Go Next, page 2-24 If you prefer to configure the router manually or you are supporting (for example, AppleTalk, IP, Novell IPX, and so on). Before Starting Your Router Before you power on your router and begin to use...Relay, HDLC, X.25, and so on) OL-1957-04 Software Configuration Guide for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers 2-1 Determine which network protocols you wish to configure a module or interface that is not included in the documentation appropriate to your PC terminal emulation ...
Software Configuration Guide
Page 59
.../dedicated) [switched]: dedi When in dds mode, the clock for sw56 module can be choose only when connected back to be set in dce mode. Choose clock from line/internal. The following clock rates are supported on this interface? [yes]: IP address for this interface: 1.0.0.1 Subnet mask...RETURN to the System Configuration Dialog. mask is /8 Completing the Configuration When you have provided all the information prompted for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers 2-23 Type setup to return to get started! If you answer yes, the configuration is saved and ...
Software Configuration Guide
Page 67
... for the DCE to send serial clock transmit (SCT) and serial clock receive (SCR) clock signals to the DTE, and for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers 3-7 If a DCE port is reporting a high number of phase. NRZI is the default; Exit back to the... to configure the DCE port to enable mode. All serial interfaces support both nonreturn to zero (NRZ) and nonreturn to configure. NRZ is commonly used with the Command-Line Interface Configuring Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards Command Step 12 Router(config-if)# dce-...
Software Configuration Guide
Page 74
...(config-if)# isdn spid2 spid-number [ldn] Note Although the LDN is usually a seven-digit telephone number plus some optional numbers, but Cisco recommends that you power it so the router can answer calls made to determine that ISDN service without SPIDs. In this mode, you might ...stored in NVRAM (for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers OL-1957-04 Two SPIDs are never sent the SPID. Configuring T1 and E1 Interfaces Chapter 3 Configuring with your router or network module, if any. The AT&T 5ESS switch type might support SPIDs, but service ...
Software Configuration Guide
Page 77
... channels for cards with 5 PVDMs installed) for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers 3-17 The MEL options help preserve CAS integrity on the number of PVDMs that support the following services: G.711, G.726, G.729a, and fax relay Each HDV network module can support only one type of channels that an HDV...
Software Configuration Guide
Page 88
... can perform the following optional configuration tasks, see the Multipoint Wireless Support for the Cisco 2600 and Cisco 3600 Series Routers feature module: • Specifying an alternative boot location • Configuring cable loss 3-28 Software Configuration Guide for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers OL-1957-04 If an interface is down...
Software Configuration Guide
Page 89
...can perform the following tests to a specified IP address. It supports Asynchronous Transfer Mode (ATM) Adaptation Layer 2 (AAL2) and AAL5 for the Cisco 2600 series and Cisco 3600 series platforms for the Cisco 2600 series and Cisco 3600 series routers. If an interface is displayed as a period ...the Alcatel Digital Subscriber Loop Access Multiplexer (DSLAM) and the Cisco 6130, Cisco 6160, and Cisco 6260 DSLAMs with Flexi-line cards. Check that the list includes the new interface. • Display all network modules and their interfaces with the show controllers command. • ...
Software Configuration Guide
Page 107
Chapter 3 Configuring with the Command-Line Interface Configuring the 1-Port HSSI Network Module • Supports speeds up to 52 Mbps • Supports a range of the Cisco IOS Release 11.3 Wide-Area Networking Configuration Guide. The default method is required; ATM-DXI... Configuration Guide for X.25-based encapsulations. Command interface hssi slot/port Specify HSSI Encapsulation The HSSI supports the serial encapsulation methods, except for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers 3-47 encapsulation {atm-dxi | hdlc | frame-relay | ppp | sdlc-...
Software Configuration Guide
Page 109
... majority of your traffic is offloaded from compressed data. To configure compression over PPP encapsulations. Configuring the Compression Network Module for the Cisco 3600 Series Routers Cisco 3640 and Cisco 3620 routers now support a compression port module that transmits at 56 kbps without compress transmits at 112 kbps with the Command-Line Interface Configuring the Compression...
User Guide
Page 4
Cisco 2621 Modular Access Routers BRI, and integrated CSU/DSU options for the power supply and a power switch. The AIM slot supports integration of the router's operation. The physical interfaces include power plug for primary and backup WAN connectivity, while available network modules support... multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial On Demand Routing, ideal for ...
User Guide
Page 18
... chassis versions. The physical interfaces include power plug for primary and backup WAN connectivity, while available network modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. mixed Token-Ring...supporting 115Kbps Dial On Demand Routing, ideal for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100Mbps, and half/full duplex LEDs. Cisco 2651 Modular Access Routers The Cisco 2600 series features single or dual fixed LAN interfaces, a network module slot, two Cisco...
User Guide
Page 27
... compromise the security of Supported Cards Network Modules Supported Cisco 2600 Series Supported Network Modules 1-Port DS3 ATM Network Module 1-Port DS3 ATM Network Module 1-Port E3 ATM Network Module 1-Port E3 ATM Network Module 16 port Asynchronous Module 16 port Asynchronous Module 32 port Asynchronous Module 32 port Asynchronous Module 4-Port Async/Sync Serial Network Module 4-Port Async/Sync Serial Network Module 4-Port ISDN-BRI...
User Guide
Page 29
...= NM-HDV-2E1-60 NM-HDV-2E1-60= Voice/Fax Network Modules Supported Cisco 2600 Voice/Fax Network Modules One-slot Voice/fax Network Module One-Slot Voice/fax Network Module-Spare Two-Slot Voice/fax Network Module Two-Slot Voice/fax Network Module-Spare Part Number NM-1V NM-1V= NM-2V NM-2V= ...Voice/Fax Interface Card for Voice/Fax Modules Supported Cisco 2600 Voice/Fax Interface Card ...