Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation
Version 2.4
November 19, 2004

Introduction

This is the non-proprietary Cryptographic Module Security Policy for the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 routers. This security policy describes how the routers meet the security requirements of FIPS 140-2, and how to operate the routers in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 certification of the routers.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

This document contains the following sections:
· Introduction
· The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers
· Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers
· Related Documentation
· Obtaining Documentation
· Documentation Feedback
· Obtaining Technical Assistance
· Obtaining Additional Publications and Information

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.

References

This document deals only with operations and capabilities of the 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources:
· The Cisco Systems website contains information on the full line of products at www.cisco.com.
  - The 1700 Series product descriptions can be found at: http://www.cisco.com/en/US/products/hw/routers/ps221/index.html
  - The 2600 Series product descriptions can be found at: http://www.cisco.com/en/US/products/hw/routers/ps259/index.html
  - The 3700 Series product descriptions can be found at: http://www.cisco.com/en/US/products/hw/routers/ps282/index.html
  - The 7200 Series product descriptions can be found at: http://www.cisco.com/en/US/products/hw/routers/ps341/index.html
· For answers to technical or sales-related questions, please refer to the contacts listed on the Cisco Systems website at www.cisco.com.
· The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module.

Terminology

In this document, the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 routers are referred to as the routers, the modules, or the systems.

Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:
· Vendor Evidence document
· Finite State Machine
· Module Software Listing
· Other supporting documentation as additional references

This document provides an overview of the routers and explains the secure configuration and operation of the modules. This introduction section is followed by the "The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers" section, which details the general features and functionality of the routers. The "Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers" section specifically addresses the required configuration for the FIPS mode of operation.
Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary Security Policy, OL-6083-01

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Certification Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers

Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and by merging the voice and data infrastructure to reduce costs. The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 modular multi-service routers offer versatility, integration, and security to branch offices. With numerous WAN Interface Cards (WICs) and Network Modules (NMs) available, the modular architecture of the Cisco router easily allows interfaces to be upgraded to accommodate network expansion.

The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements as a multiple-chip embedded module.

This section describes the general features and functionality provided by the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 routers. Additional adapters (e.g., WICs and other modules) are excluded from the validation. It contains the following subsections:
· The Cisco 1721/1760 Cryptographic Module
· Cisco 1721 and 1760 Module Interfaces
· The Cisco 2621XM/2651XM Cryptographic Module
· Cisco 2621XM and 2651XM Module Interfaces
· The Cisco 2691 Cryptographic Module
· Cisco 2691 Module Interfaces
· The Cisco 3725/3745 Cryptographic Module
· Cisco 3725 and 3745 Module Interfaces
· The Cisco 7206 VXR NPE-400 Cryptographic Module
· Cisco 7206 VXR NPE-400 Module Interfaces
· Roles and Services
· Physical Security
· Cryptographic Key Management
· Self-Tests

The Cisco 1721/1760 Cryptographic Module

Figure 1  The Cisco 1721 and Cisco 1760 Routers (photograph of the two front panels; panel labels not reproduced)

The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a WIC; and the inverse of the three-dimensional space within the case that would be occupied by an installed WIC. The cryptographic boundary includes the connection apparatus between the WIC and the motherboard/daughterboard that hosts the WIC, but the boundary does not include the WIC itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular WICs. All of the functionality discussed in this document is provided by components within this cryptographic boundary.
The 1760 requires that a special opacity shield be installed over the right-hand side air vents in order to operate in FIPS-approved mode. The shield decreases the effective size of the vent holes, reducing visibility within the cryptographic boundary to FIPS-approved specifications. The shield is self-adhering to the side of the chassis. To install the shield, remove it from its paper backing and apply the shield to the chassis, aligning the holes on the shield with the vent holes on the side of the chassis. Figure 2 demonstrates the proper application of the shield.

Figure 2  Cisco 1760 Opacity Shield Application

Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP) make the Cisco 1700 an ideal platform for building virtual private networks or outsourced dial solutions. The Cisco 1700's RISC-based processor provides the power needed for the dynamic requirements of the remote branch office.

Cisco 1721 and 1760 Module Interfaces

The interfaces for the router are located on the rear panel of the Cisco 1721 and the front panel of the Cisco 1760, as shown in Figure 3.

Figure 3  Cisco 1721 and Cisco 1760 Physical Interfaces (1721 rear panel callouts: Kensington-compatible locking socket, WIC 0 slot, WIC 1 slot, console port, auxiliary port, 10/100-Mbps Ethernet port, power switch, power socket, WIC 0 OK, WIC 1 OK, MOD OK and FDX/100/LINK LEDs; 1760 front panel callouts: WIC/VIC slots 0 and 1, VIC slots 2 and 3 (voice interface cards only), console port, auxiliary port, Ethernet port, power LED, OK LED, MOD OK LED, PVDM 0/1 OK LEDs, slot LEDs, Ethernet LEDs)

The Cisco 1721 and 1760 routers feature console and auxiliary ports, single fixed LAN interfaces, two Cisco WAN interface card (WIC) slots on the 1721, and two WIC slots and two Voice interface card (VIC) slots on the 1760. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity. All Cisco 1700 series routers include an auxiliary port supporting 115 Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity.

A WIC is inserted into one of the WIC slots, which are located on the back panel of the 1721 and the front panel of the 1760. WICs interface directly with the processor and cannot perform cryptographic functions; they only serve as a data input and data output physical interface.

The physical interfaces include a power plug for the power supply and a power switch. The router has one Fast Ethernet (10/100 RJ-45) connector for data transfers in and out.
The module also has two other RJ-45 connectors on the back panel for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN port has Link/Activity, 10/100 Mbps, and half/full duplex LEDs.

Figure 4 shows the LEDs located on the rear panel of the Cisco 1721 with descriptions detailed in Table 1:

Figure 4  Cisco 1721 Rear Panel LEDs (callouts: WIC 0 OK LED, WIC 1 OK LED, MOD OK LED, FDX/100/LINK LEDs)

Table 1  Cisco 1721 Rear Panel LEDs and Descriptions

LED | Indication | Description
WIC 0 OK | Green | A WIC is correctly inserted in the card slot
WIC 0 OK | Off | No WIC present / WIC incorrectly inserted in the card slot
WIC 1 OK | Green | A WIC is correctly inserted in the card slot
WIC 1 OK | Off | No WIC present / WIC incorrectly inserted in the card slot
FDX | Green | The interface is transmitting data in full-duplex mode
FDX | Off | The interface is transmitting data in half-duplex mode
100 Mbps | Green | The speed of the interface is 100 Mbps
100 Mbps | Off | The speed of the interface is 10 Mbps or no link is established
LINK | Green | An Ethernet link has been established
LINK | Off | No Ethernet link established
MOD OK | Green | VPN hardware encryption module is installed and recognized by Cisco IOS
MOD OK | Off | VPN hardware encryption module not installed / not recognized by Cisco IOS

Figure 5 shows the front panel LEDs of the 1721 and 1760, which provide overall status of the router's operation. The front panel of the 1721 displays whether or not the router is booted, overall activity/link status, and collision information. The front panel of the 1760 displays whether or not the router is booted, overall activity/link status, collision information, and specific information for each installed interface.

Figure 5  Cisco 1721 and 1760 Front Panel LEDs (1721: PWR, OK, WIC0 ACT/CH0, WIC0 ACT/CH1, WIC1 ACT/CH0, WIC1 ACT/CH1, ETH ACT, ETH COL; 1760: PWR, OK, PVDM 0 OK, PVDM 1 OK, MOD OK, SLOT 0 to SLOT 3 OK/0/1, ACT, COL, FDX, 100, LINK)

Table 2 and Table 3 provide more detailed information conveyed by the LEDs on the front panel of the Cisco 1721 and 1760 routers:

Table 2  Cisco 1721 Front Panel LEDs and Descriptions

LED | Indication | Description
PWR | Green | Power is supplied to the router
PWR | Off | The router is not powered on
OK | Green | The router has successfully booted up and the software is functional. This LED blinks during the power-on self-test (POST)
OK | Off | The router has not successfully booted up
WIC 0 ACT/CH0 | Green | Serial and DSU/CSU cards: blinks when data is being sent to or received from the port on the card in the WIC0 slot. ISDN cards: on solid when the first ISDN B channel is up for the card in the WIC0 slot. 2-port serial cards: blinks when data is being sent to or received from the first port on the 2-port card in the WIC0 slot
WIC 0 ACT/CH1 | Green | Serial and CSU/DSU cards: remains off. ISDN cards: on solid when the second ISDN B channel is up for the card in the WIC0 slot. 2-port serial cards: blinks when data is being sent to or received from the second port on the 2-port card in the WIC0 slot
WIC 1 ACT/CH0 | Green | Serial and DSU/CSU cards: blinks when data is being sent to or received from the port on the card in the WIC1 slot. ISDN cards: on solid when the first ISDN B channel is up for the card in the WIC1 slot. 2-port serial cards: blinks when data is being sent to or received from the first port on the 2-port card in the WIC1 slot
WIC 1 ACT/CH1 | Green | Serial and CSU/DSU cards: remains off. ISDN cards: on solid when the second ISDN B channel is up for the card in the WIC1 slot. 2-port serial cards: blinks when data is being sent to or received from the second port on the 2-port card in the WIC1 slot
ETH ACT | Green | Blinks when there is network activity on the Ethernet port
ETH COL | Yellow | Blinks when there are packet collisions on the local Ethernet network

Table 3  Cisco 1760 Front Panel LEDs and Descriptions

LED | Indication | Description
PWR | Green | Power is supplied to the router
PWR | Off | The router is not powered on
OK | Green | The router has successfully booted up and the software is functional. This LED blinks during the power-on self-test (POST)
OK | Off | The router has not successfully booted up
PVDM 0 OK | Green | On when a packet voice data module (PVDM) is correctly inserted in PVDM card slot 0
PVDM 1 OK | Green | On when a packet voice data module (PVDM) is correctly inserted in PVDM card slot 1
MOD OK | Green | On when a VPN module is present
FDX | Green | The interface is transmitting data in full-duplex mode
FDX | Off | The interface is transmitting data in half-duplex mode
100 Mbps | Green | The speed of the interface is 100 Mbps
100 Mbps | Off | The speed of the interface is 10 Mbps or no link is established
LINK | Green | An Ethernet link has been established
LINK | Off | No Ethernet link established
SLOT 0 OK | Green | On when either a WIC or a VIC is correctly inserted in the card slot
SLOT 0, LED 0 | Green | ISDN: on when the first ISDN B channel is connected. Serial, CSU/DSU, and VIC: blinks when data is being sent to or received from port 0 in slot 0. For the VIC-2BRI-ST-NT/TE, blinks when data is being sent to or received from any of the B channels
SLOT 0, LED 1 | Green | ISDN: on when the second ISDN B channel is connected. Serial and VIC: blinks when data is being sent to or received from port 1 in slot 0
SLOT 1 OK | Green | On when either a WIC or a VIC is correctly inserted in the card slot
SLOT 1, LED 0 | Green | ISDN: on when the first ISDN B channel is connected. Serial, CSU/DSU, and VIC: blinks when data is being sent to or received from port 0 in slot 1
SLOT 1, LED 1 | Green | ISDN: on when the second ISDN B channel is connected. Serial and VIC: blinks when data is being sent to or received from port 1 in slot 1
SLOT 2 OK | Green | On when a VIC is correctly inserted in the card slot
SLOT 2, LED 0 | Green | VIC: blinks when data is being sent to or received from port 0 in slot 2
SLOT 2, LED 1 | Green | VIC: blinks when data is being sent to or received from port 1 in slot 2
SLOT 3 OK | Green | On when a VIC is correctly inserted in the card slot
SLOT 3, LED 0 | Green | VIC: blinks when data is being sent to or received from port 0 in slot 3
SLOT 3, LED 1 | Green | VIC: blinks when data is being sent to or received from port 1 in slot 3

All of these physical interfaces are mapped to the logical interfaces defined by FIPS 140-2 as described in Table 4:

Table 4  Cisco 1721 and Cisco 1760 FIPS 140-2 Logical Interfaces

Router Physical Interface | FIPS 140-2 Logical Interface
10/100BASE-TX LAN Port, WIC/VIC Interface, Console Port, Auxiliary Port | Data Input Interface
10/100BASE-TX LAN Port, WIC/VIC Interface, Console Port, Auxiliary Port | Data Output Interface
10/100BASE-TX LAN Port, WIC/VIC Interface, Power Switch, Console Port, Auxiliary Port | Control Input Interface
10/100BASE-TX LAN Port, WIC/VIC Interface, LAN Port LEDs, 10/100BASE-TX LAN Port LEDs, Power LED, Activity LED, Console Port, Auxiliary Port | Status Output Interface
Power Plug | Power Interface

The Cisco 2621XM/2651XM Cryptographic Module

Figure 6  The Cisco 2621XM/2651XM Router (photograph; front panel shows the POWER, RPS, and ACTIVITY LEDs)

The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a WIC or Network Module; and the inverse of the three-dimensional space within the case that would be occupied by an installed WIC or Network Module.
The cryptographic boundary includes the connection apparatus between the WIC or Network Module and the motherboard/daughterboard that hosts the WIC or Network Module, but the boundary does not include the WIC or Network Module itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular WICs or Network Modules. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. The Cisco 2600's RISC-based processor provides the power needed for the dynamic requirements of the remote branch office, achieving wire speed Ethernet to Ethernet routing with up to 30 thousand packets per second (Kpps) throughput capacity for the 2621XM, and 40 Kpps for the 2651XM.

Cisco 2621XM and 2651XM Module Interfaces

The interfaces for the router are located on the rear panel as shown in Figure 7.

Figure 7  Cisco 2621XM and Cisco 2651XM Physical Interfaces (callouts: WIC slots W0 and W1, Network Module slot, 10/100BASE-T Ethernet 0/1 (RJ-45), 10/100BASE-T Ethernet 0/0 (RJ-45), auxiliary port (RJ-45), console port (RJ-45), power inlet)

The Cisco 2621XM and 2651XM routers feature a console port, an auxiliary port, dual fixed LAN interfaces, a Network Module slot, and two WIC slots. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet; and single Token Ring chassis versions. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity. Available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. All Cisco 2600 series routers include an auxiliary port supporting 115 Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity.

When a Network Module is inserted, it fits into an adapter called the Network Module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the Network Module (just as they don't pass through the LAN ports). Network modules do not perform any cryptographic functions.

WICs are similar to Network Modules in that they greatly increase the router's flexibility. A WIC is inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters will pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and data output physical interface.

The physical interfaces include a power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors on the back panel for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100 Mbps, and half/full duplex LEDs.

Figure 8 shows the LEDs located on the rear panel with descriptions detailed in Table 5:

Figure 8  Cisco 2621XM and Cisco 2651XM Rear Panel LEDs (callouts: 100 Mbps, Link, and FDX LEDs for 10/100 Ethernet 0/1 and 0/0; 10/100BASE-T Ethernet 0/1 and 0/0 ports (RJ-45); auxiliary port (RJ-45); console port (RJ-45))

Table 5  Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions

LED | Indication | Description
LINK | Green | An Ethernet link has been established
LINK | Off | No Ethernet link established
FDX | Green | The interface is transmitting data in full-duplex mode
FDX | Off | The interface is transmitting data in half-duplex mode
100 Mbps | Green | The speed of the interface is 100 Mbps
100 Mbps | Off | The speed of the interface is 10 Mbps or no link is established

Figure 9 shows the front panel LEDs, which provide overall status of the router's operation. The front panel displays whether or not the router is booted, if the redundant power is (successfully) attached and operational, and overall activity/link status.

Figure 9  Cisco 2621XM and Cisco 2651XM Front Panel LEDs (POWER, RPS, ACTIVITY)

Table 6 provides more detailed information conveyed by the LEDs on the front panel of the router:

Table 6  Cisco 2621XM and Cisco 2651XM Front Panel LEDs and Descriptions

LED | Indication | Description
Power | Green | Power is supplied to the router and the router is operational
Power | Off | The router is not powered on
RPS (1) | Green | RPS is attached and operational
RPS (1) | Off | No RPS is attached
RPS (1) | Blink | RPS is attached, but has a failure
Activity | Off | In the Cisco IOS software, but no network activity
Activity | Blink (500 ms ON, 500 ms OFF) | In ROMMON, no errors
Activity | Blink (500 ms ON, 500 ms OFF, 2 sec between codes) | In ROMMON, error detected
Activity | Blink (less than 500 ms) | In the Cisco IOS software, the blink rate reflects the level of activity

1. RPS = Redundant Power System

All of these physical interfaces are mapped to the logical interfaces defined by FIPS 140-2 as described in Table 7:

Table 7  Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces

Router Physical Interface | FIPS 140-2 Logical Interface
10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port | Data Input Interface
10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port | Data Output Interface
10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Power Switch, Console Port, Auxiliary Port | Control Input Interface
10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, LAN Port LEDs, 10/100BASE-TX LAN Port LEDs, Power LED, Redundant Power LED, Activity LED, Console Port, Auxiliary Port | Status Output Interface
Power Plug | Power Interface

The Cisco 2691 Cryptographic Module

Figure 10  The Cisco 2691 Router (photograph with network modules and WICs installed; faceplate labels not reproduced)

The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a WIC or Network Module; and the inverse of the three-dimensional space within the case that would be occupied by an installed WIC or Network Module. The cryptographic boundary includes the connection apparatus between the WIC or Network Module and the motherboard/daughterboard that hosts the WIC or Network Module, but the boundary does not include the WIC or Network Module itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular WICs or Network Modules. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. The Cisco 2600's RISC-based processor provides the power needed for the dynamic requirements of the remote branch office, achieving wire speed Ethernet to Ethernet routing with up to 70 thousand packets per second (Kpps) throughput capacity.
Cisco 2691 Module Interfaces The interfaces for the router are located on the rear panel as shown in Figure 11. Figure 11 Cisco 2691 Physical Interfaces 4 6 9 NM-HDV AL BANK 4 VWIC 2MFT-E1 LP BANK 3 CD SEE BANK 2 CTRLR MANUAL BEFORE BANK 1 E2 INSTALLATI BANK 0 TD RD CTRLR ON LP E1 AL CD V0 SEE MANU AL BEFO DSU TD RE INSTA RD LLATION LP 56K EN AL CD SEE MANU AL BEFO DSU RE INSTA LLATION 56K SEE MANU AL BEFO RE INSTA LLATION 99500 1 2 7 3 5 8 The Cisco 2691 router features console and auxiliary ports, dual fixed LAN interfaces, a Network Module slot, two Cisco WAN interface card (WIC) slots, and a Compact Flash slot. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet; and single Token Ring chassis versions. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity, while available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. The AIM slot supports integration of advanced services such as hardware-assisted data compression and encryption. All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity. When a Network Module is inserted, it fits into an adapter called the Network Module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the Network Module (just as they don't pass through the LAN ports). Network modules do not perform any cryptographic functions. 
Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary 14 OL-6083-01 The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers WICs are similar to Network Modules in that they greatly increase the router's flexibility. A WIC is inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters will pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and data output physical interface. The physical interfaces include a power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors on the back panel for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100Mbps, and half/full duplex LEDs. 
Figure 12 shows the LEDs located on the rear panel with descriptions detailed in Table 8: Figure 12 Cisco 2691 Rear Panel LEDs TD RD LP AL CD SEE MA NUAL BE DSU FO TD RE INSTA RD LLATION LP 56K AL CD ACT 100 Mbps SEE MA NUAL BE DSU FO RE INSTA LINK ACT LLATION 56K CF1 100 Mbps FAST ETH ERNET LINK 0/1 FAST ETH SEE MA ERNET NUAL BE 0/0 FORE INSTA LLATION CF1 CISCO2 691 FastEthernet 0/1 LED CONSOL E 99501 AUX FastEthernet 0/0 Compact ACT LED Flash Console 100 Mbps LED slot port LINK LED Auxiliary port Table 8 Cisco 2691 Rear Panel LEDs and Descriptions LED Indication Description LINK On An Ethernet link has been established Off No Ethernet link established ACT On The interface is transmitting or receiving packets Off The interface is not transmitting or receiving packets 100 Mbps On The speed of the interface is 100 Mbps Off The speed of the interface is 10 Mbps or no link is established CF1 On The Flash device is being accessed in either READ or WRITE mode Off The Flash device is not being accessed Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01 15 The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers Figure 13 shows the front panel LEDs, which provide overall status of the router's operation. The front panel displays whether or not the router is booted, if the redundant power is (successfully) attached and operational, and overall activity/link status. 
Figure 13 Cisco 2691 Front Panel LEDs (figure not reproduced; it shows the PWR, SYS, ACT and RPS LEDs)

Table 9 provides more detailed information conveyed by the LEDs on the front panel of the router.

Table 9 Cisco 2691 Front Panel LEDs and Descriptions

PWR
  On              Power is supplied to the router
  Off             The router is not powered on
SYS/RPS
  Rapid blinking  System is booting
  Slow blinking   System error
  On              System OK
ACT
  Off             No system activity
  Blinking        System activity

All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 10.

Table 10 Cisco 2691 FIPS 140-2 Logical Interfaces

FIPS 140-2 Logical Interface  Router Physical Interface(s)
Data Input Interface          10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port, Compact Flash slot
Data Output Interface         10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port, Compact Flash slot
Control Input Interface       10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Power Switch, Console Port, Auxiliary Port
Status Output Interface       10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, LAN Port LEDs, 10/100BASE-TX LAN Port LEDs, Power LED, Activity LED, Console Port, Auxiliary Port
Power Interface               Power Plug

The Cisco 3725/3745 Cryptographic Module

Figure 14 The Cisco 3725 and Cisco 3745 Routers (figure not reproduced; it shows the rear of both chassis populated with network modules and WAN interface cards)

The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a WIC or Network Module; and the inverse of the three-dimensional space within the case that would be occupied by an installed WIC or Network Module. The cryptographic boundary includes the connection apparatus between the WIC or Network Module and the motherboard/daughterboard that hosts the WIC or Network Module, but the boundary does not include the WIC or Network Module itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular WICs or Network Modules. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) make the Cisco 3700 an ideal platform for building virtual private networks or outsourced dial solutions.
The Cisco 3700's RISC-based processor provides the power needed for the dynamic requirements of the remote branch office, achieving wire-speed Ethernet-to-Ethernet routing with up to 100 thousand packets per second (Kpps) throughput capacity for the 3725, and 225 Kpps for the 3745.

Cisco 3725 and 3745 Module Interfaces

The interfaces for the router are located on the rear panel as shown in Figure 15.

Figure 15 Cisco 3725 and Cisco 3745 Physical Interfaces (figure not reproduced; its numbered callouts are listed below)

1 Interface Card Slots
2 Network Modules
3 Power Supply
4 FastEthernet 0/0
5 FastEthernet 0/1
6 Compact Flash Slot
7 Auxiliary Port
8 Console Port

The Cisco 3725 and 3745 routers feature console and auxiliary ports, dual fixed LAN interfaces, two network module slots on the 3725 and four on the 3745, three Cisco WAN interface card (WIC) slots, and a Compact Flash slot. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token Ring and Ethernet; and single Token Ring chassis versions. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity, while available network modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. All Cisco 3700 series routers include an auxiliary port supporting 115 Kbps Dial-On-Demand Routing, ideal for backup WAN connectivity.

When a network module is inserted, it fits into an adapter called the network module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the network module (just as they do not pass through the LAN ports). Network modules do not perform any cryptographic functions.

WICs are similar to network modules in that they greatly increase the router's flexibility. A WIC is inserted into one of the three WIC slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters pass through them. WICs cannot perform cryptographic functions; they serve only as a data input and data output physical interface.

The physical interfaces include a power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out.
The module also has two other RJ-45 connectors on the back panel: a console port for a local terminal and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100 Mbps, and half/full duplex LEDs. Figure 16 shows the LEDs located on the rear panel, with descriptions detailed in Table 11 and Table 12.

Figure 16 Cisco 3725 and Cisco 3745 Rear Panel LEDs (figure not reproduced; its callouts label the FastEthernet 0/0 and 0/1 LEDs and the CF LED on both routers, and the POWER, SYSTEM, ETM, NPA, AIM0 and AIM1 LEDs on the Cisco 3745)

Table 11 Cisco 3725 Rear Panel LEDs and Descriptions

CF
  Solid or blinking green  Do not eject Compact Flash (CF); device is busy
  Off                      CF can be ejected; device is idle
FastEthernet 0/0 ACT and FastEthernet 0/1 ACT
  Solid or blinking green  Interface receiving packets
  Off                      Interface not receiving packets
FastEthernet 0/0 LINK and FastEthernet 0/1 LINK
  Solid green              An Ethernet link has been established
  Off                      No Ethernet link established
FastEthernet 0/0 100Mbps and FastEthernet 0/1 100Mbps
  Solid green              The speed of the interface is 100 Mbps
  Off                      The speed of the interface is 10 Mbps or no link is established

Table 12 Cisco 3745 Rear Panel LEDs and Descriptions

POWER
  Solid green              Operating voltages on the mainboard are within acceptable ranges
  Off                      An error condition is detected in the operating ranges
SYS
  Solid green              Router operating normally
  Blinking green           Router running ROM monitor; no errors detected
  Amber                    Router receiving power but malfunctioning
  Off                      Router not receiving power
CF
  Solid or blinking green  Do not eject Compact Flash (CF); device is busy
  Off                      CF can be ejected; device is idle
FastEthernet 0/0 ACT and FastEthernet 0/1 ACT
  Solid or blinking green  Interface receiving packets
  Off                      Interface not receiving packets
FastEthernet 0/0 LINK and FastEthernet 0/1 LINK
  Solid green              An Ethernet link has been established
  Off                      No Ethernet link established
FastEthernet 0/0 100Mbps and FastEthernet 0/1 100Mbps
  Solid green              The speed of the interface is 100 Mbps
  Off                      The speed of the interface is 10 Mbps or no link is established
ETM
  Solid green              Enhanced timing module (ETM) present and enabled
  Amber                    ETM present with failure
  Off                      ETM not present
NPA
  Not used                 Reserved for future development
AIM0 and AIM1
  Solid green              Advanced Integration Module (AIM) present and enabled
  Amber                    AIM present with failure
  Off                      AIM not present

Figure 17 Cisco 3725 and Cisco 3745 Front Panel LEDs (figure not reproduced; its callouts label the PWR, SYS/RPS and ACT LEDs on the Cisco 3725 and the SYS, ACT, SYS PS1, SYS PS2, -48V PS1 and -48V PS2 LEDs on the Cisco 3745)

Figure 17 shows the front panel LEDs, which provide the overall status of the router's operation. The front panel displays whether or not the router is booted, whether the redundant power supply is (successfully) attached and operational, and overall activity/link status. Table 13 and Table 14 provide more detailed information conveyed by the LEDs on the front panel of the routers.

Table 13 Cisco 3725 Front Panel LEDs and Descriptions

PWR
  Solid green               Router is receiving power
  Off                       Router is not receiving power
SYS/RPS
  Solid green               System is operating normally
  Rapid blinking            System is booting up or in ROM monitor mode
  Blinking once per second  Redundant power system has failed
  Off                       Router is not receiving power
ACT
  Blinking                  System is actively transferring packets
  Off                       No packet transfers are occurring

Table 14 Cisco 3745 Front Panel LEDs and Descriptions

SYS
  Solid green              System is operating normally
  Blinking green           Running ROM monitor with no errors detected
  Amber                    Router is receiving power but malfunctioning
  Off                      Router is not receiving power
ACT
  Solid or blinking green  System is receiving interrupts, or is actively transferring packets
  Off                      No interrupts or packet transfers are occurring
SYS PS1 and SYS PS2
  Solid green              Power supply installed and operating normally
  Amber                    Power supply installed and powered off, or fault condition occurred
  Off                      Power supply not present, or failed
-48V PS1 and -48V PS2
  Solid green              -48V power module installed and operating normally
  Amber                    -48V power module installed and powered off, or fault condition occurred
  Off                      -48V power module not present, or failed

All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 15.

Table 15 Cisco 3725 and Cisco 3745 FIPS 140-2 Logical Interfaces

FIPS 140-2 Logical Interface  Router Physical Interface(s)
Data Input Interface          10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port, Compact Flash slot
Data Output Interface         10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port, Compact Flash slot
Control Input Interface       10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Power Switch, Console Port, Auxiliary Port
Status Output Interface       10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, LAN Port LEDs, 10/100BASE-TX LAN Port LEDs, Power LED, System LED, Activity LED, Console Port, Auxiliary Port
Power Interface               Power Plug

In addition to the built-in interfaces, the router also accepts over 100 network cards that can optionally be placed in an available slot. These network cards have many embodiments, including multiple Ethernet, Token Ring, and modem cards to handle Frame Relay, ATM, and ISDN connections.

The Cisco 7206 VXR NPE-400 Cryptographic Module

The cryptographic boundary is defined as encompassing the "top," "backplane," "left," "right," and "bottom" surfaces of the case; all portions of the "front" of the case which are not designed to accommodate a port adapter; and the inverse of the three-dimensional space within the case that would be occupied by an installed port adapter.
The cryptographic boundary includes the connection apparatus between the port adapter and the motherboard/daughterboard that hosts the port adapter, but the boundary does not include the port adapter itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular port adapters. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

The Cisco 7206VXR supports multi-protocol routing and bridging with a wide variety of protocols and port adapter combinations available for Cisco 7200 series routers. The Cisco 7206VXR has six slots for port adapters, one slot for an input/output (I/O) controller, and one slot for a network processing engine or network services engine.

Figure 18 The Cisco 7206 VXR NPE-400 Router (figure not reproduced; its callouts label the port adapters and port adapter levers, the I/O controller, the PC card slots, the auxiliary and console ports, and the optional Fast Ethernet port with its MII and RJ-45 receptacles)

The NPE-400 uses an RM7000 microprocessor that operates at an internal clock speed of 350 MHz. The NPE-400 uses SDRAM for storing all packets received or sent from network interfaces. The SDRAM memory array in the system allows concurrent access by port adapters and the processor.
The NPE-400 has three levels of cache: a primary and a secondary cache that are internal to the microprocessor, and a tertiary 4-MB external cache that provides additional high-speed storage for data and instructions.

The Cisco 7206VXR router comes equipped with one 280W AC-input power supply. (A 280W DC-input power supply option is available.) A power supply filler plate is installed over the second power supply bay. A fully configured Cisco 7206VXR router operates with only one installed power supply; however, a second, optional power supply of the same type provides hot-swappable, load-sharing, redundant power.

Cisco 7206 VXR NPE-400 Module Interfaces

The interfaces for the router are located on the front panel Input/Output (I/O) Controller, with the exception of the power switch and power plug. The module has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors: a console port for a local terminal and an auxiliary port for remote system access or dial backup using a modem.

Figure 19 shows the front panel LEDs, which provide the overall status of the router's operation. The front panel displays whether or not the router is booted, whether the redundant power supply is attached and operational, and overall activity/link status.

Figure 19 Cisco 7206 VXR NPE-400 I/O Controller (figure not reproduced; it shows the dual Fast Ethernet I/O controller C7200-I/O-2FE/E with its ENABLED, IO PWR OK, SLOT 0, SLOT 1, LINK and 100 Mbps LEDs, the FE/E 0 and 1 ports, the PCMCIA slots, and the AUX and CONSOLE ports)

Table 16 provides detailed information conveyed by the LEDs on the front panel of the I/O Controller.
Table 16 Cisco 7206 VXR NPE-400 Front Panel LEDs and Descriptions

Enabled
  Green  Indicates that the network processing engine or network services engine and the I/O controller are enabled for operation by the system; however, it does not mean that the Fast Ethernet port on the I/O controller is functional or enabled. This LED goes on during a successful router boot and remains on during normal operation of the router.
IO POWER OK
  Amber  Indicates that the I/O controller is on and receiving DC power from the router midplane. This LED comes on during a successful router boot and remains on during normal operation of the router.
  Off    Powered off or failed.
Slot 0 and Slot 1
  Green  These LEDs indicate which PC Card slot is in use, coming on when either slot is being accessed by the system. They remain off during normal operation of the router.
Link
  Green  Indicates that the Ethernet RJ-45 receptacle has established a valid link with the network.
  Off    This LED remains off during normal operation of the router unless there is an incoming carrier signal.
100 Mbps
  Green  Indicates that the port is configured for 100-Mbps operation (speed 100), or, if configured for autonegotiation (speed auto), that the port has detected a valid link at 100 Mbps.
  Off    If the port is configured for 10-Mbps operation, or if it is configured for autonegotiation and the port has detected a valid link at 10 Mbps, the LED remains off.

All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 17.
Table 17 Cisco 7206 VXR NPE-400 FIPS 140-2 Logical Interfaces

FIPS 140-2 Logical Interface  Router Physical Interface(s)
Data Input Interface          10/100BASE-TX LAN Port, Port Adapter Interface, Console Port, Auxiliary Port, PCMCIA Slot
Data Output Interface         10/100BASE-TX LAN Port, Port Adapter Interface, Console Port, Auxiliary Port, PCMCIA Slot
Control Input Interface       Power Switch, Console Port, Auxiliary Port
Status Output Interface       10/100BASE-TX LAN Port LEDs, Enabled LED, PCMCIA LEDs, IO Pwr Ok LED, Console Port, Auxiliary Port
Power Interface               Power Plug

In addition to the built-in interfaces, the router also accepts additional port adapters that can optionally be placed in an available slot. These port adapters have many embodiments, including multiple Ethernet, Token Ring, and modem cards to handle Frame Relay, ATM, and ISDN connections.

Roles and Services

Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while Users exercise only the basic User services. Both roles are authenticated by providing a valid username and password. The configuration of the encryption and decryption functionality is performed only by the Crypto Officer after authentication to the Crypto Officer role by providing a valid Crypto Officer username and password. Once the Crypto Officer has configured the encryption and decryption functionality, the User can use this functionality after authentication to the User role by providing a valid User username and password. The Crypto Officer can also use the encryption and decryption functionality after authentication to the Crypto Officer role. The module supports RADIUS and TACACS+ for authentication, and they are used in the FIPS mode.
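The password rule this section places on both roles and on the RADIUS/TACACS+ shared secrets (at least 8 alphanumeric characters) and the single-guess probability it quotes for an 8-digit no-repetition PIN can be checked mechanically before a router is declared to be in FIPS mode. The following Python is an added example written for this page; it is not Cisco's code and not part of the security policy. It audits a constructed IOS-style configuration fragment (the hostname, addresses and secrets are invented) for plaintext secrets that fall short of the rule, and computes the guess probability for the digit-only and full alphanumeric cases. The line forms it recognises (enable/username lines with a type-0 secret, and radius-server/tacacs-server host lines with a key) are assumptions about how the secrets appear; only plaintext (type 0) entries can be checked, so the audit has to run over the configuration as it is entered, not over a copy in which the secrets are already hashed.

```python
import re
from fractions import Fraction
from math import perm

# Policy stated in this security policy: User and Crypto Officer passwords
# and RADIUS/TACACS+ shared secrets are at least 8 alphanumeric characters.
MIN_LENGTH = 8
ALNUM = re.compile(r"[0-9A-Za-z]+")
DIGITS = 10                  # 0-9
ALNUM_SIZE = 10 + 26 + 26    # digits plus upper- and lower-case letters


def guess_probability(alphabet_size, length, repetition=True):
    """Probability that a single random guess matches a secret of this shape.

    With repetition the space is alphabet_size**length; without it (the
    document's 8-digit PIN with no digit repeated) it is the number of
    ordered selections, alphabet_size P length.
    """
    space = alphabet_size ** length if repetition else perm(alphabet_size, length)
    return Fraction(1, space)


def meets_policy(secret):
    """True if the secret satisfies the 8-alphanumeric-character minimum."""
    return len(secret) >= MIN_LENGTH and ALNUM.fullmatch(secret) is not None


# Assumed IOS-style line forms carrying a type-0 (plaintext) secret. Only
# plaintext entries can be checked; hashed or obscured secrets are skipped.
_SECRET_PATTERNS = (
    (re.compile(r"enable (?:secret|password) 0 (\S+)"),
     lambda m: "enable"),
    (re.compile(r"username (\S+) (?:privilege \d+ )?(?:password|secret) 0 (\S+)"),
     lambda m: "username " + m.group(1)),
    (re.compile(r"(radius-server|tacacs-server) host (\S+).* key (?:0 )?(\S+)"),
     lambda m: m.group(1) + " " + m.group(2)),
)


def extract_secrets(config_text):
    """Return (label, secret) pairs for every plaintext secret recognised."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, label in _SECRET_PATTERNS:
            m = pattern.match(line)
            if m:
                found.append((label(m), m.groups()[-1]))
                break
    return found


def audit(config_text):
    """Return the (label, secret) pairs that violate the policy."""
    return [(label, s) for label, s in extract_secrets(config_text)
            if not meets_policy(s)]


# Constructed sample configuration; hostname, addresses and secrets are invented.
SAMPLE_CONFIG = """\
hostname fips-router
enable secret 0 Kx9mTq2vL8
username cryptoofficer privilege 15 secret 0 G7hQw3pZ9r
username user1 password 0 short1
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key 0 R4diusKeY1
tacacs-server host 10.0.0.6 key tac-secret!
"""

if __name__ == "__main__":
    print("digits, no repetition :", guess_probability(DIGITS, 8, repetition=False))
    print("alphanumeric          :", guess_probability(ALNUM_SIZE, 8))
    for label, secret in audit(SAMPLE_CONFIG):
        print("policy violation:", label, repr(secret))
```

Run against the sample, the audit flags the User password (too short) and the TACACS+ key (contains non-alphanumeric characters), while the digit-only calculation reproduces the 1 in 1,814,400 figure quoted in this section.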
A complete description of all the management and configuration capabilities of the Cisco routers can be found in the Performing Basic System Management manuals and in the online help for the routers. The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See the "Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers" section on page 42 for more information.

If only the integers 0-9 are used without repetition for an 8-digit PIN, there are 10 x 9 x 8 x 7 x 6 x 5 x 4 x 3 = 1,814,400 possible sequences, so the probability of randomly guessing the correct sequence in a single attempt is 1 in 1,814,400. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.

Crypto Officer Services

During initial configuration of the router, the Crypto Officer password (the "enable" password) is defined. A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:

· Configure the router--define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.

· Define Rules and Filters--create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
· Status Functions--view the router configuration, routing tables, and active sessions; use SNMP Gets to view MIB II statistics, health, temperature, memory status, voltage, and packet statistics; review accounting logs; and view physical interface status.

· Manage the router--log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.

· Set Encryption/Bypass--set up the configuration tables for IP tunneling. Set the keys and algorithms to be used for each IP range, or allow plaintext packets to be sent from specified IP addresses.

· Change WAN Interface Cards/Network Modules--insert and remove WICs or NMs as described in the second bullet in the "Initial Setup" section on page 43 of this document.

User Services

A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:

· Status Functions--view the state of interfaces, the state of layer 2 protocols, and the version of IOS currently running

· Network Functions--connect to other network devices through outgoing telnet, PPP, etc., and initiate diagnostic network services (e.g., ping, mtrace)

· Terminal Functions--adjust the terminal session (e.g., lock the terminal, adjust flow control)

· Directory Services--display the directory of files kept in flash memory

Physical Security

The router is entirely encased by a thick steel chassis. WIC slots, on-board LAN connectors, Console/Auxiliary connectors, power cable connections, and power switches are provided on the router.
Specific portions of the chassis may be removed to allow access to the motherboard, memory, and expansion slots. Any WIC or other module slot which is not populated with a WIC or a module must be populated with an appropriate slot cover in order to operate in a FIPS-compliant mode. Slot covers are included with each router, and additional covers may be ordered from Cisco. The same procedure described below for applying tamper-evidence labels to WICs and other modules must also be followed to apply tamper-evidence labels to the slot covers. Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows.

To apply serialized tamper-evidence labels to the Cisco 1721:

Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper-evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.

Step 2 Place the first label on the router as shown in Figure 20. The label should be placed so that one half covers the top half of the right side of the enclosure and the other half covers the bottom half of the right side of the router. Any attempt to remove the enclosure will leave tamper evidence.

Step 3 Place the second label on the router as shown in Figure 20. The label should be placed so that one half covers the top half of the left side of the enclosure and the other half covers the bottom half of the left side of the router. Any attempt to remove the enclosure will leave tamper evidence.

Step 4 Place the third label on the router as shown in Figure 20. The label should be placed so that one half covers the enclosure and the other half covers the left WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.

Step 5 Place the fourth label on the router as shown in Figure 20. The label should be placed so that one half covers the enclosure and the other half covers the right WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.

Step 6 The labels completely cure within five minutes.

To apply serialized tamper-evidence labels to the Cisco 1760:

Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper-evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.

Step 2 Place the first label on the router as shown in Figure 20. The label should be placed so that one half covers the right side of the enclosure and the other half covers the right side of the front of the router. Any attempt to remove the enclosure will leave tamper evidence.

Step 3 Place the second label on the router as shown in Figure 20. The label should be placed so that one half covers the left side of the enclosure and the other half covers the left side of the front of the router. Any attempt to remove the enclosure will leave tamper evidence.

Step 4 Place the third label on the router as shown in Figure 20. The label should be placed so that one half covers the bottom of the enclosure and the other half covers the first WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.

Step 5 Place the fourth label on the router as shown in Figure 20.
The tamper evidence label should be placed so that the half of the label covers the bottom of the enclosure and the other half covers the second WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 6 Place the fifth label on the router as shown in Figure 20. The tamper evidence label should be placed so that the half of the label covers the bottom of the enclosure and the other half covers the third WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 7 Place the sixth label on the router as shown in Figure 20. The tamper evidence label should be placed so that the half of the label covers the bottom of the enclosure and the other half covers the fourth WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 8 The labels completely cure within five minutes. Figure 20 Cisco 1721 and Cisco 1760 Tamper Evidence Label Placement RD CD TD AL LP PWR DSU WIC0 ACT/CH WIC1 56K 0 ACT/CH 0 ETH ACT Cisco SEE MANUAL BEFORE INSTALLATION OK ACT/CH 1700 1 ACT/CH SER 1 IES COL ROU TER Model 10/100 ETHERNET AUX WIC 0 OK FDX 100 LINK MOD OK WIC 1 OK +5, +12, -12 VDC Cisco 1721 CONSOLE 99394 PWR OK PVDM 0 PVDM 1 OK MOD OK SLOT 0 OK 0 1 OK SLOT 1 0 OK 1 ACT COL Cisco 170 FDX 100 LINK 10/100 ETHE 0 Series RNET AUX SLOT 2 0 1 OK SLOT 3 0 OK 1 To apply serialized tamper-evidence labels to the Cisco 2621XM and Cisco 2651XM: Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C. Step 2 Place the first label on the router as shown in Figure 21. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. 
Step 3 Place the second label on the router as shown in Figure 21. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 4 Place the third label on the router as shown in Figure 21. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the Network Module slot. Any attempt to remove a Network Module will leave tamper evidence.
Step 5 Place the fourth label on the router as shown in Figure 21. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers one WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 6 Place the fifth label on the router as shown in Figure 21. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the other WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 7 The labels completely cure within five minutes.

Figure 21 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement [figure not reproduced in the text; only the panel markings survived extraction]

To apply serialized tamper-evidence labels to the Cisco 2691:
Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.
Step 2 Place the first label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the right side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 3 Place the second label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the left side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 4 Place the third label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the Network Module slot. Any attempt to remove a Network Module will leave tamper evidence.
Step 5 Place the fourth label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the left WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 6 Place the fifth label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the middle WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 7 Place the sixth label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the right WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 8 Place the seventh label on the router as shown in Figure 22. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the Compact Flash slot. Any attempt to remove a CF card will leave tamper evidence.
Step 9 The labels completely cure within five minutes.

Figure 22 Tamper Evidence Label Placement [figure not reproduced in the text; only the network module and WIC faceplate markings survived extraction]

To apply tamper-evidence labels to the Cisco 3725:
Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.
Step 2 Place the first label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the right side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 3 Place the second label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the left side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 4 Place the third label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the top double-sized Network Module slot. Any attempt to remove a network module will leave tamper evidence.
Step 5 Place the fourth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the bottom Network Module slot. Any attempt to remove a network module will leave tamper evidence.
Step 6 Place the fifth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the left WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 7 Place the sixth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the middle WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 8 Place the seventh label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the right WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 9 Place the eighth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the Compact Flash slot. Any attempt to remove a CF card will leave tamper evidence.
Step 10 The labels completely cure within five minutes.

To apply tamper-evidence labels to the Cisco 3745:
Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose.
The temperature of the router should be above 10°C.
Step 2 Place the first label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the right side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 3 Place the second label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the left side of the router. Any attempt to remove the enclosure will leave tamper evidence.
Step 4 Place the third label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the top-left Network Module slot. Any attempt to remove a network module will leave tamper evidence.
Step 5 Place the fourth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the bottom-left Network Module slot. Any attempt to remove a network module will leave tamper evidence.
Step 6 Place the fifth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the top-right Network Module slot. Any attempt to remove a network module will leave tamper evidence.
Step 7 Place the sixth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the bottom-right Network Module slot. Any attempt to remove a network module will leave tamper evidence.
Step 8 Place the seventh label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the left WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 9 Place the eighth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the middle WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 10 Place the ninth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the right WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence.
Step 11 Place the tenth label on the router as shown in Figure 23. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the Compact Flash slot. Any attempt to remove a CF card will leave tamper evidence.
Step 12 The labels completely cure within five minutes.
Figure 23 Cisco 3725 and Cisco 3745 Tamper Evidence Label Placement [figure not reproduced in the text; only the network module and WIC faceplate markings survived extraction]

To apply tamper-evidence labels to the Cisco 7206 VXR NPE-400:
Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.
Step 2 Place the first label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the 7206 VXR NPE-400 Input/Output Controller.
Step 3 Place the second label on the router as shown in Figure 24. The tamper evidence label should be placed over the Flash PC Card slots on the Input/Output Controller.
Step 4 Place the third label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 1.
Step 5 Place the fourth label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 2.
Step 6 Place the fifth label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 3.
Step 7 Place the sixth label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 4.
Step 8 Place the seventh label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 5.
Step 9 Place the eighth label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 6.
Step 10 Place the ninth label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the network processing engine.
Step 11 Place the tenth label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the power supply plate.
Step 12 Place the eleventh label on the router as shown in Figure 24. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the redundant power supply plate.
Step 13 The labels completely cure within five minutes.

Figure 24 Cisco 7206 VXR NPE-400 Tamper Evidence Label Placement [figure not reproduced in the text; callouts recovered: port adapters, blank port adapter, I/O controller, PC Card slots, auxiliary port, console port, optional Fast Ethernet port (MII receptacle and RJ-45 receptacle), chassis grounding receptacles, internal fans, power supply filler plate, AC-input receptacle, network processing engine, AC-input power supply, power switch]

The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the router or remove components will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence seals have non-repeated serial numbers, they may be inspected for damage and compared against the serial numbers recorded when they were applied to verify that the module has not been tampered with. Tamper evidence seals can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "OPEN" may appear if the label was peeled back.
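The inspection the policy describes (compare the serial number on each label against the number recorded when it was applied, confirm every label is present, and look for the listed signs of tampering) as an added example that is not part of the Cisco document: a small Python seal-log check. The required label counts per platform are taken from the procedures above; the record layout, the serial-number format, the position names and the inspection report are constructed for illustration and are not Cisco's.

```python
"""Reconcile a tamper-evidence seal inspection against the seal record.

Added example, not code from the Cisco security policy. Label counts per
platform come from the procedures above; everything else is constructed.
"""
from dataclasses import dataclass

# Serialized labels each procedure above applies to a chassis.
REQUIRED_LABELS = {
    "1721": 4, "1760": 6, "2621XM": 5, "2651XM": 5,
    "2691": 7, "3725": 8, "3745": 10, "7206VXR-NPE400": 11,
}

# Visible conditions the policy lists as signs of tampering.
TAMPER_SIGNS = {"curled corners", "bubbling", "crinkling", "rips", "tears", "slices", "OPEN"}


@dataclass(frozen=True)
class Finding:
    position: str   # label position on the chassis; "*" means the whole record
    problem: str


@dataclass
class SealRecord:
    platform: str
    labels: dict    # position -> serial number written down at application time


def validate_record(record):
    """Check the application-time record: right label count, no repeated serial."""
    findings = []
    required = REQUIRED_LABELS[record.platform]
    if len(record.labels) != required:
        findings.append(Finding("*", f"{len(record.labels)} labels recorded, procedure requires {required}"))
    first_seen = {}
    for position, serial in record.labels.items():
        if serial in first_seen:   # labels carry non-repeated serials, so this is a recording error
            findings.append(Finding(position, f"serial {serial} already recorded at {first_seen[serial]}"))
        else:
            first_seen[serial] = position
    return findings


def inspect_seals(record, observed):
    """Compare an inspection report with the record.

    observed maps position -> (serial read off the label, or None if the label
    is gone, list of visible conditions). Every recorded position must be seen,
    every serial must match, and no listed tamper sign may be present.
    """
    findings = validate_record(record)
    for position, expected in record.labels.items():
        if position not in observed:
            findings.append(Finding(position, "position not inspected"))
            continue
        serial, conditions = observed[position]
        if serial is None:
            findings.append(Finding(position, "label missing"))
        elif serial != expected:
            findings.append(Finding(position, f"serial {serial} does not match recorded {expected}"))
        signs = TAMPER_SIGNS.intersection(conditions)
        if signs:
            findings.append(Finding(position, "tamper signs: " + ", ".join(sorted(signs))))
    for position in observed:
        if position not in record.labels:
            findings.append(Finding(position, "label at a position not in the record"))
    return findings


# Constructed record for a Cisco 2691 (seven labels, Steps 2 to 8 above).
EXAMPLE_RECORD = SealRecord(platform="2691", labels={
    "enclosure / right side": "SN-000101",
    "enclosure / left side": "SN-000102",
    "network module slot": "SN-000103",
    "WIC slot left": "SN-000104",
    "WIC slot middle": "SN-000105",
    "WIC slot right": "SN-000106",
    "compact flash slot": "SN-000107",
})

# Constructed inspection report: the middle WIC label has been replaced by one
# with a different serial, and the Compact Flash label shows two tamper signs.
EXAMPLE_INSPECTION = {
    "enclosure / right side": ("SN-000101", []),
    "enclosure / left side": ("SN-000102", []),
    "network module slot": ("SN-000103", []),
    "WIC slot left": ("SN-000104", []),
    "WIC slot middle": ("SN-000205", []),
    "WIC slot right": ("SN-000106", []),
    "compact flash slot": ("SN-000107", ["curled corners", "OPEN"]),
}


def example_findings():
    """Run the constructed inspection; returns the list of Finding objects."""
    return inspect_seals(EXAMPLE_RECORD, EXAMPLE_INSPECTION)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.position}: {f.problem}")
```

Two findings come back for the constructed report: the swapped serial on the middle WIC slot and the tamper signs on the Compact Flash label. A serial that matches but was never recorded, or a recorded position that the inspector skipped, is also reported, because a label that was never logged gives no evidence either way.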
Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. Keys are entered either manually (manual key exchange) or electronically via Internet Key Exchange (IKE). The module supports the following critical security parameters (CSPs):

Table 18 Critical Security Parameters

#  | CSP Name | Description | Storage
1  | CSP 1  | The seed key for the X9.31 PRNG. This key is stored in DRAM and updated periodically after the generation of 400 bytes; hence, it is zeroized periodically. The operator can also turn off the router to zeroize this key. | DRAM (plaintext)
2  | CSP 2  | The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext)
3  | CSP 3  | The shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | DRAM (plaintext)
4  | CSP 4  | Same as above. | DRAM (plaintext)
5  | CSP 5  | Same as above. | DRAM (plaintext)
6  | CSP 6  | Same as above. | DRAM (plaintext)
7  | CSP 7  | The IKE session encryption key. Zeroization is the same as above. | DRAM (plaintext)
8  | CSP 8  | The IKE session authentication key. Zeroization is the same as above. | DRAM (plaintext)
9  | CSP 9  | The RSA private key. The "crypto key zeroize" command zeroizes this key. | NVRAM (plaintext)
10 | CSP 10 | The key used to generate the IKE skeyid during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. This key can have two forms, depending on whether the key is associated with the hostname or with the IP address. | NVRAM (plaintext)
11 | CSP 11 | This key generates keys 3, 4, 5 and 6. It is zeroized after generating those keys. | DRAM (plaintext)
12 | CSP 12 | The RSA public key used to validate signatures within IKE. These keys expire either when the CRL (certificate revocation list) expires or 5 seconds afterwards if no CRL exists. After that expiration, and before a new public key structure is created, this key is deleted. This key does not need to be zeroized because it is a public key; however, it is zeroized as described here. | DRAM (plaintext)
13 | CSP 13 | The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. | NVRAM (plaintext)
14 | CSP 14 | The IPSec encryption key. Zeroized when the IPSec session is terminated. | DRAM (plaintext)
15 | CSP 15 | The IPSec authentication key. Zeroization is the same as above. | DRAM (plaintext)
16 | CSP 16 | The RSA public key of the CA. "no crypto ca trust