© Copyright 2006 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
The Cisco 7206VXR NPE-G1 and 7301 routers incorporate the VPN Acceleration Module 2+ (VAM2+)
cryptographic accelerator card. The VAM2+ is a single-width acceleration module that provides high-
performance, hardware-assisted tunneling and encryption services suitable for virtual private network
(VPN) remote access, site-to-site intranet, and extranet applications and is installed in an available port
adapter slot. It also provides platform scalability and security while working with all services necessary for
successful VPN deployments--security, quality of service (QoS), firewall and intrusion detection, and
service-level validation and management. The VAM2+ off-loads IPSec processing from the main processor,
thus freeing resources on the processor engines for other tasks.
Module Validation Level
The following table lists the level of validation for each area in FIPS PUB 140-2.
No.  Area Title                                                Level
1    Cryptographic Module Specification                        2
2    Cryptographic Module Ports and Interfaces                 2
3    Roles, Services, and Authentication                       2
4    Finite State Model                                        2
5    Physical Security                                         2
6    Operational Environment                                   N/A
7    Cryptographic Key Management                              2
8    Electromagnetic Interference/Electromagnetic Compatibility  2
9    Self-Tests                                                2
10   Design Assurance                                          2
11   Mitigation of Other Attacks                               N/A
Table 1 - Validation Level by Section
The Cryptographic Module
The cryptographic boundary for the 7206VXR NPE-G1 with VAM2+ is defined as encompassing the "top,"
"front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are
not designed to accommodate a removable port adapter; and the inverse of the three-dimensional space
within the case that would be occupied by an installed port adapter. The cryptographic boundary includes
the connection apparatus between the port adapter and the motherboard/daughterboard that hosts the port
adapter, but the boundary does not include the port adapter itself (except when a VAM2+ is inserted into an
available port adapter slot). In other words, the cryptographic boundary encompasses all hardware
components within the case of the device except any installed modular port adapter (except when a
VAM2+ is inserted into an available port adapter interface).
The cryptographic boundary for the 7301 with VAM2+ is the module case. The 7301 has one port adapter
slot, which is populated with the VAM2+. The 7206VXR NPE-G1 can support single and dual VAM2+
modules in FIPS mode of operation.
All of the functionality discussed in this document is provided by components within this cryptographic
boundary. Each module is a multi-chip standalone module.