Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2001. Cisco Systems, Inc. All rights reserved.

Cisco 7206 VXR Router Security Policy

Introduction

This nonproprietary Cryptographic Module Security Policy describes how the 7206 VXR NPE-400 routers meet the security requirements of Federal Information Processing Standards (FIPS) 140-1, and how they operate in a secure FIPS 140-1 mode. The policy was prepared as part of the Level 2 FIPS 140-1 certification of the 7206 VXR NPE-400 router.

Note  This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page.

The FIPS 140-1 publication, "Security Requirements for Cryptographic Modules" details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available at the following National Institute of Standards and Technology (NIST) website:

http://csrc.nist.gov/cryptval/

This document contains the following sections:
– Introduction
– The 7206 VXR NPE-400 Router
– Secure Operation of the Cisco 7206 VXR NPE-400 Router
– Obtaining Documentation
– Obtaining Technical Assistance

References

This document deals with operations and capabilities of the 7206 VXR NPE-400 router in the technical terms of a FIPS 140-1 cryptographic module security policy.
For more information on Cisco 7206 VXR NPE-400 router and the entire 7200 series, check the following sources:
– The Cisco Systems website contains information on the full line of Cisco Systems products. Refer to the following website: www.cisco.com.
– The 7200 series product descriptions can be found at the following website: www.cisco.com/warp/public/cc/pd/rt/7200/
– For answers to technical or sales related questions, please refer to the contacts listed on the following website: www.cisco.com.

Terminology

In this document, the cryptographic module is referred to as the 7206 VXR router, the router, or the system.

Document Organization

The security policy document is part of the complete FIPS 140-1 Submission Package. In addition to this document, the complete submission package contains:
– Vendor evidence document
– Finite state machine
– Module software listing
– Other supporting documentation as additional references

This document provides an overview of the 7206 VXR NPE-400 router and explains the secure configuration and operation of the cryptographic module. It also explains the general features and functionality of the 7206 VXR NPE-400 routers and addresses the required configuration for the FIPS mode of operation.

Note  This security policy and other certification submission documentation were produced by Corsec Security, Inc. under contract to Cisco Systems.

With the exception of this nonproprietary security policy, the FIPS 140-1 Certification Submission documentation is Cisco-proprietary and can be released only under appropriate nondisclosure agreements. For access to these documents, please contact Cisco Systems.

The 7206 VXR NPE-400 Router

Cisco 7200 VXR routers are designed to support gigabit capabilities and to improve data, voice, and video integration in both service provider and enterprise environments. Cisco 7200 VXR routers support a high-speed network services engine (NSE) as well as the high-speed network processing engine, NPE-400, and all other available network processing engines.

Cisco 7200 VXR routers accommodate a variety of network interface port adapters and an I/O controller. A Cisco 7200 VXR router equipped with an NPE-400 can support up to six high-speed port adapters and can also support higher-speed port adapter interfaces including Gigabit Ethernet and OC-12 ATM. Cisco 7200 VXR routers also contain bays for up to two AC-input or DC-input power supplies.

Cisco 7200 VXR routers support the following features:
– Online insertion and removal (OIR)—Add, replace, or remove port adapters without interrupting the system.
– Dual hot-swappable, load-sharing power supplies—Provide system power redundancy; if one power supply or power source fails, the other power supply maintains system power without interruption. Also, when one power supply is powered off and removed from the router, the second power supply immediately takes over the router power requirements without interrupting normal operation of the router.
– Environmental monitoring and reporting functions—Maintain normal system operation by resolving adverse environmental conditions prior to loss of operation.
– Downloadable software—Load new images into Flash memory remotely, without having to physically access the router.

The 7206 VXR NPE-400 Cryptographic Module

Cisco 7206 VXR routers support multiprotocol routing and bridging with a wide variety of protocols and port adapter combinations available for Cisco 7200 series routers. The metal casing that fully encloses the module establishes the cryptographic boundary for the router. All the functionality discussed in this document is provided by components within the casing. Cisco 7206 VXR routers have six slots for port adapters, one slot for an input/output (I/O) controller, and one slot for a network processing engine or network services engine.

Figure 1  The 7206 VXR NPE-400 Router

Cisco 7206 VXR NPE-400 uses an RM7000 microprocessor that operates at an internal clock speed of 350 MHz. The NPE-400 uses SDRAM for storing all packets received or sent from network interfaces. The SDRAM memory array in the system allows concurrent access by port adapters and the processor.

The NPE-400 has three levels of cache: a primary and a secondary cache that are internal to the microprocessor, and a tertiary 4-MB external cache that provides additional high-speed storage for data and instructions.

Cisco 7206 VXR routers come equipped with one 280W AC-input power supply. (A 280W DC-input power supply option is available.) A power supply filler plate is installed over the second power supply bay. A fully configured Cisco 7206 VXR router operates with only one installed power supply; however, a second, optional power supply of the same type provides hot-swappable, load-sharing, redundant power.

Module Interfaces

Input/Output Controller

The interfaces for the router are located on the front panel Input/Output (I/O) Controller, with the exception of the power switch and power plug. The module has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem.

Figure 2 shows the front panel LEDs, which provide overall status of the router operation. The front panel displays whether or not the router is booted, if the redundant power is attached and operational, and overall activity/link status.

Figure 2  I/O Controller

Table 1 provides detailed information conveyed by the LEDs on the front panel of the I/O Controller. All of these physical interfaces are separated into the logical interfaces from FIPS as described in Table 2.

Table 1  Front Panel LEDs and Descriptions

LED             Indication  Description
Enabled         Green       Indicates that the network processing engine or network services engine and the I/O controller are enabled for operation by the system; however, it does not mean that the Fast Ethernet port on the I/O controller is functional or enabled. This LED goes on during a successful router boot and remains on during normal operation of the router.
IO POWER OK     Amber       Indicates that the I/O controller is on and receiving DC power from the router midplane. This LED comes on during a successful router boot and remains on during normal operation of the router.
                Off         Powered off or failed.
Slot 0, Slot 1  Green       These LEDs indicate which PC Card slot is in use by coming on when either slot is being accessed by the system. These LEDs remain off during normal operation of the router.
Link            Green       Indicates that the Ethernet RJ-45 receptacle has established a valid link with the network.
                Off         This LED remains off during normal operation of the router unless there is an incoming carrier signal.
100 Mbps        Green       Indicates that the port is configured for 100-Mbps operation (speed 100), or if configured for autonegotiation (speed auto), the port has detected a valid link at 100 Mbps.
                Off         If the port is configured for 10-Mbps operation, or if it is configured for autonegotiation and the port has detected a valid link at 10 Mbps, the LED remains off.

Table 2  FIPS 140-1 Logical Interfaces

Router Physical Interface                                                                                             FIPS 140-1 Logical Interface
10/100BASE-TX LAN Port, Port Adapter Interface, Service Module Interface, Console Port, Auxiliary Port*, PCMCIA Slot*  Data Input Interface
10/100BASE-TX LAN Port, Port Adapter Interface, Service Module Interface, Console Port, Auxiliary Port*, PCMCIA Slot*  Data Output Interface
Power Switch, Console Port, Auxiliary Port*                                                                           Control Input Interface
10/100BASE-TX LAN Port LEDs, Pwr LED, SysRdy LED, Console Port, Auxiliary Port*                                       Status Output Interface
Power Plug                                                                                                            Power Interface

* Disabled in FIPS mode. See the "Secure Operation of the Cisco 7206 VXR NPE-400 Router" section in this document for more information.

In addition to the built-in interfaces, the router also has additional port adapters that can optionally be placed in an available slot. These port adapters have many embodiments, including multiple Ethernet, token ring, and modem cards to handle frame relay, ATM, and ISDN connections.

Roles and Services

There are two main roles in the router (as required by FIPS 140-1) that operators can assume: crypto officer or administrator role and user role. The administrator of the router assumes the crypto officer role in order to configure and maintain the router using crypto officer services, while the users exercise only the basic user services.

Cryptographic Officer Services

During initial configuration of the router, a cryptographic officer (crypto officer) password (the "enable" password) is defined and all management services are available from this role. The crypto officer connects to the router through the console port using the terminal program. A crypto officer can assign permission to access the crypto officer role to additional accounts, thereby creating additional crypto officers.

At the highest level, crypto officer services include the following:
– Configure the router: define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
– Define rules and filters: create packet filters that are applied to user data streams on each interface. Each filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
– Status functions: view the router configuration, routing tables, and active sessions; view SNMP MIB II statistics, health, temperature, memory status, voltage, and packet statistics; review accounting logs, and view physical interface status.
– Manage the router: log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.
– Set encryption/bypass: set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range or allow plaintext packets to be sent from specified IP addresses.
– Change port adapters: insert and remove adapters in port adapter slots as described in the "Initial Setup" section in this document.

User Services

A user enters the system by accessing the console port with a terminal program. The IOS prompts the user for their password. If it matches the plaintext password stored in IOS memory, the user is allowed entry to the IOS executive program. At the highest level, user services include the following:
– Status Functions: view state of interfaces, state of layer 2 protocols, version of IOS currently running
– Network Functions: connect to other network devices through outgoing telnet or PPP, and initiate diagnostic network services (for example, ping and mtrace)
– Terminal Functions: adjust the terminal session (that is, lock the terminal and adjust flow control)
– Directory Services: display directory of files kept in flash memory

Physical Security

The router is entirely encased by a thick steel chassis.
The front of the router provides 4 port adapter slots, on-board LAN connectors, PC Card slots, and Console/Auxiliary connectors. The power cable connection, a power switch, and the access to the Network Processing Engine are at the rear of the router.

Once the router has been configured to meet FIPS 140-1 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:
– Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The ambient air must be above 10°C, otherwise the labels may not properly cure.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the 7206 VXR NPE-400 Input/Output Controller.
– The tamper evidence label should be placed over the Flash PC Card slots on the Input/Output Controller.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 1.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 2.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 3.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 4.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 5.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 6.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the network processing engine.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the power supply plate.
– The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the redundant power supply plate.
– The labels completely cure within five minutes.

Figure 3 shows the tamper evidence label placements.

Figure 3  Tamper Evidence Label Placement

The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to remove port adapters or service modules will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence labels have nonrepeated serial numbers, the labels can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered with. Tamper evidence labels can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "Opened" can appear if the label was peeled back.

Note  The Cisco 7206 router supports the following FIPS-approved algorithms: DES, 3DES, and SHA-1. These algorithms received certification numbers 74, 17, and 26 respectively.

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password protected and can be zeroized by the crypto officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE).

Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. The self-test run at power-up includes cryptographic known answer tests (KAT) on the FIPS-approved cryptographic algorithms (DES, 3DES), on the message digest (SHA-1), and on the Diffie-Hellman algorithm. Also performed at startup are a software integrity test using an EDC, and a set of Statistical Random Number Generator (RNG) tests. The following tests are also run periodically or conditionally: a bypass mode test performed conditionally prior to executing IPSec, a software load test for upgrades, and the continuous random number generator test. If any of these self-tests fail, the router transitions into an error state. Within the error state, all secure data transmission is halted and the router outputs status information indicating the failure.
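
The following added example (not Cisco's code and not part of the original policy) models the self-test behaviour described above for two of the listed tests: a power-up SHA-1 known answer test and the continuous random number generator test, with any failure moving the module into an error state that refuses further services. The class and function names are hypothetical; the SHA-1 vector is the standard "abc" test message.

```python
import hashlib
import os

# Known answer: SHA-1 of the ASCII message "abc" (standard published vector).
SHA1_KAT_INPUT = b"abc"
SHA1_KAT_DIGEST = "a9993e364706816aba3e25717850c26c9cd0d89d"


class ModuleError(Exception):
    """Raised when a service is requested outside the operational state."""


class ToyModule:
    """Hypothetical module: every service is refused once a self-test fails."""

    def __init__(self, rng=os.urandom,
                 sha1=lambda m: hashlib.sha1(m).hexdigest(), block_len=8):
        self._rng = rng              # block source under test
        self._sha1 = sha1            # digest implementation under test
        self._block_len = block_len
        self._last_block = None
        self.state = "POWER_UP"
        self.status = []             # status output describing failures

    def _fail(self, reason):
        self.state = "ERROR"
        self.status.append(reason)

    def power_up(self):
        """Run the known answer test, then prime the continuous RNG test."""
        if self._sha1(SHA1_KAT_INPUT) != SHA1_KAT_DIGEST:
            self._fail("SHA-1 known answer test failed")
            return False
        # The first RNG block is kept for comparison only and never output.
        self._last_block = self._rng(self._block_len)
        self.state = "OPERATIONAL"
        return True

    def _require_operational(self):
        if self.state != "OPERATIONAL":
            raise ModuleError("module is not operational: %s" % self.state)

    def random_block(self):
        """Return a random block, failing if it repeats the previous one."""
        self._require_operational()
        block = self._rng(self._block_len)
        if block == self._last_block:
            self._fail("continuous RNG test failed: repeated block")
            raise ModuleError("module entered the error state")
        self._last_block = block
        return block

    def digest(self, message):
        """A data service; halted whenever the module is in the error state."""
        self._require_operational()
        return self._sha1(message)
```
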

Secure Operation of the Cisco 7206 VXR NPE-400 Router

Cisco 7206 VXR NPE-400 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.

Initial Setup

The crypto officer must apply tamper evidence labels as described in the "Physical Security" section of this document. The crypto officer must securely store tamper evidence labels before use, and any tamper evidence labels not used should also be stored securely.

Only a crypto officer can add and remove port adapters. When removing the tamper evidence label, the crypto officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The crypto officer must reapply tamper evidence labels on the router as described in the "Physical Security" section in this document.

System Initialization and Configuration

The crypto officer must perform the initial configuration. The IOS version shipped with the router, version 12.1(9)E, is the only allowable image. No other image can be loaded.

The value of the boot field must be 0x0101 (the factory default). This setting disables the break from the console to the ROM monitor and automatically boots the IOS image. From the configure terminal command line, the crypto officer enters the following syntax:

    config-register 0x0101

The crypto officer must create the "enable" password for the crypto officer role. The password must be at least 8 characters and is entered when the crypto officer first engages the enable command. The crypto officer enters the following syntax at the "#" prompt:

    enable secret [PASSWORD]

The crypto officer must always assign passwords (of at least 8 characters) to users. Identification and authentication of the console port is required for Users. From the configure terminal command line, the crypto officer enters the following syntax:

    line con 0
    password [PASSWORD]
    login local

The crypto officer shall only assign users to a privilege level 1 (the default). The crypto officer shall not assign a command to any privilege level other than its default.

The PCMCIA Flash memory card slot is not configured in FIPS mode. Its use is restricted via tamper evidence labels. See the "Physical Security" section for more details.

Non FIPS-Approved Algorithms

The following algorithms are not FIPS approved and should be disabled:
– RSA for encryption
– MD-5 for signing
– AH-SHA-HMAC
– ESP-SHA-HMAC
– HMAC SHA-1

Protocols

The following network services affect the security data items and must not be configured: NTP, TACACS+, RADIUS, Kerberos.

SNMP v3 over a secure IPSec tunnel can be employed for authenticated, secure SNMP Gets and Sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C.

Remote Access

Auxiliary terminal services must be disabled, except for the console. The following configuration disables login services on the auxiliary console line.

    line aux 0
    no exec

Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The crypto officer must configure the module so that any remote connections via telnet are secured through IPSec.
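
One way to check a saved configuration against the settings listed in this section, as an added example that is not part of the original policy or Cisco's tooling. It assumes IOS-style configuration text in which sub-commands are indented under their `line` header, and `show version` output containing a "Configuration register is 0x..." line; the function names and both sample configurations are constructed for illustration, and the read-write community check goes slightly beyond the commands shown above to cover the SNMP v2C rule.

```python
import re

# Global command keywords for services the policy says must not be configured.
FORBIDDEN = {"ntp": "NTP", "tacacs-server": "TACACS+",
             "radius-server": "RADIUS", "kerberos": "Kerberos"}


def parse_config(text):
    """Split IOS-style config text into global commands and 'line ...' blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or '!' separator
        if raw[0].isspace():              # indented sub-command
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        else:
            current = None                # other sections are not inspected
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(running_config, show_version):
    """Return a list of deviations from the FIPS-mode settings in this section."""
    findings = []
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    if not m or int(m.group(1), 16) != 0x0101:
        findings.append("config register is not 0x0101")
    global_cmds, blocks = parse_config(running_config)
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no 'enable secret' set for the crypto officer role")
    con = blocks.get("line con 0", [])
    if not any(c.startswith("password ") for c in con) or "login local" not in con:
        findings.append("console line lacks 'password' and 'login local'")
    if "no exec" not in blocks.get("line aux 0", []):
        findings.append("auxiliary line is missing 'no exec'")
    for cmd in global_cmds:
        word = cmd.split()[0]
        if word in FORBIDDEN:             # report the service, never the secret
            findings.append(FORBIDDEN[word] + " is configured")
        elif word == "privilege":
            findings.append("command moved off its default privilege level: " + cmd)
        elif re.match(r"snmp-server community \S+.*\brw\b", cmd, re.I):
            findings.append("SNMP v2C community allows sets (RW)")
    return findings


# Constructed sample inputs (not taken from a real device).
GOOD_CONFIG = """\
enable secret 5 $1$EXAMPLE$constructedhashvalue000
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 password 7 0000CONSTRUCTED
 login local
line aux 0
 no exec
"""
GOOD_VERSION = "Configuration register is 0x0101\n"

BAD_CONFIG = """\
enable password cisco123
ntp server 192.0.2.10
radius-server host 192.0.2.20
privilege exec level 5 show running-config
snmp-server community private RW
line con 0
 login
line aux 0
 exec-timeout 10 0
"""
BAD_VERSION = "Configuration register is 0x2102\n"
```

The audit cannot confirm the 8-character minimum once passwords are stored hashed or obfuscated, so that requirement still has to be enforced when the passwords are set.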

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:
– http://www.cisco.com
– http://www-china.cisco.com
– http://www-europe.cisco.com

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and can be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:
– Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
– Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
– Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:
– P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
– P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:
– P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
– P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

By printing or making a copy of this document, the user agrees to use this information for product evaluation purposes only. Sale of this information in whole or in part is not authorized by Cisco Systems.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)

Cisco 7206 VXR Router Security Policy
Copyright 2001, Cisco Systems, Inc. All rights reserved.