Cisco Systems OL-12518-01 Switch User Manual
Data Center High Availability Clusters Design Guide (OL-12518-01), page 4-6
Chapter 4 FCIP over IP/MPLS Core
Typical Customer Requirements
• SPs providing VPN service to transport FCIP traffic to provide additional security
• Using an MPLS extranet for application-specific security
Cisco Encryption Solutions
When selecting an encryption solution for FCIP SAN extension, a user needs to determine the requirements
for the encryption solution. These requirements may include the speed of the link that needs encryption,
the type of encryption required, and the security requirements of the network. Cisco offers three
hardware-based encryption solutions in the data center environment: the SA-VAM and SA-VAM2
service modules for the Cisco 7200 VXR and 7400 series routers, and the IPSec VPN Services Module
(VPNSM) for the Catalyst 6500 switch and the Cisco 7600 router.
Each of these solutions offers the same configuration steps, although the SA-VAM2 and IPSec VPNSM
have additional encryption options. The SA-VAM and SA-VAM2 are used only in WAN deployments,
whereas the IPSec VPNSM can support 1.6 Gb/sec throughput, making it useful in WAN, LAN, and
MAN environments.
The SA-VAM is supported on the 7100, 7200 VXR, and 7401 ASR routers with a minimum Cisco IOS
version of 12.1(9)E or 12.1(9)YE. For use in the 7200 VXR routers, the SA-VAM has a bandwidth cost
of 300 bandwidth points. The SA-VAM has a maximum throughput of 140 Mbps, making it suitable for
WAN links up to DS3 or E3 line rates.
The SA-VAM2 is supported on the 7200 VXR routers with a minimum Cisco IOS version of 12.3(1).
The SA-VAM2 has a bandwidth cost of 600 bandwidth points. The SA-VAM2 has a maximum
throughput of 260 Mbps, making it suitable for WAN links up to OC-3 line rates.
The IPSec VPNSM is supported on the Catalyst 6500 switch and the Cisco 7600 router with a minimum
Native IOS level of 12.2(9)YO. For increased interoperability with other service modules and additional
VPN features, it is recommended that a minimum of 12.2(14)SY be used when deploying this service
module.
The choice between these solutions should be based primarily on the following two factors:
• Available link speed or bandwidth
• Security encryption policies and encryption methods required
The Cisco MDS 9000 with the MPS-14/2 module and the Cisco 9216i support encryption with no performance
impact. The MPS Service Module and the Cisco 9216i support line-rate Ethernet throughput with AES
encryption.
The following are the encryption methods supported per module:
• SA-VAM—DES, 3DES
• SA-VAM2—DES, 3DES, AES128, AES192, AES256
• VPNSM—DES, 3DES
• MDS MPS—DES, 3DES, AES192
Note: An encrypted data stream is not compressible because it results in a bit stream that appears random. If
encryption and compression are required together, it is important to compress the data before encrypting
it.
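The note above can be checked directly. The following is an added example, not code from the Cisco design guide or from any of the modules it describes: it measures what zlib can do with a redundant payload in both orders. The "cipher" is a keystream XOR built from SHA-256 in counter mode, used only because it yields random-looking output offline; it is an illustrative stand-in for the hardware AES/3DES discussed in the text, not a cipher to deploy. The key, nonce and sample payload are constructed for the demonstration.

```python
"""Added example: why compression has to run before encryption.

Ciphertext is indistinguishable from random bits, so a compressor applied
afterwards finds no redundancy and the link gains nothing (it usually loses a
few bytes of framing). Compressing first and encrypting the result keeps the
bandwidth saving while still protecting the payload.
"""
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher (demonstration only, not for production).

    XORs data with successive SHA-256(key || nonce || counter) blocks. The
    same call decrypts, since XOR with the same keystream is its own inverse.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Recommended order: squeeze redundancy out, then encrypt the result."""
    return keystream_xor(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Wrong order: the compressor only ever sees random-looking ciphertext."""
    return zlib.compress(keystream_xor(key, nonce, data), 9)


def compression_ratio(original: bytes, produced: bytes) -> float:
    """Bytes on the wire divided by bytes of original payload (lower is better)."""
    return len(produced) / len(original)


def compare_orders(key: bytes, nonce: bytes, data: bytes) -> dict:
    """Return the on-wire ratio for each ordering so the two can be compared."""
    return {
        "compress_then_encrypt": compression_ratio(data, compress_then_encrypt(key, nonce, data)),
        "encrypt_then_compress": compression_ratio(data, encrypt_then_compress(key, nonce, data)),
    }


# Constructed inputs for the demonstration (not real keys or SAN traffic).
KEY = b"demo-key-not-a-real-secret"
NONCE = b"nonce-01"
# A highly redundant payload, like repeated block writes crossing the FCIP link.
SAMPLE = b"LUN0 BLOCK DATA 0x00 " * 3000

if __name__ == "__main__":
    for order, ratio in compare_orders(KEY, NONCE, SAMPLE).items():
        print(f"{order}: {ratio:.4f} of original size on the wire")
```

On the constructed payload the compress-then-encrypt path sends well under five percent of the original bytes, while encrypt-then-compress sends slightly more than the original because zlib falls back to stored blocks. The same shape of test, with a representative traffic capture instead of the repeated string, is a reasonable way to validate a planned compression plus encryption chain before committing WAN bandwidth to it.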