Cisco XR 12000 Series Router

Cisco XR 12000 Series Virtual Firewall

The Cisco® XR 12000 Series virtual firewall application builds on the secure virtualization, continuous system operation, and multiservice scale provided by the Cisco XR 12000 Series. The Cisco XR 12000 virtual firewall application uses the advanced hardware processing capabilities of the Cisco XR 12000 Multiservice Blade (MSB) to provide a flexible, scalable, and feature-rich implementation (Figure 1). The transparent integration of virtual firewall into the Cisco XR 12000 Series Routers facilitates the deployment of advanced services that require a combination of Layer 2 and Layer 3 functions (quality of service [QoS], security, VPN interconnect, and so on).

The Cisco network-based virtual firewall service solution helps service providers to deliver cost-effective, scalable, integrated security services for enterprise customers using Cisco platforms. With the centrally managed Cisco network-based security services solution, service providers can expand their service portfolio with secure on-net and off-net remote access, remote site-to-site services, and firewall capabilities. Service providers can use this Cisco solution to evolve network foundations for enabling additional value-added services, maintaining long-term competitive advantages, increasing return on investment (ROI), and reducing operating expenses.

Figure 1. Cisco XR 12000 MSB

Primary Features and Benefits

Table 1 lists the primary features of the Cisco XR 12000 virtual firewall.

Table 1. Features of Cisco XR 12000 Virtual Firewall

Feature

Description

Performance and Scalability per Cisco XR 12000 MSB

• Up to 250 vFW contexts
• 8 gigabits per second throughput
• 2 million packets per second
• 150,000 Layer 4 connections per second
• 15,000 connections per second with Layer 7 inspection
• 2 million concurrent bidirectional connections
• Up to 512,000 translates for dynamic Network Address Translation (NAT)
• Up to 250,000 access list entries (ACEs)

High Availability

• Intrachassis stateful failover
• Active-standby stateful failover
• Active-active stateful failover

Virtualization

Single MSB can be partitioned into multiple logical firewalls with support for up to 250 security contexts.

Each security context has its own set of:

• Policies (access control lists [ACLs], NAT, fixups)
• Management IP address
• Authentication, authorization, and accounting (AAA), Simple Network Management Protocol (SNMP), syslog server

Resource management controls resource usage per security context with guaranteed rates and memory allocation:

• Throughput
• New connections per second
• ACL memory

Management

• SNMP v1, v2c, v3; SNMP is virtualized so that SNMP settings can be configured per virtual context
• Extensible Markup Language (XML) interface configuration, provisioning, and monitoring
• Role-Based Access Control (RBAC) with management domains
• Modular policy commands
• AAA: LDAP, TACACS, RADIUS

Jumbo Frame Support

The Cisco XR 12000 virtual firewall supports jumbo frames of up to 9180 bytes without the need for fragmentation.

Inspection Engines

• Advanced HTTP inspection: RFC compliance checking for anomaly detection, HTTP misuse, HTTP command filtering, MIME type validation and filtering, and more
• RTSP inspection
• ICMP inspection and fixup
• DNS inspection and fixup
• FTP
• TCP/IP normalization with the Adaptive Security Algorithm to monitor the TCP handshake

The features listed in Table 1 provide the following benefits for service providers and enterprises:

• Security integrated into network infrastructure: The Cisco XR 12000 MSB firewall inspects traffic flows and prevents unauthorized access to protected resources of the enterprise (networks, servers, and so on). The intelligent network integration allows the MSB firewall to provide greater investment protection, a lower total cost of ownership, and a reduced footprint where power and rack space are at a premium. The broad range of Cisco XR 12000 Series interfaces and services (including Session Border Control and IPsec VPN) can be used within the same platform. The innovative Router Service Packet Path (RSPP) scheme and the VRF-aware service infrastructure (VASI) enable transparent insertion of services to interfaces and on inter-VRF traffic, similar to any other inline features such as quality of service. This scheme enables smooth integration of the vFW to the broad services set of the Cisco XR 12000.

• High performance and scalability: The MSB virtual firewall provides performance of 150,000 connections per second, 8 Gbps of throughput, and 2 million concurrent bidirectional connections per MSB. This superior performance helps organizations meet future growing requirements without requiring a system overhaul. A single MSB firewall can support up to 250 security contexts. Multiple MSBs can be installed to scale the number of vFWs supported.

• Robust stateful inspection and application-layer security: The virtual firewall runs on the MSB hardware and offers rich stateful inspection firewall services, with efficient inspection, filtering, and fixup of protocols such as HTTP, Real-Time Streaming Protocol (RTSP), Domain Name System (DNS), FTP, and Internet Control Message Protocol (ICMP). The firewall application creates a connection table entry for each session flow based on the source and destination addresses, randomized TCP sequence numbers, port numbers, and additional TCP flags, and applies the security policy to these connections.

• Service virtualization to reduce cost and complexity of management: The MSB service virtualization allows service providers and large enterprises to implement separate policies for different customers or functional areas, such as multiple demilitarized zones (DMZs), over the same physical infrastructure. Virtualization helps reduce the cost and complexity of managing multiple devices and makes it easier to add or delete security contexts as the number of subscribers grows. A single MSB can be partitioned into a maximum of 250 virtual firewalls (security contexts) and provides the option to limit the resources on a per-context basis. The combination of virtual partition and RBAC enables simplified workflow by delegation of functional responsibility.
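The stateful inspection and per-context behaviour described above can be made concrete with a small model. The following is an added illustration, not Cisco's code and not how the MSB firewall is actually implemented: each SecurityContext owns its own connection table, policy (inside networks) and resource limit (maximum concurrent connections); new connections may only be opened from an inside host with a clean SYN; the three-way handshake is tracked and sequence/acknowledgement numbers are checked; packets that do not match an existing entry are dropped; and the per-context limit stops one customer context from exhausting the table. The class, method and field names, the prefixes and all packets are assumptions constructed for the example.

```python
"""Added example (not Cisco code): a toy stateful firewall with isolated security contexts."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN", "ACK"})
    seq: int = 0
    ack: int = 0


SYN_SENT, SYN_RCVD, ESTABLISHED = "SYN_SENT", "SYN_RCVD", "ESTABLISHED"


def flow_key(p):
    # Direction-independent key: both halves of a connection map to one table entry.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class SecurityContext:
    """One virtual firewall: its own policy, connection table and resource limit."""

    def __init__(self, name, inside_nets, max_conns):
        self.name = name
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]  # hypothetical policy
        self.max_conns = max_conns  # per-context resource limit (constructed)
        self.table = {}  # flow_key -> entry dict

    def is_inside(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside)

    def process(self, p):
        """Return 'allow' or 'drop' for one packet and update the connection table."""
        key = flow_key(p)
        entry = self.table.get(key)
        if entry is None:
            # Only an inside host may open a connection, and only with a clean SYN.
            if p.flags != {"SYN"} or not self.is_inside(p.src):
                return "drop"
            if len(self.table) >= self.max_conns:
                return "drop"  # resource limit for this context reached
            self.table[key] = {"state": SYN_SENT, "initiator": (p.src, p.sport),
                               "client_isn": p.seq, "server_isn": None, "fins": set()}
            return "allow"
        from_initiator = (p.src, p.sport) == entry["initiator"]
        if "RST" in p.flags:
            del self.table[key]  # reset tears the connection down immediately
            return "allow"
        if "FIN" in p.flags:
            entry["fins"].add(from_initiator)  # remember which side has closed
            if len(entry["fins"]) == 2:
                del self.table[key]  # both sides closed: entry removed
            return "allow"
        state = entry["state"]
        if state == SYN_SENT:
            # Expect SYN-ACK from the responder acknowledging the client's ISN.
            if from_initiator or p.flags != {"SYN", "ACK"} or p.ack != entry["client_isn"] + 1:
                return "drop"
            entry.update(state=SYN_RCVD, server_isn=p.seq)
            return "allow"
        if state == SYN_RCVD:
            # Expect the initiator's final ACK acknowledging the server's ISN.
            if not from_initiator or "ACK" not in p.flags or p.ack != entry["server_isn"] + 1:
                return "drop"
            entry["state"] = ESTABLISHED
            return "allow"
        return "allow"  # ESTABLISHED: traffic in both directions passes until FIN/RST


def demo():
    """Constructed packet sequence; returns the list of verdicts."""
    S = lambda *f: frozenset(f)
    ctx = SecurityContext("cust-a", ["10.1.0.0/16"], max_conns=2)
    pkts = [
        Packet("10.1.0.5", 40000, "203.0.113.10", 443, S("SYN"), seq=1000),           # allow
        Packet("203.0.113.10", 443, "10.1.0.5", 40000, S("SYN", "ACK"), seq=5000, ack=999),  # drop: bad ack
        Packet("203.0.113.10", 443, "10.1.0.5", 40000, S("SYN", "ACK"), seq=5000, ack=1001), # allow
        Packet("10.1.0.5", 40000, "203.0.113.10", 443, S("ACK"), seq=1001, ack=5001),  # allow: established
        Packet("203.0.113.10", 443, "10.1.0.5", 40000, S("ACK"), seq=5001, ack=1001),  # allow: return data
        Packet("198.51.100.7", 5555, "10.1.0.9", 22, S("SYN")),                        # drop: outside-initiated
        Packet("10.1.0.6", 40001, "203.0.113.10", 443, S("SYN"), seq=1),               # allow: 2nd connection
        Packet("10.1.0.7", 40002, "203.0.113.10", 443, S("SYN"), seq=1),               # drop: context limit
        Packet("203.0.113.10", 443, "10.1.0.5", 40000, S("RST")),                      # allow: entry removed
        Packet("10.1.0.7", 40002, "203.0.113.10", 443, S("SYN"), seq=1),               # allow: slot freed
    ]
    return [ctx.process(p) for p in pkts]


if __name__ == "__main__":
    print(demo())
```

Contexts are fully isolated: a SYN-ACK belonging to a flow opened in one context is an unknown packet in another context and is dropped there, which is the property that lets one MSB serve many customers from one table of resources.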

Virtual Firewall Deployment Scenario Examples

The Cisco XR 12000 MSB firewall can be deployed in a number of service provider topologies; with VASI, it can be transparently integrated at the point of presence, at the public IP peering point, or in a shared-services-facing router (Figures 2 through 4).

Figure 2. Virtual Firewall at the Point of Presence

Figure 3. Virtual Firewall at the Peering Point

Figure 4. Virtual Firewall as a Shared Services Router

Ordering Information

To place an order, visit the Cisco Ordering Homepage. Table 2 lists ordering information for the Cisco XR 12000 MSB firewall.

Table 2. Ordering Information

Product Name: Part Number

Cisco XR 12000 Multi-Service Blade: XR-12K-MSB
Cisco XR 12000 Multi-Service Blade Spare: XR-12K-MSB=
Cisco XR 12000 Firewall Application RTU: XR-12K-FW-RTU
Licensing for 50 Virtual FW Contexts: XR-12K-MSB-FW-50
Licensing for 50 Virtual FW Contexts Spare: XR-12K-MSB-FW-50=
Licensing for 250 Virtual FW Contexts: XR-12K-MSB-FW-250
Licensing for 250 Virtual FW Contexts Spare: XR-12K-MSB-FW-250=

Service and Support

Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, refer to Cisco Technical Support Services or Cisco Advanced Services.

For More Information

For more information about Cisco service and support programs and benefits, visit www.cisco.com/public/Support_root.shtml.
For more information about the Cisco XR 12000 Series, visit www.cisco.com/go/12000.