NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Integrated Services Router 4000 Series (ISR4K), Cisco Catalyst 8300 and 8500 Series Edge Routers (Cat8300, Cat8500) running IOS-XE version 17.3

Certificate Date:  2022.02.18

Validation Report Number:  CCEVS-VR-VID11208-2022

Product Type:    Virtual Private Network
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.2e
  PP-Module for Virtual Private Network (VPN) Gateways Version 1.1
  Extended Package for MACsec Ethernet Encryption Version 1.2

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

Cisco Aggregation Services Router 1000 Series (ASR1K)

The TOE consists of one or more physical devices as specified in section 1.7 below and includes Cisco IOS-XE version 17.3 software. The ASR1K hardware models included in this evaluation are the ASR1001-X, ASR1001-HX, ASR1002-HX, ASR1006-X, ASR1009-X, and ASR1013, with supporting MACsec hardware ASR1000-MIP100, EPA-18X1GE, EPA-10X10GE, EPA-1X100GE, EPA-CPAK-2X40GE, EPA-1X100GE QSFP+, EPA-2X40GE QSFP+, and EPA-1X40GE QSFP+. Table 1 provides additional details on the physical characteristics of the models. The TOE has two or more network interfaces and is connected to at least one internal and one external network. The Cisco IOS-XE configuration determines how packets are handled to and from the TOE’s network interfaces. The router configuration determines how traffic flows received on an interface are handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.

Cisco Integrated Services Router 4000 Series (ISR4K)

The TOE consists of one or more physical devices as specified in section 1.7 below and includes Cisco IOS-XE version 17.3 software. The hardware models included in the evaluation are the ISR4321, ISR4331, ISR4351, ISR4431, ISR4451-X, and ISR4461, with MACsec network interface modules (NIM) NIM-1GE-CU-SFP and NIM-2GE-CU-SFP. Table 1 provides additional details on the physical characteristics of the two models. The TOE has two or more network interfaces and is connected to at least one internal and one external network. The Cisco IOS-XE configuration determines how packets are handled to and from the TOE’s network interfaces. The router configuration determines how traffic flows received on an interface are handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.

Cisco Catalyst 8300 Series Edge Routers (Cat8300)

The TOE consists of one or more physical devices as specified in section 1.7 below and includes Cisco IOS-XE version 17.3 software. The Cat8300 hardware models included in this evaluation are the CAT8300-1N1S-6T (1-RU), CAT8300-1N1S-4T2X (1-RU), CAT8300-2N2S-6T (2-RU), and CAT8300-2N2S-4T2X (2-RU). Table 4 provides additional details on the physical characteristics of the models.

The TOE has two or more network interfaces and is connected to at least one internal and one external network. The Cisco IOS-XE configuration determines how packets are handled to and from the TOE’s network interfaces. The router configuration determines how traffic flows received on an interface are handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.

Cisco Catalyst 8500 Series Edge Routers (Cat8500)

The TOE consists of one physical device as specified in section 1.7 below and includes Cisco IOS-XE version 17.3 software. The hardware models included in the evaluation are the C8500-12X4QC and C8500-12X. Table 4 provides additional details on the physical characteristics of the two models. The TOE has two or more network interfaces and is connected to at least one internal and one external network. The Cisco IOS-XE configuration determines how packets are handled to and from the TOE’s network interfaces. The router configuration determines how traffic flows received on an interface are handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.


Evaluated Configuration

The following figure provides a visual depiction of an example ASR1K, ISR4K, Cat8300, and Cat8500 TOE deployment:

Figure 1  TOE Example Deployment for ASR1K, ISR4K, Cat8300, Cat8500

Figure 1 includes the following:

·       Examples of TOE models

·       The following are considered to be in the IT Environment:

- VPN Peer
- MACsec Peer
- Management Workstation
- RADIUS AAA (Authentication) Server
- Audit (Syslog) Server
- Local Console
- Certificate Authority (CA)

NOTE: While the previous figure includes several non-TOE IT environment devices, the TOE is only the ASR1K, ISR4K, Cat8300 and Cat8500 devices. Only one TOE device is required for deployment of the TOE in the evaluated configuration.

The TOE is comprised of the following physical specifications as described in Table 4 below:

Table 1   Hardware Models and Specifications