
This chapter is from the book

Summary

Before configuring the VPN 3000 Concentrator series, it is imperative to understand the hardware aspects of these VPN devices.

The VPN 3002 Hardware Client supports a single VPN tunnel in which it can either act as a client to the head-end concentrator or initiate a site-to-site connection. When acting in Client mode, the 3002 Hardware Client hides the devices behind it by utilizing PAT. In Network Extension mode, the 3002 creates a tunnel to bridge the two networks together.

In a small branch office, the VPN 3005 and 3015 Concentrators both offer software-based encryption for up to 100 remote access and site-to-site sessions. The 3005 is a fixed design with 32MB of SRAM, whereas the 3015 has 64MB of SRAM inside a larger, modular design, which can be upgraded with a hardware encryption SEP module and an optional redundant power supply.

A medium-sized branch office should contain the Cisco VPN 3030 Concentrator, which can sustain up to 1,500 remote access sessions and 500 site-to-site sessions. The 3030 comes standard with 128MB of SRAM and one SEP module to support hardware encryption.

The large main office and service provider arena requires enterprise-size concentrator models. The 3060 and 3080 can provide robust performance and throughput for a solution of this size. Both models come standard with 256MB of SRAM and can support up to 1,000 site-to-site tunnels. The 3060 Concentrator has an optional bay for a redundant power supply and two SEP modules for hardware-based encryption support of up to 5,000 sessions. The Cisco VPN 3080 Concentrator ships standard with a redundant power supply and utilizes four SEP modules for support of up to 10,000 remote access sessions.

Cisco VPN 3000 Concentrators offer a great deal of versatility in the form of redundancy, load balancing, and bandwidth management. SEP redundancy is achieved in a top-down method in which sessions are saved as long as both the top and bottom SEP do not fail. If such a failure occurs, the sessions are lost and subsequent sessions are offloaded to the next-top SEP or to the concentrator's software if no redundant SEPs are active.

When concentrators are running in parallel, you can achieve load balancing or redundancy. The latter is provided via VRRP, in which a master concentrator is responsible for servicing datagrams addressed to a virtual router IP address. If the master fails, a backup assumes the role of the master and continues to service the VPN traffic. Load balancing follows a similar concept; however, load-balanced concentrators utilize the VCA protocol to offload VPN sessions to underutilized concentrators. It is the master's responsibility to send redirect messages to connecting clients during the IKE negotiations.

Bandwidth management is available in software version 3.6. The VPN 3000 Concentrators enable you to create policies to either police the amount of bandwidth being utilized or to reserve bandwidth during high utilization.
