Table Of Contents
Understanding the VPN 3000 Concentrator
Hardware Features
Software Features
How the VPN Concentrator Works
Where the VPN Concentrator Fits in Your Network
Physical Specifications
Understanding the VPN 3000 Concentrator
The VPN 3000 Concentrator (also known as the VPN Concentrator) creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections.
Figure 1-1 The Cisco VPN 3000 Concentrator
Model 3005
Model 3015 to 3080
Hardware Features
Current VPN Concentrator Models: 3005, 3015, 3020, 3030, 3060, and 3080.
Previous VPN Concentrator Models: C10, C20, and C50.
All systems feature:
•
10/100Base-T Ethernet interfaces (autosensing)
–3005: Two interfaces
–3015-3080: Three interfaces
•Motorola® PowerPC CPU
•SDRAM memory for normal operation
•Nonvolatile memory for critical system parameters
•Flash memory for file management
In addition, individual models have the following hardware features:
VPN Concentrator Model
|
Hardware Features
|
Model 3005
|
•Software-based encryption
•Single power supply
•64 MB memory (versions prior to 4.1 have 32MB memory)
|
Model 3015
|
•Software-based encryption
•Single power supply
•Expansion capabilities:
–Up to two Enhanced Cisco Scalable Encryption Processing (SEP-E) modules for hardware-based encryption
–Up to two SEP-E modules for redundancy
–Optional redundant power supply
•128 MB memory
|
Model 3020
|
•One SEP-E module for hardware-based encryption
•Single power supply
•Expansion capabilities:
–One additional SEP-E module for hardware-based encryption
–Up to two additional SEP-E modules for redundancy
–Optional redundant power supply
•256 MB memory
|
Model 3030
|
•One SEP-E module for hardware-based encryption
•Single power supply
•Expansion capabilities:
–One additional SEP-E module for hardware-based encryption
–Up to two additional SEP-E modules for redundancy
–Optional redundant power supply
•512 MB memory
|
Models 3060
|
•Two SEP-E modules for hardware-based encryption
•Expansion capabilities:
–Up to two additional SEP-E modules for system redundancy
–Optional redundant power supply
•512 MB memory
|
Model 3080
|
•Two SEP-E modules for hardware-based encryption
•Two SEP-E modules for system redundancy
•Dual redundant power supplies
•512 MB memory
|
Software Features
The VPN Concentrator incorporates the following virtual private networking software features:
VPN Feature
|
Description
|
Management Interfaces
|
The VPN Concentrator offers multiple management interfaces. Each interface provides complete capabilities and can be used to fully configure, administer, and monitor the device.
•The VPN Concentrator Manager is an HTML-based interface that lets you manage the system remotely with a standard web browser using either of the following:
–HTTP connections
–HTTPS (HTTP over SSL) secure connections
•The VPN Concentrator command-line interface is a menu- and command-line based interface that you can use with the local system console or remotely using any of the following:
–Telnet connections
–SSHv1 (Secure Shell), including SCP (Secure Copy)
|
Tunneling Protocols
|
•IPSec (IP Security) Protocol
–Remote access, using Cisco VPN Client or other select IPSec protocol-compliant clients
–LAN-to-LAN, between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol-compliant secure gateway
•L2TP over IPSec (for native Windows 2000, Windows NT, and Windows XP client compatibility)
•WebVPN (clientless access using an HTTPS web browser)
•PPTP (Point-to-Point Tunneling Protocol) with encryption
•L2TP (Layer 2 Tunneling Protocol)
|
Encryption Algorithms
|
•56-bit DES (Data Encryption Standard)
•168-bit Triple DES
•Microsoft Encryption (MPPE): 40-bit and 128-bit RC4
•128-bit, 192-bit, and 256-bit AES
|
Authentication Algorithms
|
•MD5 (Message Digest 5)
•SHA-1 (Secure Hash Algorithm)
•HMAC (Hashed Message Authentication Coding) with MD5
•HMAC with SHA-1
|
Key Management
|
•IKE (Internet Key Exchange), formerly called ISAKMP/Oakley, with Diffie-Hellman key technique
•Diffie-Hellman Group 1, Group 2, Group 5, and Group 7 (ECC)
•Perfect Forward Secrecy (PFS)
|
Network Addressing Support
|
•DNS (Domain Name System)
•Client address assignment:
–DHCP (Dynamic Host Configuration Protocol), including DDNS host name population and configurable giaddr
–Internally configured client IP address pools
–RADIUS
|
Authentication and Accounting Servers
|
•Internal authentication server
•Support for external authentication servers:
–RADIUS
–RADIUS with Password Expiration (MSCHAPv2)
–NT Domain
–Kerberos (Active Directory)
–RSA Security SecurID
–TACACS (administrator only)
•LDAP Authorization
•Authentication server testing
•X.509 Digital Certificates
•RADIUS accounting
|
Certificate Authorities
|
•Entrust
•VeriSign
•Microsoft Windows 2000
•RSA Keon
•Netscape
•Baltimore
|
Security Management
|
•Group and user profiles
•Data traffic management, by means of:
–Filters and rules (including RADIUS-based Access Control Lists)
–IPSec Security Associations
–NAT (Network Address Translation), many-to-one, also called PAT (Port Address Translation)
–Network lists
–WebVPN
–Access Control List, including file shares and Web URL filtering
|
Routing Protocols
|
•IP
•RIP v1, RIP v2
•OSPF
•Static routes
•Private network autodiscovery for LAN-to-LAN connections
•Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network extension networks to be announced via RIPv2/OSPF
|
Clustering
|
•Load Balancing
•System redundancy via VRRP
|
System Administration
|
•Session monitoring and management
•Software image update
•Boot code upgrade
•File upload
•System reset and reboot
•Ping
•Configurable system administrator profiles
•File management, including SCP and TFTP transfer
•Digital certificate enrollment and management
•Session limit setting
•Traceroute
|
Monitoring
|
•Event logging and notification via system console, syslog, SNMP traps, and email
•FTP backup of event logs
•SNMP MIB-II support
•System status
•Session data
•Memory usage
•Extensive statistics
|
Client Software Compatibility
|
•Cisco VPN Client (IPSec):
–Windows 98 and Windows ME
–Windows NT® 4.0, Windows 2000, and Windows XP
–MAC OS X 10.1 and 10.2 Jaguar
–Linux Intel v2.2/v2.4 kernels and Solaris ULTRASparc 32-bit and 64-bit (command-line interfaces only)
•Microsoft VPN Clients:
–Windows® 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, and Windows XP (PPTP)
–Windows 98, Windows ME, Windows NT 4.0, Windows 2000 and Windows XP (L2TP over IPSec)
•Certicom movianVPN Client (ECC, handheld)
|
Other Features
|
•Software data compression
•Split tunneling
•Bandwidth management
|
How the VPN Concentrator Works
The VPN Concentrator creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
The secure connection is called a tunnel, and the VPN Concentrator uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.
The VPN Concentrator performs the following functions:
•Establishes tunnels
•Negotiates tunnel parameters
•Authenticates users
•Assigns user addresses
•Encrypts and decrypts data
•Manages security keys
•Manages data transfer across the tunnel
•Manages data transfer inbound and outbound as a tunnel endpoint or router
The VPN Concentrator invokes various standard protocols to accomplish these functions.
Where the VPN Concentrator Fits in Your Network
Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users. In some cases, the VPN Concentrator may be deployed behind the firewall; such a configuration is firewall-vendor dependent and might require additional firewall configuration.
For LAN-to-LAN or branch office applications, place a second VPN Concentrator or other IPSec protocol-compliant secure gateway at the remote office.
Figure 1-2 A Typical VPN Concentrator Network Installation
Physical Specifications
The VPN Concentrator has the following physical specifications:
Width
|
17.25 inches (43.8 cm); 19-inch (48.26-cm), rack mountable
|
Depth
|
•3005 = 11.75 inches (29.85 cm)
•3015-3080 = 17 inches (43.2 cm)
|
Height
|
•3005 = 1.75 inches (4.45 cm); 1U high form factor
•3015-3080 = 3.5 inches (8.89 cm); 2 U high form factor
|
Weight
|
•3005 = 8.5 lbs (3.9 kg)
•3015-3080 = 27 to 33 lbs (12.25 to 15 kg), depending on model and options
|
Cooling
|
Normal operating environment, 32o to 122oF (0o to 50oC)
|
Power
|
100 to 240 VAC at 50/60 Hz (autosensing)
•3005 = maximum 25 W (0.2A @ 120 VAC)
•3015-3080 = maximum 50 W (0.42A @ 120 VAC)
|
Cabling distances from an active network device
|
Approx. 328 feet (100 meters)
|
UL approved
|
Electrical, mechanical, and construction
|
Standards compliance
|
FCC, E.U., and VCCI Class A compliance
|
