
Table of Contents

Understanding the VPN 3000 Concentrator
Hardware Features
Software Features
How the VPN Concentrator Works
Where the VPN Concentrator Fits in Your Network
Physical Specifications

Understanding the VPN 3000 Concentrator


The VPN 3000 Concentrator (also known as the VPN Concentrator) creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections.


Figure 1-1   The Cisco VPN 3000 Concentrator, Model 3005 and Models 3015 to 3080


Hardware Features

Current VPN Concentrator Models: 3005, 3015, 3030, 3060, and 3080.

Previous VPN Concentrator Models: C10, C20, and C50.

All systems feature:

In addition, individual models have the following hardware features:

Model 3005

  • Software-based encryption
  • Single power supply

Model 3015

  • Software-based encryption
  • Single power supply
  • Expansion capabilities:
    • Up to four Cisco Scalable Encryption Processing (SEP) modules for maximum system throughput and redundancy
    • Optional redundant power supply

Model 3030

  • One Scalable Encryption Processing module for hardware-based encryption
  • Single power supply
  • Expansion capabilities:
    • One additional SEP module for maximum system throughput and redundancy
    • Optional redundant power supply

Models 3060 and 3080

  • Two Scalable Encryption Processing modules for hardware-based encryption at maximum system throughput
  • Dual redundant power supplies
  • Expansion capabilities:
    • Up to two additional SEP modules for maximum system redundancy

Software Features

The VPN Concentrator incorporates the following virtual private networking software features:

Management Interfaces

The VPN Concentrator offers multiple management interfaces. Each interface provides complete capabilities and can be used to fully configure, administer, and monitor the device.

  • The VPN Concentrator Manager is an HTML-based interface that lets you manage the system remotely with a standard web browser using either of the following:
    • HTTP connections
    • HTTPS (HTTP over SSL) secure connections
  • The VPN Concentrator command-line interface is a menu- and command-line based interface that you can use with the local system console or remotely using any of the following:
    • Telnet connections
    • Telnet over SSL secure connections
    • SSH (Secure Shell), including SCP (Secure Copy)

Tunneling Protocols

  • IPSec (IP Security) Protocol
    • Remote access, using Cisco VPN Client or other select IPSec protocol-compliant clients
    • LAN-to-LAN, between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol-compliant secure gateway
  • L2TP over IPSec (for native Windows 2000 and Windows XP client compatibility)
  • PPTP (Point-to-Point Tunneling Protocol) with encryption
  • L2TP (Layer 2 Tunneling Protocol)

Encryption Algorithms

  • 56-bit DES (Data Encryption Standard)
  • 168-bit Triple DES
  • Microsoft Encryption (MPPE): 40- and 128-bit RC4
  • 128-, 192-, and 256-bit AES

Authentication Algorithms

  • MD5 (Message Digest 5)
  • SHA-1 (Secure Hash Algorithm)
  • HMAC (Hashed Message Authentication Coding) with MD5
  • HMAC with SHA-1

Key Management

  • IKE (Internet Key Exchange), formerly called ISAKMP/Oakley, with Diffie-Hellman key technique
  • Diffie-Hellman Group 1, Group 2, Group 5, and Group 7 (ECC)
  • Perfect Forward Secrecy (PFS)

Network Addressing Support

  • DNS (Domain Name System)
  • Client address assignment:
    • DHCP (Dynamic Host Configuration Protocol), including DDNS host name population and configurable giaddr
    • Internally configured client IP address pools
    • RADIUS

Authentication and Accounting Servers

  • Internal authentication server
  • Support for external authentication servers:
    • RADIUS
    • RADIUS with Password Expiration (MSCHAPv2)
    • NT Domain
    • Kerberos (Active Directory)
    • RSA Security SecurID
    • TACACS (administrator only)
  • LDAP Authorization
  • Authentication server testing
  • X.509 Digital Certificates
  • RADIUS accounting

Certificate Authorities

  • Entrust
  • VeriSign
  • Microsoft Windows 2000
  • RSA Keon
  • Netscape
  • Baltimore

Security Management

  • Group and user profiles
  • Data traffic management, by means of:
    • Filters and rules (including RADIUS-based Access Control Lists)
    • IPSec Security Associations
    • NAT (Network Address Translation), many-to-one, also called PAT (Port Address Translation)
    • Network lists

Routing Protocols

  • IP
  • RIP v1, RIP v2
  • OSPF
  • Static routes
  • Private network autodiscovery for LAN-to-LAN connections
  • Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network extension networks to be announced via RIPv2/OSPF

Clustering

  • Load Balancing
  • System redundancy via VRRP

System Administration

  • Session monitoring and management
  • Software image update
  • File upload
  • System reset and reboot
  • Ping
  • Configurable system administrator profiles
  • File management, including SCP and TFTP transfer
  • Digital certificate enrollment and management
  • Session limit setting

Monitoring

  • Event logging and notification via system console, syslog, SNMP traps, and email
  • FTP backup of event logs
  • SNMP MIB-II support
  • System status
  • Session data
  • Memory usage
  • Extensive statistics

Client Software Compatibility

  • Cisco VPN Client (IPSec):
    • Windows 98 and Windows ME
    • Windows NT® 4.0, Windows 2000, and Windows XP
    • Mac OS X 10.1 and 10.2 Jaguar
    • Linux Intel v2.2/v2.4 kernels and Solaris ULTRASparc 32-bit (command-line interfaces only)
  • Microsoft VPN Clients:
    • Windows 95, Windows 98, and Windows ME (PPTP)
    • Windows NT 4.0 (PPTP)
    • Windows® 2000 and Windows XP (PPTP, L2TP over IPSec)
  • Certicom movianVPN Client (ECC, handheld)

Other Features

  • Software data compression
  • Split tunneling
  • Bandwidth management

How the VPN Concentrator Works

The VPN Concentrator creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.

The secure connection is called a tunnel, and the VPN Concentrator uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.

The VPN Concentrator performs the following functions:

The VPN Concentrator invokes various standard protocols to accomplish these functions.

Where the VPN Concentrator Fits in Your Network

Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users. In some cases, the VPN Concentrator may be deployed behind the firewall; such a configuration is firewall-vendor dependent and might require additional firewall configuration.

LAN-to-LAN or branch office applications are also supported by placing a second VPN Concentrator, or other IPSec protocol-compliant secure gateway, at the remote office.


Figure 1-2   A Typical VPN Concentrator Network Installation


Physical Specifications

The VPN Concentrator has the following physical specifications:

Width

17.25 inches (43.8 cm); 19-inch (48.26 cm) rack mountable

Depth

  • 3005 = 11.75 inches (29.85 cm)
  • 3015-3080 = 17 inches (43.2 cm)

Height

  • 3005 = 1.75 inches (4.45 cm); 1U high form factor
  • 3015-3080 = 3.5 inches (8.89 cm); 2U high form factor

Weight

  • 3005 = 8.5 lbs (3.9 kg)
  • 3015-3080 = 27 to 33 lbs (12.25 to 15 kg), depending on model and options

Cooling

Normal operating environment, 32° to 122°F (0° to 50°C)

Power

100 to 240 VAC at 50/60 Hz (autosensing)

  • 3005 = maximum 25 W (0.2 A @ 120 VAC)
  • 3015-3080 = maximum 50 W (0.42 A @ 120 VAC)

Cabling distances from an active network device

Approx. 328 feet (100 meters)

UL approved

Electrical, mechanical, and construction

Standards compliance

FCC, E.U., and VCCI Class A compliance


Posted: Fri Apr 18 16:49:18 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.