The Cisco VPN 3000 Series Concentrator is a growing family of VPN devices specifically designed and built to provide fast, reliable, and secure remote access to organization network resources. These devices combine with Cisco VPN client software and hardware to incorporate high availability, high performance, and scalability, plus advanced encryption and authentication technologies, allowing customers to implement the latest VPN technology while protecting and preserving their communications investments.
The VPN 3000 platform offers customer-upgradeable and field-swappable components to increase capacity dramatically while maintaining the original device, rack space, and power requirements. Scalable Encryption Processing (SEP) modules can be added to the 3015 through 3060 chassis to let users add capacity and throughput easily.
The Cisco VPN 3000 Concentrator series comes in several models to meet organization capacity requirements and applications. The platform includes models to support customers with 100 or fewer remote access users to large organizations with up to 10,000 simultaneous remote connections. The latest Cisco VPN Software Client is provided at no additional charge with unlimited distribution licensing with all versions of the Cisco VPN 3000 Concentrator.
The Cisco VPN 3000 Concentrator platform offers models that can be implemented in both redundant and nonredundant configurations, offering the organization flexibility in design and budget management. In addition, advanced routing support, such as OSPF, RIP, and NAT, are available.
The VPN 3000 Concentrators create virtual private networks (VPNs) by building secure connections across a TCP/IP network, such as the Internet, that allow remote end users to connect to the corporate network. The VPN Concentrator can be used to create single-user-to-LAN connections for connecting traveling employees or telecommuters, plus LAN-to-LAN connections for connecting remote sites. The VPN 3000 family of VPN concentrators currently comes in the following five models, offering support for anything from a few secure connections up to 10,000 sessions:
Cisco VPN 3005
Cisco VPN 3015
Cisco VPN 3030
Cisco VPN 3060
Cisco VPN 3080
The 3005 is a unique 1U rack-mountable nonupgradeable device. The others share a common 2U rack-mountable chassis that allows choices in the number of power supplies and SEP units. These units support after-purchase upgrade options that allow the VPN security architecture to grow with the organization.
The following features are common to all Cisco VPN 3000 Concentrator Models:
10/100 Ethernet autosensing interfaces:
Model 3005: Two interfaces
Models 3015-3080: Three interfaces
Motorola PowerPC CPU
SDRAM memory for normal operation
Nonvolatile memory (NVRAM) for critical system parameters
Flash memory for file management
Note: While each 3000 series device still specifies an optional T1/E1 interface, Cisco Systems has announced the end of sale of Cisco VPN 3000 WAN Interface products, including all T1 and E1 WAN modules for VPN 3000 Concentrator Series products.
The 3005 is a fixed-configuration VPN platform designed for small-to-medium networks with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) and up to 100 simultaneous sessions. Figure 13-3 shows the front and rear views of a VPN 3005. The basic configuration and expansion capabilities include the following:
Software-based encryption
Single power supply
Expansion capabilities:
Optional WAN interface module with dual T1/E1 ports
Figure 13-3: VPN 3005 front and rear views
Like the Cisco VPN 3005, the 3015 is a VPN platform designed for small-to-medium networks with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) and up to 100 simultaneous sessions. Also, like the 3005, the default encryption processing is performed in software. Unlike the 3005, the 3015 is field-upgradeable to the VPN 3030 and 3060 models by adding memory and SEP modules. Figure 13-4 shows the front and rear views of a VPN 3015. The larger units look the same except that SEP modules and the redundant power supply replace the blank covers. The basic configuration and expansion capabilities include the following:
Software-based encryption
Single power supply
Expansion capabilities:
Optional WAN interface module with dual T1/E1 ports
Up to four Cisco SEP hardware encryption modules
Optional redundant power supply
Figure 13-4: VPN 3015 front and rear views
The 3030 is a VPN platform designed for medium-to-large networks with bandwidth requirements from full T1/E1 through fractional T3, up to 50 Mbps maximum performance. The 3030 can support up to 1,500 simultaneous sessions. The basic configuration and expansion capabilities include the following:
One SEP module for hardware-based encryption
Single power supply
Expansion capabilities:
Optional WAN interface module with dual T1/E1 ports
Up to three additional SEP hardware-based encryption modules
Optional redundant power supply
The 3060 is a VPN platform designed for large networks requiring the highest level of performance and reliability, with high-bandwidth requirements from fractional T3 through full T3/E3 or greater connections. The 3060 can support up to 5,000 simultaneous sessions. The basic configuration and expansion capabilities include the following:
Two SEP modules for hardware-based encryption
Optional dual redundant power supplies (hot swappable)
Expansion capabilities:
Optional WAN interface module with dual T1/E1 ports
Up to two additional SEP hardware-based encryption modules
The 3080 is a top-of-the-line platform fully optimized to support large enterprise networks requiring the highest level of performance with support for up to 10,000 simultaneous remote access sessions. The basic configuration and expansion capabilities include the following:
Four SEP modules for hardware-based encryption
Dual redundant power supplies (hot swappable)
Expansion capabilities:
Optional WAN interface module with dual T1/E1 ports
The following table summarizes the key features of the Cisco VPN 3000 Concentrator series of devices.
Feature | 3005 | 3015 | 3030 | 3060 | 3080
Simultaneous Users | 100 | 100 | 1,500 | 5,000 | 10,000
Encryption Throughput | 4 Mbps | 4 Mbps | 50 Mbps | 100 Mbps | 100 Mbps
Encryption Method | Software | Software | Hardware | Hardware | Hardware
Encryption (SEP) Modules | 0 | 0 | 1 | 2 | 4
Expansion Slots Available | 0 | 4 | 3 | 2 | 0
Redundant SEP | N/A | N/A | Option | Option | Yes
System Memory | 32MB fixed | 64MB | 128MB | 256MB | 256MB
T1 WAN Module | Fixed Option | Option | Option | Option | Option
Dual Power Supply | Single | Option | Option | Option | Yes
Client License | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Hardware | 1U, Fixed | 2U, Scalable | 2U, Scalable | 2U, Scalable | 2U
To support fast, easy, and reliable deployment and scalability to thousands of remote users and sites, the Cisco VPN 3000 Concentrators are full-featured VPN devices that incorporate IPSec and other industry standards. The 3000 series supports the following standards and protocols. Details for configuring these features are covered in Chapter 14.
Tunneling Protocols: IPSec, PPTP, L2TP, and L2TP/IPSec
Encryption/Authentication: IPSec Encapsulating Security Payload (ESP) using DES/3DES (56/168 bit) or AES (128, 192, 256 bit) with MD5 or SHA, MPPE using 40/128 bit RC4
Key Management: Internet Key Exchange (IKE) and Diffie–Hellman (DH) Groups 1, 2, 5, 7 (ECDH)
NAT: NAT Transparent IPSec, IPSec/TCP, Ratified IPSec/UDP (with autodetection and fragmentation avoidance). Ratified IPSec/UDP support for NAT-T provides autodetection behind a NAT/PAT device, such as a small or home office router, and adds multivendor interoperability
Routing: RIP, RIP2, OSPF, reverse route injection (RRI), static, automatic endpoint discovery, classless interdomain routing (CIDR)
Release 3.6 includes DHCP relay/proxy for customers using the Cisco VPN 3000 Concentrator as an edge device in wireless configurations because it removes the need for an additional DHCP server
Dynamic Domain Naming System (DNS) population (DDNS/DHCP) allows administrators to associate a remote access computer with its current IP address
IPSec fragmentation policy control, including support for Path MTU Discovery (PMTUD)
PPPoE Automatic Maximum Transmission Unit (MTU) adjustment for the network driver interface specification WAN (NDISWAN) during install improves remote access client operation in PPPoE DSL environments
MovianVPN (Certicom) Handheld VPN Client with ECC
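The IPSec/UDP (NAT-T) support listed above carries three kinds of message on one UDP flow: NAT keepalives, IKE, and UDP-encapsulated ESP. The following demultiplexer is an added illustration for monitoring such traffic, not code from this book or from Cisco; it assumes the RFC 3948 layout (UDP port 4500, a four-zero-byte non-ESP marker before IKE, a single 0xFF byte for keepalives, and an ESP SPI otherwise), and the sample datagrams are constructed, not captured from a VPN 3000.

```python
import struct

# Constructed UDP/4500 payloads for demonstration (not captures from a VPN 3000).
# Layout per RFC 3948: keepalive = one 0xFF byte; IKE = 4 zero bytes then the
# ISAKMP header; ESP = SPI (never zero) followed by the sequence number.
SAMPLES = {
    "keepalive": b"\xff",
    "ike": (b"\x00\x00\x00\x00"                      # non-ESP marker
            + bytes.fromhex("0123456789abcdef")      # initiator cookie/SPI
            + b"\x00" * 8                            # responder cookie (unset)
            + b"\x01\x10\x02\x00"                    # next=SA, ver 1.0, Main Mode, flags
            + b"\x00\x00\x00\x00"                    # message ID
            + struct.pack("!I", 28)),                # total length (header only)
    "esp": struct.pack("!II", 0xC0FFEE01, 42) + b"\x01\x02\x03",  # SPI, seq, ciphertext
}


def classify_natt(payload: bytes) -> dict:
    """Tell apart the three message types sharing a NAT-T UDP flow."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        # SPI 0 is reserved in ESP, so an all-zero first word is unambiguous IKE.
        ike = payload[4:]
        if len(ike) < 28:
            return {"kind": "ike", "error": "truncated IKE header"}
        ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "major": ver >> 4, "minor": ver & 0xF,
                "exchange": exch, "length": length, "initiator_spi": f"{ispi:016x}"}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "invalid", "error": "too short"}


def summarize(datagrams):
    """Tally payloads by kind and collect the ESP SPIs seen on the flow."""
    counts = {}
    spis = set()
    for d in datagrams:
        info = classify_natt(d)
        counts[info["kind"]] = counts.get(info["kind"], 0) + 1
        if info["kind"] == "esp":
            spis.add(info["spi"])
    return counts, sorted(spis)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_natt(pkt))
    print(summarize(list(SAMPLES.values())))
```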
The following summarizes the features and benefits provided by the Cisco VPN 3000 Concentrator devices. Chapter 14 addresses those that require configuration.
The Cisco SEP modules provide hardware-based encryption, ensuring consistent performance throughout the rated capacity for models 3030 through 3080. With multiple SEP modules, the device becomes a distributed-processing architecture, providing enhanced performance and increased reliability through redundancy. This modular design provides investment protection, redundancy, and a simple upgrade path, and it minimizes the impact on rack space and power supply allocation.
The all-digital design of the VPN 3000 device provides a high degree of reliability with solid, long-term performance and supports 24-hour continuous operation. Incorporated into each unit is a robust instrumentation package for real-time monitoring and alerts.
The VPN 3000 series' close support for Microsoft hosts, including Windows 2000/XP clients, enables large-scale client deployment and seamless integration with related network systems. The VPN 3000 supports the following Microsoft protocols:
Microsoft PPTP/MPPE/MPPC, MSCHAPv1/v2, and EAP/RADIUS pass-through for EAP/TLS and EAP/GTC support
Microsoft L2TP/IPsec for Windows 2000/XP (including XP DHCP option for route population)
Microsoft L2TP/IPsec for Windows 98, Windows Millennium (Me), and Windows NT Workstation 4.0
VPN 3000 Release 3.6 added three improvements to support Microsoft’s Integrated VPN Client including
Microsoft L2TP/IPSec Extensible Authentication Protocol (EAP) pass-through support (TLS and GTC/SDI) for working from behind a PAT/NAT device with the VPN Client
DHCP—XP route list population (split tunneling)
IPSec/User Datagram Protocol (UDP) NAT-T compatibility (expected release by Microsoft in 2003)
Support for Windows Installer (MSI) installation (Windows NT/2000/XP only), providing the system administrator with the capability to customize installation packages and track system changes made during client installation
The VPN 3000 Series' support for current and emerging security standards, including RADIUS, NT Domain Authentication, RSA SecurID, one-time passwords (OTP), and digital certificates, enables large-scale client deployment and seamless integration with external authentication systems, as well as interoperability with third-party products.
VPN 3000 release 3.6 offers two notable enhancements to concentrator encryption and security, including
The addition of Advanced Encryption Standard (AES) to the concentrator offers a stronger encryption option and provides performance benefits for both the Cisco VPN 3002 Hardware Client and the Cisco VPN Client.
RSA SecurID (SDI) Version 5.0 support. Users can now take advantage of the load balancing and resiliency features found in RSA SecurID Version 5.0.
Advanced packet-filtering capabilities provide additional network security. Filtering options include source and destination IP address (Layer 3), port and protocol type (Layer 4), fragment protection, time and day access control, and FTP session filtering.
User and group-level policy management can be implemented for maximum flexibility and granularity in controlling network and feature access control.
The VPN 3000 Series’ redundant subsystems and multichassis failover capabilities help to ensure maximum system uptime and remote user connectivity. Redundant SEP and power supply options within individual devices promote reliability in a single or multidevice configuration. Multiple concentrators can be configured for both load-balancing and failover redundancy, providing protection and capacity to high-volume critical systems.
Extensive instrumentation and monitoring capabilities, as well as support for Cisco network management software applications, provide network managers with real-time system status and early-warning alerts.
A new feature in Release 3.6 is improved bandwidth limiting and traffic-shaping capabilities on the Cisco VPN 3000 Concentrators. This allows network administrators to assign minimum and maximum bandwidth parameters on a per-user basis. The administrator can establish limits on users with high-bandwidth use.
The Cisco VPN 3000 Concentrator can be managed using web-based applications from any standard web browser using HTTP or HTTPS. The VPN 3000s also support CLI commands via Telnet, Secure HTTP, SSH, and the console port.
The VPN concentrator devices support configuration and monitoring capabilities for both the enterprise user and the service provider.
VPN concentrator device access levels can be configured per user and/or per group allowing configuration and maintenance control consistent with the organization security policies.
The Cisco VPN 3000 Concentrators support the following technologies for providing monitoring and logging services:
Syslog output
Configurable SNMP traps
Event logging and notification via e-mail (SMTP) and, therefore, pager
Automatic FTP backup of event logs
SNMP MIB-II support
General Statistics
System Status
Session Data (including Client Assigned IP, Encryption Type, Connection Duration, Client OS, Version, and so forth)
Remote access VPN clients use the following three common connectivity techniques to reach the central site:
VPN client software installed on PCs or workstations
Hardware VPN routers
Firewalls and hardware clients
Cisco Easy VPN could be the perfect solution for all three techniques, particularly with large implementations and limited local support.
The Cisco Easy VPN is a software enhancement for existing Cisco routers and security appliances that can simplify VPN deployment for remote offices and telecommuters. Easy VPN is based on the Cisco Unified Client Framework using a centrally located Easy VPN Server, which is configured with all parameters required by the remote device. The remote Easy VPN client can be preconfigured for mass deployments, and initial logins require little user intervention. The full client configuration is "pushed" down from the Easy VPN Server when the client connects.
Cisco Easy VPN centralizes VPN configuration and management, thereby reducing the complexity of VPN deployments. The Cisco Easy VPN strategy incorporates all Cisco VPN client implementations into a single deployment, including IOS routers, PIX Firewalls, the VPN 3002 Hardware Client, and software VPN clients. This system offers consistent policy and key management methods, thus simplifying remote side setup and administration.
Using this feature, security policies defined and updated at the head-end are pushed to the remote VPN client, ensuring those connections have current policies in place before any connection is established. In addition, a Cisco Easy VPN Server-enabled device can terminate VPN tunnels initiated by mobile remote workers running Cisco VPN client software on PCs. This flexibility makes it possible for traveling workers or telecommuters to access the corporate intranet for critical data and applications.
The Cisco Easy VPN client on a hardware device supports both the VPN Client and Network Extension modes discussed earlier.
The Cisco Easy VPN client feature currently supports the following hardware platforms. It might be necessary to upgrade the IOS on older devices to have the feature. Be sure to check the Cisco web site to see if other models have been added.
Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers
Cisco uBR905 and Cisco uBR925 cable access routers
Cisco 1700 series routers
PIX 500 Series Firewalls
Cisco VPN 3002 Hardware Client
The Cisco Easy VPN Server feature supports the following hardware platforms. As with the client, it might be necessary to upgrade the IOS to have the feature. Be sure to check the Cisco web site to see if other models have been added.
Cisco VPN 3000 Concentrators
PIX 500 Series Firewalls
Most Cisco IOS routers
The Cisco Easy VPN Remote feature provides for automatic management of the following details:
Negotiating tunnel parameters—Addresses, algorithms, lifetimes, and so on
Establishing tunnels according to the defined parameters
Automatically creating the NAT/PAT translation and any associated access lists
Authenticating users—Making sure users are who they say they are, by way of user names, group names, and passwords
Managing security keys for encryption and decryption
Authenticating, encrypting, and decrypting data through the tunnel
Client software upgrades for the VPN 3002
The Cisco VPN Client provides support for Windows 95, 98, Me, NT 4.0, 2000, XP, Linux (Intel), Solaris (UltraSPARC, 32-bit), and Mac OS X 10.1, including centralized split-tunneling control and data compression. VPN client configuration was covered in Chapter 12.
The Cisco VPN 3002 Hardware Client was designed for organizations with many remote office environments. The 3002 combines the ease of use and scalability of a software client with the reliability and stability of a hardware platform. The 3002 client supports Easy VPN Remote, allowing it to connect to any Easy VPN server site concentrator. The VPN 3002 Hardware Client works invisibly with any OS supporting IP, including Solaris, Mac, and Linux.
The VPN 3002 is available with or without a built-in 8-port switch and allows up to 253 station connections in a single network.
Release 3.6 included two significant feature enhancements for the VPN 3002 Hardware Client device:
Software-based AES providing an enhanced security option through stronger encryption capabilities. As with the Cisco VPN Client, enhanced remote access performance also exists on the Cisco VPN 3002 Hardware Client.
The H.323 Fixup feature allows remote access users in Client mode behind the Cisco VPN 3002 Hardware Client to use NetMeeting or other H.323 applications. H.323 requires no configuration on either the VPN Concentrator or the VPN 3002.
With release 3.0, all Cisco VPN 3000 Concentrators support ECC. This is a new Diffie–Hellman Group, which allows for much faster processing of keying information by devices with limited processing power, such as PDAs and smart phones. Cisco VPN 3000 Concentrators can now securely terminate tunnels from IP-enabled wireless devices, allowing a whole new class of users to access enterprise information securely, while preserving the investment in VPN termination equipment in the enterprise data center.
The Cisco VPN 3000 Series Concentrator, Cisco VPN 3002 Hardware Client, and the Cisco VPN Client work together with the Cisco Internet Mobile Office to provide mobile professionals with secure, high-speed broadband connectivity to their networks in airports, convention centers, hotels, and a growing number of other public spaces.