
Cisco Secure VPN Exam Certification Guide - Cisco press
98 Chapter 3: Cisco VPN 3000 Concentrator Series Hardware Overview
The administration functions available from this menu are as follows:
• Administer Sessions—View statistics for logout and ping sessions.
• Software Update—Update concentrator and client software images to the most current versions using the appropriate choice from these two selections:
  — Concentrator—Upload and update the VPN concentrator software image.
  — Clients—Upload and update the VPN client software image.
• System Reboot—Set options for VPN concentrator shutdown and reboot.
• Ping—Use Internet Control Message Protocol (ICMP) ping to determine connectivity.
• Monitoring Refresh—Enable automatic refresh of status and statistics in the Monitoring section of the Manager.
• Access Rights—Configure administrator profiles, access, and sessions. The Access Rights option provides these four selections:
  — Administrators—Configure administrator usernames, passwords, and rights.
  — Access Control List—Configure IP addresses for workstations with access rights.
  — Access Settings—Set administrative session idle timeout and limits.
  — AAA Servers—Set administrative authentication using TACACS+.
• File Management—Manage system files in flash memory. The File Management option provides these four selections:
  — Files—Copy, view, and delete system files.
  — Swap Configuration Files—Swap backup and boot configuration files.
  — TFTP Transfer—Use TFTP to transfer files to and from the VPN concentrator.
  — File Upload—Use HTTP to transfer files to the VPN concentrator.
• Certificate Management—Install and manage digital certificates. The Certificate Management option provides these three selections:
  — Enrollment—Create a certificate request to send to a Certificate Authority.
  — Installation—Install digital certificates.
  — Certificates—View, modify, and delete digital certificates.
Monitoring
The Monitoring screen is shown in Figure 3-12.

Major Advantages of Cisco VPN 3000 Series Concentrators 99
Figure 3-12 VPN Concentrator Manager—Monitoring
The monitoring functions available from this menu are as follows:
• Routing Table—Current valid routes, protocols, and metrics.
• Filterable Event Log—Current event log in memory, filterable by event class, severity, IP address, and so on. Within this monitoring section, you also find access to current log entries from the following selection:
  — Live Event Log—Current event log, continuously updated.
• System Status—Current software revisions, uptime, SEP modules, system power supplies, Ethernet interfaces, front-panel LEDs, and hardware sensors. To monitor the LED status indicator panel, select the following System Status option:
  — LED Status—Current status of the VPN Concentrator front-panel LED indicators.
• Sessions—Currently active sessions sorted by protocol, SEP, and encryption. “Top ten” sessions sorted in descending order by data (total bytes transmitted and received), duration (total time connected), and throughput (average bytes per second).
• Statistics—Current statistics for PPTP, L2TP, IPSec, HTTP, events, Telnet, DNS, authentication, accounting, filtering, VRRP, SSL, DHCP, address pools, SSH, load balancing, and data compression. MIB-II statistics for interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, the ARP table, Ethernet traffic, and SNMP.
Ease of Upgrades
There are only two basic chassis for the Cisco VPN 3000 Series Concentrators: the 1U-high fixed-configuration box, used for the 3005 Concentrator, and the 2U-high modular box, used for all others. The 3005 is not upgradeable, but it is still a powerful performer capable of supporting up to 100 simultaneous sessions.

The 2U-high modular system used for the other four concentrator models is clever. If you begin with the 3015 Concentrator, it is progressively upgradeable to the 3030 and then to the 3060 simply by adding additional memory and SEP modules. This elegant migration approach allows you to go from supporting 100 sessions at 4-Mbps encrypted throughput to 5000 sessions at 100-Mbps encrypted throughput. The Cisco VPN 3080 Concentrator is the top of the line and cannot be upgraded.
Cisco Secure VPN Concentrators: Comparison and Features
6 Cisco VPN 3000 Concentrator Series models
Now that you’ve learned about some of the features of the Cisco VPN 3000 Series Concentrators, this section takes a closer look at the individual products in the series. Each of the concentrators in this series is shipped with the Cisco VPN Client, with unlimited distribution licensing.
Additionally, each of these concentrators contains the powerful Cisco VPN Manager software in memory. These systems come as a complete package, ready to drop into your network. Figure 3-13 shows one of the 3015–3080 systems.
Figure 3-13 Cisco VPN Concentrator
This section covers the following topics:
• Cisco VPN 3005 Concentrator
• Cisco VPN 3015 Concentrator
• Cisco VPN 3030 Concentrator
• Cisco VPN 3060 Concentrator
• Cisco VPN 3080 Concentrator
• Cisco VPN 3000 Concentrator Series LED indicators

Cisco Secure VPN Concentrators: Comparison and Features 101
Cisco VPN 3005 Concentrator
Designed for small- to medium-sized organizations, the Cisco VPN 3005 Concentrator can deliver up to full-duplex T1/E1, 4 Mbps of encryption throughput, and support for up to 100 simultaneous sessions. Figure 3-14 shows front and rear views of the 3005 chassis.
Figure 3-14 Cisco VPN 3005 Concentrator
Table 3-3 shows the major features of the Cisco VPN 3005 Concentrator. Notice that encryption is performed in software on this system and that the system is not upgradeable.
Table 3-3 Cisco VPN 3005 Concentrator

| Feature | Cisco 3005 |
|---|---|
| Typical application | Small to medium |
| Simultaneous sessions | 100 |
| Encryption throughput | 4 Mbps |
| Encryption method | Software |
| Encryption (SEP) module | 0 |
| Redundant SEP | N/A |
| Available expansion slots | 0 |
| Upgrade capability | No |
| System memory | 32 MB (fixed) |
| Hardware | 1U, fixed |
| Power supply | Single |
| Client license | Unlimited |
| Processor | Motorola PowerPC |
| Console port | Async DB9 |
| Flash | 32 MB SRAM |
| Memory | Fixed |

Cisco VPN 3015 Concentrator
Also designed for small- to medium-sized organizations, the Cisco VPN 3015 Concentrator can deliver up to full-duplex T1/E1, 4 Mbps of encryption throughput, and support for up to 100 simultaneous sessions. The biggest difference between the 3005 and 3015 concentrators is that the 3015 is upgradeable, whereas the 3005 is not. Figure 3-15 shows front and rear views of the 3015, 3030, 3060, and 3080 chassis. These models all share the same case.
Figure 3-15 Cisco VPN 3015 Concentrator
Table 3-4 shows the major features of the Cisco VPN 3015 Concentrator. Notice that, like the VPN 3005 Concentrator, encryption is performed in software on this system; however, this system is upgradeable.
Table 3-4 Cisco VPN 3015 Concentrator

| Feature | Cisco 3015 |
|---|---|
| Typical application | Small to medium |
| Simultaneous sessions | 100 |
| Encryption throughput | 4 Mbps |
| Encryption method | Software |
| Encryption (SEP) module | 0 |
| Redundant SEP | N/A |
| Available expansion slots | 4 |
| Upgrade capability | Yes |
| System memory | 128 MB |
| Hardware | 2U, scalable |
| Power supply | Single or dual |
| Client license | Unlimited |
| Processor | Motorola PowerPC |
| Console port | Async DB9 |
| Flash | Redundant |
| Memory | Variable |
Cisco VPN 3030 Concentrator
Designed for medium- to large-sized organizations, the Cisco VPN 3030 Concentrator can deliver from full-duplex T1/E1 through T3/E3, 50 Mbps of encryption throughput, and support for up to 1500 simultaneous sessions.
Table 3-5 shows the major features of the Cisco VPN 3030 Concentrator. The 3030 VPN Concentrator uses SEPs to perform hardware encryption and can be purchased in either redundant or nonredundant configurations. This system is field-upgradeable to the Cisco 3060 Concentrator.
Table 3-5 Cisco VPN 3030 Concentrator

| Feature | Cisco 3030 |
|---|---|
| Typical application | Medium to large |
| Simultaneous users | 1500 |
| Encryption throughput | 50 Mbps |
| Encryption method | Hardware |
| Encryption (SEP) module | 1 |
| Redundant SEP | Option |
| Available expansion slots | 3 |
| Upgrade capability | Yes |
| System memory | 128 MB |
| Hardware | 2U, scalable |
| Power supply | Single or dual |
| Client license | Unlimited |
| Processor | Motorola PowerPC |
| Console port | Async DB9 |
| Flash | Redundant |
| Memory | Variable |

Cisco VPN 3060 Concentrator
Designed for large organizations requiring high performance and reliability, the Cisco VPN 3060 Concentrator can deliver from fractional T3 through T3/E3 or greater, 100 Mbps of encryption throughput, and support for up to 5000 simultaneous sessions.
Table 3-6 shows the major features of the Cisco VPN 3060 Concentrator. The 3060 VPN Concentrator uses SEPs to perform hardware encryption and can be purchased in either redundant or nonredundant configurations. This system is field-upgradeable to the Cisco 3080 Concentrator.
Table 3-6 Cisco VPN 3060 Concentrator

| Feature | Cisco 3060 |
|---|---|
| Typical application | Large |
| Simultaneous users | 5000 |
| Encryption throughput | 100 Mbps |
| Encryption method | Hardware |
| Encryption (SEP) module | 2 |
| Redundant SEP | Option |
| Available expansion slots | 2 |
| Upgrade capability | N/A |
| System memory | 256 MB |
| Hardware | 2U, scalable |
| Power supply | Single or dual |
| Client license | Unlimited |
| Processor | Motorola PowerPC |
| Console port | Async DB9 |
| Flash | Redundant |
| Memory | Variable |
Cisco VPN 3080 Concentrator
Designed for large organizations demanding the highest level of performance and reliability, the Cisco VPN 3080 Concentrator delivers 100 Mbps of encryption throughput and support for up to 10,000 simultaneous sessions.
Table 3-7 shows the major features of the Cisco VPN 3080 Concentrator. The 3080 VPN Concentrator uses SEPs to perform hardware encryption and is available only in a fully redundant configuration. The 3080 is the top of the line and is not upgradeable.

Table 3-7 Cisco VPN 3080 Concentrator

| Feature | Cisco 3080 |
|---|---|
| Typical application | Large |
| Simultaneous users | 10,000 |
| Encryption throughput | 100 Mbps |
| Encryption method | Hardware |
| Encryption (SEP) module | 4 |
| Redundant SEP | Yes |
| Available expansion slots | N/A |
| Upgrade capability | N/A |
| System memory | 256 MB |
| Hardware | 2U |
| Power supply | Dual |
| Client license | Unlimited |
| Processor | Motorola PowerPC |
| Console port | Async DB9 |
| Flash | Redundant |
| Memory | Variable |
Cisco VPN 3000 Concentrator Series LED Indicators
While the LED indicator panel for the 3005 Concentrator only provides information for system status, the front panel on the 3015 through 3080 Concentrators, shown in Figure 3-16, has numerous LEDs that you can use to quickly check the health of the unit.
Figure 3-16 Cisco VPN Concentrator 3015–3080 Front LED Display Panel
[Figure 3-16 panel labels: System; Ethernet Link Status; Expansion Modules Insertion Status and Run Status (1 2 3 4); CPU Utilization; Fan Status; Active Sessions; Throughput; A; B]

A description of the LEDs on the front panel of the Cisco 3000 Series Concentrators is given in Table 3-8.
Table 3-8 Cisco VPN Concentrator Front Panel LEDs

| LED Indicator | Green | Amber | Off |
|---|---|---|---|
| The following details pertain to Model 3005. | | | |
| System | Power on. Normal. Blinking green—System is in a shutdown (halted) state, ready to power off. | System has crashed and halted. Error. | Power off. (All other LEDs are also off.) |
| The following details pertain to Models 3015–3080. | | | |
| Ethernet Link Status 1 2 3 | Connected to network and enabled. Blinking green—Connected to network and configured, but disabled. | N/A | Not connected to network or not enabled. |
| Expansion Modules Insertion Status 1 2 3 4 | SEP module installed in system. | N/A | Module not installed in system. |
| Expansion Modules Run Status 1 2 3 4 | SEP module operational. | Module failed during operation. Error. | If installed, module failed diagnostics, or encryption code is not running. Error. |
| Fan Status | Operating normally. | Not running or RPM below normal range. Error. | N/A |
| Power Supplies A B | Installed and operating normally. | Voltage(s) outside of normal ranges. Error. | Not installed. |
| CPU Utilization | This statistic selected for usage gauge display. | N/A | Not selected. |
| Active Sessions | This statistic selected for usage gauge display. | N/A | Not selected. |
| Throughput | This statistic selected for usage gauge display. | N/A | Not selected. |

The rear panel on the 3015 through 3080 Concentrators also has numerous indicator LEDs that you can use to quickly check the health of the unit. Figure 3-17 shows the typical LED indicator configuration that is associated with each Ethernet port on a concentrator.
Figure 3-17 Cisco VPN Concentrator Ethernet Port LEDs
[Figure 3-17 labels: Private port; LEDs Link, Tx, Coll, 100]
A description of the LEDs on this display is given in Table 3-9.
Table 3-9 Cisco VPN Concentrator Rear Panel LEDs

| LED Indicator | Green | Amber | Off |
|---|---|---|---|
| Link | Carrier detected. Normal. | N/A | No carrier detected. Error. |
| Tx | Transmitting data. Normal. Intermittent on. | N/A | Not transmitting data. Idle. Intermittent off. |
| Coll | N/A | Data collisions detected. | No collisions. Normal. |
| 100 | Speed set at 100 Mbps. | N/A | Speed set at 10 Mbps. |
SEP modules that are included on VPN Concentrator Models 3015 through 3080 have additional LEDs. Table 3-10 describes those LEDs.
Table 3-10 Cisco VPN Concentrator SEP LEDs

| SEP Module LED | Green | Amber | Off |
|---|---|---|---|
| Power | Power on. Normal. | N/A | Power is not reaching the module. It might not be seated correctly. Error. |
| Status | Encryption code is running. Normal. | Module failed during operation. Error. | Module failed diagnostics, or encryption code is not running. Error. |