Cisco VPN Equipment and Software Solutions

The following sections look at the specific solutions that Cisco offers for VPN connectivity. Specifically, they examine the Cisco IOS routers, PIX firewalls, VPN 3000 Concentrators, and the Cisco 3002 hardware and software clients, and consider their functionality in the previously described VPN network types. Also, it is imperative to determine which products should be implemented in small office/home office (SOHO) environments, a remote office/branch office (ROBO) workplace, or enterprise central sites/service providers.

Cisco VPN-Enabled IOS Routers

Cisco offers several different models for VPN connectivity employing Cisco IOS routers, starting from the 800 series SOHO routers all the way up to the 7200 enterprise router. In addition, Cisco offers hardware encryption modules and cards to offload the processing and memory responsibilities for encrypting and decrypting traffic that traverses the VPN tunnel. The VPN routers can terminate several remote access tunnels; however, the Cisco IOS VPN routers are predominantly used for intranet and extranet site-to-site connections. Table 2.1 lists the available Cisco models, along with their features and throughput.

Table 2.1. Cisco VPN Routers

Model     Performance                Hardware Encryption   Site
800       384Kbps/10 Tunnels         NA                    SOHO
uBR900    6Mbps/20 Tunnels           Integrated            SOHO
1700      8Mbps/100 Tunnels[*]       MOD1700-VPN           Small ROBO
2600      24Mbps/800 Tunnels[*]      AIM-VPN/BP/EP         Medium ROBO
3600      40Mbps/1800 Tunnels[*]     AIM-VPN/MP/HP         Large ROBO
7100      145Mbps/3200 Tunnels[*]    VAM or ISM/ISA        Central Site
7200      145Mbps/5000 Tunnels[*]    VAM or ISA            Central Site

[*] Actual performance is based upon VPN hardware accelerated models using 1400 byte packets. Software performance is considerably less.

Tip: Cisco has simplified remote policy administration with the creation of its Easy VPN (EzVPN) configurations. This software enhancement, starting with IOS release 12.2(8)T, enables you to define many of the daunting VPN policies at the Easy VPN Server and have them pushed down to Easy VPN clients, thus allowing a minimal configuration for the client sites.
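As an added illustration of the push model described in the tip (this configuration is not from the book or from Cisco's documentation; the group name remote-users, the group key, the user account, the 10.1.1.0/24 central LAN, the 192.168.100.0/24 address pool and the peer address 203.0.113.1 are constructed placeholders), the fragment below shows a central-site IOS router acting as an Easy VPN Server that defines the group policy once, and an 800/1700-class SOHO router acting as an Easy VPN Remote that receives that policy at tunnel setup. The 3DES/SHA-1/DH group 2 choices match the IOS release named above; a current deployment would select AES and a larger Diffie-Hellman group.

```cisco
! ---- Easy VPN Server (central-site IOS router) ----
aaa new-model
! Xauth user accounts and the group policy are both held locally on this router
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnuser password 0 ExampleUserPassword
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Policy defined once here; dns, domain, pool and split-tunnel acl are pushed
! to every client that authenticates as a member of this group
crypto isakmp client configuration group remote-users
 key ExampleGroupKey
 dns 10.1.1.10
 domain example.com
 pool vpnpool
 acl 101
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.1 255.255.255.0
 crypto map clientmap
!
ip local pool vpnpool 192.168.100.1 192.168.100.50
! Split-tunnel ACL pushed to clients: only traffic to the central LAN is tunneled
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

! ---- Easy VPN Remote (SOHO router, e.g. 800 or 1700 series) ----
! The client side carries no address pool, DNS or split-tunnel policy of its own
crypto ipsec client ezvpn hw-client
 group remote-users key ExampleGroupKey
 mode client
 peer 203.0.113.1
!
interface Ethernet0
 description LAN side; hosts here are encrypted on behalf of by the router
 crypto ipsec client ezvpn hw-client inside
!
interface Ethernet1
 description WAN side; the tunnel is built from this interface
 crypto ipsec client ezvpn hw-client
```

The asymmetry is the point of the feature: the remote router needs only the group credential, the peer and the mode, while everything that tends to change (pool, DNS, domain, which networks are reached through the tunnel) lives on the server and is delivered during IKE mode configuration. In client mode the remote router translates its LAN hosts to the single pool address it was assigned, which is the same role the VPN 3002 Hardware Client plays toward a VPN 3000 Concentrator. When reviewing such a configuration, check that the split-tunnel ACL is as narrow as the business need allows and that the group key is not shared beyond the devices that should hold it.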


Cisco PIX Firewall Series

When the security administration in the organization controls the VPN deployment, the Cisco PIX firewall might be the solution of choice for any intranet or extranet site-to-site needs. Similar to the Cisco IOS routers, the PIX firewall models can be upgraded with a VPN accelerator card. Table 2.2 lists the various PIX models and their respective features.

Table 2.2. Cisco PIX Firewalls

Model      Performance               Hardware Encryption   Site
PIX 501    3Mbps/5 Tunnels           NA                    SOHO
PIX 506    17Mbps/25 Tunnels         NA                    Small ROBO
PIX 515    63Mbps/2000 Tunnels[*]    VAC                   Small-Medium ROBO
PIX 525    72Mbps/2000 Tunnels[*]    VAC                   Central Site/SP
PIX 535    100Mbps/2000 Tunnels[*]   VAC                   Central Site/SP

[*] Actual performance is based upon VPN hardware accelerated models using 1400 byte packets. Software performance is considerably less.

Cisco VPN 3000 Concentrator Series

The VPN 3000 Concentrator provides a robust solution for terminating remote-access tunnels. Also capable of creating LAN-to-LAN connections to other concentrators or IPSec gateways, the VPN 3000 is a highly versatile device capable of handling up to 10,000 simultaneous sessions.

Exam Alert: The 642-511 exam expects you to know the VPN 3000 Concentrator's capabilities and performance. In addition, be sure you are able to correctly determine which model belongs to a given location.


Many of the 3000 series also support field-swappable hardware encryption modules called scalable encryption processors (SEPs). These SEP modules contain programmable digital signal processing (DSP), which can be updated for future enhancements. Although they are discussed in greater detail later, Table 2.3 familiarizes you with the Cisco VPN 3000 Concentrators and their capabilities.

Table 2.3. Cisco VPN 3000 Concentrators

Model   Performance                      Hardware Encryption   Site
3005    4Mbps/100 Remote Sessions        NA                    Small ROBO
3015    4Mbps/100 Remote Sessions        NA                    Small ROBO
3030    50Mbps/1500 Remote Sessions      1 SEP Module          Medium ROBO
3060    100Mbps/5000 Remote Sessions     2 SEP Modules         Central Site/SP
3080    100Mbps/10,000 Remote Sessions   4 SEP Modules         Central Site/SP

Note: Cisco also produced the 5000 series of concentrators geared toward the enterprise market. At the time of this writing, the Cisco VPN 5000 Concentrator series has reached end-of-life status.


Cisco VPN Software Client

Bundled with the 3000 Concentrator, the Cisco VPN 3000 Software Client (often referred to as the Unity Client) enables end stations with dissimilar operating systems to establish a secure VPN tunnel to the central site's concentrator. The Unity Client is discussed in greater detail in Chapter 10.

Cisco VPN 3002 Hardware Client

When faced with a SOHO with a multitude of clients requiring encrypted tunnels back to the main office, it is superfluous to install the VPN software client on each system in the office. Assuming you do not already own a VPN gateway router or similar VPN-capable device, you can implement the Cisco 3002 Hardware Client to act as a client and encrypt traffic on behalf of the end stations. The Cisco VPN 3002 is available in a single Ethernet LAN model or as the 3002-8E model, which has an embedded 8-port switch in it for LAN connectivity.

Certicom IPSec Client

The Certicom movian Client is a wireless client for devices such as PDAs and other handheld mobile devices. These clients use elliptic curve cryptography (discussed later), which is faster and less processor-intensive on devices with limited processing power.


CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185