Summary

The concentrator's versatility shows in the advanced features it supports. One such feature is the ability to filter protocols, hosts, and networks. To define filters on the concentrator, you first define a set of rules that can then be applied to a filter. The filter processes the rules in order until one matches, and that rule's action decides the packet. If no rule matches, the concentrator either permits or denies the packet based on the default action configured in the filter.
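The rule-walk described above, as an added example (my own model, not the concentrator's code or configuration syntax): each packet is tested against the rules in order, the first match ends processing, and the filter's default action applies only when nothing matched. The rule set, addresses and the `Rule`, `Packet` and `Filter` names are constructed for the example; the second filter shows why rule order matters, because a broad permit placed ahead of a specific drop shadows it completely.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of the concentrator's filter logic; the field names
# below are my own, not the concentrator's configuration keys.

@dataclass
class Rule:
    name: str
    action: str                      # "forward" or "drop"
    protocol: str                    # "tcp", "udp", "esp", ... or "any"
    src: ipaddress.IPv4Network       # source hosts/networks the rule covers
    dst: ipaddress.IPv4Network       # destination hosts/networks the rule covers
    dst_port: Optional[int] = None   # None matches any port

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured criterion must match; unset criteria match anything."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True

@dataclass
class Filter:
    name: str
    rules: List[Rule]
    default_action: str              # used only when no rule matches

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Walk the rules in order; the first match decides and ends processing."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action, rule.name
        return self.default_action, "default"

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed inside address space

# Constructed rule set for a public-interface filter: admit only the IPsec
# control and data traffic the concentrator terminates, drop Telnet toward
# the inside, and let inside-sourced traffic through.
PUBLIC_RULES = [
    Rule("IKE-In", "forward", "udp", ANY, ANY, 500),
    Rule("NAT-T-In", "forward", "udp", ANY, ANY, 4500),
    Rule("ESP-In", "forward", "esp", ANY, ANY),
    Rule("Drop-Telnet", "drop", "tcp", ANY, INSIDE, 23),
    Rule("Inside-Any", "forward", "any", INSIDE, ANY),
]

public_filter = Filter("Public", PUBLIC_RULES, default_action="drop")

# Same two rules in the opposite order: the broad permit now fires first,
# so the Telnet drop can never match (a shadowed rule).
shadowed_filter = Filter("Shadowed", [PUBLIC_RULES[4], PUBLIC_RULES[3]],
                         default_action="drop")

def demo() -> dict:
    natt = Packet("udp", "203.0.113.9", "198.51.100.1", 4500)   # constructed
    telnet = Packet("tcp", "10.1.1.5", "10.2.2.2", 23)           # constructed
    unknown = Packet("tcp", "203.0.113.9", "198.51.100.1", 443)  # constructed
    return {
        "natt": public_filter.evaluate(natt),
        "telnet": public_filter.evaluate(telnet),
        "telnet_shadowed": shadowed_filter.evaluate(telnet),
        "unknown": public_filter.evaluate(unknown),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The `unknown` packet shows the default action at work: nothing matched, so the filter's own setting (drop here) decides.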

When connecting to other networks, the VPN 3000 Concentrator must have means to reach the remote networks. To enable this functionality, the VPN 3000 Concentrator can have static or dynamic routes populate its routing table. Static routes are manual entries that specify the destination network and the interface that packets must exit to reach that network. For the concentrator to forward packets that are not on a network directly connected to its interfaces, you must specify a default gateway, which is usually the Internet router's Ethernet interface. The VPN Concentrator supports OSPF and RIP for dynamic routing protocols. These parameters are primarily configured on the interfaces that will be participating in the routing protocol.

When several concentrators are running in parallel, you can choose to enable either concentrator redundancy or load balancing. In both features, clients connect to a group IP address that is maintained by the master of the cluster. Concentrator redundancy uses the VRRP protocol to detect that the master concentrator is no longer operational. Load balancing uses the VCA protocol to report the utilization of all the concentrators. When clients connect to the group IP address, the master can send a redirect message during the IKE establishment phase that redirects the client to a less loaded concentrator. Concentrator redundancy and load balancing cannot both be enabled on the same concentrator.

Reverse route injection is a method to populate the concentrator's routing table with connected networks to distribute that routing update to downstream routing devices on its interfaces. LAN-to-LAN peers and Cisco 3002 Hardware Clients in Network Extension mode can inject their entire internal network into the concentrator's routing table. Cisco 3002 Hardware Clients in Client mode and Cisco Unity clients populate their internal IP address that was assigned by the concentrator into the concentrator's routing table. You can also manually configure hold-down routes in the concentrator that will always be injected into the routing table.
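The static-route, default-gateway and reverse-route-injection behaviour of the two paragraphs above, as an added example rather than the concentrator's own code: a small routing table with longest-prefix lookup that falls back to the default gateway, RRI that injects a whole inside network for a LAN-to-LAN peer or a Network Extension mode hardware client but only a /32 host route for a Client mode hardware client or Unity client, and a hold-down route that survives tunnel teardown. The `RoutingTable` model, the route-source labels, and all addresses are constructed; the choice of a hold-down prefix that covers the client address pool is my own assumption about a typical use, not something the text states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model; route sources and field names are my own labels,
# not the concentrator's. "hold-down" marks routes the text says are
# always injected regardless of tunnel state.

@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: str                 # exit interface name or tunnel peer address
    source: str                   # "static", "rri", "hold-down" or "default"
    peer: Optional[str] = None    # tunnel peer an RRI route was learned from

class RoutingTable:
    def __init__(self, default_gateway: str):
        self.default_gateway = default_gateway   # usually the Internet router
        self.routes: List[Route] = []

    def add_static(self, network: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(network), interface, "static"))

    def add_hold_down(self, network: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(network), interface, "hold-down"))

    def tunnel_up(self, peer: str, mode: str, address: str) -> None:
        """Reverse route injection when a tunnel comes up.
        "lan-to-lan" / "network-extension": inject the peer's whole inside network.
        "client": inject only the /32 the concentrator assigned to the client."""
        if mode in ("lan-to-lan", "network-extension"):
            net = ipaddress.ip_network(address)
        elif mode == "client":
            net = ipaddress.ip_network(address + "/32")
        else:
            raise ValueError("unknown mode " + mode)
        self.routes.append(Route(net, peer, "rri", peer=peer))

    def tunnel_down(self, peer: str) -> None:
        """Withdraw everything RRI learned from this peer; hold-down routes stay."""
        self.routes = [r for r in self.routes
                       if not (r.source == "rri" and r.peer == peer)]

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, falling back to the default gateway."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.network and (best is None or
                                      r.network.prefixlen > best.network.prefixlen):
                best = r
        if best is None:
            return Route(ipaddress.ip_network("0.0.0.0/0"), self.default_gateway, "default")
        return best

    def advertised(self) -> List[str]:
        """Prefixes a downstream router receives in the concentrator's routing update."""
        return sorted(str(r.network) for r in self.routes
                      if r.source in ("rri", "hold-down"))

def build_demo() -> RoutingTable:
    rt = RoutingTable(default_gateway="198.51.100.1")      # constructed Internet router
    rt.add_static("10.10.0.0/16", "private")               # constructed inside network
    rt.add_hold_down("10.200.0.0/24", "private")           # constructed client address pool
    rt.tunnel_up("203.0.113.20", "lan-to-lan", "192.168.50.0/24")
    rt.tunnel_up("203.0.113.44", "network-extension", "192.168.60.0/24")
    rt.tunnel_up("203.0.113.77", "client", "10.200.0.17")  # Client mode hardware client
    return rt

if __name__ == "__main__":
    rt = build_demo()
    print(rt.lookup("192.168.50.7"))
    print(rt.lookup("10.200.0.17"))
    rt.tunnel_down("203.0.113.77")
    print(rt.lookup("10.200.0.17"))      # now served by the hold-down route
    print(rt.lookup("8.8.8.8"))          # no match: default gateway
    print(rt.advertised())
```

After the client tunnel drops, the /32 disappears but the hold-down /24 still covers the address, so downstream routers keep a path toward the client pool and do not flap on every client disconnect.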

In VPN Concentrators running software version 3.6.1 and up, you can implement bandwidth management for groups, interfaces, and LAN-to-LAN sessions. To use this advanced function, you must define a bandwidth policy that can reserve a determined amount of bandwidth or police the tunnel to have a maximum bandwidth cap.

LAN-to-LAN tunnels are used to connect the concentrator's LAN to another concentrator, firewall, router, or other IPSec-compliant device. With LAN-to-LAN tunnels, you can use preshared keys or certificates for peer authentication. In addition, filters, bandwidth policies, and NAT-T can be applied to these tunnels. LAN-to-LAN routing features support RRI, in addition to a versatile function known as Network Autodiscovery. This convenient feature automatically discovers the neighbor's networks by using RIP.

To configure LAN-to-LAN tunnels, you have to identify the peer's public IP address (or IP addresses if using backup LAN-to-LAN). In addition, you have to define the local and remote inside IP addresses for which this LAN-to-LAN session is utilized. The remote peer's internal network configuration should be the inverse of your configuration.

When IP addresses that traverse the concentrator need to be translated, the concentrator can perform PAT and translate those internal IP addresses to the public interface's IP address. In addition, you can define NAT rules for the concentrator if you are connecting to a LAN-to-LAN network that is using overlapping IP networks.

In instances where the concentrator and clients are behind a NAT- or PAT-capable device, the VPN 3000 Concentrator is capable of encapsulating IPSec messages in UDP or TCP. In version 3.6, the concentrator also supports the ratified standard for UDP-encapsulated IPSec through NAT, called NAT Traversal (NAT-T), which uses UDP port 4500.
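What actually arrives on UDP port 4500, as an added example that is not from the page or from Cisco: a decoder for the datagram payload that tells the three NAT-T message kinds apart. The layouts are those of the standards, not the page: UDP-encapsulated ESP carries the 4-byte SPI and 4-byte sequence number directly after the UDP header (RFC 3948), IKE on port 4500 is prefixed with four zero bytes (the non-ESP marker) before the ISAKMP header (RFC 3947), and a NAT keepalive is a single 0xFF byte. Because SPI 0 is reserved, the marker can never be confused with an ESP packet, and the decoder rejects a zero SPI. The sample datagrams and the function name `classify_natt_payload` are constructed.

```python
import struct
from typing import Dict, Optional, Tuple

# Payload layouts per RFC 3948 (UDP-encapsulated ESP) and RFC 3947 (IKE on 4500):
#   ESP:           4-byte SPI (never zero), 4-byte sequence number, ciphertext...
#   IKE:           4 zero bytes (non-ESP marker), then the 28-byte ISAKMP header
#   NAT keepalive: a single 0xFF byte
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message id, total length
IKE_HEADER = struct.Struct("!8s8sBBBBII")

def classify_natt_payload(payload: bytes) -> Tuple[str, Optional[Dict[str, int]]]:
    """Classify the UDP payload of a port-4500 datagram."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return "nat-keepalive", None
    if payload.startswith(NON_ESP_MARKER):
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < IKE_HEADER.size:
            return "malformed", None
        _ispi, _rspi, _nxt, version, exchange, _flags, msg_id, length = \
            IKE_HEADER.unpack_from(body)
        if length != len(body):
            return "malformed", None       # declared length must cover the datagram
        return "ike", {"exchange_type": exchange, "major_version": version >> 4,
                       "message_id": msg_id, "length": length}
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload)
        if spi == 0:
            return "malformed", None       # SPI 0 is reserved; would mimic the marker
        return "esp", {"spi": spi, "seq": seq}
    return "malformed", None

def build_ike_sample() -> bytes:
    """Constructed IKEv1 Main Mode first message with an 8-byte dummy payload."""
    body_len = IKE_HEADER.size + 8
    header = IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, body_len)
    return NON_ESP_MARKER + header + b"\x00" * 8

def build_esp_sample() -> bytes:
    """Constructed ESP datagram: SPI 0x1234abcd, sequence 1, 16 bytes of ciphertext."""
    return struct.pack("!II", 0x1234ABCD, 1) + b"\xAA" * 16

if __name__ == "__main__":
    for sample in (build_ike_sample(), build_esp_sample(), b"\xff", b"\x00\x00\x00\x00\x01"):
        print(classify_natt_payload(sample))
```

A collector that distinguishes these kinds can count IKE negotiations separately from ESP data and keepalives on the public interface, which is what you need to tell a client that is stuck in IKE from one that is established but carrying no data.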



CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
