The Cisco VPN 3000 series concentrators, commonly referred to as VPN hardware appliances, originally were built by Altiga. Cisco acquired Altiga in 2000. These concentrators were built primarily to handle large numbers of remote access sessions, but they also support site-to-site connectivity.
Of all of the Cisco VPN offerings, the Cisco VPN 3000 series concentrators provide the most flexible and scalable remote access solution: IPsec, L2TP over IPsec, PPTP, and WebVPN VPN implementations are supported. And Cisco has added many enhanced features to their concentrators to meet their customers' remote access needs. Cisco currently sells six different models of the 3000 series:
The 3005 can perform VPN functions only in software, whereas the other concentrators support Scalable Encryption Process (SEP) modules that can perform VPN functions in hardware. SEP modules are upgradeable and can be added easily to increase capacity and throughput. All of the concentrators are software-upgradeable and have a Motorola PowerPC processor, NVRAM (this is where critical system parameters are stored, such as management passwords), and Flash memory for files. The following sections will cover the different concentrator models.
Note
Cisco doesn't charge their customers for using the Cisco VPN client software; instead, limits are placed on the Easy VPN server side. In other words, the Easy VPN server product you buy will affect how many simultaneous clients (or users) you can terminate on it.
3005 Concentrator
The 3005 is for small businesses with a small-bandwidth Internet connection. The 3005 supports up to 4 Mbps VPN performance, so it's ideal for sites that have a T1, cable modem, or DSL connection. You can have up to 200 IPsec remote access sessions terminated on the 3005 or 50 WebVPN sessions with Version 4.7 of the operating system installed.
The 3005 is not hardware-upgradeable, but you can upgrade the software. The 3005 does only software-based encryption and supports a single power supply. Figure 6-1 shows the rear of the 3005 chassis. It has two autosensing 10/100BaseTX Ethernet interfaces. The left-hand interface is a private interface, connected to the internal network, and the right-hand interface is the public interface, connected to the external network. The only item of interest on the front of the 3005 chassis is a system LED; hence, the front of the chassis is not shown in the diagram.
Figure 6-1. 3005 Chassis
3015 Concentrator
Like the 3005, the 3015 is for small businesses that have a small-bandwidth Internet connection. Unlike the 3005, however, the 3015 is hardware-upgradeable; therefore, it should be targeted for locations that expect growth (the number of remote access users will increase). By default, it doesn't contain any SEP modules; however, you can add these easily.
Without any SEP modules, the 3015 supports 4 Mbps of VPN throughput by performing encryption in software. It can support up to 100 IPsec remote access sessions or 75 WebVPN sessions. Figure 6-2 shows the rear of the chassis for the 3015 (this is the same chassis used by the 3020, 3030, 3060, and 3080 concentrators). The 3015 can be upgraded to a 3030 or 3060 by adding one or two SEP modules, respectively.
Figure 6-2. 3015, 3020, 3030, 3060, and 3080 Chassis Rear
You'll notice some differences between the 3015 and 3005 chassis. First, the 3015 is a 2-unit height chassis, unlike the 3005, which is a 1-unit height chassis. Second, the 3015 has one modular power supply, but you can also install an additional one. Third, the 3015 has four slots for SEP modules; however, on the 3015, no SEP modules ship with the concentrator. Fourth, below the SEP modules are three 10/100BaseTX Ethernet interfaces (from left to right): Private, Public, and External. The private interface connects to the internal network, the public interface connects to the outside world, and the external interface connects to a DMZ or another company's network.
Another difference between the two chassis can be seen on the front. The 3005 only has a system LED, but the other concentrators, as shown in Figure 6-3, have many LEDs:
Figure 6-3. 3015, 3020, 3030, 3060, and 3080 Partial Chassis Front
Here's a brief description of the LEDs:
At the front of these chassis is one other unique item: a meter bar, on the right-hand side. The meaning of the meter bar is determined by which of the three LEDs below it is currently lit: CPU Utilization, Active Sessions, and Throughput. By pressing the Toggle button, you can cycle through the three different LEDs, affecting the statistical information shown by the LED meter bar.
3020 Concentrator
The 3020 concentrator is targeted at medium-sized branch offices and small companies. It supports 50 Mbps VPN throughput and can support up to 750 IPsec remote access sessions or 200 WebVPN sessions. It ships with a single SEP module. The 3020 cannot be hardware-upgraded, but as with the 3005, you can upgrade its software. Therefore, the 3020 is targeted for locations that expect little growth in the number of remote access users or VPN throughput.
3030 Concentrator
The 3030 is targeted at small companies and medium-sized corporations. It supports 50 Mbps VPN throughput and can support 1,500 simultaneous IPsec remote access sessions or 500 WebVPN sessions. Because of its VPN throughput, it is ideal for sites that have T3 connections. It ships with a single SEP module. You can upgrade it to a 3060 by buying a second SEP module. Therefore, it is a good choice if you expect growth at the location where the 3030 will be deployed.
3060 Concentrator
The 3060 is targeted at medium-sized or enterprise corporations. It supports 100 Mbps VPN throughput, and can support 5,000 simultaneous IPsec remote access sessions or 500 WebVPN sessions. It ships with two SEP modules. Unfortunately, the 3060 cannot be field-upgraded to a 3080; therefore, it is best used in a location where you don't expect to exceed the 3060's specifications.
Note
One enhanced feature of the concentrators is that they support load balancing: each member of the cluster will handle VPN sessions. Therefore, you don't necessarily have to buy a new, higher-end concentrator if your current concentrator cannot handle the current number of simultaneous remote access sessions; you can buy a more suitable concentrator model to handle the additional connections and cluster it with your current concentrator.
3080 Concentrator
The 3080 is targeted at large enterprise corporations or ISPs. Like the 3060, it supports 100 Mbps VPN throughput. It can support up to 10,000 simultaneous IPsec remote access sessions or 500 WebVPN sessions. It ships with four SEP modules. The 3080 is the only concentrator that, by default, ships with two power supplies and four SEP modules.
Comparison of Concentrator Models
Now that you have a basic idea of the different 3000 series concentrators that Cisco sells, I'll pull all of this information into a table that more easily shows the differences between the various models. Table 6-1 shows a comparison between the different 3000 VPN concentrators. This table is based on the concentrators running 4.7 code (earlier code releases restricted the amount of RAM to a lower number with some of the concentrators).
Table 6-1. Comparison of the 3000 Series Concentrators

Model | Total Simultaneous Remote Access Sessions | Total Simultaneous Site-to-Site Sessions | Total Simultaneous WebVPN Sessions | VPN Throughput (Encryption) in Mbps | RAM in MB |
---|---|---|---|---|---|
3005 | 200 | 100 | 50 | 4 (SW[1]) | 64 |
3015 | 100 | 100 | 75 | 4 (SW[1]) | 128 |
3020 | 750 | 250 | 200 | 50 (HW[1]) | 256 |
3030 | 1,500 | 500 | 500 | 50 (HW[1]) | 256 |
3060 | 5,000 | 1,000 | 500 | 100 (HW[1]) | 512 |
3080 | 10,000 | 1,000 | 500 | 100 (HW[1]) | 512 |
[1] SW indicates that VPN encryption is done in software. HW indicates that it is done in hardware with the SEP module(s).
There are a few important items to point out concerning the information in Table 6-1: