Concentrator Modules

The 3015, 3020, 3030, 3060, and 3080 support modular slots for additional cards. Currently, the only two cards that you can put into these slots are SEP-2 and SEP-E modules. SEP modules perform VPN functions, such as encryption, in hardware.

When Cisco acquired Altiga, there were three cards you could put in these slots: an SEP module (Version 1), a T1 module, or an E1 module. Cisco no longer sells these cards: only the SEP-2 and SEP-E modules are available.

SEP Modules

The SEP-2 modules will perform encryption for DES and 3DES only. The SEP-E module has replaced the SEP-2 module. It allows the concentrator to perform DES, 3DES, and AES encryption. To perform AES encryption in hardware, the concentrator also needs to be running at least Version 4.0 of the software.

You cannot use both SEP-2 and SEP-E modules in the same chassis. If you have a concentrator that has both, the SEP-2 modules are disabled automatically and only the SEP-E module(s) will be active.

To determine the kind of SEP module you have installed, you can either log in to the concentrator to see the type of module (the Monitor > System Status screen) or you can examine the module itself. In the lower right corner of the SEP card's cover plate will be a label with one of these pieces of information:

• SEP 200U indicates an SEP-2 module
• SEP-E indicates an SEP-E module

Caution

The SEP modules are not hot-swappable; failing to turn off and unplug the concentrator when inserting or removing an SEP module can destroy the box and possibly cause electrocution.

SEP Operation

Each SEP module supports between 1,500 and 5,000 simultaneous remote access sessions, depending on the 3000 series model the module is plugged into. Placement of the SEP modules in the chassis of the concentrator is important. Referring back to Figure 6-2, the top two slots, by default, are the active slots. They process VPN sessions. The slot beneath a top slot provides redundancy for the slot above it. Redundancy is top-down, as follows:

• If a top SEP module fails and there is an SEP module installed beneath it, no VPN sessions are lost because the bottom module has a replication of all VPN information of the module above it.
• If you have only two SEP modules in the chassis and they are installed in the top two slots, sessions will be split between the two modules. If one of the modules fails all VPN sessions are dropped. Site-to-site sessions will be rebuilt to the other SEP module automatically; however, remote access users will have to reinitiate their VPN session manually (unless their client supports the auto-initiation feature).