Concentrator Modules

The 3015, 3020, 3030, 3060, and 3080 support modular slots for additional cards. Currently, the only two cards that you can put into these slots are SEP-2 and SEP-E modules. SEP modules perform VPN functions, such as encryption, in hardware.

When Cisco acquired Altiga, there were three cards you could put in these slots: an SEP module (Version 1), a T1 module, or an E1 module. Cisco no longer sells these cards: only the SEP-2 and SEP-E modules are available.

SEP Modules

The SEP-2 modules will perform encryption for DES and 3DES only. The SEP-E module has replaced the SEP-2 module. It allows the concentrator to perform DES, 3DES, and AES encryption. To perform AES encryption in hardware, the concentrator also needs to be running at least Version 4.0 of the software.

You cannot use both SEP-2 and SEP-E modules in the same chassis. If you have a concentrator that has both, the SEP-2 modules are disabled automatically and only the SEP-E module(s) will be active.

To determine the kind of SEP module you have installed, you can either log in to the concentrator to see the type of module (the Monitor > System Status screen) or you can examine the module itself. In the lower right corner of the SEP card's cover plate will be a label with one of these pieces of information:

  • SEP 200U indicates an SEP-2 module
  • SEP-E indicates an SEP-E module


The SEP modules are not hot-swappable; failing to turn off and unplug the concentrator when inserting or removing an SEP module can destroy the box and possibly cause electrocution.


SEP Operation

Each SEP module supports between 1,500 and 5,000 simultaneous remote access sessions, depending on the 3000 series model the module is plugged into. Placement of the SEP modules in the chassis of the concentrator is important. Referring back to Figure 6-2, the top two slots, by default, are the active slots. They process VPN sessions. The slot beneath a top slot provides redundancy for the slot above it. Redundancy is top-down, as follows:

  • If a top SEP module fails and there is an SEP module installed beneath it, no VPN sessions are lost because the bottom module has a replication of all VPN information of the module above it.
  • If you have only two SEP modules in the chassis and they are installed in the top two slots, sessions will be split between the two modules. If one of the modules fails all VPN sessions are dropped. Site-to-site sessions will be rebuilt to the other SEP module automatically; however, remote access users will have to reinitiate their VPN session manually (unless their client supports the auto-initiation feature).

Part I: VPNs

Overview of VPNs

VPN Technologies




Part II: Concentrators

Concentrator Product Information

Concentrator Remote Access Connections with IPsec

Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN

Concentrator Site-to-Site Connections

Concentrator Management

Verifying and Troubleshooting Concentrator Connections

Part III: Clients

Cisco VPN Software Client

Windows Software Client

3002 Hardware Client

Part IV: IOS Routers

Router Product Information

Router ISAKMP/IKE Phase 1 Connectivity

Router Site-to-Site Connections

Router Remote Access Connections

Troubleshooting Router Connections

Part V: PIX Firewalls

PIX and ASA Product Information

PIX and ASA Site-to-Site Connections

PIX and ASA Remote Access Connections

Troubleshooting PIX and ASA Connections

Part VI: Case Study

Case Study


The Complete Cisco VPN Configuration Guide
The Complete Cisco VPN Configuration Guide
ISBN: 1587052040
EAN: 2147483647
Year: 2006
Pages: 178
Authors: Richard Deal © 2008-2020.
If you may any questions please contact us: