CCNP Security VPN FAQ: Cisco VPN 3000 Concentrator Series Hardware Overview

Question. What models are available in the Cisco VPN 3000 Concentrator Series?

Answer: Five models are available in the Cisco VPN 3000 Concentrator Series: VPN 3005, VPN 3015, VPN 3030, VPN 3060, and VPN 3080.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator?

Answer: The Cisco VPN 3015 Concentrator supports up to 100 simultaneous sessions.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator?

Answer: The Cisco VPN 3080 Concentrator supports up to 10,000 simultaneous sessions.

Question. On a Cisco VPN 3005 Concentrator, what does a blinking green system LED indicate?

Answer: On a Cisco VPN 3005 Concentrator, a blinking green system LED indicates that the system is in a shutdown (halted) state and is ready to be powered off.

Question. What is the maximum encryption throughput rate for the VPN 3000 series?

Answer: The VPN 3000 series of concentrators can sustain a maximum encryption throughput of 100 Mbps.

Question. What tunneling protocols do Cisco VPN 3000 Concentrators support?

Answer: The Cisco VPN 3000 Concentrators support the following tunneling protocols: Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), L2TP/IPSec, and Network Address Translation (NAT) Transparent IPSec.

Question. How do VPN concentrators reduce communications expenses?

Answer: VPN concentrators reduce communications expenses by allowing remote users to connect to the corporate network through the Internet by dialing into local ISP connections rather than by using expensive long-distance or 800 numbers. Digital subscriber line (DSL) or cable modem users can also use broadband connections with VPN concentrators to gain security for their high-speed data circuits.

Question. What other authentication capability exists if standard authentication servers are not available?

Answer: When authentication servers are not available, the VPN concentrators have the ability to authenticate users from an internal database.

Question. What routing protocols do the Cisco VPN 3000 Concentrators support?

Answer: The Cisco VPN 3000 Concentrators support Routing Information Protocol 1 (RIP1), RIP2, and Open Shortest Path First (OSPF). In addition to these dynamic routing protocols, the concentrators also support static routing.

Question. What protocol permits multichassis redundancy and failover?

Answer: The Virtual Router Redundancy Protocol (VRRP) permits multichassis redundancy and failover support.

Question. List some of the methods that can be used to interface with the embedded Cisco VPN Manager software on VPN concentrators.

Answer: You can access the Cisco VPN Manager through the console port, Telnet, SSH, HTTP, and Secure HTTP.

Question. What four options are available under the Configuration menu of the VPN Manager?

Answer: The four options on the Configuration menu are Interfaces, System, User Management, and Policy Management.

Question. What mechanism is used by Cisco VPN Clients to monitor firewall activity between the client and the concentrator?

Answer: The Cisco VPN Clients use the Are You There (AYT) mechanism to monitor firewall activity.

Question. What optional feature on the Cisco VPN 3002 Hardware Client allows you to connect Ethernet devices to the client?

Answer: The Cisco VPN 3002 Hardware Client can be configured with an optional 8-port Ethernet switch.

Question. During large-scale implementations, how can VPN 3000 Concentrators be configured to simplify client configuration?

Answer: Cisco VPN 3000 Concentrators can push the client policies and configurations to the clients upon initial login to the system.

Question. Which of Cisco’s client offerings has no limitations with regard to the types of client operating systems it can support?

Answer: The Cisco VPN 3002 Hardware Client works with every type of client operating system, as long as the system speaks TCP/IP.

Question. What two operating modes can a Cisco VPN 3002 Hardware Client be configured to support?

Answer: The Cisco VPN 3002 Hardware Client can be configured to support either Client mode or Network Extension mode.

Question. What operating systems does the Cisco VPN Client support?

Answer: The Cisco VPN Client supports the full range of Microsoft Windows operating systems, including Windows 95, 98, Me, NT 4.0, 2000, and XP. The Cisco VPN Client also supports Linux (Intel), Solaris (UltraSparc-32bit), and Mac OS X 10.1.

Question. How do VPN concentrators reduce communications expenses?

Answer: VPN concentrators reduce communications expenses by allowing remote users to connect to the corporate network through the Internet by dialing into local ISP connections rather than by using expensive long-distance or 800 numbers. Digital subscriber line (DSL) or cable modem users can also use broadband connections with VPN concentrators to gain security for their high-speed data circuits.

Question. What are two of the standard authentication servers that Cisco VPN 3000 Concentrators can use for authentication?

Answer: These concentrators can work with existing RADIUS, TACACS+, NT Domain, internal authentication, digital certificates, or Security Dynamics servers, which are also known as RSA Security International (SDI) servers. You could choose any two of these for the correct answer.

Question. What other authentication capability exists if standard authentication servers are not available?

Answer: When authentication servers are not available, the VPN concentrators have the ability to authenticate users from an internal database.

Question. With respect to firewalls, where can you install Cisco VPN 3000 Concentrators?

Answer: These powerful concentrators can be installed in front of, behind, or in parallel with existing firewalls, or even in the DMZ when the firewall provides one.

Question. What routing protocols do the Cisco VPN 3000 Concentrators support?

Answer: The Cisco VPN Concentrators support RIP1, RIP2, and OSPF. In addition to these dynamic routing protocols, the concentrators also support static routing.

Question. During large-scale implementations, how can Cisco VPN 3000 Concentrators be configured to simplify client configuration?

Answer: Cisco VPN 3000 Concentrators can push the client policies and configurations to the clients upon initial login to the system.

Question. What is the maximum encryption throughput rate for the VPN 3000 Concentrator Series?

Answer: The Cisco VPN 3000 Concentrator Series can sustain a maximum encryption throughput of 100 Mbps.

Question. What hardware device is required to achieve maximum encryption throughput on the Cisco VPN 3000 Concentrators?

Answer: When Cisco VPN 3000 Concentrators use Scalable Encryption Processors (SEPs), they can attain maximum encryption throughput.

Question. What element on SEPs permits them to be so fast and flexible?

Answer: SEPs are designed around digital signal processors (DSPs), which are programmable, high-speed processors.

Question. Why are Cisco VPN Concentrators so good at supporting VPN communications?

Answer: These VPN concentrators were purposely designed to provide only VPN support. They do not perform any other major network functions. Additionally, Scalable Encryption Processor (SEP) modules can be installed in most models to perform encryption routines, providing further support for VPN processes.

Question. What tunneling protocols do Cisco VPN 3000 Concentrators support?

Answer: The Cisco VPN 3000 Concentrators support the following tunneling protocols: Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), L2TP/IPSec, and Network Address Translation (NAT) Transparent IPSec.

Question. In addition to RIP and OSPF, what other routing capabilities do Cisco VPN Concentrators have?

Answer: Cisco VPN Concentrators also support static routes, automatic endpoint discovery, Network Address Translation (NAT), and classless interdomain routing (CIDR).

Question. What encryption and authentication protocols do Cisco VPN 3000 Concentrators support?

Answer: Cisco VPN 3000 Concentrators support IPSec Encapsulating Security Payload (ESP) using DES/3DES (56/168-bit) with MD5 or SHA, or MPPE using 40/128-bit RC4.

Question. What protocol permits multichassis redundancy and failover?

Answer: The Virtual Router Redundancy Protocol (VRRP) permits multichassis redundancy and failover support.

Question. What hardware items can be made redundant on Cisco VPN 3000 Concentrators?

Answer: Cisco VPN 3000 Concentrators support redundant fans and can have redundant SEP modules and power supplies.

Question. What are some of the methods that can be used to interface with the embedded Cisco VPN Manager software on VPN concentrators?

Answer: You can access the Cisco VPN Manager through the console port, Telnet, SSH, HTTP, and Secure HTTP.

Question. What are the most secure forms of authentication that can be used with Cisco VPN 3000 Series Concentrators?

Answer: Digital certificates and tokens are the most secure forms of authentication that can be used with Cisco VPN 3000 Series Concentrators.

Question. What mechanism is used by Cisco VPN Clients to monitor firewall activity between the client and the concentrator?

Answer: The Cisco VPN Clients use the Are You There (AYT) mechanism to monitor firewall activity.

Question. What is the rated mean time between failure (MTBF) for Cisco VPN 3000 Concentrators?

Answer: Cisco VPN 3000 Concentrators have an MTBF of 200,000 hours.

Question. You have installed two Cisco VPN 3000 Concentrators in parallel on your network. Both devices have redundant power supplies, fans, and SEPs. You need to ensure 99.9% uptime. How can you achieve this rate of fault tolerance?

Answer: Configure both VPN concentrators into the same VRRP group, permitting one of the devices to become the active unit and the other to take a role as a hot standby concentrator.

Question. During the initial configuration of the VPN concentrators, what management interface must you use?

Answer: You must use the command-line interface (CLI) to configure initial network settings on the concentrator.

Question. What do you need to do to activate configuration changes to Cisco VPN Concentrators that are made through the Cisco VPN Manager?

Answer: Configuration changes are stored within the memory of the VPN concentrator and take effect immediately.

Question. What four options are available under the Configuration menu of the VPN Manager?

Answer: The four available options on the Configuration menu are Interfaces, System, User Management, and Policy Management.

Question. What is the hierarchical order of property inheritance on Cisco VPN Concentrators?

Answer: The Base Group is the root element in the property inheritance hierarchy. Next come specific groups, which inherit default properties from the Base Group. After specific groups come users, who inherit default properties from specific groups or from the Base Group if the user has not been assigned to a specific group.

Question. What options are available on the Administration menu of the Cisco VPN Manager?

Answer: The options available from the Administration menu are Administer Sessions, Software Update, System Reboot, Ping, Monitoring Refresh, Access Rights, File Management, and Certificate Management.

Question. What options are available on the Monitoring menu of the Cisco VPN Manager?

Answer: The options available from the Monitoring menu are Routing Table, Filterable Event Log, System Status, Sessions, and Statistics.

Question. Where in the Cisco VPN Manager could you go to view the current IP address for the private interface on a Cisco VPN 3000 Concentrator?

Answer: To view the current IP settings for all Cisco VPN 3000 Concentrator interfaces, click the Interfaces option from the Configuration menu of the Cisco VPN Manager.

Question. What models are available in the Cisco VPN 3000 Concentrator Series?

Answer: Five models are available in the Cisco VPN 3000 Concentrator Series: VPN 3005, VPN 3015, VPN 3030, VPN 3060, and VPN 3080.

Question. Which of the Cisco VPN 3000 Series Concentrators is a fixed configuration that is not upgradeable?

Answer: The Cisco VPN 3005 Concentrator is a fixed configuration that is not upgradeable.

Question. How can purchasers of a Cisco VPN 3000 Series Concentrator obtain a license for the Cisco VPN Client?

Answer: The Cisco VPN Client configured for unlimited installations is shipped with every Cisco VPN 3000 Series Concentrator sold. Additionally, customers with access to Cisco.com can download upgrades from the CCO website without cost.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3005 Concentrator?

Answer: The Cisco VPN 3005 Concentrator supports up to 100 simultaneous sessions.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator?

Answer: The Cisco VPN 3015 Concentrator supports up to 100 simultaneous sessions.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3030 Concentrator?

Answer: The Cisco VPN 3030 Concentrator supports up to 1500 simultaneous sessions.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3060 Concentrator?

Answer: The Cisco VPN 3060 Concentrator supports up to 5000 simultaneous sessions.

Question. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator?

Answer: The Cisco VPN 3080 Concentrator supports up to 10,000 simultaneous sessions.

Question. Which of the Cisco VPN 3000 Series Concentrators is only available in a fully redundant configuration?

Answer: The Cisco VPN 3080 Concentrator is the only one of the series that is only available in a fully redundant configuration.

Question. On a Cisco VPN 3005 Concentrator, what does a blinking green system LED indicate?

Answer: On a Cisco VPN 3005 Concentrator, a blinking green system LED indicates that the system is in a shutdown (halted) state and is ready to be powered off.

Question. On a Cisco VPN 3000 Concentrator, what does a blinking amber system LED indicate?

Answer: On any of the Cisco VPN 3000 Concentrators, a blinking amber system LED indicates that the system has crashed and halted.

Question. What does a blinking green Ethernet link status LED indicate on a Cisco VPN Concentrator?

Answer: A blinking green Ethernet link status LED indicates that the interface is connected to the network and configured, but the interface has been disabled.

Question. What does an amber SEP status LED indicate?

Answer: An amber SEP status LED indicates that the module failed during operation.

Question. Which of Cisco’s client offerings has no limitations with regard to the types of client operating systems it can support?

Answer: The Cisco VPN 3002 Hardware Client works with every type of client operating system, as long as the system speaks TCP/IP.

Question. What optional feature on the Cisco VPN 3002 Hardware Client allows you to connect Ethernet devices to the client?

Answer: The Cisco VPN 3002 Hardware Client can be configured with an optional 8-port Ethernet switch.

Question. What two operating modes can a Cisco VPN 3002 Hardware Client be configured to support?

Answer: The Cisco VPN 3002 Hardware Client can be configured to support either Client mode or Network Extension mode.

Question. What operating systems does the Cisco VPN Client support?

Answer: The Cisco VPN Client supports the full range of Microsoft Windows operating systems, including Windows 95, 98, Me, NT 4.0, 2000, and XP. The Cisco VPN Client also supports Linux (Intel), Solaris (UltraSparc-32bit), and Mac OS X 10.1.

About the author

Scott
