
Cisco VPN 3000 Concentrator Fault Tolerance

The VPN 3000 series concentrators offer two kinds of fault tolerance: SEP (Scalable Encryption Processing) module redundancy within a single chassis, and concentrator redundancy between parallel units. Models 3015 and above have chassis slots for up to four SEP modules. Two of these modules deliver the maximum hardware throughput; the other two serve as hot spares that take over if a SEP fails. SEP redundancy works top-down within each top/bottom pair of slots: if the top SEP fails, the bottom SEP takes over, and the sessions are moved to it transparently, so they stay connected. If both the top and bottom SEPs of a pair fail, SEP processing moves to the top SEP of the other pair; if no working SEP remains at all, the concentrator's software handles the encryption. In both of these cases, however, sessions are lost and users must reconnect. SEP redundancy is automatic and requires no configuration. Figure 3.4 shows SEP redundancy.

Figure 3.4 Cisco VPN 3080 Concentrator with SEP redundancy.

Concentrator redundancy applies when several concentrators run in parallel at the same site. For this fault tolerance to work, all of the parallel concentrators must have their private interfaces on the same LAN, and their public interfaces must share a second LAN that is separate from the private one.

The VPN 3000 Concentrators provide this fault tolerance with the Virtual Router Redundancy Protocol (VRRP). The concentrators in a VRRP group present a single virtual router, and all VPN traffic is sent to the virtual router's IP address rather than to any one concentrator. One concentrator is the master of the group and is the only unit that services requests to the virtual address; it sends periodic VRRP hellos on both the public and the private interface. If the master fails, the other concentrators stop receiving hellos on both interfaces, and an idle backup concentrator becomes master within three to ten seconds and continues answering traffic sent to the virtual IP. Remote-access sessions are dropped by the failover, and the remote clients must reconnect. LAN-to-LAN (site-to-site) tunnels switch over automatically, and no reconnection is required at the far end.
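The following Python model is an added example, not code from the book or from Cisco, and it does not reproduce VPN 3000 internals. It works through the backup-side timing behind the "three to ten seconds" figure: it assumes the RFC 3768 timer formulas (Master_Down_Interval = 3 x Advertisement_Interval + Skew_Time, with Skew_Time = (256 - Priority)/256 seconds), applies the rule from the text that a backup takes over only once hellos have stopped on both the public and the private interface, and reports which session types must reconnect. The hello timestamps are constructed, not captured traffic, and the function and field names are this example's own.

```python
"""Model of the VRRP backup-side timers that drive concentrator failover.

Added example; it is not Cisco code and does not reproduce VPN 3000
internals.  Assumptions: RFC 3768 timer formulas, one advertisement stream
per interface, and the rule from the text that the backup takes over only
after hellos stop on BOTH the public and the private interface.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


def skew_time(priority: int) -> float:
    """RFC 3768 skew: lower-priority backups wait slightly longer."""
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be 1..254")
    return (256 - priority) / 256.0


def master_down_interval(adv_interval: float, priority: int) -> float:
    """Seconds of silence after which a backup declares the master dead."""
    return 3 * adv_interval + skew_time(priority)


def interface_expiry(hellos: Sequence[float], start: float,
                     adv_interval: float, priority: int,
                     end: float) -> Optional[float]:
    """Time at which the master-down timer fires on one interface.

    The timer is armed at `start` and re-armed by every received hello.
    It fires only if no further hello arrives before it expires and the
    expiry falls inside the observation window [start, end].
    """
    mdi = master_down_interval(adv_interval, priority)
    last = start
    for t in sorted(hellos):
        if t > end:
            break
        if t - last > mdi:
            # Silence already exceeded the interval before this hello arrived.
            return last + mdi
        last = t
    expiry = last + mdi
    return expiry if expiry <= end else None


@dataclass
class FailoverResult:
    failover_at: Optional[float]      # seconds, or None if no takeover
    remote_access_reconnect: bool     # remote-access clients must reconnect
    lan_to_lan_reconnect: bool        # LAN-to-LAN tunnels need manual action


def simulate_failover(public_hellos: Sequence[float],
                      private_hellos: Sequence[float], *,
                      adv_interval: float = 1.0, priority: int = 100,
                      start: float = 0.0, end: float = 30.0) -> FailoverResult:
    """Decide if and when a backup concentrator becomes VRRP master.

    Per the text, takeover happens when hellos stop on both interfaces, so
    the later of the two per-interface expiries is the takeover instant.
    After a takeover remote-access sessions must reconnect, while
    LAN-to-LAN tunnels switch over automatically.
    """
    pub = interface_expiry(public_hellos, start, adv_interval, priority, end)
    prv = interface_expiry(private_hellos, start, adv_interval, priority, end)
    if pub is None or prv is None:
        return FailoverResult(None, False, False)
    return FailoverResult(max(pub, prv), True, False)


if __name__ == "__main__":
    # Constructed scenario: master advertises once a second on both
    # interfaces, then dies after its hello at t=2.
    dead_master = simulate_failover([0, 1, 2], [0, 1, 2])
    print("master dies at t=2 ->", dead_master)
    # Constructed scenario: only the public cable fails; private hellos
    # keep arriving, so no takeover occurs within the window.
    cable_fault = simulate_failover([0, 1, 2], list(range(0, 31)))
    print("public cable fault only ->", cable_fault)
```

With a one-second advertisement interval and priority 100 the backup declares the master dead about 3.6 seconds after the last hello, which sits at the low end of the window the text quotes; a slower advertisement interval or a lower priority pushes the takeover toward the ten-second end. The per-interface check also shows why a single-cable fault does not trigger a takeover under the rule the text describes.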
