WIDE AREA NETWORKS

Pick your address assignment method


Tom Lancaster
11.20.2002


When a VPN concentrator terminates many tunnels from various remote devices, there are usually several ways to assign the IP address each client receives. The address can be assigned statically by the concentrator or by an authentication server, it can usually be requested from a DHCP server, and you can even allow the client to specify its own address. A popular option is for the address to come from a pool administered by the concentrator. Further, the address can logically reside on a locally connected subnet or on a "virtual" subnet. Deciding which method to use can be an art form, but here are some things to consider so that you can make a more educated decision.

One important point to remember is that in most vendors' equipment, you can choose more than one of the above. For instance, it may make sense to have administrators always receive a specific address. This could be important if they need to get through an access-list somewhere to reach restricted resources. At the same time, all the regular users could receive addresses dynamically from a pool.

Whether you already own a DHCP or authentication server (e.g. RADIUS) obviously plays a big part in whether you plan to use one. These servers generally come in handy in larger environments because they facilitate redundancy and scalability. Even so, they offer features useful in environments of any size, such as the potential for name resolution through an LDAP or Dynamic DNS system, as well as extra security features.

Finally, you still need to decide whether the addresses will come from a virtual subnet or from a subnet on a directly connected interface. The key point is that while the directly connected interface is easier to configure, connectivity then depends on the concentrator responding to ARPs from the router or firewall on that subnet. That means that if you have a couple thousand users, the router connected to the VPN concentrator will have a couple thousand entries in its ARP cache. This eats up memory unnecessarily, and all those ARPs have to be processed by every device on that subnet. Thus, the virtual subnet is the more scalable alternative.
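The mixed static-plus-pool assignment and the connected-versus-virtual subnet trade-off described above can be modeled in a few lines. This is an added example, not code from the original tip or from any vendor: the `AddressPlan` class, its method names and all addresses are hypothetical, and it assumes a single route covers the whole virtual subnet.

```python
import ipaddress


class AddressPlan:
    """Hypothetical model of a concentrator's address plan (not a vendor API)."""

    def __init__(self, pool_cidr, connected_cidr, static_map):
        self.pool = ipaddress.ip_network(pool_cidr)
        # Subnet on the concentrator's directly connected interface.
        self.connected = ipaddress.ip_network(connected_cidr)
        # user -> fixed address, e.g. administrators matched by an access-list.
        self.static = {u: ipaddress.ip_address(a) for u, a in static_map.items()}
        self.active = {}  # user -> address for every connected client

    def assign(self, user):
        """Return the reserved address for static users, else the next free pool address."""
        if user in self.active:
            return self.active[user]
        if user in self.static:
            addr = self.static[user]
        else:
            reserved = set(self.static.values())
            in_use = set(self.active.values())
            # Skip reserved addresses even when their owner is offline, so a
            # regular user never inherits an address the access-list trusts.
            addr = next((a for a in self.pool.hosts()
                         if a not in reserved and a not in in_use), None)
            if addr is None:
                raise RuntimeError("address pool exhausted")
        self.active[user] = addr
        return addr

    def release(self, user):
        """Free the address when the client's tunnel goes down."""
        self.active.pop(user, None)

    def upstream_footprint(self):
        """State the adjacent router or firewall holds for the active clients."""
        on_link = [a for a in self.active.values() if a in self.connected]
        off_link = len(self.active) - len(on_link)
        # On-link addresses each cost one ARP entry, answered by the concentrator;
        # a virtual subnet is reached through a single route to the concentrator.
        return {"per_client_arp_entries": len(on_link),
                "routes": 1 if off_link else 0}
```

With a pool carved out of the connected subnet, every active client adds an ARP entry upstream; with a pool on a virtual subnet, the per-client count stays at zero and one route carries all of them.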


Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.


All Rights Reserved, Copyright 2000 - 2009, TechTarget | Read our Privacy Policy