
Cisco debuts tunnelless VPN, modular WAN optimization gear

By Kevin Fogarty, News Director
04 Dec 2006 | SearchNetworkingChannel.com


Cisco Systems Inc. announced today a new version of its integrated services router with a new feature that could make wide area network configuration easier and more sustainable for both end user companies and value-added resellers (VARs).


The feature, called a tunnelless virtual private network (VPN), is designed to keep in place the encryption that makes a VPN secure, without the manual labor of setting up one-to-one connections between branch offices or one-to-many connections between a home office and mobile workers.

Tunnel-based VPNs have a limit on their scalability because network integrators have to lay a mesh of encryption points -- tunnels -- on top of existing networks, which adds work for the integrators and prevents users from creating as many direct connections to networked resources as they'd like, according to John Growdon, director of routing and switching worldwide channel sales at Cisco.


In normal VPNs all the traffic between two set points is encrypted, keeping the data and the connection safe, he said. That hampers quality-of-service (QoS) features, which set priorities on different kinds of network traffic and give priority to time-sensitive content such as audio or video. Because the data and all the addressing information on each packet is encrypted, Growdon said, a switch with QoS features can't adequately identify traffic moving across a VPN.

Using Cisco's tunnelless VPN approach -- which it calls Group Encrypted Transport (GET) -- only the data within the packet is encrypted, according to Inbar Lasser-Raab, director of enterprise marketing of network systems at Cisco. The traffic remains secure because the data part of the packet is encrypted, but the routing information in the header and footer of each packet is in the clear, allowing switching equipment to identify and prioritize that traffic, she said.

The approach has a lot of advantages for channel companies other than simplifying configuration, according to Chris Fairbanks, principal network architect at ePlus Technology, the Herndon, Va. VAR subsidiary of cost-management integrator ePlus Inc.

ePlus has been beta testing and implementing the GET VPNs, as well as the latest version of Cisco's Integrated Services Router (ISR), a modular router that allows customers to buy a basic router, then add modules for GET and the networked-application accelerator technology Cisco calls Wide Area Application Services (WAAS).

Encrypting only the payload of each packet can make the network more secure than a normal VPN, even one running across a network using Multi-Protocol Label Switching (MPLS) to identify and accelerate time-sensitive traffic.

GET adds "IPsec-like encryption, with about the same amount of overhead," Fairbanks said. "5%, 10%, 15% overhead -- not a ton," he said.

"[MPLS] is still a shared network, what's to prevent someone from misconfiguring a circuit into your MPLS cloud?" Fairbanks asked. "It's an entirely shared network; once you're in, you're in. If the payload is encrypted, that's not a problem."

What is a problem is routing GET VPNs across the public Internet, Fairbanks said. GET is geared toward private networks connected via Frame Relay, metro Ethernet or MPLS, so it can only connect across a public network if each node of the network uses a "real" IP address. Most networks use public IP addresses only for Internet gateways, giving nodes inside the firewall "private" IP addresses that are understood by internal routers and switches, but are inaccessible to the public Net.
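The two behaviours described above (tunnel encryption hiding addressing from QoS equipment, and GET's cleartext addressing running into private IP addresses on a public network) can be modelled side by side. This is an added example, not code from the article or from Cisco: the packet layout is simplified, the cipher is a stand-in, and the addresses, the voice-subnet policy and all function names are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VOICE_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed QoS policy: prioritise this subnet
KEY = b"constructed-demo-key"

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def toy_encrypt(key, data):
    """Stand-in cipher (SHA-256 keystream XOR). Not ESP and not secure; illustration only."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def tunnel_encapsulate(packet, key, gw_src, gw_dst):
    """Tunnel VPN: the whole inner packet, addresses included, is encrypted."""
    body = toy_encrypt(key, packet)
    return ipv4_header(gw_src, gw_dst, 50, len(body)) + body  # 50 = ESP (assumed here)

def header_preserving_encapsulate(packet, key):
    """GET as the article describes it: payload encrypted, original addresses kept."""
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    body = toy_encrypt(key, packet[20:])
    return ipv4_header(src, dst, 50, len(body)) + body

def transit_view(wire):
    """What a device between the sites can act on: the cleartext outer header."""
    src, dst = (ipaddress.IPv4Address(wire[i:i + 4]) for i in (12, 16))
    return {"src": str(src), "dst": str(dst),
            "qos_priority": dst in VOICE_NET,
            "internet_routable": not any(a in n for a in (src, dst) for n in RFC1918)}

# Constructed sample: a voice packet between two privately addressed branch hosts.
PAYLOAD = b"constructed RTP voice sample"
INNER = ipv4_header("10.1.1.10", "10.20.0.5", 17, len(PAYLOAD)) + PAYLOAD
# Gateway addresses are documentation-range placeholders standing in for public IPs.
TUNNEL = tunnel_encapsulate(INNER, KEY, "198.51.100.1", "203.0.113.1")
GET = header_preserving_encapsulate(INNER, KEY)

if __name__ == "__main__":
    print("tunnel:", transit_view(TUNNEL))
    print("GET:   ", transit_view(GET))
```

In the tunnel case the transit device sees only the two gateways, so the address-based voice policy never matches; in the header-preserving case it matches, but the same exposed private addresses are what keep the packet off the public Internet.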

Both the ISR and GET compete with products from F5 Networks Inc. and Riverbed Technology, whose devices are designed to improve performance for video, voice and other time-sensitive applications across wide area networks whose bandwidth limitations frequently make that difficult, according to Zeus Kerravala, analyst at the Yankee Group.

F5's technology specifically allows application developers to build in features that let the application sense performance problems and make calls to the network to affect performance on the fly, Zeus said.

The problem with that approach, though it's effective, is that it lays another proprietary layer on top of the network, making it difficult to use non-F5 or Riverbed technology to improve performance, Fairbanks said.

"Cisco's biggest selling point is that it's entirely transparent to the network," Fairbanks said. "It's not inline, so if the product dies, it just falls out of the WCCP group. That transparency is what they're really going to hurt their competitors."

Web Cache Communication Protocol (WCCP) is a Cisco content-routing function that allows network administrators to set up caches inside their networks to improve performance of applications using data that can be cached.

GET will also be available free, as part of an updated version of Cisco's IOS router operating system, according to Lasser-Raab.

Channel companies can use the benefits of WAAS and GET VPNs to urge customers to migrate from Cisco 1700, 2500, 2600 and 3700 routers to the 2800 or 3800 models, which are the only ones that support the new WAAS and GET modules, Growdon said.

In addition to Cisco's usual incentives, the company will offer an extra 15% backend rebate on credits gathered in competitive upgrades, and will offer bundles of the bare-bones ISR and a number of add-on modules at savings of up to 17% compared to a la carte pricing, Growdon said.

The combination is a tremendous seller, Fairbanks said. "I've done maybe 10 WAAS meetings in the last six weeks with customers," he said. "We typically deal with Cisco enterprise customers and in something like 90% of those, we walked in and walked out with a try-and-buy P.O. It is that good a technology," Fairbanks said. Under try-and-buy, a Cisco customer can cut a purchase order for a new product, use it for 30 or 60 days to judge its performance, then either pay the P.O. or return the product.

"[Customers] see it and it's amazing how fast the budget opens up," Fairbanks said. "Even when they say their budget is closed, they know if they get this out there the business units around will cough up the money because it will make their life better."


