Cisco debuts tunnelless VPN, modular WAN optimization gear

Cisco is ready to ship a series of upgrades to its multimedia router that allow VPNs without tunnels and modular upgrades to transparent WAN application acceleration.

Cisco Systems Inc. announced today a new version of its integrated services router with a new feature that could make wide area network configuration easier and more sustainable for both end user companies and value-added resellers (VARs).

The feature, called a tunnelless virtual private network (VPN), is designed to keep in place the encryption that makes a VPN secure, without the manual labor of setting up one-to-one connections between branch offices or one-to-many connections between a home office and mobile workers.

Tunnel-based VPNs have a limit on their scalability because network integrators have to lay a mesh of encryption points -- tunnels -- on top of existing networks, which adds work for the integrators and prevents users from creating as many direct connections to networked resources as they'd like, according to John Growdon, director of routing and switching worldwide channel sales at Cisco.

In normal VPNs all the traffic between two set points is encrypted, keeping the data and the connection safe, he said. That interferes with quality-of-service (QoS) features, which set priorities on different kinds of network traffic and give precedence to time-sensitive content such as audio or video. Because the data and all the addressing information on each packet is encrypted, Growdon said, a switch with QoS features can't adequately identify traffic moving across a VPN.

Using Cisco's tunnelless VPN approach -- which it calls Group Encrypted Transport (GET) -- only the data within the packet is encrypted, according to Inbar Lasser-Raab, director of enterprise marketing of network systems at Cisco. The traffic remains secure because the data part of the packet is encrypted, but the routing information in the header and footer of each packet is in the clear, allowing switching equipment to identify and prioritize that traffic, she said. The approach has a lot of advantages for channel companies other than simplifying configuration, according to Chris Fairbanks, principal network architect at ePlus Technology, the Herndon, Va. VAR subsidiary of cost-management integrator ePlus Inc.
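As an added illustration of the header-preservation point above (not Cisco's code; an HMAC-SHA256 keystream stands in for the real ESP cipher, and the addresses and payload are constructed samples), the following Python builds the same voice packet two ways and shows what a QoS classifier on the path can read from each:

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a deployment value

def keystream_xor(data: bytes, nonce: bytes) -> bytes:
    """Stand-in for the ESP cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so calling it twice with the same nonce decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(KEY, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def ipv4_header(src: str, dst: str, dscp: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 50 = ESP); checksum left at zero."""
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack(">BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                       0, 0, 64, 50, 0, octets(src), octets(dst))

def parse_header(pkt: bytes) -> dict:
    """What a QoS-aware switch reads: the outermost header's addresses and DSCP."""
    _, tos, _, _, _, _, _, _, src, dst = struct.unpack(">BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "dscp": tos >> 2}

def tunnel_mode(inner_hdr: bytes, payload: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Classic tunnel: original header and payload both encrypted, then a new
    outer header carrying only the gateway addresses is prepended. Real gateways
    may copy DSCP outward, but the inner addresses stay hidden either way."""
    enc = keystream_xor(inner_hdr + payload, b"tun")
    return ipv4_header(gw_src, gw_dst, 0, len(enc)) + enc

def get_style(inner_hdr: bytes, payload: bytes) -> bytes:
    """GET-style header preservation: only the payload is encrypted; the original
    header rides in the clear, so switches can classify it (and anyone on the
    path can also see who is talking to whom, the trade-off of this design)."""
    return inner_hdr + keystream_xor(payload, b"get")

def classify(pkt: bytes) -> str:
    """Toy QoS policy: DSCP 46 (EF) goes to the voice queue, all else best-effort."""
    return "voice" if parse_header(pkt)["dscp"] == 46 else "best-effort"

# Constructed sample: one voice packet between two branch hosts
VOICE = b"RTP audio frame (constructed sample)"
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 46, len(VOICE))
TUNNEL_PKT = tunnel_mode(INNER, VOICE, "198.51.100.1", "203.0.113.1")
GET_PKT = get_style(INNER, VOICE)
```

Running `classify` over both packets shows the tunnel-mode copy landing in the best-effort queue with only gateway addresses visible, while the GET-style copy keeps its branch addresses and EF marking readable even though its payload is unreadable.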

ePlus has been beta testing and implementing the GET VPNs, as well as the latest version of Cisco's Integrated Services Router (ISR), a modular router that allows customers to buy a basic router, then add modules for GET and the networked-application accelerator technology Cisco calls Wide Area Application Services (WAAS).

Encrypting only the payload of each packet can make the network more secure than a normal VPN, even one running across a network using Multi-Protocol Label Switching (MPLS) to identify and accelerate time-sensitive traffic.

GET adds "IPsec-like encryption, with about the same amount of overhead," Fairbanks said. "5%, 10%, 15% overhead -- not a ton," he said.

"[MPLS] is still a shared network, what's to prevent someone from misconfiguring a circuit into your MPLS cloud?" Fairbanks asked. "It's an entirely shared network; once you're in, you're in. If the payload is encrypted, that's not a problem."

What is a problem is routing GET VPNs across the public Internet, Fairbanks said. GET is geared toward private networks connected via Frame Relay, metro Ethernet or MPLS, so it can only connect across a public network if each node of the network uses a "real" IP address. Most networks use public IP addresses only for Internet gateways, giving nodes inside the firewall "private" IP addresses that are understood by internal routers and switches, but are inaccessible to the public Net.

Both the ISR and GET compete with products from F5 Networks Inc. and Riverbed Technology, whose devices are designed to improve performance for video, voice and other time-sensitive applications across wide area networks whose bandwidth limitations frequently make that difficult, according to Zeus Kerravala, analyst at the Yankee Group.

F5's technology specifically allows application developers to build in features that let the application sense performance problems and make calls to the network to affect performance on the fly, Zeus said.

The problem with that approach, though it's effective, is that it lays another proprietary layer on top of the network, making it difficult to use non-F5 or Riverbed technology to improve performance, Fairbanks said.

"Cisco's biggest selling point is that it's entirely transparent to the network," Fairbanks said. "It's not inline, so if the product dies, it just falls out of the WCCP group. That transparency is what they're really going to hurt their competitors with."

Web Cache Communication Protocol (WCCP) is a Cisco content-routing function that allows network administrators to set up caches inside their networks to improve performance of applications using data that can be cached.

GET will also be available free, as part of an updated version of Cisco's IOS router operating system, according to Lasser-Raab.

Channel companies can use the benefits of WAAS and GET VPNs to urge customers to migrate from Cisco 1700, 2500, 2600 and 3700 routers to the 2800 or 3800 models, which are the only ones that support the new WAAS and GET modules, Growdon said.

In addition to Cisco's usual incentives, the company will offer an extra 15% backend rebate on credits gathered in competitive upgrades, and will offer bundles of the bare-bones ISR and a number of add-on modules at savings of up to 17% compared to a la carte pricing, Growdon said.

The combination is a tremendous seller, Fairbanks said. "I've done maybe 10 WAAS meetings in the last six weeks with customers," he said. "We typically deal with Cisco enterprise customers and in something like 90% of those, we walked in and walked out with a try-and-buy P.O. It is that good a technology," Fairbanks said. Under try-and-buy, a Cisco customer can cut a purchase order for a new product, use it for 30 or 60 days to judge its performance, then either pay the P.O. or return the product.

"[Customers] see it and it's amazing how fast the budget opens up," Fairbanks said. "Even when they say their budget is closed, they know if they get this out there the business units around will cough up the money because it will make their life better."
