Cisco announces VPN breakthrough

Companies will be able to put voice calls and videoconferences on virtual private networks (VPNs) after Cisco Systems announced new capabilities for its VPN-enabled routers.

Cisco has extended the functions of its VPN routers through updated software that allows them to encrypt voice and video packets while maintaining the QoS (quality of service) levels required to make video smooth and Internet Protocol (IP) voice calls similar to traditional phone calls.

The breakthrough, which Cisco calls V3PN, will simplify telecommuting and branch and remote office computing, Scott Pope, product line manager for site-to-site VPNs at Cisco, said. Key benefits include allowing enterprises to deliver video programs and run videoconferences securely over a broadband connection, eliminating the need for a second phone line for staff working at home and making it easier to extend a company's office phone system to remote sites around the world over an IP network.

VPNs provide a way for enterprises to use a service provider's IP network as if it were a private network, with their own traffic shielded from prying eyes, typically with IPSec (IP Security) encryption. Voice and video traffic can be carried over a service provider's IP network with good quality, as long as the correct QoS information is provided on each packet and recognised by all the routers across that network. In such a case, the QoS information is in the form of data bits associated with the Differentiated Services or IP Precedence standards, Pope said. Routers use that information to make sure the voice and video packets cross the network in a timely fashion.

However, use of IPSec normally conflicts with sending high-quality voice and video because the encryption scrambles the necessary QoS information in the header of the packets. With the new software, Cisco routers will take the QoS information off the packet before it is encrypted, then put it back in afterward.

Similar challenges face enterprises that seek to apply security and QoS to Web services traffic, in which differentiating between different types of traffic with different priorities requires inspection deep into a packet, Pope said.

Applying the appropriate QoS levels for Web services packets is something that needs to take place farther back in the network, such as at the Web server, Pope said. However, the newly introduced mechanism can preserve that QoS setting if the packet is encrypted, he added.

"Though we're applying it to voice here, it'll apply to any latency-intensive traffic," Pope said.

Cisco has also addressed the problem of sending IP Multicast traffic over an IPSec VPN. Multicast allows the provider of a stream of content such as an audio or video program to conserve bandwidth by sending a single stream to multiple selected clients instead of sending one stream to each. IPSec typically throws out multicast packets because it was developed without support for IP Multicast, Pope said. Cisco's VPN routers now can use a technique called GRE (Generic Routing Encapsulation) to wrap multicast packets in a form that IPSec routers can understand, Pope said. GRE has been presented to the IETF (Internet Engineering Task Force) for consideration as a possible standard.
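The two mechanisms described above, as an added Python example (not Cisco's code and not part of the original article): the QoS byte is copied to the outer header before encryption, and a multicast packet is wrapped in GRE so that IPSec sees unicast. The addresses, SPI and the `encrypt` stand-in are constructed for illustration, and ESP framing is reduced to SPI, sequence number and opaque payload.

```python
import socket
import struct

GRE_PROTO, ESP_PROTO, UDP_PROTO = 47, 50, 17
DSCP_EF = 46  # Expedited Forwarding, the DiffServ class commonly used for voice

def checksum(hdr: bytes) -> int:
    """Standard IPv4 header checksum (one's-complement sum of 16-bit words)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, tos, payload):
    """Build a 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def gre_wrap(inner, tunnel_src, tunnel_dst):
    """Wrap an IPv4 packet (unicast or multicast) in GRE; copy its ToS byte outward."""
    gre = struct.pack("!HH", 0, 0x0800)  # no flags, payload type IPv4
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, inner[1], gre + inner)

def esp_tunnel(pkt, peer_src, peer_dst, spi, seq, encrypt):
    """Outer IP + SPI + sequence + ciphertext; ToS is read BEFORE pkt is encrypted."""
    body = struct.pack("!II", spi, seq) + encrypt(pkt)
    return ipv4(peer_src, peer_dst, ESP_PROTO, pkt[1], body)

def transit_view(pkt):
    """What a provider router can read without keys: DSCP, protocol, destination."""
    return {"dscp": pkt[1] >> 2, "proto": pkt[9],
            "dst": socket.inet_ntoa(pkt[16:20])}

def demo():
    # Constructed sample: a voice-marked multicast packet between example addresses.
    inner = ipv4("10.1.1.10", "239.1.1.1", UDP_PROTO, DSCP_EF << 2, b"rtp-sample")
    gre = gre_wrap(inner, "192.0.2.1", "198.51.100.1")
    # Placeholder transform standing in for the negotiated cipher; NOT real encryption.
    opaque = lambda data: bytes(b ^ 0xA5 for b in data)
    esp = esp_tunnel(gre, "192.0.2.1", "198.51.100.1", 0x1001, 1, opaque)
    return transit_view(inner), transit_view(gre), transit_view(esp)

if __name__ == "__main__":
    for view in demo():
        print(view)
```

The copied DSCP value travels in cleartext and sits outside ESP's integrity check, so the transit network can see the traffic class and can rewrite it in flight; the receiving side should not treat the outer marking as authenticated.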

The new offering will lead companies to start experimenting with voice and video over VPNs, predicted Zeus Kerravala, an analyst at Yankee Group.

"The upside obviously is huge, being able to deliver [corporate] telephony applications all the way to your home," Kerravala said.

The problem Cisco is addressing with V3PN goes beyond voice and video as vendors try to make new kinds of services work over IP networks but also keep those networks secure, he said.

"Security and performance have always been fighting one another. The challenge now is to make them work together. For any network vendor, that's what's on the top of their mind right now," he said.

The new VPN capabilities are available immediately on all Cisco IOS (Internetwork Operating System) VPN routers, including the 1700, 2600, 3600, 3700, 7100 and 7200 series routers. Most of these are based on existing Cisco router models with hardware and software upgrades for VPN capability. In July, Cisco will provide deployment guidelines and staff to support the products. A software upgrade is available free to all enterprises with a typical Cisco IOS software contract.

Cisco has also announced the Cisco 7400 Series VPN Router bundle, a VPN router that can be deployed behind a company's WAN (wide-area network) router, typically in cases where the company does not want to modify its WAN router to handle VPN functions. It is based on Cisco's existing 7400 Series router and features only LAN interfaces. It comes with two Fast Ethernet ports and can be upgraded with two Gigabit Ethernet ports. The 7400 Series VPN router bundle will be available in June for $18,500 (£12,630).