Saturday, October 6, 2007

Cisco Joins the Network-Based VPN Market

Industry heavyweight Cisco, a longtime player in the VPN router space, entered the VPN remote access concentrator market this past March by purchasing Altiga and Compatible Systems. Among the products acquired was Compatible Systems' IntraPort Carrier-8, a network-based VPN platform used by PSINet to deliver its Secure Remote Access service.

Last month, this platform was reborn as Cisco's flagship VPN 5008, prize member of its new VPN 5000 Concentrator series. This IPsec and L2TP tunneling platform, deployed at the service provider network edge, finally brings Cisco into the network-based VPN market.

Moving from customer to provider network edge
The VPN 5000 Concentrator series currently comprises three products. At the low end, the 5001 is traditional customer premises equipment; it supports tunneling from the edge of a single customer network.

However, the two-slot 5002 and eight-slot 5008 are intended for deployment at a service provider's Point-of-Presence or Central Office, supporting up to 256 customer VPNs on a single device. VPNs are implemented in software using Customer Virtual Contexts (CVCs). CVCs define tunnel terminations and mappings, address translations, IGP routing, RADIUS servers, encryption policies, and firewall filters. This approach allows customer VPNs to operate independently while sharing a common platform. Cisco's CVC Pro, a directory-based provisioning system, is used to build and populate service templates, which, in turn, are used to configure VPN 5000 systems.

Carrier-class horsepower
Providers can use the 5002 or 5008 to offer remote access and site-to-site VPN services. Incoming IPsec or L2TP/PPP tunnels can be mapped onto 802.1Q VLANs, Frame Relay PVCs, GRE tunnels, or other IPsec tunnels. Slots can be populated with Edge Service Processor (ESP) cards that enable growth and flexibility. Each ESP hosts a StrongArm RISC 233 MHz processor, two encryption coprocessors, a math coprocessor, 128 MB SDRAM, and one network interface. Any combination of HSSI, OC3-, DS-3, or 10/100 Ethernet interfaces can be used to connect the 5002/5008 to a Frame Relay network, OC-3/STM-1 POS network, or switched/routed Ethernet.

According to Cisco, each ESP supports up to 5,000 simultaneous remote access or site-to-site VPN tunnels. The 5002 can handle 10,000 tunnels with 195 Mbps 3DES throughput. A fully equipped 5008 can handle 40,000 tunnels with 760 Mbps 3DES throughput.

These concentrators offer carrier-class horsepower and scalability that far exceed those of VPN CPE. However, Cisco's numbers do not approach the self-described capacity of Lucent's IP services switches sold as part of its Spring Tide ("100,000 simultaneous sessions") and CoSine lineups ("tens of thousands of subscriber networks"). Providers seeking the operational efficiency of network-based VPN without a big-league price tag may start small and grow incrementally with the modular 5000 series.

Flexible client, push configuration
Every VPN 5000 series concentrator includes a blanket license to brand and distribute IPsec VPN client software, required by remote access VPNs. Clients can connect over dial-up, ISDN, DSL, or cable modem. Cisco's client provides the broadest OS support available on the market today. Windows 95, 98, NT, and 2000 are supported now; a Windows ME client is underway. PowerPC Macs running MacOS 7.6 and OpenTransport 1.1.1 or higher are supported now, as are Intel platforms running Linux variants like RedHat 5.2 and 6.0. Solaris 2.5.1 is available for Sun SPARC now; Intel Solaris is coming soon. This extensive support makes it easier for providers to sell remote access VPN services into any enterprise account.

The VPN 5000 client offers many attractive features:

* Centrally configured security policies can be pushed to the client during tunnel establishment, eliminating confusing, error-prone configuration by desktop users.
* Using a clever port 80 encapsulation trick, this client is able to send IPsec traffic through packet filtering firewalls that perform NAT/PAT (a technology often incompatible with IPsec).
* This client leverages round-robin DNS and hostnames associated with multiple addresses to circumvent unreachable concentrators and distribute tunnels across active concentrators.
* By using hybrid XAUTH, a variety of client authentication methods are supported, including preshared secrets, RADIUS PAP/CHAP, SecurID, AXENT Defender, Entrust and standard PKCS#12 digital certificates, and (via RADIUS proxy) LDAP, NT Domain, or token-based authentication services.

Trading footprint for functionality
Proprietary features like these make the VPN 5000 client more flexible, but they inhibit multi-vendor interoperability. The VPN 5000 series interoperates with other Cisco IPsec products: routers running IOS 12.01T or later, PIX firewalls, and 3000 series concentrators.

But Cisco chose not to support the native Windows 2000 IPsec client because it "lacks many of the features that differentiate the VPN 5000 client and enable large scale IPsec VPN deployments."

Why does this matter? Adding any software to enterprise desktops can be an uphill sell — even a lightweight, centrally configured client.

Nonetheless, there are many enterprises willing to add desktop software when required to overcome other hurdles.

According to Terry Milholland, Electronic Data Systems CIO, "Cisco's client support of all major operating systems, including Windows 2000, is critical as we continue to expand our diverse customer base around the world. We have added VPN services to our existing dedicated dial solution, leveraging our CiscoSecure authentication and accounting system. [This] permits our remote access users to take advantage of cable modem and DSL broadband Internet access."

A promising service delivery platform
Cisco VPN series concentrators are well-suited for use by ISPs and DLECs that want to deliver both site-to-site and remote access services through a combination of desktop software, customer premises gateways, and PoP or CO edge devices. Many industry analysts believe the latter approach is required for cost-effective, large-scale VPN service delivery. By adding the 5000 series to its VPN product line, Cisco finally joins this club.



http://www.isp-planet.com/equipment/cisco_vpn.html