Making a policy of QOS: Xedia's Access Point lets providers offer SLAs without tears

Like most things Internet, IP-based virtual private networks have matured in the last year. Where enterprises once thought of connecting a handful of branch offices, many are now poised to link their whole organization with meshed intranets and a slew of suppliers, customers and partners.

One problem in deploying site-to-site VPNs has been that separate tunnels must be created. If a customer wants a VPN to connect different sites and departments within those sites, that increases the number of tunnels geometrically.

Xedia Corp.'s Access Point QVPN can take the heavy lifting out of setting up and running site-to-site VPN services while allowing an Internet service provider to offer class-based quality of service (QOS) over an integrated platform. The customer premises equipment incorporates the functions of an IP router, VPN gateway, bandwidth manager and firewall.

"That makes it more deployable from a service provider's perspective," said Karen Barton, Xedia's vice president of marketing. "They can now deploy and provision a single box at a customer's premises rather than four, and at a much lower cost of ownership."

VPNs began with IPSec encryption appliances and progressed with remote access gateways. "That was the next evolutionary step," Barton said. "It was just about tunneling - not high-speed encryption and certainly not routing." But Access Point integrates a full-scale IP router with border gateway protocol 4 (BGP4), open shortest path first routing and full wide-area capabilities for frame relay, ATM and point-to-point protocol.

The Access Point router function also enables QOS through two core capabilities. Class-based queuing partitions a shared IP link so that individual users and applications can get guaranteed bandwidth. DiffServ lets Access Point mark packets so that a service provider can provide an end-to-end service guarantee.

"[Class-based queuing] and DiffServ complement each other," Barton said. "The system is very granular on the customer's LAN, and very status-based on the network side."

Recently, Xedia has turned its attention to configuring devices associated with an IPSec-based site-to-site VPN. Some of Xedia's partners calculated that configuring a 30-node VPN took up to 60 hours. "By the time you get to a 50-node VPN - not very large in terms of today's router networks - you're talking over 11,000 logical tunnels," Barton said.

The company's answer is QVPN Builder, which centralizes configuration by defining VPN policies and then pushes specific configuration files automatically to each site on the network. Builder constructs the needed tunnels using a secure SNMPv3 link.

"Instead of 60 hours, it ends up taking more on the order of 30 minutes," Barton said.

Access Point already has won the endorsement of two large VPN service providers. UUNet is deploying it in its UUsecure VPN service in the U.S.

"With its advanced IPSec security, bandwidth control and service level monitoring features, Access Point is a critical element of our dedicated access secure offering," said Ralph Montfort, UUNet's director of product marketing for dedicated services.

Concentric Network chose Access Point for its new ConcentricQoS VPN service, offering differentiated QOS for businesses.

"The challenge with any provider's service level agreements is that they're relatively generalized," said John Lawler, VPN product line manager at Concentric. "We wanted a more customer-specific QOS, and that's where Access Point comes in with its class-based queuing. Now we can guarantee that the most important packets are sent out faster than the more mundane ones in a given customer's traffic."

It's not true end-to-end class of service, however. "That would require ripping out our network and putting in multiprotocol label switching and DiffServ," Lawler said. "But it's an important step down the path to end-to-end QOS."