We have a situation where we need to encrypt the traffic on a Layer 2 VLAN. We have a Cisco Switch on each side but the fiber it runs over is leased and encryption (AES256 minimum) is required on a leased line. We have 2 ASA5505s that we could use on each side. Not sure what would be the best setup for this scenario (Site to Site). Or is there something better than using 2 ASAs on each side?
Actually, if you're talking about a VLAN , the switches can encrypt on L2.
The feature you're looking for is called MACSec http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/config.html
There's no need for ASA.
Please rate if it helps
Thanks for the MACSec suggestion. It would be nice to be able to do this without the need of additional hardware (ASAs).
I saw this config guide.
Under Guidelines and Limitations is states ACS 5.1. We have ACS 4.2.
Would MACSec be AES256 or greater encryption level?
The MACSec is confusing me...
it would work only with ACS5.1 and later with a trustsec license.
Below are the prerequisites
•TrustSec software on all network devices
•Network availability of the Cisco Secure ACS 5.1 operating with a TrustSec license
•Directory, DHCP, DNS, certificate authority, and NTP servers functioning in the network
Trustsec and MACSec are different things.
Trustes is a marketing term that refers to many different security features.
MACSec is a technical term that refers to layer 2 encryption by switches.
You don't need ACS for MACSec. You just need the Cisco switches. I know 3750, 4500 , 6500 and Nexus support MACSec.
It looks like L2TP is between routers given the platforms it runs on.
We have dark fiber between the sites but there are numerous hops in between in a chain. Flow could be as follows, Core 6500 - - 3750 - - 3560 - - 3750 - - 3750 - - 3560 - - 3750. Not sure of the exact number of hops. Final destination would be a 3750 and all switches in between would be either a 3560 or 3750. All switches in the chain are connected through SFPs on a CWDM chain.
Would MACSec work in a scenario similar to this without the need for ACS?
Thanks for all the replies, I am learning about a lot of concepts I am unfamiliar with.
I've been researching more about MACSec.
802.1x is a pre-requisite for MACSec, so yes you need ACS.
Devices that support MACSec are 3560-X , 3750-X, 4500, 6500 and Nexus 7000.
It seems it's not supported on plain 3560 and 3750.
I am going with 2 ASA 5505s and the site to site vpn for this scenario.
This site to site vpn will be on the same subnet of 10.207.1.0/24.
Remote side and Host side will both be on the 10.207.1.0/24 network.
Will this cause an issue?
Firsts off the macsec does not work with 2 3750x or 3560x and so on.
They can only speak macsec towards a nexus 7000 or a server as far as it goes today.
I have been told it is in the roadmap. but speak to your cisco rep to make them stand behind the solution.
either way it i not feasable with a L2 link setup, only L1 will work.
ie you will need a link that is L1 only. the 802.1ae is point to point only.
2 asa5505 site to site with the same network on both sides will cause problems.
We are trying to accomplish some encryption on a Layer 2 VLAN that is trunked over our private network through multiple switches. The traffic never leaves the LAN. The application host requires at least AES256 encryption over leased lines. Even though it is our dark fiber, we dont own the fiber. We are the only ones using the fiber. A host from a different site needs access to this application.
Our thought was site to site vpn but then realized its all same subnet.
Below is a rough drawing of the topology. Hope this helps.
I have a few questions.
First off. if at all possible change the networks. you do not want two of the same networks for many reasons.
Second: The number of ip addresses that are on each side that is needed is that the hole network or just between a couple (2-3) machines ?
Third: Does the application care that you are on the same network or not ?
ie must the question come from 10.231.1.211 to 10.231.1.100 or can one use 10.231.2.211 as a source of the packets going to the server ?
if it is possible you can change the network on one side then the 5505 should be able to help you out.
if not but it is possible for you to use NAT and only a few static addresses then i can think of a way but i have never tried it, its tricky but it could work.
Since you have several L2 switches inbetween you have no chance of using 802.1ae macsec.
its strictly L1. so we can forget about that.
otherwise that would have been a nice workaround.
so now we have exhausted the cisco equipment that we have available for this.
if nothing else works then you could use a Link point to point encryption device.
they are quite expensive but is used in events such as this.
if you need one of those then know that the more data is needed to be sent between the two different segments of the network the higher the cost for the equipment.
Thanks so much for all the great information.
Interested in Link point to point encryption device too. Who is make and model?
1. I understand reasons for different networks. This network is not controlled by us but by the app host.
2. The remote side will only have 2 IP Devices (PC and Printer)
3. Yes, app host requires must be on the same network. I had read another thread and changed my 10.231.1.x network with what they had. Not sure if this would work.
ASA 5505 Remote
access-list NAT permit ip 10.231.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list NAT
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ASA 5505 Central
access-list NAT permit ip 10.231.1.0 255.255.255.0 10.1.1.0 255.255.255.0
static (inside,outside) 10.2.2.0 access-list NAT
access-list VPN permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
The idea is the following:
Site 5505 central will translate its local 10.231.1.0 to 10.1.1.0 when going to the remote site.
Site 5505 remote will translate its local 10.231.1.0 to 10.2.2.0 when going to the central site.
The communication over the tunnel will flow between 10.1.1.0/24 and 10.2.2.2/24
Sorry about the delay in answer.
You can check out different vendors.
This is one of many products that work just about the same way ie a box on the outside that
encrypts and decrypts the traffic entering one interface and vise verse.
the only ones I have worked with is not possible to get a hold of.
I do not know if that is a good or a bad piece of hardware.
But google for l2 encryption and you will find more devices.
2) ok, then it might be possible to do a nat/static portion and sending it to the other side.
3) I doubt that will work, I think it will not.
if you translate two addresses and so on then maybe.
what is the reason for them having to be on the same network, if it is that they listen to broadcasts and so on then your only choise will be encryption devices. and make shure that the devices are L2 compatible.
the asa will not send the broadcasts to the other side.