01-23-2006 02:39 AM - edited 03-09-2019 01:42 PM
Hi,
Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switches will be connected with fiber and use dot1q tagging, and I want to encrypt all of the trunked traffic.
I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
Thanks for any input,
Regards,
Oyvind Mathiesen
mnemonic
Norway
01-27-2006 07:31 AM
As far as I know, L2TP is mainly used in dial-up remote access environments. Most of the tunnelling and encryption technologies are deployed at layer 3. I am not sure if this is possible at all. Can anyone throw more light on this?
01-27-2006 08:48 AM
Thank you for your reply :-)
Well, it is possible, but not within the switches. You can do it in a separate router or in a Catalyst 6500. But part of the problem is that I can't seem to find a straightforward description on how to implement this. The best description I have found is on GRE tunneling. But I would like to have a config example on how to configure L2TP in a site-to-site scenario. The IPSEC config is OK though. It is, of course, possible to use trial and error, but it would be nice with some sort of reference.
/Oyvind
10-09-2006 05:24 PM
Hey, I have the exact same issue and was wondering if you had found a solution. I've implemented a large Layer 3 switched/routed network, following the fully routed core/distribution methodology that Cisco started pushing, but cannot/do not want to run VLANs across our complex core. We have 3750s everywhere but cannot figure out how to tunnel 4 VLANs between 2 data centres. I believe the 3750 Metro can do this, but I am not going to explain to my manager that we need to purchase 4 more of these to replace the 4 3750s we purchased 4 months ago.
-Martin
11-12-2006 05:31 AM
You'd have to use Q-in-Q. If that's not an option, then you'll probably need some other device to form a GRE tunnel. I believe the 3750 isn't capable of doing this in hardware.
06-26-2012 03:14 AM
Hi,
Can you possibly post the config of this - or point us to some docs?
Regards,
11-12-2006 03:08 PM
Hi,
I solved this with 2600 series routers and L2TP (pseudowire-class) over IPSEC. With this solution you can bridge traffic over L3, encrypted. The downside is the extra box and the overhead from fragmentation. It works like a charm.
/Oyvind
12-06-2006 01:04 AM
Hi,
I have the same problem, could you post the config you found to help me!
Thanks
06-26-2012 03:22 AM
You want to encrypt Layer 2 traffic? MACsec is the way to go nowadays.
06-26-2012 03:43 AM
Hi,
Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcast on the "wire". But let me first give you an understanding of the task:
We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.
The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service: 100.
We also need to encrypt the data traversing this connectivity.
MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M... )
And that would cause me to eat into the 100 MAC limit.
Ridiculous, I know, but we are looking for an out-of-the-norm plan...
Thanks
06-26-2012 03:48 AM
We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.
The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service: 100.
OK, you got me stumped. Never heard of a carrier putting a cap on the number of MACs.
I am not sure, but how about GRE over IPsec? It's a favorite because it's fully encrypted, but it's Layer 3.
06-26-2012 05:03 AM
Yeah, I know
Been doing some reading and the Cat6500s can do transparent firewalling, so you could accomplish tunneling with a bridge using the FWSM. But I have 3650s, and cannot afford the capital outlay of 6500s.
06-26-2012 01:53 PM
Mhmm... it is a bit strange that there is so much activity on this thread after all these years.
The question was answered by myself, but I accidentally tagged Craig Boltman's post as the correct answer. I have asked support to correct this for me, so I hope they are able to comply.
The trick is to use L2TPv3, a pseudowire, a loopback interface, and tunnel it through a standard IPSEC tunnel. I have only tested with DES encryption and SHA hashing, but others should work fine as long as you have enough CPU to handle your bandwidth.
And as I stated earlier, you can use a standard router to do this as long as the IOS supports IPSEC and it has the CPU to support your bandwidth requirements.
I guess this may not be that relevant anymore, so trying to dig up the old config from my backups is not necessary, I guess.
Cheers,
Øyvind
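Added example (not Øyvind's config, which was never posted in this thread, and not taken from Cisco documentation): a minimal IOS configuration for one end of the design described in his two posts above, a port-mode L2TPv3 pseudowire sourced from a loopback and carried inside a standard site-to-site IPsec tunnel. Every address, interface name, class name and secret here is an assumption chosen for illustration, and the transform set uses AES/SHA rather than the DES/SHA he reports testing. Because the pseudowire is bound to the whole Ethernet port facing the 3750 trunk, 802.1Q-tagged frames cross the tunnel unchanged, and the carrier's fibre only ever sees the IP packets between the two routers' WAN interfaces, which is what makes this relevant to the 100-MAC limit discussed above.

```ios
! --- Site A (assumed: Loopback0 10.255.0.1, WAN 203.0.113.1;
! ---          peer Loopback0 10.255.0.2, peer WAN 203.0.113.2)
! --- Site B is the mirror image with the addresses swapped.
!
! L2TPv3 control channel: authenticate the peer and hide sensitive AVPs
l2tp-class L2TP-CLASS
 authentication
 password 0 ChangeMeL2tpSecret
 hidden
!
! Pseudowire template: L2TPv3 over IP (protocol 115), sourced from the loopback
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Port facing the 3750 trunk: no IP address, whole port cross-connected,
! so every VLAN tag on the trunk passes through untouched (VC ID 100 must match the peer)
interface FastEthernet0/0
 no ip address
 xconnect 10.255.0.2 100 pw-class PW-L2TPV3
!
! Standard IPsec; the crypto ACL matches only the loopback-to-loopback L2TPv3 packets
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key ChangeMeIkeSecret address 203.0.113.2
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended ACL-L2TPV3
 permit 115 host 10.255.0.1 host 10.255.0.2
!
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address ACL-L2TPV3
!
! Fibre-facing interface toward the carrier
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-SITE
!
! Reach the peer loopback across the fibre so the pseudowire (and the crypto ACL) can match
ip route 10.255.0.2 255.255.255.255 203.0.113.2
```

Checks worth running once both sides are up: `show l2tun session all` should show the session as established, `show xconnect all` should list the port as UP, and `show crypto ipsec sa` should show the encaps/decaps counters climbing on the 10.255.0.1/10.255.0.2 pair; if the pseudowire comes up but IPsec counters stay at zero, the L2TPv3 packets are leaving in the clear and the crypto ACL or the route to the peer loopback is wrong. The fragmentation overhead Øyvind mentions is real: a full 1522-byte tagged frame plus the L2TPv3 and ESP headers will not fit a 1500-byte path, so either raise the MTU end to end across the carrier or expect the router to fragment and reassemble.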
06-26-2012 02:24 PM
Hi....
VERY RELEVANT TO ME
Please post the configs - my brain is throwing MACs out like you won't believe. (I might have the same issue in my head)
Thanks
06-26-2012 02:34 PM
ok, I will start digging and see what I can find