1Gbps WAN router?

dmurray14
Level 1

Hey guys,

Putting in a 1Gbps private ethernet link between 2 sites. Currently have 2 2811's at each location, don't think that will cut it. I was going to get 2 2911's, but looking at the docs it looks like they can only do 180mbps of throughput? Am I way out of my league here? Can someone help me pick a good router?

13 Replies

"Forbidden File or Application"


???

that would be a cco access issue.

If you can take a look at the 3900 series routers. I think the high end ones would meet your needs.

Leo Laohoo
Hall of Fame

Putting in a 1Gbps private ethernet link between 2 sites.

Are you going to run encryption?

The entire chassis of the 7200 VXR with NPE G2 can run 1Gb, non-encrypted and half duplex.

The ASR 1000 with ESP5 can run 4.526 Gb, non-encrypted and half duplex.

Personally, I'd go with the ASR.

Nope, not planning on running encryption.

For cost purposes, should I just use a switch for now? Wouldn't that work too? This is just for some simple connectivity of a couple VLANs between sites.

Thanks!

hobbe
Level 7

Since there is no terminology explaining what "private ethernet link" is, this may need some clarification.

First of all what are you going to use it for ?

Second, are you going to have a lot of routes or something like that running over it? Or is it just between two datacenters with one net on one side and another net on the other?

Third, how is it configured? L1 or L2?

If it is just an L1 dark fiber and you only want to connect two networks with static routes or something similar, it might be a good idea to look at the 3750 family of switches.

I have used them for things like that with excellent results.

However, if you connect the two sites there could be a security issue if you do not encrypt the communication between the different sites.

This could be done with e.g. 802.1ae (if link = L1) or by setting up two firewalls facing each other with an ipsec tunnel between them.

good luck

HTH

It's L2. Like you said, just between two datacenters, but there are a couple different VLANs that will be running (regular intersite data, a replication network, and a few others). There are quite a few VLANs at each site, but the 3560X switches at each site are the L3 routers for these networks.

I still have some backup networks that will use the 2811's at each site (an MPLS network) but I assume I could just make that a lower priority route in the switches.

I am not too worried about encryption at this point...especially if it saves me $30k on routers. Thoughts?

Thanks again.

Well, if it is an L2 connection then you can forget about 802.1ae since that will not work in that type of environment.

Otherwise I think that your 3560x will support connecting to each other with 802.1ae in the near future, but that is not over L2, only L1 links.

When it comes to encryption I think you should really think twice about it.

It all comes down to the simple fact that if you have an L2 link without any encryption scheme, anyone can listen in to your conversations, plant traffic and so on.

Do you know how the wires are drawn all over town? I know! Well, not in your special case, but as a general rule, since when I was in the same situation I actually checked it out. And trust me, that's the stuff nightmares are made of. It took me a little more than a year and a lot of unofficial greasing of the technicians to get the whole picture.

There is special hardware that you can set in place to do encryption on the link itself, i.e. you put two boxes outside your switches and they encrypt everything in between them. But I know of no such hardware from Cisco itself.

If you do not care for encryption I think the 3560x will do just fine!

And if you want another link and choose two L1 links (dark fibre) then you can connect etherchannels and most likely in the near future connect your 3560x with wirespeed encryption between them.

Just a tip.

There is a thing you can do to at least give you a heads up if something is "weird".

You can check the mac address table on both sites, and if there is a mac address that sticks out as being on the outside of both your 3560X then you know for sure something is going on.

If they do not know that you are testing for that then it can at least be a little alarm.

Good luck

HTH
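Hobbe's MAC-table check above, as an added example that is not from the thread: it parses `show mac address-table` output from both 3560X switches and flags MACs learned on the EPL uplink at both ends (a station on the carrier's L2 path), plus the weaker case of an uplink MAC the far end does not own locally. The switch output is constructed and the uplink port names are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# One entry line of IOS "show mac address-table": vlan, mac, type, port.
ENTRY_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)

def parse_mac_table(output: str) -> Dict[str, Set[str]]:
    """Map port -> MACs learned dynamically on it (static/CPU entries are the switch itself)."""
    table: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            table.setdefault(m.group(4), set()).add(m.group(2).lower())
    return table

def audit_uplink(site_a: Dict[str, Set[str]], uplink_a: str,
                 site_b: Dict[str, Set[str]], uplink_b: str) -> Tuple[List[str], List[str]]:
    """Return (between, unexplained). 'between' = MACs learned on the uplink at BOTH ends,
    i.e. a station on the carrier's L2 path rather than behind either switch (strong signal).
    'unexplained' = MACs on one uplink the far end sees on no local port (weaker: may be aged out)."""
    on_a, on_b = site_a.get(uplink_a, set()), site_b.get(uplink_b, set())
    local_a = set().union(*(m for p, m in site_a.items() if p != uplink_a))
    local_b = set().union(*(m for p, m in site_b.items() if p != uplink_b))
    return sorted(on_a & on_b), sorted((on_a - local_b) | (on_b - local_a))

# Constructed sample output from the two 3560X switches; Gi0/1 is the EPL uplink on both (assumed).
SITE_A = """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.aaaa    DYNAMIC     Gi0/5
  10    0011.2233.bbbb    DYNAMIC     Gi0/1
  20    0011.2233.cccc    DYNAMIC     Gi0/1
"""
SITE_B = """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.bbbb    DYNAMIC     Gi0/7
  10    0011.2233.aaaa    DYNAMIC     Gi0/1
  20    0011.2233.cccc    DYNAMIC     Gi0/1
  20    0011.2233.dddd    DYNAMIC     Gi0/1
"""

def check_sample() -> Tuple[List[str], List[str]]:
    return audit_uplink(parse_mac_table(SITE_A), "Gi0/1", parse_mac_table(SITE_B), "Gi0/1")

if __name__ == "__main__":
    between, unexplained = check_sample()
    print("MACs on the carrier path (seen on both uplinks):", between)
    print("MACs on an uplink with no far-end local owner:", unexplained)
```

Run it periodically against fresh output from both switches; a MAC that lands in the first list persistently is the "little alarm" the post describes, while the second list needs a second look after the aging timer has passed.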

Thanks Hobbe, it does help indeed. Now you have me thinking that I probably should encrypt the traffic over this EPL.

As I said, I have a 3560X at each end, and I can certainly use them as the termination point for the EPL. However, in my limited research, it looks like they only support TrustSec (which is 802.1x-REV, which includes 802.1ae, which is what I want, right?!?!) on downlink ports - so I would be unable to use it between the switches, correct? And why do you say it won't work for L2 - I thought that was the layer TrustSec runs over?

Thanks!

Dan

Yes, you are correct: the 3560x does not support linking two 3560x towards each other. At this time!

However, I have been told by our Cisco rep that this will change during this spring/summer so that you can use 2 3560x/3750x to encrypt the traffic between them. A feature I am anxiously waiting for myself.

If this should not change then a backup plan could be to just replace one end of the link with a 2960C/3560C and it should work anyway. They will be shipped in a month or two.

A rough explanation:

L1= cust switch ----line---connectionpoint(cp)----line----cp-------cust switch

L2= cust switch ----line---L2 device (switch) ----L2 device---line----cust switch

L1 connectivity = nothing above layer 1 in between the customer switches.

L2 connectivity = a switch or something like that existing at L2 or above, switching your packets to your endpoint.

L1 = e.g. dark fiber: if you do not light it up it will be dark all the way. Connect 1 switch and it will not light up.

L2 = connect your switch at one end and it will light up, but no switch is yet at endpoint 2.

Since 802.1ae is not "end to end" but works by binding two switches together and is link based, i.e. switch --- switch

It does not support having another switch between them since that would break the link.

So if your link has L2 devices then I would guess that you would need a firewall, or, as you yourself have been looking at, a router with good ipsec throughput or crypto engines. Crypto engines are usually quite expensive, or at least have been in the past. But a plus for them would be that you still have your L2 network.

ASA/router have the positive that you can detect any anomalies and see for yourself if any traffic not sent by you is hitting the outward facing interface.

please rate if you find this helpful.

Good luck

HTH

Thanks! Again, much appreciated. So what's the best route for me here? Put an ASA on either side of the EPL and run encryption on it (IPSec?) in addition to the 2811's and put 2 prioritized routes in the core switches at each location? Or go with a bigger router? I assume I'm looking at at least a 7200 if I go that route, and most likely a 7304 if I want to encrypt? Referencing throughput listed here:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Thanks again!

Personal Preference anyway...Go big. I like the asr1000 series....

Hi

I have thought hard and long about this.

I will give you some advice that actually fits better at the end of the posting, but I think it will help you from here on.

"Remember: nothing has changed just because you have found this problem, the world and everyone else works just the same."

My recommendation is that you make contact with your local Cisco rep and get them into a meeting.

Why? Well, the information given in a meeting is normally more rewarding for all parties, and they might be able to give you some help such as pre-release software and such things. Would not that be nice? Or they could already have a solution for this problem. After all, it's not the first time someone wants 2 datacenters to be connected.

That is what I would do.

Now that said.

I would gather the following information before that meeting.

  • Bandwidth requirement, how much bandwidth are you using today?
    • How much do you think you will use in 1 year?
    • How much do you think you will use in 3 years?
  • The link between the datacenters, is it L1 or L2?
    • If it is not L1, is it possible to change it? At what cost?
    • Is it possible to get a second link? At what cost?
  • What are your security needs and demands?
    • It is entirely possible that the people in charge of that part do not want to pay for the solution, and then you will be off the hook.
  • How much money is reasonable to spend on this problem?

As I see it you have the following options:

  • ASA-ASA
    • 2 ASAs give you the benefits of L3 ipsec and a sturdy platform that takes a beating. You do not trust this net more than you would the internet.
    • Depending on speed requirements you will have a cheap solution or a not so very cheap solution.
  • Router-Router
    • 2 Routers give you the benefits of L3 ipsec and better netflow and high end routing capabilities.
  • 3560x-Nexus7000
    • Not cheap, but with the right links this will do the job today.
  • 3560x-3560x
    • Using 802.1AE would be the preferred method due to the costs involved, if at all possible. I mean, securing links is what it does.
    • If you get a second link then you can have redundancy through an etherchannel between the datacenters.
    • Vlan and all that information will work out of the box.
    • An interim solution would be to buy a small 3560C or 2960C when they come out, and use that until Cisco releases the software for the 3560x.
  • Crypto boxes
    • This is a working and viable solution. However, that said, how well is up to what type of boxes you would buy, and as a general rule they are NOT cheap!
  • Do nothing
    • This is actually a viable solution. You know of the problem and you have informed your bosses, who choose not to do anything about it due to costs or just blatant ignorance.
    • Very few things are built in a day, so this might be an interim solution until you have whatever measures you deem fit installed and can build your way out of the hole.

Good luck

HTH
