09-15-2009 06:01 AM - edited 03-04-2019 06:03 AM
Hi everyone
I need to link two sites together using 2811 routers. I have a layer 2 link (effectively Ethernet) between two 2811 routers (using the Fa0/0 interfaces).
The wireless link is not encrypted, so I would like to use the 2811 routers to encrypt the traffic. The problem is that the link must still appear as layer 2 (i.e. the same VLAN(s) on both sides).
Is this possible?
Thanks
09-15-2009 09:16 AM
Hello Jason,
This is possible, although you should be aware of possible performance problems.
The L2 point-to-point transport service can be implemented with L2TPv3.
see
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html#wp1043064
It can be defined on a per-VLAN subinterface basis.
L2TPv3 packets between the two routers then need to be encrypted, using IPsec for example.
You can define with an extended ACL what traffic has to be encrypted; in your case, the L2TPv3 flow.
Another possible solution uses NAT and IPsec:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
You can use this as a reference for the IPsec part; the L2TPv3 really joins the two broadcast domains and should be what you are looking for.
Hope to help
Giuseppe
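A minimal IOS configuration for the first option above (L2TPv3 xconnect per VLAN subinterface, with IPsec encrypting only the L2TPv3 flow), added here as an illustration; it is not taken from the thread or the linked Cisco documents. It assumes the wireless link is on Fa0/0, the site LAN trunk is on Fa0/1, VLAN 10 is the VLAN to be bridged, and the addresses and key strings are placeholders.

```cisco
! Router A (constructed example). Router B mirrors this with the
! loopback, link and peer addresses swapped.
!
! Stable tunnel endpoint: L2TPv3 source and the address matched by the ACL
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! L2TPv3 control-channel parameters (password is a placeholder)
l2tp-class L2TP-CLASS
 authentication
 password 0 CHANGE-ME-L2TP
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
! Wireless side: routed link carrying the L2TPv3 packets inside IPsec
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.252
 crypto map WIRELESS-VPN
!
! LAN side: one xconnect per VLAN subinterface. Frames on VLAN 10 are
! carried transparently to Router B, so both sites share one broadcast domain.
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 10.0.0.2 10 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! Reach the peer loopback across the wireless link
ip route 10.0.0.2 255.255.255.255 192.168.100.2
!
! IPsec: the ACL selects only L2TPv3 (IP protocol 115) between the loopbacks,
! so nothing else is sent in the clear over the wireless link by mistake.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME-PSK address 192.168.100.2
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended L2TPV3-TO-B
 permit 115 host 10.0.0.1 host 10.0.0.2
!
crypto map WIRELESS-VPN 10 ipsec-isakmp
 set peer 192.168.100.2
 set transform-set AES-SHA
 match address L2TPV3-TO-B
```

L2TPv3 plus ESP adds header overhead on every frame, so check the effective MTU on the bridged VLAN once the session is up; the performance warning above applies to the encryption load on the router, not only to throughput on the wireless link.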
09-15-2009 10:19 AM
Thanks Giuseppe. Option 1 looks like the best bet. Could we realistically expect 10 Mbps encryption through a 2811?
09-15-2009 11:48 AM
Hello Jason,
Without a hardware encryption module, I'm afraid it is too much for the C2811.
Hope to help
Giuseppe
09-15-2009 01:21 PM
Giuseppe,
The 2811 provides onboard hardware encryption, and 10 Mbps LAN-to-LAN shouldn't be a problem.
Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which when combined with an optional Cisco IOS Software upgrade help enable WAN link security and VPN services.
__
Edison.
09-15-2009 01:41 PM
Hello Edison,
Thanks for your correction.
The HW encryption module is already there!
I should have checked on the CCO.
Hope to help
Giuseppe
09-15-2009 02:22 PM
If you have an IOS with the Crypto feature, you can verify using the command "sh crypto engine brief" and look under "crypto engine type". If it's hardware, then your AIM/VPN is enabled.