cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

370
Views
0
Helpful
2
Replies
Highlighted
Explorer

Hardware Based Encryption

Hello Guys,


We have an existing HQ with some regional branches, and we have connected those brs to HQ through Micro-Wave data-link. currently the data is travelling is Plain-Text Form between our HQ and Brs.

So I found about Macsec Technology that can encrypte data inbetween switches. but the docs for MacSec says that MacSec encryption will be disabled if  there is any  (Bridge or any Devices above Layer-1  ) connected in between  switches with Macsec enabled

My issue is that the Micro-Waves which connect my HQ and Branches, those micro-waves work as a Bridge, so does it means we can not have MacSec enabled in this senerio ? because of the bridge (micro-wave) existance

please give any idea

Everyone's tags (3)
2 REPLIES 2
Hall of Fame Expert

Hardware Based Encryption

Hello Imran,

in a scenario like yours IPSec VPN at IP OSI layer3 may be the best solution.

By the way, MACSec is not so widely supported on Cisco switch platforms (= it is not a common feature and it is relative new).

The presence of a transparent bridge in the middle may be detected by reception of STP BPDUs or other L2 signalling protocol.

IF your micro-waves to ethernet bridge do not speak STP, LLDP and other L2 protocols they might be undetected. But this is something that should be tested.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960c_3560c/software/release/12.2_55_ex/release/notes/ol24071.html#wp1264027

on cisco switches like C3560C support of MACSec is limited to end user host facing ports in access mode,

Hope to help

Giuseppe

Explorer

Hardware Based Encryption

Hi Giuseppe,

As you said in my senerio  VPN is the best solution. you are right.  But!!! establishing vpn in my senerio is not possible. let me explain why not possible

As i said some of our branches are connected to our HQ through Micro-wave links,   this means those branches terminate at our HQ through micro-wave data-link,  and then they are roughted to a  VPN_TRUNK link   to external companies through a site-to-site vpn (which is established through internet ).      let me clarify little more,  my branch-X connects to my HQ directly without use of vpn,  then this branch is routed to the external-company through HQ Internet-link.  example:  Branch--directly-connects-to-HQ-----vpn---external-company

so here wat u said "to use vpn between my branches and HQ"   if i establish vpn in-between my Branch-HQ, then how the Branch is routed or can establish vpn to the External-Company through HQ-Device ?  that is not possible i think, because lets say if my branch vpns to my HQ ASA-Firewall on its outside-int, then How it can revert back and establish vpn to ex-company through that HQ asa outside-int                            

dont think it is possible

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here