maxnpj
Beginner

IPSec on the LAN

General question:

We have an application that requires the use of IPSec on the LAN to establish communications between the PC and the security DVR. These devices are on the same subnet although the subnet is a /22. There are going to be 10 PCs that can all talk to the one DVR and they are all on the same subnet.

So...what are the pros/cons? I can't really find any good documentation that talks about using IPSec on the LAN.

And thanks for any help / advice.

--Brian

5 REPLIES
Reza Sharifi
Hall of Fame Expert

Brian,

The pro is what you are actually trying to do, which is securing communication between hosts. The cons are: 1) since the traffic is encrypted, monitoring and troubleshooting will be difficult; 2) the configuration is a little more complex since there is more involved than just deploying a VLAN.

HTH

Reza

Reza,

Thanks for the info. I'm also wondering what effect IPSec may have on bandwidth usage. We use QoS on the LAN for VoIP so I'm interested in how the IPSec traffic will be classed.

--Brian

Reza Sharifi
Hall of Fame Expert

Brian,

Have a look at this document on QoS design over IPsec tunnels.

It also goes over IPsec with GRE tunnels and the amount of overhead for each protocol.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp67849

HTH

Reza

Hi,

According to the link below, approximately 58 additional bytes are added to every encrypted packet.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

When configuring QoS you can use the pre-classify command for encrypted traffic:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfvpn.html

Please remember to rate all posts that are helpful.
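As an added worked example (not from the thread or from the Cisco documents linked above), here is a small model of ESP per-packet overhead. It shows how the figure depends on mode, cipher block size and padding, why GRE adds to it, and why a roughly fixed overhead costs small voice packets proportionally far more bandwidth than large video packets. The cipher/hash profiles and the 200-byte voice and 1400-byte video sample sizes are assumptions.

```python
from dataclasses import dataclass

# Standard ESP/IPv4/GRE field sizes (IPv4 without options, GRE without key/seq).
IPV4_HEADER = 20
GRE_HEADER = 4
ESP_HEADER = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)

@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int        # CBC IV: 8 bytes for 3DES, 16 for AES
    block_size: int    # cipher block size: 8 for 3DES, 16 for AES
    icv_len: int       # HMAC-SHA1-96 / HMAC-MD5-96 ICV is 12 bytes
    tunnel_mode: bool  # tunnel mode adds a new outer IPv4 header
    gre: bool = False  # GRE-over-IPsec: GRE + delivery IP header before ESP

# Assumed profiles for the comparison (not taken from the thread).
TDES_TUNNEL = EspProfile("3DES/SHA1 tunnel", 8, 8, 12, True)
TDES_TRANSPORT = EspProfile("3DES/SHA1 transport", 8, 8, 12, False)
AES_TUNNEL = EspProfile("AES-128/SHA1 tunnel", 16, 16, 12, True)
GRE_TDES_TRANSPORT = EspProfile("GRE + 3DES/SHA1 transport", 8, 8, 12, False, gre=True)

def esp_overhead(ip_len: int, p: EspProfile) -> int:
    """Bytes added to an original IPv4 packet of ip_len bytes."""
    extra = GRE_HEADER + IPV4_HEADER if p.gre else 0   # GRE encapsulation first
    inner = ip_len + extra
    # Transport mode protects only what follows the (outermost) IP header;
    # tunnel mode protects the entire inner packet.
    protected = inner if p.tunnel_mode else inner - IPV4_HEADER
    # ESP pads so that payload + pad + trailer is a multiple of the block size.
    pad = (-(protected + ESP_TRAILER)) % p.block_size
    total = extra + ESP_HEADER + p.iv_len + pad + ESP_TRAILER + p.icv_len
    if p.tunnel_mode:
        total += IPV4_HEADER
    return total

def bandwidth_multiplier(ip_len: int, p: EspProfile) -> float:
    """On-the-wire bytes after ESP divided by original bytes (1.0 = no growth)."""
    return (ip_len + esp_overhead(ip_len, p)) / ip_len

if __name__ == "__main__":
    # Constructed sample sizes: 200-byte G.711 voice packet, 1400-byte video packet.
    for size in (200, 1400):
        for prof in (TDES_TUNNEL, TDES_TRANSPORT, AES_TUNNEL, GRE_TDES_TRANSPORT):
            print(f"{size:5d}B {prof.name:28s} +{esp_overhead(size, prof):2d}B "
                  f"x{bandwidth_multiplier(size, prof):.3f}")
```

For the 3DES/SHA1 tunnel profile a 200-byte voice packet grows by 28% while a 1400-byte video packet grows by 4%, which is the reason the QoS design for voice has to budget the overhead per packet rather than as a flat percentage.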

hobbe
Rising star

Hi

I am not sure I understand your problem.

You have a DVR (= digital video recorder?) and you have 10 PCs that you need to connect to that DVR.

Is it rules and regulations that state that you need to use IPsec, or is it that the DVR does not support any other means of communication?

If it is rules and regulations, then the question becomes whether the DVR supports IPsec or whether you need to have a device in front of the DVR that can transform the traffic from IPsec to unencrypted traffic, such as a 5505 or something similar in function.

If it does not support any other means of communication, then there should be an IPsec client available for each of the units that are supposed to be able to attach to it.

I have done some solutions like this, but in the end we set up firewalls and made IPsec tunnels between the central site and the satellite sites, due to the fact that we could not protect the PCs adequately otherwise.

So basically we just use the LAN as a transport network.

We had no direct performance impact or problems with regard to the IPsec.

However, the firewalls cost some, but the customer thinks it was worth it, and in their situation I would too.

Good luck

HTH