Switch to switch encryption over a leased fiber line info needed (MACsec)

pcweber
Level 1

We have a security requirement to encrypt the data flow to our DR location and the storage vendor does not do so in the replication traffic process. I have been asked to look into encrypting the traffic at the switch level. I have read that MACsec can do so. I have a few questions.


1. Do I have to place the 2 switches at the extreme edge where the connection is at each side?


2. If the answer to question #1 is no, can the MACsec switches be deeper in the network on each side behind multiple standard Layer II switches that do not support MACsec and the encrypted traffic will be passed?


3. If I have to place them at the edge and it encrypts all traffic, does adding this encryption cause any noticeable decrease in data throughput for replication? We have a 1GB link and other folks replicating data have a clear sense of replication performance now. 

5 Replies

Reza Sharifi
Hall of Fame

For questions 1 and 2, you don't have to put it at the edge. You can put it deeper in the network, but every device has to support encryption.

For question 3, you would have to test it to see the impact. Throughput, latency and high CPU may not be a concern when using larger chassis-based switches, but you may see more impact on smaller switches.

The other option would be to build an IPsec tunnel between two endpoints, but that is mainly a function of routers and not so much switches.

HTH 
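Added example (not from the thread or any vendor documentation): a back-of-the-envelope calculator for the per-frame header overhead each option adds on the 1 Gb link from question 3, comparing MACsec on the switch path against a GRE-over-IPsec tunnel between edge routers carrying the 802.1Q frames. Assumptions are MACsec with an explicit SCI, ESP tunnel mode with AES-GCM, and tagged frames with the FCS stripped before tunnelling; it estimates only encapsulation overhead, not the CPU or latency impact the reply above says has to be measured.

```python
LINK_BPS = 1_000_000_000  # the 1 Gb/s replication link mentioned in the thread
PREAMBLE_SFD_IFG = 20     # 7 B preamble + 1 B SFD + 12 B inter-frame gap
ETH_HDR, DOT1Q, FCS = 14, 4, 4
MACSEC_SECTAG, MACSEC_ICV = 16, 16   # SecTAG with explicit SCI (8 B without), 16 B ICV
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV = 8, 8, 2, 16  # ESP + AES-GCM (assumed suite)
OUTER_IPV4, GRE_HDR = 20, 4          # GRE inside ESP carries the bridged tagged frame


def gre_ipsec_outer_ip_bytes(payload: int) -> int:
    """Size of the outer IPv4 packet produced when one tagged frame is tunnelled."""
    inner = ETH_HDR + DOT1Q + payload          # original 802.1Q frame, FCS stripped
    esp_body = GRE_HDR + inner + ESP_TRAILER
    esp_body += (-esp_body) % 4                # ESP pads the body to 4-byte alignment
    return OUTER_IPV4 + ESP_HDR + ESP_IV + esp_body + ESP_ICV


def wire_bytes(payload: int, method: str) -> int:
    """Bytes one frame with `payload` data bytes occupies on the wire."""
    if method == "plain":
        frame = ETH_HDR + DOT1Q + payload + FCS
    elif method == "macsec":
        # Hop-by-hop: SecTAG follows the MAC addresses, ICV precedes the FCS
        frame = ETH_HDR + MACSEC_SECTAG + DOT1Q + payload + MACSEC_ICV + FCS
    elif method == "gre_ipsec":
        frame = ETH_HDR + gre_ipsec_outer_ip_bytes(payload) + FCS
    else:
        raise ValueError(f"unknown method {method!r}")
    return PREAMBLE_SFD_IFG + frame


def goodput_mbps(payload: int, method: str) -> float:
    """Best-case data rate (Mb/s) if the link is saturated with frames of this size."""
    return LINK_BPS * payload / wire_bytes(payload, method) / 1e6


def fits_wan_mtu(payload: int, mtu: int = 1500) -> bool:
    """True if the tunnelled packet crosses the WAN without fragmentation."""
    return gre_ipsec_outer_ip_bytes(payload) <= mtu


if __name__ == "__main__":
    print(f"{'payload':>8} {'plain':>8} {'macsec':>8} {'gre+ipsec':>10}  outer fits 1500?")
    for payload in (46, 512, 1400, 1500):  # constructed sample frame sizes
        rates = [goodput_mbps(payload, m) for m in ("plain", "macsec", "gre_ipsec")]
        print(f"{payload:>8} {rates[0]:>8.1f} {rates[1]:>8.1f} {rates[2]:>10.1f}"
              f"  {fits_wan_mtu(payload)}")
```

The last column shows the practical catch with the router option: full-size 1500-byte frames no longer fit a 1500-byte WAN MTU once encapsulated, so either the WAN must accept larger frames or the inner MTU must be lowered.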

Yeah, it may be simpler just to use a couple of routers at the edge and set up an IPsec tunnel.

Yes, that is a lot simpler than running MACsec on every device.

HTH

Is L2TP another way to do this?

So then can I place a router on each edge to create an IPSEC tunnel and extend 802.1q VLAN over Layer 2 end to end? Everything I google responds with Ipsec over Layer 3. This is a Layer 2 extension of our network to a DR facility over VPLS and the same VLANs/ networks are at DR. If so, can someone suggest a link to doing so or the basic terms to research?