ok, thanks ,

all clear, i guessed already that I would have to go for the routers.

I have to look for appropiate sizing, since the customers is using 12Gbit over this connection.

What??? 12Gbit??? What kind of link are they using?

I could probably get you a 10Gbit encrypted line with several VLAN's like this.

On each side:

One 6513 with 2xSup720-3B supervisor (should have some level of redundancy).

Ten WS-SVC-IPSEC-1 modules to give ~13Gbps IPSec 3DES throughput

One WS-X6704-10GE module to give 10Gb interfaces

One XENPAK-10GB-ER 10GbE Extended Reach module for up to 40km

One XENPAK-10GB-SR 10GbE for connecting to your local equipment.. :)

And run IPSec-protected MPLS-VPN over the link...

With this setup I think you could provide an encrypted 10Gb link which could transport any VLAN's you want.. and should do it transparently, though it hasn't got support for transporting a 802.1Q directly yet.

Note: I haven't tested all of this yet, and it should probably be tested on a smaller scale before you go out and buy the equipment.. :)

yes, it really is 12 Gbit ( that is waht the customers says ).

How about those ONS optical boxes , do they have encrytion capabilitys

p.s. I haven't been to this customer yet, so I have no exact setup of the equiment

p.s.2 The customers says QUOTE " MONEY IS NO CONCERN " :) :)

Unless you have two fiber pairs for this, I can't see how they are running 12Gbit... Unless they are summarizing the rx and tx (full-duplex). Some marketing-departments like to do this.. :)

The ONS's doesn't have any security-services no..

Cisco has 'just' introduced the 40Gbit interface (OC-768c/STM-256c) which is available on the CRS-1 platform, but they only have the Short Range version as of now... If they had a ER/ZR-version of this interface, then I could have put together a nifty system... :)

Something like this:

One CRS-1 8-slot system

One CRS-8-RP Route Processer

One CRS-8-RP/R Redundant Route Processor

Two CRS1-SIP-800 slots with ten SPA-IPSEC-2G IPSec modules

One 8-10GBE 8-port 10GbE slot with CRS-XENPAK-10GB-LR optics for local connections

One 1OC768-POS-ER 40Gbps POS interface Extended Reach (which doesn't exist yet).

And if you don't have 10GbE available on the end-equipment, you'll need a C6509-system almost like the one I mentioned (and as specified lower down in this reply).

But... as the ER-version doesn't exist, it's not possible yet..

If the customer really doesn't have any concern about the money, why not order a second fiber-pair and run 2x10GbE?

Well, I found a new way to do it.. let a ONS15540 do some DWDM magic and provide the 65xx-switch with two 10GbE connections:

At each side you'll need something to take care of the IPSec:

One 6509 chassis with two Sup720-3B supervisors

Five SPA-IPSEC-SSC4-2 bundle-slots (for a total of 16Gbps IPSec at Imix-traffic)

One WS-X6704-10GE module to give four 10Gb interfaces:

- Two XENPAK-10GB-LR 10GbE modules to connect to the ONS

- Two XENPAK-10GB-SR 10GbE for connecting to your local equipment.. :)

This'll give you two spare slots for more interface/servicemodules as well.. :)

And then you'll need something like this to mux the channels over the fiber-pair (at each location):

One ONS 15540 ESPx Extended services platform with all the doo-hickeys it needs to operate

Two 15540-10GE-03B3xy 10GbE SM transponders with SC channel = xy (must be chosen correctly)

And then you'll have lot's of colors left to do other stuff over the fiberpair.. :)

Well.. this was fun... are you sure money is still no concern?