Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1667
Views
0
Helpful
3
Replies

Layer 2 VPN - Cat6509

feliperodero
Community Member

‎01-18-2005 04:04 AM

Is it possible to encrypt a link between 2 Cat6509 belonging to the same LAN (only VLAN 1) without using MPSL ?

We need to create like a VPN (encrypted link) between 2 Cat6509 (using a fiber link) with same addressing (in a flat LAN - no layer 3). What are alternatives ?

1.- Evolve to a Layer 3 architecture and implement VPNs.

2.- MPLS ?

3.- ????

any more ?

(we can have Firewall and VPN module in our Cat6509)

Reading literature we don't find any other alternative.

Thanks

Labels:
0 Helpful
3 Replies 3

ehirsel
Level 11
Level 11

‎01-18-2005 11:02 AM

What would the reason for encrypting be? On a layer 2 level, security best practices suggest that you do not use vlan 1 for any reason. Assuming your fiber links between the 6509s are already in place and are configured as trunk links (even if you are only using one vlan for now), you may be better off doing this:

1. Remove every device off of vlan 1.

2. Define two new vlans: one as a management vlan and one dummy vlan.

3. Make the mgmt vlan the native vlan on the 6509-to-6509 trunk links

4. Place all unused ports in the dummy vlan.

Doing this will insure that no end-station can perform vlan-jumping attacks on the trunk ports.

Let me know if this is of any help.

0 Helpful

feliperodero
Community Member
In response to ehirsel

‎01-18-2005 11:34 PM

Thanks for your information.

But we need to encrypt because we are using a "black fiber" and distance between Cat6509 is around 40 Km ... so fiber is crossing public space. For this reason we would like to encrypt data between 2 Cat6500. I know it's difficult to "sniff" in a fiber but ..... !!!

0 Helpful

ehirsel
Level 11
Level 11
In response to feliperodero

‎01-19-2005 06:21 AM

I believe that you will need to define that 6509-to-6509 connection as a layer 3 one, and implement an IPSec vpn for the two devices to talk. That would mean reworking your ip network topology, to use two subnets, one subnet for each vlan. The devices off of one 6509 would need to see the 6509 as their default gateway, and the devices on the other would need to be moved to a different vlan and use that 6509 as their default gateway.

Let me know if you need more assistance.

0 Helpful
Customers Also Viewed These Support Documents