[c-nsp] Transparent WAN Encryption
cnsp at marenda.net
cnsp at marenda.net
Sun Feb 2 17:01:38 EST 2014
Many of those devices think that the WAN "Ethernet" is bit-transparent, not packet-oriented, with unlimited MTU...

In reality, those "Ethernet" links are MTU-limited, often with an "Ethernet" MTU of just 1500, or sometimes plus 1 or 2 VLAN tags. Full stop. No space for additional information, encryption headers, etc., or for "jumbo frames" found in iSCSI etc. applications.

BUT you need your Ethernet crypto device to solve this, so when my switches on both ends have an MTU of 9216 bytes, I would like the crypto device to transport this even over the "Ethernet" link with an MTU of 1371.

Very few of the products solve that, so take care in selecting your product. "Simple" products think that you own a dark fibre where they can do anything, but in reality you just have a packet-switched link with singlemode fibres on both ends.
> I'm looking for the simplest way to do it. Most customers have L2
> connections between Data Centers. The edge device controlled by the
> customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN,
> FlexVPN, and so on, need a router in the edge. This implies modification
> of the customer's topologies. L2 encryption seems the perfect solution
> and it seems there are several options on the market.
You can use Cisco "routers" to build an encrypting, transparent Ethernet link, bridging every packet including STP, CDP, LLDP ... It needs some CPU on the router, which sets the limits, but this works well, even with limited links.
> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoares at netcabo.pt
> http://www.ccie18473.net
>
>
>
> -----Original Message-----
> From: Jeff Orr [mailto:jorr at communicorr.com]
> Sent: domingo, 2 de Fevereiro de 2014 17:25
> To: Antonio Soares
> Cc: <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Transparent WAN Encryption
>
> If you are using a private MPLS (i.e. not over the Internet) & have Cisco
> CE routers, consider GETVPN.
>
> For the reasons you mentioned, we as a customer went this direction.
> We needed to ensure our WAN (150 sites/multiple data centers) traveling
> across a variety of links/providers including DS1/DS3/Metro-E is
> secure.
>
> It has really scaled & worked well. GETVPN is VRF aware & can function
> on the PE side as well.
>
> -jeff
>
> Sent from my AT&T iPhone
>
> > On Feb 1, 2014, at 9:16 PM, Antonio Soares <amsoares at netcabo.pt> wrote:
> >
> > Hello group,
> >
> > Service Provider WAN links are not secure anymore and I have more and
> > more enterprise customers asking for transparent WAN encryption solutions.
> > I came across these two products:
> >
> > EncryptTight:
> >
> > http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119
> >
> > TrustNet:
> >
> > http://www.certesnetworks.com/securitysolutions/wan-encryption.html
> >
> > Does anyone have experience with these products? This seems the ideal solution.
> > The networks remain exactly the same as they were, we simply add these
> > devices to do their job.
> >
> > Thanks.
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (RS/SP)
> > amsoares at netcabo.pt
> >
> > http://www.ccie18473.net
> >
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
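The MTU point made at the top of this thread (a transparent encryptor on a carrier "Ethernet" with a 1371-byte MTU, customer switches at 9216, and every byte of VLAN tag or crypto header eating into the budget) is easy to get wrong when evaluating a product. The following frame-budget calculator is an added example written for this archive page; it is not code from the thread, from Cisco, or from any encryptor vendor. The per-frame crypto overhead and the per-fragment reassembly header sizes are assumptions passed in by the caller, not figures for any real product.

```python
"""Frame-size budget for a transparent L2 encryptor over an MTU-limited WAN.

Added example for the thread above; the overhead values are assumptions,
not measurements of any vendor's device.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkBudget:
    # Largest L2 payload the carrier link actually forwards (e.g. 1371 or 1500).
    wan_mtu: int
    # Number of 802.1Q tags (4 bytes each) the carrier passes on top of wan_mtu.
    vlan_tags: int = 0
    # Bytes the encryptor adds per frame (header + trailer/ICV). Assumed value.
    crypto_overhead: int = 0

    def payload_per_wan_frame(self) -> int:
        """Customer bytes that fit in one carrier frame after tags and crypto overhead."""
        usable = self.wan_mtu + 4 * self.vlan_tags - self.crypto_overhead
        if usable <= 0:
            raise ValueError("crypto overhead alone exceeds the WAN MTU")
        return usable

    def fits_without_fragmentation(self, customer_frame: int) -> bool:
        """True if a customer frame of this size crosses the WAN in one piece.

        A 'dark-fibre' style encryptor that never fragments will silently
        drop (or the carrier will discard) anything for which this is False.
        """
        return customer_frame <= self.payload_per_wan_frame()

    def fragments_needed(self, customer_frame: int, frag_header: int = 0) -> int:
        """Carrier frames needed for one customer frame when the encryptor
        fragments and reassembles. frag_header is the per-fragment
        sequencing/reassembly header (assumed size)."""
        per_fragment = self.payload_per_wan_frame() - frag_header
        if per_fragment <= 0:
            raise ValueError("fragment header leaves no room for payload")
        return math.ceil(customer_frame / per_fragment)


def plan(customer_mtu: int, budget: LinkBudget, frag_header: int = 0) -> dict:
    """Summarise what a given encryptor/link combination does with the customer MTU."""
    fits = budget.fits_without_fragmentation(customer_mtu)
    return {
        "usable_payload": budget.payload_per_wan_frame(),
        "fits": fits,
        "fragments": 1 if fits else budget.fragments_needed(customer_mtu, frag_header),
    }


if __name__ == "__main__":
    # Scenario from the thread: 9216-byte switches, 1371-byte carrier MTU.
    # Crypto overhead of 32 and an 8-byte fragment header are constructed values.
    carrier = LinkBudget(wan_mtu=1371, crypto_overhead=32)
    print("9216 over 1371:", plan(9216, carrier, frag_header=8))

    # The common trap: a 1500-byte carrier MTU with no tag slack cannot even
    # carry a full 1500-byte customer frame once the crypto header is added.
    plain_1500 = LinkBudget(wan_mtu=1500, crypto_overhead=32)
    print("1500 over 1500, no slack:", plan(1500, plain_1500, frag_header=8))

    # Two VLAN tags of slack (1508) still do not cover a 32-byte crypto header.
    tagged_1500 = LinkBudget(wan_mtu=1500, vlan_tags=2, crypto_overhead=32)
    print("1500 over 1500+2 tags:", plan(1500, tagged_1500, frag_header=8))
```

Run it as-is to see the three scenarios; the useful checks when evaluating a product are whether `fits` is False for your normal 1500-byte traffic (which means the device must fragment or the link will drop frames) and how many carrier frames a jumbo frame turns into, since that multiplies the packet rate the encryptor and the carrier have to handle.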