[c-nsp] Link encryption and scalability kit etc

Darin Herteen synack at live.com
Fri May 6 14:21:00 EDT 2016


I believe the overhead is 40 bytes or less for L2 MTU.


I don't have support matrix information. I basically referred to a breakout session from Cisco Live and the following link and took it from there:


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf


Darin




________________________________
From: Nick Cutting <ncutting at edgetg.com>
Sent: Friday, May 6, 2016 1:00 PM
To: Darin Herteen; cisco-nsp at puck.nether.net; Saku Ytti
Subject: RE: Link encryption and scalability kit etc


MacSec looks interesting - what kind of overhead does it add?



Would it generally work through a L2 MPLS circuit MTU wise?



Also - is there a feature support matrix anywhere for this?



From: Darin Herteen [mailto:synack at live.com]
Sent: Friday, May 6, 2016 1:57 PM
To: Nick Cutting; cisco-nsp at puck.nether.net
Subject: Re: Link encryption and scalability kit etc



I'm currently testing MACSec using Cisco 3560-CX in the lab in a Switch-to-Switch manual deployment and so far so good. If you don't want to get elaborate, the price point might be attractive.

Darin
________________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Nick Cutting <ncutting at edgetg.com>
Sent: Friday, May 6, 2016 12:13 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Link encryption and scalability kit etc

Link encryption and scalability kit etc

We have many clients connecting back to our DC using mostly 3rd party L2 circuits.
There has been an increasing number of requests to encrypt these links - as they want to protect against the "possibly many" service providers that are in the transit path.

Management suggested firewalls (Cisco only, no routed VPNs) - but I have two issues with this - no routing protocols, and no VRFs on our Data Center end to terminate at a larger device.

I was thinking of little routers capable of encrypting 1 VTI tunnel @100 meg on the client side, and an ASR1k would fit the bill on the DC end - and maybe would suffice for 30 or so P2Ps if it was connected back to our core at 10G, but these are too expensive for the MGT team.

What other technologies/products could I consider at either end, that are available in the enterprise space?

Any direction greatly appreciated,
Nick