Dividing ISL trunk problem

Unanswered Question

I have a network design issue to solve and need some help. Current network uses ISL to trunk VLANs between two sites. Some encryption devices need to be installed that do not understand ISL (or BPDUs for that matter). I need to split the ISL, or tunnel it, so that the inside devices cannot see the L2 stuff but the end devices can still communicate. Any ideas?


Regards ... John

lee.reade Wed, 07/16/2008 - 07:15

Hi,


Can you not do the encryption before the ISL tag gets added?


Best practice for encryption is for it to be done end-to-end, i.e. as close to the source of the data as possible.


HTH


LR

Hi, Thanks for replying!


Ordinarily, I would agree with you, but the end customer only wants the link segments encrypted. I am currently looking into 802.1Q tunneling. Is this usable on 2960 switches, and are there any gotchas to watch out for? Topology is actually 4 switches and two links in a redundant loop between the sites. Keeping STP running would be nice (-:


Regards ... John

lee.reade Wed, 07/16/2008 - 07:34

Hi,


Yes, you could use 802.1Q instead of ISL; this is the standard method of doing trunking anyway.


You can do 802.1Q on almost all Cisco switches, as it's the industry standard, so it has to be supported for compatibility with 3rd party equipment.


Obviously the encryption devices will need to support 802.1Q.


HTH


LR

slaterc Wed, 07/16/2008 - 23:44

Hi Josh


I had to solve a very similar problem to yours, and the solution I came up with was to use L2TPv3 (Layer 2 Tunnelling Protocol) over IPsec. I used the same device (a pair of old 1700 series routers at each end) to create both the L2 tunnel and the IPsec tunnel, but in your case you are using a separate device to do the encryption. You just need to create the L2 tunnel between 2 devices which are on the unencrypted side at each end. You need to ensure that the 2 devices can route to each other.
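The L2TPv3 approach described in the reply above, written out as an added IOS configuration example for one of the two inter-site links. This is not configuration from the original thread or from any of the posters; hostnames, interface names, the loopback and link addresses, the VC ID and the shared secret are all assumptions chosen for illustration. The router's FastEthernet0/0 is the attachment circuit plugged into the site switch's trunk port, FastEthernet0/1 faces the unencrypted side of the encryptor, and the encryptor is assumed to be a transparent bump-in-the-wire so that the far router's FastEthernet0/1 is the IP next hop. The second link gets the same configuration on a second pair of routers with its own VC ID.

```cisco
! R1, site A side of link 1 (hypothetical names and addresses)
hostname R1
!
! L2TPv3 control channel: authenticate the peer with a shared secret
l2tp-class L2TP-CLASS
 authentication
 password L2tpSharedSecret
 hello 10
!
! Pseudowire template: L2TPv3 encapsulation, source the tunnel from Loopback0
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Towards the encryptor: an ordinary routed link. The only thing that
! crosses the encryptor is IP between the two loopbacks (IP protocol 115,
! L2TPv3 over IP), so it never sees ISL, 802.1Q tags or BPDUs.
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.252
!
! Towards the site switch: attachment circuit. No IP address; every frame
! received on this port (tagged trunk frames, STP BPDUs, CDP) is carried
! across the pseudowire unchanged, so the two switches still see one L2 link
! and STP keeps running over the redundant loop.
interface FastEthernet0/0
 no ip address
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! Reach the far loopback through the encrypted link (assumes a transparent
! encryptor; with an L3 encryptor the next hop is its inside address instead)
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
! ------------------------------------------------------------------
! R2, site B side of link 1: mirror image, same VC ID 100
hostname R2
!
l2tp-class L2TP-CLASS
 authentication
 password L2tpSharedSecret
 hello 10
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/0
 no ip address
 xconnect 10.255.0.1 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
ip route 10.255.0.1 255.255.255.255 192.0.2.1
```

Check the session with `show l2tp session` and `show xconnect all` on either router; on the switches, `show spanning-tree` should show the port facing the router as a normal STP port with the far switch's BPDUs arriving through the pseudowire. Two caveats a deployment should verify: first, L2TPv3 adds an outer IP header plus the L2TPv3 session header to every frame, and the encryptor adds its own overhead on top, so the path MTU between the routers must accommodate full-size trunk frames (consider `ip pmtu` in the pseudowire-class, or a larger MTU on the encryptor-facing links); second, ISL frames are up to 30 bytes longer than standard Ethernet frames (26-byte header plus 4-byte trailing CRC), so confirm that the attachment-circuit interface accepts them, or convert the switch trunks to 802.1Q before putting the routers in.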


