Dividing ISL trunk problem

josh
Level 1

I have a network design issue to solve and need some help. Current network uses ISL to trunk vlans between two sites. Some encryption devices need to be installed that do not understand ISL (or BPDUs for that matter). I need to split the ISL, or tunnel it, so that the inside devices cannot see the L2 stuff but the end devices can still communicate. Any ideas?

Regards ... John

7 Replies

lee.reade
Level 4

Hi,

Can you not do the encryption before the ISL tag gets added?

Best practice for encryption is for it to be done end-to-end, i.e. as close to the source of data as poss.

HTH

LR

Hi, Thanks for replying!

Ordinarily, I would agree with you but the end Customer only wants the link segments encrypted. I am currently looking into 802.1Q tunneling. Is this usable on 2960 switches and are there any gotchas to watch out for? Topology is actually 4 switches and two links in a redundant loop between the sites. Keeping STP running would be nice (-:

Regards ... John

Hi,

Yes, you could use 802.1q instead of ISL; this is the standard method of doing trunking anyway.

You can do 802.1q on almost all Cisco switches, as it's the industry standard so it has to be supported for compatibility with 3rd party equipment.

Obviously the encryption devices will need to support 802.1q.

HTH

LR

Yep, that's the problem. Cryptos do not natively support dot1Q so I was hoping to use dot1Q tunneling over an un-tagged link where the cryptos sit in the un-tagged bit. No challenge there then (-;

S'pose the first question is do 2690 switches support Dot1Q tunneling?

Hmmm

Hi,

No they do not, I'm afraid.

LR

Hi Josh

I had to solve a very similar problem to yours, and the solution I came up with was to use L2TPv3 (layer 2 tunnelling protocol) over IPSEC. I used the same device (a pair of old 1700 series routers at each end) to create both the L2 tunnel and the IPSEC tunnel, but in your case you are using a separate device to do the encryption. You just need to create the L2 tunnel between 2 devices which are on the unencrypted side at each end. You need to ensure that the 2 devices can route to each other.

Thanks Chaps,

I believe that my best option is to offer the Customer two choices:

1. Buy some routers and use L2TPv3

2. Upgrade the switches and use 802.1Q tunneling.

All the best ... Josh
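For readers weighing the two options above, here is an added configuration sketch that is not from the thread or from any of its posters. It shows option 1 (an L2TPv3 port-mode pseudowire between a pair of routers, as in the earlier reply) and option 2 (802.1Q tunnel ports on a switch that supports them). All addresses, interface names, VLAN numbers and the pseudowire id 100 are assumptions; check the exact syntax against the IOS release on your platform.

```cisco
! ===== Option 1: L2TPv3 pseudowire (one router at each site, site A shown) =====
! The crypto device sits between Fa0/1 and the WAN. It only ever sees plain IP
! (L2TPv3 is IP protocol 115), so the ISL/802.1Q tags and BPDUs it cannot parse
! stay inside the tunnel. The IPsec policy on the crypto must permit protocol 115.
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255      ! assumed tunnel endpoint, site A
!
interface FastEthernet0/0
 description Trunk from site A switch (whole port is cross-connected)
 no ip address
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
interface FastEthernet0/1
 description To crypto device, unencrypted side
 ip address 192.0.2.1 255.255.255.252      ! assumed
!
ip route 10.255.0.2 255.255.255.255 192.0.2.2  ! far end loopback via the crypto path
!
! Site B mirrors this with Loopback0 10.255.0.2 and "xconnect 10.255.0.1 100 ...".
! Port-mode xconnect forwards every frame on Fa0/0 transparently, so STP BPDUs
! from both sites' switches cross the pseudowire and the redundant loop stays
! protected by STP.

! ===== Option 2: 802.1Q tunnel (dot1q-tunnel) ports, switch at each site =====
! Requires a platform with dot1q-tunnel support (not the 2960, per the thread).
! The customer-facing ISL/802.1Q trunk is encapsulated in a single outer VLAN;
! the link toward the crypto carries only that outer tag (or none, if it is the
! native VLAN), and l2protocol-tunnel carries STP through the tunnel.
!
vlan dot1q tag native
!
vlan 900
 name OUTER-TUNNEL-VLAN                    ! assumed outer VLAN
!
interface GigabitEthernet0/1
 description Tunnel port facing the inner trunk from the site switch
 switchport access vlan 900
 switchport mode dot1q-tunnel
 l2protocol-tunnel stp
!
interface GigabitEthernet0/2
 description Link toward crypto device / far site
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 900
 switchport mode trunk
```

The security point for either design is the same: the crypto device is placed where it sees only traffic it can parse (IP for option 1, a single-VLAN Ethernet link for option 2), and everything it must not inspect or drop, including BPDUs, is carried inside that encapsulation. Verify after deployment with `show xconnect all` (option 1) or `show dot1q-tunnel` and `show l2protocol-tunnel` (option 2), and confirm on the crypto device that IP protocol 115 is not being filtered.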
