L2 Encryption of an 802.1q Trunk

Unanswered Question
Jul 14th, 2009

This question was posed to me at a cocktail party and I didn't know the answer.

This guy has a site in San Jose and one in Phoenix. He's doing clustering for an Exchange server and the version he says requires the cluster members be on the same vlan. So his plan is to have a VLAN span two physical locations - SJ and PHX. Actually he'd be trunking a couple of VLANs between the sites. He has a private 100Mbps fiber line between the sites. Now he wants to encrypt the trunk so all VLANs that go over the fiber get encrypted.

I told him I'd upgrade the OS version and use different subnets at each site. But he's intent on this method. How would you go about encrypting/decrypting this L2 trunk??

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mchin345 Mon, 07/27/2009 - 13:27

The Catalyst 6500 VPN service module has two Gigabit Ethernet (GE) ports with no externally visible connectors. These ports are addressable for configuration purposes only. Port 1 is always the inside port. This port handles all traffic from and to the inside network. The second port (port 2) handles all traffic from and to the WAN or outside networks. These two ports are always configured in 802.1Q trunking mode. The VPN service module uses a technique called Bump In The Wire (BITW) for packet flow.

Packets are processed by a pair of VLANs, one Layer 3 (L3) inside VLAN and one Layer 2 (L2) outside VLAN. The packets, from the inside to the outside, are routed through a method called Encoded Address Recognition Logic (EARL) to the inside VLAN. After encrypting the packets, the VPN service module uses the corresponding outside VLAN. In the decryption process, the packets from the outside to the inside are bridged to the VPN service module using the outside VLAN. After the VPN service module decrypts the packet and maps the VLAN to the corresponding inside VLAN, EARL routes the packet to the appropriate LAN port. The L3 inside VLAN and the L2 outside VLANs are joined together by issuing the crypto connect vlan command. There are three types of ports in the Catalyst 6500 series switches:

Routed ports-By default all Ethernet ports are routed ports. These ports have a hidden VLAN associated with them.

Access ports-These ports have an external or VLAN Trunk Protocol (VTP) VLAN associated with them. You can associate more than one port to a defined VLAN.

Trunk ports-These ports carry many external or VTP VLANs, on which all packets are encapsulated with an 802.1Q header


This Discussion