MetroE Security across link

Unanswered Question
Sep 14th, 2009

We are going to be implementing EVPL from our carrier soon.

We will have some sensitive data go across the layer 2 link, but it needs to be on the same VLAN on both sides.

We will trunk this VLAN.

What can be done to enhance the security across the trunk as far as preventing hackers from getting to the traffic?

Such as VPN encryption across layer 2?

What do people do to encrypt data across MetroE?

wilson_1234_2 Mon, 09/14/2009 - 14:48

How would I use IPSEC on a trunked VLAN?

Can it be configured from a 6509 to a 3750?

Joseph W. Doherty Mon, 09/14/2009 - 17:40

If it's just some sensitive data, you might encrypt host-to-host or send data as encrypted file(s).

If your security encompasses concern about being "hacked" across a non-public WAN (e.g. EVPL), then you might want to be as concerned about the data between hosts and the WAN demarcs.

Even on the Internet, and with all the hoopla about using encryption across it, hosts are really more the target of a hacker than transit traffic, unless transit traffic has host access security keys that are easy to crack or in clear text.

Don't misunderstand, I don't intend to imply encryption across a network doesn't have value, just that the difficulty of "hacking" a private WAN might make it more secure than your internal LAN, and unless you also consider end-to-end (host-to-host) encryption, encrypted file systems, and secured/hardened servers, etc., WAN encryption alone might provide a false sense of security.

However, in answer to your questions, I would suspect you might need a special appliance to support some sort of transparent encryption across L2.

As to your question about MetroE, if it were L3 rather than L2, then you likely could support it across a logical VPN L3 link.

wilson_1234_2 Mon, 09/14/2009 - 19:59

Thanks Joseph,

We are a financial organization and the data is the host and backup host.

The data being transferred is the host data being copied to the backup host once a night.

This is only part of what is going across, but the security guy was concerned that someone may be able to span one of the provider's ports and steal the information.

I don't think it is something to really worry about myself.

We currently have DS3s to the DR site and are moving to the EVPL.

We could link a gigabit ethernet port on the router via subinterfaces and trunk the needed vlans and route the rest on a trunked vlan couldn't we?

But, I was liking the idea of connecting the switches via layer 2 as being cleaner and more efficient.

Another thing to consider also is losing the qos capability with the switches.

Joseph W. Doherty Tue, 09/15/2009 - 04:06

Well, your security guy is right to worry, but again I would expect the risk to be small. Security people sometimes overlook the cost to implement and support security vs. the value of what's being protected. They also sometimes have tunnel vision where they worry, perhaps excessively, about one threat vector, possibly leaving others.

Perhaps you might be able to use a routed interface with subinterfaces, but as to the advantage of using L2 between sites, I would recommend L3 (on L3 switches). (One WAN L2 "advantage" is for those who don't have L3 switches, just L2 switches.) Assuming your DS3 is currently routed, it's unclear, to me, why L2 would be cleaner and more efficient. (You can usually treat the L2 WAN similar to an Ethernet link that you route across.)

It's also unclear to me why you would lose QoS. If the concern is the EVPL only supports L2 CoS, you should be able to set it on a L3 switch as you place frames on the transit L2 path.

wilson_1234_2 Tue, 09/15/2009 - 04:22

Thanks Joseph,

We currently have 2 DS3s routed to the other site, we are replacing that with 100Mbps EVPL, as the EVPL is less cost than one of the DS3s.

We have layer three switches on both ends.

The routers are currently bridging a couple of the VLANs and routing the rest between the two sites.

When we get the EVPL, I liked the idea of connecting the two links directly to the switches, rather than go through the router with subinterfaces, then to the switches.

Can you explain this:

"It's also unclear to me why you would lose QoS. If the concern is the EVPL only supports L2 CoS, you should be able to set it on a L3 switch as you place frames on the transit L2 path."

What I was going to do is trunk the subnets that are currently being bridged, and on a separate VLAN as shown below from a previous post:

"The provider will give you a Layer 2 handoff with a customer VLAN.

On the ISP-facing interface, you can configure a trunk with the customer VLAN being the native VLAN.

For instance; customer VLAN 100

interface fx/x
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport trunk allowed vlan 100,101

The 101 VLAN can be the VLAN where you create the p-t-p link for this MetroE, so in your switches create VLAN 101 on L2 and L3 and assign the L3 address as a /30 subnet.

For instance:

Main Site

interface vlan 101
 ip address 10.101.1.1 255.255.255.252

Remote Site

interface vlan 101
 ip address 10.101.1.2 255.255.255.252

Then you can configure your routing protocol of choice and advertise the subnets from each location."
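A fuller version of the routed handoff that the quoted config sketches, as an example added here (it is not from the thread or from either poster): VLANs 100/101 and the 10.101.1.0/30 link addressing come from the quote, while the interface names, OSPF process number, router-ids, the local subnets 10.1.0.0/16 and 10.2.0.0/16, and the VLAN name are assumptions. `switchport nonegotiate` stops the switch from sending DTP toward the provider port, and OSPF is passive on every interface except the p-t-p link so only the two sites form an adjacency.

```cisco
! Main Site L3 switch (example config, not from the thread; interface names,
! OSPF process/router-ids, local subnets and the VLAN name are assumptions)
vlan 101
 name EVPL-P2P
!
interface GigabitEthernet1/0/1
 description EVPL handoff to provider
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,101
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan101
 description Routed p-t-p link to DR site over the EVPL
 ip address 10.101.1.1 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 10.101.1.1
 passive-interface default
 no passive-interface Vlan101
 network 10.101.1.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
! Remote (DR) Site L3 switch: mirror image with the other /30 address
vlan 101
 name EVPL-P2P
!
interface GigabitEthernet1/0/1
 description EVPL handoff to provider
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,101
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan101
 description Routed p-t-p link to main site over the EVPL
 ip address 10.101.1.2 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 10.101.1.2
 passive-interface default
 no passive-interface Vlan101
 network 10.101.1.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.255.255 area 0
```

This routes everything over VLAN 101; whether the provider will also carry the separately trunked bridged VLANs is the question raised in the next reply.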

Joseph W. Doherty Tue, 09/15/2009 - 04:47

Yes, it likely makes much sense to connect Ethernet handoffs directly to L3 switches. I'm surprised to read you were both bridging(?) and routing across the DS3s.

You might want to double check how you need to interact with the EVPL. Having a VLAN trunk connection to the vendor is common. Passing multiple customer VLANs across that trunk, is not, unless something like QinQ is being provided.

From your provider(?) quotation, it appears you're expected to route across one VLAN (as p-2-p). I.e., are you sure you'll be able to pass multiple VLANs?

Regarding explaining my remark about QoS, it was in response to the concern about losing QoS moving to EVPL. My point was, many L3 switches support both L3 and L2 QoS/CoS, so from an equipment perspective, moving connections directly to an L3 switch doesn't always mean you'll lose QoS. However, QoS features between L3 and L2 QoS/CoS are often different, as is what might be supported on an L3 switch vs. a router. Further, when working with L2 WANs, the vendor might not support any direct QoS/CoS (although some WAN technologies don't either).

wilson_1234_2 Tue, 09/15/2009 - 05:23

That quotation was from another NetPro engineer that I had asked some questions.

I will verify with the provider that this is possible.

The bridged/routed scenario was set up a while back from a CCIE that was contracted to do this.

What he did was set the routers up to do frame-relay switching and created four PVCs.

Three are bridged to separate their traffic from everything else and the fourth is routed, so all other traffic goes across the routed one.

It works really well.

I wanted to trunk the three bridged subnets and route the rest of the VLANs across the EVPL.
