Bridging two sites together, but encrypted

osiristrading
Level 1

Hi everyone

I need to link two sites together using 2811 routers. I have a layer 2 link (effectively Ethernet) between two 2811 routers (using the Fa0/0 interfaces).

The wireless link is not encrypted, so I would like to use the 2811 routers to encrypt the traffic. The problem is the link must still appear as layer 2 (i.e. same VLAN(s) both sides).

Is this possible?

Thanks


Giuseppe Larosa
Hall of Fame

Hello Jason,

This is possible, although you should be aware of possible performance problems.

The L2 point-to-point transport service can be implemented with L2TPv3.

See

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html#wp1043064

It can be defined on a per-VLAN subinterface basis.

L2TPv3 packets between the two routers then need to be encrypted, using IPsec for example.

You can define with an extended ACL what traffic has to be encrypted; in your case, the L2TPv3 flow.

Another possible solution uses NAT and IPsec:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

You can use this as a reference for the IPsec part; the L2TPv3 really joins the two broadcast domains and should be what you are looking for.

Hope to help

Giuseppe
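An added example of the design Giuseppe describes (L2TPv3 xconnect per VLAN subinterface, with IPsec applied only to the L2TPv3 flow via an extended ACL), not configuration from this thread. It shows the R1 side; R2 mirrors it with the two Fa0/0 addresses swapped. Interface roles, addresses, VLAN 10, the ISAKMP/IPsec parameters and the PSK placeholder are all assumptions.

```cisco
! --- R1 (site A); R2 mirrors this with the two Fa0/0 addresses swapped ---
! Assumed: Fa0/0 = wireless-facing link, Fa0/1 = LAN trunk, VLAN 10 to be bridged.
! ISAKMP/IPsec parameters and the PSK placeholder are illustrative, not from the thread.
!
! IKE phase 1 and the IPsec transform set (transport mode suffices because the
! L2TPv3 endpoints are the same Fa0/0 addresses as the IPsec peers)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.168.100.2
!
crypto ipsec transform-set L2TPV3-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Extended ACL selecting only the L2TPv3 flow (IP protocol 115) for encryption
ip access-list extended L2TPV3-TRAFFIC
 permit 115 host 192.168.100.1 host 192.168.100.2
!
crypto map WIRELESS-MAP 10 ipsec-isakmp
 set peer 192.168.100.2
 set transform-set L2TPV3-TS
 match address L2TPV3-TRAFFIC
!
! L2TPv3 pseudowire class: tunnel source is the wireless-facing interface
pseudowire-class L2TPV3-PW
 encapsulation l2tpv3
 ip local interface FastEthernet0/0
!
! Wireless-facing link: plain IP plus the crypto map
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.252
 crypto map WIRELESS-MAP
!
! LAN side: one xconnect per VLAN subinterface keeps both sites in the same VLAN
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 192.168.100.2 10 pw-class L2TPV3-PW
```

Verify with `show l2tun session all` and `show crypto ipsec sa`: the encrypt/decrypt counters of the latter should climb while LAN traffic crosses the link, which confirms the L2TPv3 flow is actually inside IPsec rather than leaving Fa0/0 in the clear.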

Thanks Giuseppe. Option 1 looks like the best bet. Could we realistically expect 10 Mbps encryption through a 2811?

Hello Jason,

Without a hardware encryption module, I'm afraid it is too much for the C2811.

Hope to help

Giuseppe

Giuseppe,

2811 provides onboard hardware encryption, and 10 Mbps LAN-to-LAN shouldn't be a problem.

Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which when combined with an optional Cisco IOS Software upgrade help enable WAN link security and VPN services.

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/ps5882/product_data_sheet0900aecd8016fa68_ps5854_Products_Data_Sheet.html

__

Edison.

Hello Edison,

Thanks for your correction.

The HW encryption module is already there!

I should have checked on the CCO.

Hope to help

Giuseppe

Leo Laohoo
Hall of Fame

If you have an IOS with Crypto feature, you can verify using the command sh crypto engine brief and look under "crypto engine type". If it's hardware, then your AIM/VPN is enabled.
