6509-E dot1Q to 2960 via 3800

Unanswered Question
May 10th, 2010

Hey all,

I have been very unsuccessful in finding a solution to this issue and am beginning to believe that it is not possible...well, at least as we would like to do it.

Our situation: We have a 6509-E (SUP-720, VSPA) that is the hub to several 2960s connected (dot1Q) to remote sites (2-13 miles away) via our own fiber (no ISP).

Our objective: We are wishing to encrypt the traffic over that fiber to help us comply with DoD requirements. We have some 3825s that we would like to place at each of the sites in front of the 2960s.

Our problem: We do not want to have to route the traffic. We have several VLANs distributed at each of those sites. These VLANs are required to separate the data from each other, again to help comply with DoD requirements.

Is this doable? If so, where can I get some additional info?


Cliff Goniea

Giuseppe Larosa Mon, 05/10/2010 - 13:46

Hello Cliff,

You should use L2TPv3, and you should protect L2TPv3 with IPsec between a pair of C3825s.

Be aware that you can face performance issues, so even if technically it can be done, it is not recommended.

Routing using GRE tunnels or DMVPN would be a far better solution. Once you deploy a C3825 at each site you can do routing, and if you can do it, you should.

You could in this way use IPsec encryption to protect routed traffic, and you wouldn't waste WAN bandwidth propagating broadcast frames.

Hope to help
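
The L2TPv3-over-IPsec pairing described in the reply above, written out as an added illustration for the spoke-side 3825 (this is not configuration posted in the original thread, and it assumes a second 3825 sits in front of the 6509 at the hub end). All hostnames, addresses, VC IDs, class names, the pre-shared key and the L2TP secret are placeholders, and the IKE/IPsec algorithm choices are assumptions to be matched to your own policy. The trunk port toward the 2960 is bound to the pseudowire in port mode, so tagged frames for every VLAN cross the fiber without being routed, and the L2TPv3 packets themselves (IP protocol 115) are the only traffic selected for encryption:

```text
! Spoke 3825 (site A). Gi0/0 is the dark fiber toward the hub, Gi0/1 is the dot1Q trunk to the 2960.
! Hub-side 3825 mirrors this with the addresses swapped and the same VC ID (100).
hostname SITE-A-3825
!
! IKE phase 1 (assumed parameters: AES-256, SHA-1, DH group 14, pre-shared key).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 192.0.2.1
!
! IKE phase 2 (assumed transform). Tunnel mode is left as the default because the
! L2TPv3 endpoints (loopbacks) differ from the IPsec peer addresses (Gi0/0).
crypto ipsec transform-set L2TPV3-TS esp-aes 256 esp-sha-hmac
!
! Select only the L2TPv3 pseudowire traffic, IP protocol 115, between the two loopbacks.
access-list 101 permit 115 host 10.255.0.2 host 10.255.0.1
!
crypto map L2TPV3-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set L2TPV3-TS
 match address 101
!
! L2TPv3 control-channel authentication between the two routers (assumed shared secret).
l2tp-class L2TP-AUTH
 authentication
 password 0 REPLACE-WITH-L2TP-SECRET
!
pseudowire-class PW-FIBER
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
! WAN side: the crypto map is applied where the L2TPv3 packets leave the router.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map L2TPV3-MAP
!
! LAN side: no IP address. The whole port, dot1Q tags included, is cross-connected
! to the hub 3825 (peer loopback 10.255.0.1) with VC ID 100.
interface GigabitEthernet0/1
 no ip address
 xconnect 10.255.0.1 100 encapsulation l2tpv3 pw-class PW-FIBER
!
! Reach the hub's loopback across the fiber.
ip route 10.255.0.1 255.255.255.255 192.0.2.1
```

Check the result with `show xconnect all` (the VC should be UP), `show l2tp session` and `show crypto ipsec sa` (the encaps/decaps counters on the 10.255.0.0/32 pair should climb as soon as the 2960 sends traffic). The L2TPv3 header plus the ESP tunnel-mode header is added to every frame, so tagged 1500-byte frames will exceed the WAN interface MTU and be fragmented unless the fiber path is configured for a larger MTU end to end; that overhead is one concrete form of the performance cost the reply warns about.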


Reza Sharifi Mon, 05/10/2010 - 14:12

Hi Cliff,

You can use the 3800 to do type-2 encryption (IPsec) from your remote location.  If you need to have separation then you can use VRF to do that for you.
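
The routed alternative raised in the two replies above, GRE over IPsec with a VRF per VLAN, written out as an added illustration for the spoke-side 3825 (this is not configuration from the original thread). It assumes the dot1Q trunk from the 2960 terminates on subinterfaces of the 3825, that each VLAN is placed in its own VRF, and that each VRF rides its own GRE tunnel to a hub 3825, so the VLANs stay separated end to end while only routed traffic crosses the fiber. Two VLANs (10 and 20) are shown; add a subinterface, VRF and tunnel triple for each further VLAN. VRF names, route distinguishers, addresses, tunnel keys, the pre-shared key and the algorithm choices are all placeholders:

```text
! Spoke 3825 (site A). Gi0/0 faces the fiber, Gi0/1 is the dot1Q trunk from the 2960.
! The hub 3825 mirrors this: same VRFs, same tunnel keys, the other end of each /30.
hostname SITE-A-3825
!
! One VRF per VLAN so that routing tables, and therefore the data, stay separated.
ip vrf ADMIN
 rd 65000:10
ip vrf LAB
 rd 65000:20
!
! IKE phase 1 (assumed parameters).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 192.0.2.1
!
! Transport mode is enough here: the GRE endpoints are the IPsec peers themselves.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! WAN side: plain global-table address on the fiber; nothing unencrypted is routed out of it.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
!
! One GRE tunnel per VRF. Both tunnels share the same source/destination pair, so each
! carries a distinct tunnel key and the IPsec profile is applied with the "shared" keyword.
interface Tunnel10
 ip vrf forwarding ADMIN
 ip address 10.10.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel key 10
 tunnel protection ipsec profile GRE-PROT shared
!
interface Tunnel20
 ip vrf forwarding LAB
 ip address 10.20.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel key 20
 tunnel protection ipsec profile GRE-PROT shared
!
! LAN side: the 2960 trunk, one subinterface per VLAN, each in its VRF.
! The 3825 is now the default gateway for the hosts in that VLAN at this site.
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding ADMIN
 ip address 10.1.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding LAB
 ip address 10.1.20.1 255.255.255.0
!
! Per-VRF default routes point into the matching tunnel; no route exists between VRFs.
ip route vrf ADMIN 0.0.0.0 0.0.0.0 10.10.0.1
ip route vrf LAB 0.0.0.0 0.0.0.0 10.20.0.1
```

Verify with `show ip route vrf ADMIN` and `show ip route vrf LAB` (each should contain only its own subnet and its own tunnel default), `show crypto session` (one session per peer, with both tunnel keys listed under it) and `show crypto ipsec sa`. The trade-off against the L2TPv3 design is that the 6509's VLAN interfaces no longer extend to the remote site: each VLAN becomes a routed subnet at the spoke, which is what removes the broadcast flooding across the fiber but also means the VLAN addressing has to be split per site.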



Leo Laohoo Mon, 05/10/2010 - 15:16

I can't say for DoD, but here in Australia, we follow guidelines set by DSD.  DSD doesn't like dot1Q trunking.  We need to use GRE over IPSec or IPSec.

Just double-check with the manual, because Western nations, including Australia, the UK, Germany, France, etc., share common guidelines called Common Criteria (CC).

cliffgoniea Fri, 02/11/2011 - 11:52

For anyone also looking for this solution...Cisco's official stance on this subject is that it is not supported. If I figure a way to make it work, I hope to remember to come here and post the solution.

