Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
716
Views
0
Helpful
4
Replies

6509-E dot1Q to 2960 via 3800

cliffgoniea
Level 1
Level 1

‎05-10-2010 01:39 PM - edited ‎03-06-2019 11:01 AM

Hey all,

I have been very unsuccessful in finding a solution to this issue and am begining to believe that it is not possible...well, at least as we would like to do it.

Our situation: We have a 6509-E (SUP-720, VSPA) that is the hub to several 2960's connected (dot1Q) to remote sites (2-13 miles away) via our own fiber (no ISP).

Our objective: We are wishing to encrypt the traffic over that fiber to help us comply with DoD requirements. We have some 3825's that we would like to place at each of the sites in front of the 2960's.

Our problem: We do not want to have to route the traffic. We have several VLANs distributed at each of those sites. These VLANs are required to separate the data from eachother, again to help comply with DoD requirements.

Is this doable? If so, where can I get some additional info?

Thanks!

Cliff Goniea

Labels:
0 Helpful
4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-10-2010 01:46 PM

Hello Cliff,

you should use L2TPv3 and you should protect L2TPv3 with IPSec between a pair of C3825.

be aware that you can face performance issues. so even if technically it can be done it is not recommended.

Routing using GRE tunnels or  DMVPN would be a far better solution, once you deploy a C3825 on each site you can do routing and if you can do it you should do.

You could in this way use IPSec encyption to protect routed traffic and you wouldn't waste WAN bandwidth propagating broadcast frames.

Hope to help

Giuseppe

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame

‎05-10-2010 02:12 PM

Hi Cliff,

You can use the 3800 to do type-2 encryption (IPSEc) from your remote location.  If you need to have separation then you can use VRF to that for you.

HTH

Reza

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎05-10-2010 03:16 PM

I can't say for DoD, but here in Australia, we follow guidelines set by DSD.  DSD doesn't like dot1Q trunking.  We need to use GRE over IPSec or IPSec.

Just double check with the manual because western nation, including Australia, UK, Germany, France, etc. share a common guidelines called Common Criterea (CC).

0 Helpful

cliffgoniea
Level 1
Level 1

‎02-11-2011 11:52 AM

For anyone also looking for this solution...Cisco's official stance on this subject is that it is not supported. If I figure a way to make it work, I hope to remember to come here and post the solution.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card