Trustsec Mac Encryption Between Sites

Patrick McHenry
Level 3
Hi,

 

See attached - might make question more clear

 

We have a Layer 2 connection between sites using a local provider for the link. On the remote side is a 3750-X and on the Main Campus side is a 2960. The link is connected via a VLAN. The VLAN interface exists on the Main Campus 5548, the core switch.

 

From what I understand, Trustsec cannot be configured on a logical interface, but if we were to configure the logical interfaces as physical interfaces, could we encrypt traffic between the 5548 and the 3750-X?

Even though it would also have to traverse through the 2960 as well?

And traverse the Layer 2 WAN link?

 

Any other suggestions for accomplishing this?

 

Thank you, Pat

10 Replies

Reza Sharifi
Hall of Fame

Hi Pat,

Trustsec is supported on SVIs, but I think that in order for it to work correctly you would need to configure it on every device, including the 5500, 2900 and 3750.

 

See table-1 in this link:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_0111.html

HTH

Could be mistaken, but I don't believe it is supported on the 2960.

 

Thanks

No, it is not supported on the 2960 series. Also, if you want to encrypt traffic between sites, a better solution is to use an IPsec tunnel, but you need a firewall or a router in each location.

It doesn't have to be anything expensive if you don't need a lot of bandwidth.

I use these and they work really well.

have a look:

http://www.amazon.com/Juniper-SSG-5-SB-Security-Services-Gateway/dp/B000IZDN88

HTH

 

We do need a lot of bandwidth - 800 Mbps. What about 802.1AE?

 

 

Thanks

802.1AE is Macsec which is the same as trustsec (I think).

Are you sure you are pushing 800 Mb of traffic? I don't think the 2960 can handle that much traffic. I would look at your data and figure out how much traffic you are really pushing. What I recommended was 10/100. You can go to a Gig device for a little more money. What is your circuit speed to the provider?

The circuit speed is an 800 Mbps Fairpoint link between buildings that are roughly 2 miles apart. We don't usually saturate the link, but 800 Mbps is what we pay for.

 

Thanks

Understand. Here is another one I use a lot. It costs a little more money, but it comes with two 1 Gig interfaces and six 10/100. For IPsec, you only need two interfaces (one inside and one outside), which you can use the Gig interfaces for.

http://www.cdw.com/shop/products/Juniper-Networks-SRX210-Services-Gateway-High-Memory-Enhanced-security-ap/2426778.aspx

HTH

 

Thanks Reza -

Actually, I just realized that Trustsec might not be what I am looking for. I'm looking to encrypt traffic between sites. Is this possible with the present equipment setup?

 

Thank you

It appears I need to configure MACsec between the 5548 and the 3750-X. Is this possible?

Thank you
