07-08-2014 07:10 AM - edited 03-07-2019 07:58 PM
Hi,
See attached - it might make the question more clear.
We have a layer 2 connection between sites using a local provider for the link. On the remote side is a 3750-X and on the Main Campus side is a 2960. The link is connected via a VLAN. The VLAN interface exists on the Main Campus 5548 core switch.
From what I understand, Trustsec cannot be configured on a logical interface, but if we were to configure the logical interfaces as physical interfaces, could we encrypt traffic between the 5548 and the 3750-X?
Even though it would also have to traverse through the 2960 as well?
And traverse the Layer 2 WAN link?
Any other suggestions for accomplishing this?
Thank you, Pat
07-08-2014 01:55 PM
Hi Pat,
Trustsec is supported on SVIs, but I think in order for it to work correctly, you would need to configure it on every device including 5500, 2900, 3750.
See table-1 in this link:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_0111.html
HTH
07-09-2014 08:23 AM
Could be mistaken, but I don't believe it is supported on the 2960.
Thanks
07-09-2014 10:03 AM
No, it is not supported on the 2960 series. Also, if you want to encrypt traffic between sites, a better solution is to use IPsec tunnel, but you need a firewall or a router in each location.
It doesn't have to be anything expensive if you don't need a lot of bandwidth.
I use these and they work really well.
have a look:
http://www.amazon.com/Juniper-SSG-5-SB-Security-Services-Gateway/dp/B000IZDN88
HTH
07-09-2014 10:38 AM
We do need a lot of bandwidth - 800 Mbps. What about 802.1AE?
Thanks
07-09-2014 11:35 AM
802.1AE is MACsec, which is the same as TrustSec (I think).
07-09-2014 11:39 AM
Are you sure you are pushing 800 Mb of traffic? I don't think the 2960 can handle that much traffic. I would look at your data and figure out how much traffic you are really pushing. What I recommended was 10/100. You can go to a Gig device for a little more money. What is your circuit speed to the provider?
07-09-2014 12:58 PM
The circuit speed is an 800 Mbps Fairpoint link between buildings that are roughly 2 miles apart. We don't usually saturate the link, but 800 Mbps is what we pay for.
Thanks
07-09-2014 01:28 PM
Understood. Here is another one I use a lot. It costs a little more money, but it comes with 2 1Gig interfaces and 6 10/100. For IPsec, you only need 2 interfaces (one inside and one outside), which you can use the Gig interfaces for.
http://www.cdw.com/shop/products/Juniper-Networks-SRX210-Services-Gateway-High-Memory-Enhanced-security-ap/2426778.aspx
HTH
07-09-2014 08:42 AM
Thanks Reza -
Actually just realized that trustsec might not be what I am looking for. I'm looking to encrypt traffic between sites. Is this possible with the present equipment setup?
Thank you
07-09-2014 09:35 AM
Appears I need to configure MACSec between the 5548 and the 3750X. Is this possible?
Thank you