Cisco Support Community

New Member

Trustsec Mac Encryption Between Sites

 

 

Hi,

 

See attached - might make question more clear

 

We have a layer 2 connection between sites using a local provider for the link. On the remote side is a 3750-X and on the Main Campus side is a 2960. The link is connected via a VLAN. The VLAN interface exists on the Main Campus 5548, core switch.

 

From what I understand, Trustsec cannot be configured on a logical interface, but if we were to configure the logical interfaces as physical interfaces, could we encrypt traffic between the 5548 and the 3750-X?

Even though it would also have to traverse through the 2960 as well?

And traverse the Layer 2 WAN link?

 

Any other suggestions for accomplishing this?

 

Thank you, Pat

10 REPLIES
VIP Super Bronze


Hi Pat,

Trustsec is supported on SVIs, but I think in order for it to work correctly, you would need to configure it on every device including 5500, 2900, 3750.

 

See table-1 in this link:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_0111.html

HTH

New Member


Could be mistaken but, I don't believe it is supported on the 2960

 

Thanks

VIP Super Bronze


No, it is not supported on the 2960 series. Also, if you want to encrypt traffic between sites, a better solution is to use an IPsec tunnel, but you need a firewall or a router in each location.

It doesn't have to be anything expensive if you don't need a lot of bandwidth.

I use these and they work really well.

Have a look:

http://www.amazon.com/Juniper-SSG-5-SB-Security-Services-Gateway/dp/B000IZDN88

HTH

New Member


 

We do need a lot of bandwidth - 800 Mbps. What about 802.1AE?

 

 

Thanks

VIP Super Bronze


802.1AE is MACsec, which is the same as TrustSec (I think).

VIP Super Bronze


Are you sure you are pushing 800Mb of traffic? I don't think the 2960 can handle that much traffic. I would look at your data and figure out how much traffic you are really pushing. What I recommended was 10/100. You can go to a Gig device for a little more money. What is your circuit speed to the provider?
 

New Member


The circuit speed is an 800 Mbps Fairpoint link between buildings that are roughly 2 miles apart. We don't usually saturate the link, but 800 Mbps is what we pay for.

 

Thanks

VIP Super Bronze


Understand. Here is another one I use a lot. It costs a little more money, but it comes with 2 1Gig interfaces and 6 10/100. For IPsec, you only need 2 interfaces (one inside and one outside), which you can use the Gig interfaces for.

http://www.cdw.com/shop/products/Juniper-Networks-SRX210-Services-Gateway-High-Memory-Enhanced-security-ap/2426778.aspx

HTH

New Member


 

Thanks Reza -

Actually just realized that trustsec might not be what I am looking for. I'm looking to encrypt traffic between sites. Is this possible with the present equipment setup?

 

Thank you

New Member


Appears I need to configure MACSec between the 5548 and the 3750X. Is this possible?

Thank you
