Encrypting vlan-trunk traffic between switches

9mathiesen
Level 1

Hi,

Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches? The switches will be connected with fiber and use dot1q tagging, and I want to encrypt all of the trunked traffic.

I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.

Thanks for any input,

Regards,

Oyvind Mathiesen

mnemonic

Norway


14 Replies

s.jankowski
Level 4

As far as I know, L2TP is mainly used in the dial up remote access environments. Most of the tunnelling and encryption technologies are deployed at layer 3. I am not sure if this is possible at all. Can anyone throw more light into this?

Thank you for your reply :-)

Well, it is possible, but not within the switches. You can do it in a separate router or in a Catalyst 6500. But part of the problem is that I can't seem to find a straightforward description of how to implement this. The best description I have found is on GRE tunneling. But I would like to have a config example of how to configure L2TP in a site-to-site scenario. The IPSEC config is OK though. It is, of course, possible to use trial and error, but it would be nice to have some sort of reference.

/Oyvind

Hey, I have the exact same issue and was wondering if you had found a solution. I've implemented a large Layer 3 switched/routed network, following the fully routed core/distribution methodology that Cisco started pushing, but cannot/do not want to run VLANs across our complex core. We have 3750s everywhere but cannot figure out how to tunnel 4 VLANs between 2 data centres. I believe the 3750 Metro can do this, but I am not going to explain to my manager that we need to purchase 4 more of these to replace 4 3750s we purchased 4 months ago.

-Martin

You'd have to use Q-in-Q. If that's not an option, then you'll probably need some other device to form a GRE tunnel. I believe the 3750 isn't capable of doing this in hardware.

Hi,

Can you possibly post the config of this - or point us to some docs?

Regards,

Hi,

I solved this with 2600 series routers and l2tp (pseudowire-class) over IPSEC. With this solution you can bridge traffic over L3 encrypted. The downside is the extra box and the overhead with fragmentation. It works like a charm.

/Oyvind

Hi,

I have the same problem; could you post the config you found to help me!

Thanks

You want to encrypt Layer 2 traffic?  MACsec is the way to go nowadays.

Configuring MACsec Encryption

Hi,

Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcast on the "wire". But let me first give you an understanding of the task:

We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.

The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service: 100.

We also need to encrypt the data traversing this connectivity.

MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M...)

And that would cause me to eat into the 100 MAC limit.

Ridiculous I know, but we are looking for an out-of-the-norm plan...

Thanks

We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.

The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service: 100.

Ok, you got me stumped.  Never heard of a carrier to put a cap on the number of MACs.

I am not sure but how about GRE over IPSec?  It's a favorite because it's fully encrypted but it's Layer 3.

Yeah, I know

Been doing some reading, and the Cat6500s can do transparent firewalling, so you could accomplish tunneling with a bridge using the FWSM. But I have 3650s, and cannot afford the capital outlay of 6500s.

mhmm... it is a bit strange that there is so much activity on this thread after all these years.

The question is answered by myself, but I accidentally tagged Craig Boltman's post as the correct answer. I have asked support to correct this for me, so I hope they are able to comply.

The trick is to use L2TPv3, a pseudowire and a loopback interface, and to tunnel it through a standard IPSEC tunnel. I have only tested with DES encryption and SHA hashing, but others should work fine as long as you have enough CPU to handle your bandwidth.

And as I stated earlier, you can use a standard router to do this as long as the IOS supports IPSEC and it has the CPU to support your bandwidth requirements.

I guess this may not be that relevant anymore, so trying to dig up the old config from my backups is not necessary, I guess.

Cheers,

Øyvind
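The recipe above (L2TPv3 pseudowire sourced from a loopback, carried inside a standard IPsec tunnel) written out for one side as an IOS configuration; this is an added example, not Øyvind's own config or anything from the thread. It assumes an IPsec-capable IOS router at each site, uses AES/SHA instead of the DES the post tested with, and all names, addresses and secrets are constructed placeholders; because the bridged frames travel inside IP/ESP, the carrier fibre only ever sees the two routers' WAN MACs, which is what keeps the 100-MAC cap out of the picture.

```cisco
! Site-A router. Constructed example: names, addresses and secrets are placeholders.
!
! --- L2TPv3 control plane, authenticated so a stranger cannot join the pseudowire
l2tp-class L2TP-CLASS
 authentication
 password 0 REPLACE-WITH-L2TP-SECRET
 hello 10
!
! --- Pseudowire sourced from a loopback, so it does not depend on one WAN address
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! --- LAN side: port-mode xconnect bridges every frame, 802.1Q tags included,
!     so the 3750 trunk crosses the tunnel unchanged (VC ID 100 must match site B)
interface FastEthernet0/0
 description Trunk to site-A 3750
 no ip address
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! --- IPsec: protect exactly the L2TPv3 traffic (IP protocol 115) between loopbacks
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 192.0.2.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended L2TPV3-TO-SITE-B
 permit 115 host 10.255.0.1 host 10.255.0.2
!
crypto map CM-SITE-B 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address L2TPV3-TO-SITE-B
!
! --- WAN side: the carrier sees only this interface's MAC and ESP packets
interface FastEthernet0/1
 description Carrier fibre to site B
 ip address 192.0.2.1 255.255.255.252
 crypto map CM-SITE-B
!
ip route 10.255.0.2 255.255.255.255 192.0.2.2
```

Site B mirrors this with the loopback, peer and WAN addresses swapped; the extra L2TPv3 plus ESP headers are what cause the fragmentation overhead mentioned earlier, so check the end-to-end MTU before putting production VLANs on it.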

Hi....

VERY RELEVANT TO ME

Please post the configs - my brain is throwing MACs out like you won't believe. (I might have the same issue in my head)

Thanks

ok, I will start digging and see what I can find