Cisco Support Community
New Member

Encrypting vlan-trunk traffic between switches

Hi,

Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switches will be connected with fiber and use dot-1q tagging. And I want to encrypt all of the trunked traffic.

I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.

Thanks for any input,

Regards,

Oyvind Mathiesen

mnemonic

Norway

14 REPLIES
Bronze

Re: Encrypting vlan-trunk traffic between switches

As far as I know, L2TP is mainly used in dial-up remote access environments. Most of the tunnelling and encryption technologies are deployed at layer 3. I am not sure if this is possible at all. Can anyone throw more light on this?

New Member

Re: Encrypting vlan-trunk traffic between switches

Thank you for your reply :-)

Well, it is possible, but not within the switches. You can do it in a separate router or in a Catalyst 6500. But a part of the problem is that I can't seem to find a straightforward description on how to implement this. The best description I have found is on GRE tunneling. But I would like to have a config example on how to configure L2TP in a site-to-site scenario. The IPSEC config is ok though. It is, of course, possible to use trial and error, but it would be nice with some sort of reference.

/Oyvind

New Member

Re: Encrypting vlan-trunk traffic between switches

Hey, I have the exact same issue and was wondering if you had found a solution. I've implemented a large Layer 3 switched/routed network, following the fully routed core/distribution methodology that Cisco started pushing, but cannot/do not want to run VLANs across our complex core. We have 3750's everywhere but cannot figure out how to tunnel 4 vlans between 2 data centres. I believe the 3750 Metro can do this, but am not going to explain to my manager that we need to purchase 4 more of these to replace 4 3750's we purchased 4 months ago.

-Martin

New Member

Re: Encrypting vlan-trunk traffic between switches

You'd have to use Q-in-Q. If that's not an option, then you'll probably need some other device to form a GRE tunnel. I believe the 3750 isn't capable of doing this in hardware.

New Member

Encrypting vlan-trunk traffic between switches

Hi,

Can you possibly post the config of this - or point us to some docs?

Regards,

New Member

Re: Encrypting vlan-trunk traffic between switches

Hi,

I solved this with 2600 series routers and l2tp (pseudowire-class) over IPSEC. With this solution you can bridge traffic over L3 encrypted. The downside is the extra box and the overhead with fragmentation. It works like a charm.

/Oyvind

New Member

Re: Encrypting vlan-trunk traffic between switches

Hi,

I have the same problem, could you post the config you found to help me!

Thanks

Hall of Fame Super Gold

Encrypting vlan-trunk traffic between switches

You want to encrypt Layer 2 traffic? MACsec is the way to go nowadays.

Configuring MACsec Encryption

New Member

Encrypting vlan-trunk traffic between switches

Hi,

Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcast on the "wire". But let me first give you an understanding of the task:

We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.

The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service, 100.

We also need to encrypt the data traversing this connectivity.

MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M... )

And that would cause me to eat into the 100 MAC limit.

Ridiculous I know, but we are looking for an out-of-the-norm plan...

Thanks

Hall of Fame Super Gold

Encrypting vlan-trunk traffic between switches

We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.

The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service, 100.

Ok, you got me stumped. Never heard of a carrier to put a cap on the number of MACs.

I am not sure but how about GRE over IPSec? It's a favorite because it's fully encrypted but it's Layer 3.

New Member

Encrypting vlan-trunk traffic between switches

Yeah, I know

Been doing some reading and the Cat6500s can do transparent firewalling - so you could accomplish tunneling with a bridge using the FWSM. But I have 3650s, and cannot afford the capital outlay of 6500s.

New Member

Encrypting vlan-trunk traffic between switches

mhmm...it is a bit strange that there is so much activity on this thread after all these years.

The question is answered by myself, but I accidentally tagged Craig Boltman's post as a correct answer. I have asked support to correct this for me, so I hope they are able to comply.

The trick is to use L2TPv3, pseudowire, loopback interface and tunnel it through a standard IPSEC tunnel. I have only tested with DES encryption and SHA hashing. But others should work fine as long as you have CPU enough to handle your bandwidth.

And as I stated earlier you can use a standard router to do this as long as the IOS supports IPSEC and it has the CPU to support your bandwidth requirements.

I guess this may not be that relevant anymore, so trying to dig up the old config from my backups is not necessary I guess.

Cheers,

Øyvind
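The author never posted his configuration, so the following is an added example (not from the thread) of the shape the L2TPv3-pseudowire-over-IPsec design above takes on one of the two routers; the other side mirrors it with the addresses swapped. All addresses, names and the pre-shared key placeholder are constructed, AES/SHA and DH group 14 are assumed available in the IOS image in place of the DES/SHA the author tested, and `ip pmtu` is included because fragmentation overhead is the downside he names. Since the switch frames, their MAC headers included, travel inside the ESP payload, the carrier's fibre service only ever sees the two routers' WAN MAC addresses, which is what keeps the design under the 100-MAC cap.

```cisco
! Added example, not the author's config. Site A router; site B mirrors it with
! addresses swapped. All addresses, names and the PSK placeholder are constructed.
!
! Loopback used as the L2TPv3 tunnel source; the far end's loopback is the peer.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Pseudowire class: L2TPv3 sourced from Loopback0, with path-MTU discovery so the
! router learns the usable MTU instead of blindly fragmenting every frame.
pseudowire-class L2TPV3-IPSEC
 encapsulation l2tpv3
 ip local interface Loopback0
 ip pmtu
!
! LAN-side port facing the 3750 trunk: no IP address, every frame (802.1Q tags
! included) is cross-connected into pseudowire VC 100 toward site B's loopback.
interface FastEthernet0/0
 description Trunk to 3750 (802.1Q frames carried transparently)
 no ip address
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class L2TPV3-IPSEC
!
! IKE phase 1 and the IPsec transform set (AES/SHA; the author tested DES/SHA).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 192.0.2.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: protect the L2TPv3 traffic (IP protocol 115) between the loopbacks.
access-list 101 permit 115 host 10.255.0.1 host 10.255.0.2
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address 101
!
! WAN port on the carrier's fibre service; the only MAC the carrier sees from here.
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP
!
ip route 10.255.0.2 255.255.255.255 192.0.2.2
```

On the live box, `show xconnect all` and `show crypto ipsec sa` confirm that the pseudowire is up and that its protocol-115 packets are being counted against the IPsec SA rather than leaving in the clear.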

New Member

Encrypting vlan-trunk traffic between switches

Hi....

VERY RELEVANT TO ME

Please post the configs - my brain is throwing MACs out like you won't believe. (I might have the same issue in my head.)

Thanks

New Member

Encrypting vlan-trunk traffic between switches

ok, I will start digging and see what I can find
