Bridging two sites together, but encrypted

Hi everyone

I need to link two sites together using 2811 routers. I have a layer 2 link (effectively Ethernet) between two 2811 routers (using the Fa0/0 interfaces).

The wireless link is not encrypted, so I would like to use the 2811 routers to encrypt the traffic. The problem is the link must still appear as layer 2 (i.e. same VLAN(s) both sides).

Is this possible?

Thanks


Accepted Solutions
Hall of Fame Super Silver

Re: Bridging two sites together, but encrypted

Hello Jason,

This is possible, although you should be aware of possible performance problems.

The L2 point-to-point transport service can be implemented with L2TPv3.

See

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html#wp1043064

It can be defined on a per-VLAN subinterface basis.

L2TPv3 packets between the two routers then need to be encrypted, using IPsec for example.

You can define with an extended ACL what traffic has to be encrypted, in your case the L2TPv3 flow.

Another possible solution uses NAT and IPsec:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

You can use this as a reference for the IPsec part. The L2TPv3 really joins the two broadcast domains and should be what you are looking for.

Hope to help

Giuseppe
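
The approach described in this answer (L2TPv3 per VLAN subinterface, with an extended ACL selecting the L2TPv3 flow for IPsec), sketched as an IOS configuration for one of the two routers. This is an added example, not part of the original post or the linked Cisco documents. All addresses, VLAN 10, the VC ID, the names, the interface roles (Fa0/0 toward the wireless link, Fa0/1 toward the LAN) and the key placeholder are assumptions.

```cisco
! Router A (constructed values; Router B mirrors this with the addresses swapped)
! Assumed roles: Fa0/0 faces the unencrypted wireless link, Fa0/1 faces the LAN.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map L2TP-MAP
!
! Reach the peer's loopback across the wireless link
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
! L2TPv3 pseudowire, sourced from the loopback
pseudowire-class L2TPV3-PW
 encapsulation l2tpv3
 ip local interface Loopback0
!
! Per-VLAN attachment circuit: VLAN 10 frames are carried to the peer
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 10.255.0.2 10 pw-class L2TPV3-PW
!
! IKE phase 1 with a pre-shared key (placeholder, replace on both routers)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY> address 10.255.0.2
!
! Transport mode: the L2TPv3 endpoints are also the IPsec endpoints
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Extended ACL selecting only the L2TPv3 flow (IP protocol 115)
access-list 101 permit 115 host 10.255.0.1 host 10.255.0.2
!
crypto map L2TP-MAP local-address Loopback0
crypto map L2TP-MAP 10 ipsec-isakmp
 set peer 10.255.0.2
 set transform-set L2TP-TS
 match address 101
```

L2TPv3 and ESP headers add overhead to every bridged frame, so check MTU and fragmentation on the link. `show l2tun session` should show the session up while the encaps/decaps counters in `show crypto ipsec sa` increase; if the counters stay at zero, the bridged traffic is not matching the crypto ACL and is crossing the link unencrypted.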

New Member

Re: Bridging two sites together, but encrypted

Thanks Giuseppe. Option 1 looks like the best bet. Could we realistically expect 10mbps encryption through a 2811?

Hall of Fame Super Silver

Re: Bridging two sites together, but encrypted

Hello Jason,

Without a hardware encryption module I'm afraid it is too much for the C2811.

Hope to help

Giuseppe

Hall of Fame Super Bronze

Re: Bridging two sites together, but encrypted

Giuseppe,

2811 provides onboard hardware encryption and 10Mbps LAN-to-LAN shouldn't be a problem.

Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which when combined with an optional Cisco IOS Software upgrade help enable WAN link security and VPN services.

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/ps5882/product_data_sheet0900aecd8016fa68_ps5854_Products_Data_Sheet.htmlZ

__

Edison.

Hall of Fame Super Silver

Re: Bridging two sites together, but encrypted

Hello Edison,

Thanks for your correction.

The HW encryption module is already there!

I should have checked on the CCO.

Hope to help

Giuseppe

Hall of Fame Super Gold

Re: Bridging two sites together, but encrypted

If you have an IOS with Crypto feature, you can verify using the command sh crypto engine brief and look under "crypto engine type". If it's hardware, then your AIM/VPN is enabled.
