
New Member

WAN encryption over Metropolitan Optical Ethernet

We're installing ASR1000 series (ASR1001 and ASR1006) routers on a new WAN and have a requirement to encrypt the traffic between the EIGRP neighbors. Each ASR will be connected to the MOE with a gig interface and we will be using L3 on the interfaces with EIGRP as the routing protocol. We have advipservices-k9 IOS-XE.

The ASR1006 is our datacenter WAN router and all remote sites have the ASR1001s.  The ASR1006 WAN interface will be configured with L3 subinterfaces, one to each remote location, using a /30 mask.

What is the best method to encrypt the traffic between the ASR1006 WAN interface and the remote ASR1001 WAN interface?

2 REPLIES
Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If an ASR supports it, perhaps p2p VPN tunnels using VTI.

Hall of Fame Super Gold

What is the best method to encrypt the traffic between the ASR1006 WAN interface and the remote ASR1001 WAN interface?

There are several methods of doing this.

The easiest way is to let the routers do the encryption.

I know in Australia, it's frowned upon by some government organizations to use a single appliance to do encryption and routing. In theory, this may make "sense" but have you seen the ridiculous prices of a dedicated encryption appliance that will do GigabitEthernet (non-blocking or wire speed) lately?

Another thing about using a dedicated encryption appliance (aside from the price) is the logistics involved when you move your bandwidth around.  Like if you bought a FastEthernet model and someone decides to upgrade the bandwidth to something higher. 
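
An added example, not part of the original thread or any poster's configuration: the point-to-point VTI approach suggested in the first reply, shown as a static VTI with IPsec on one remote ASR1001 facing its ASR1006 subinterface, with EIGRP formed over the tunnel instead of the MOE underlay. The addresses (documentation and private ranges), object names, interface IDs, EIGRP AS 100 and the IKEv2 and cipher choices are all assumptions, and the pre-shared key is a placeholder.

```cisco
! Constructed example for one remote site (ASR1001 side).
! Underlay /30 toward the hub subinterface: 192.0.2.0/30 (assumed).
crypto ikev2 proposal MOE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy MOE-POL
 proposal MOE-PROP
crypto ikev2 keyring MOE-KEYS
 peer HUB
  address 192.0.2.1
  pre-shared-key <PLACEHOLDER-PSK>
crypto ikev2 profile MOE-IKE
 match identity remote address 192.0.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local MOE-KEYS
!
crypto ipsec transform-set MOE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile MOE-IPSEC
 set transform-set MOE-TS
 set ikev2-profile MOE-IKE
!
interface GigabitEthernet0/0/0
 description MOE handoff (underlay only, carries ESP)
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel1
 description sVTI to datacenter ASR1006
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile MOE-IPSEC
!
! EIGRP peers over the tunnel only, so every learned route points
! into the encrypted path. Add the site LAN networks as needed.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface GigabitEthernet0/0/0
```

The ASR1006 side mirrors this with one Tunnel interface per remote-site subinterface; `show crypto ipsec sa` and `show ip eigrp neighbors` confirm that the adjacency and the traffic ride the tunnel.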
