Re: IPSec tunnel over Gbit fibre.

Date: 11/15/02

Date: Fri, 15 Nov 2002 16:31:59 +0000

On Fri, 15 Nov 2002 12:25:08 -0000, "Hugh Pritchard"
<> wrote:

>Thanks for this.

You're welcome Hugh.

>Yes you are correct the 29/35xx are L2 switches. They are in the 'user
>seats' suites which may or may not be in the same building as the link from
>the separate 'server site'.

So you have VLANs spanning a WAN connection by the sound of it? It's going
to be hard to use an L3 firewall to encrypt that traffic TBH. The easiest
way would be to use GRE and encrypt it over the link endpoints.

>Neither of these devices
>supports IPSec, hence the suggestion of using a separate device at each end
>purely to provide a tunnel. The fact that the presentation is 1Gb doesn't
>mean the data would be filling the pipe, so maximum throughput need not
>necessarily be a show stopper.

I would have thought that the L3 part of the 8600 would support GRE and
allow you to run an encrypted tunnel within it. (Caveat: what I know about
Bay Networks kit (apart from the Nortel Contivity) could be inscribed on
the head of a pin with a hammer and blunt chisel, so don't take that as
gospel); my exposure to networking hardware has been Cisco in the main. But
the same principle applies.

>Your thoughts are appreciated but as you noted we don't have the luxury of
>routers at both ends of this 'local' link. As the 'seats' could be in any
>one of 3 locations, 4 sets of relatively expensive hardware is not currently
>an option.

That would suggest that you have VLANs spanning the ATM link, the remote
Ciscos using dot1q into the 8600; it will be very difficult to encrypt that
over the WAN link using conventional means as you are extending the network
@ L2 not L3.

>The ultimate decision is more of an Audit one. The business will decide on
>what is an acceptable level of risk versus the expense. I suspect they may
>decide that this small part of the whole DR plan is not sufficiently risky
>to justify the solution!

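As an added illustration of the "GRE and encrypt it over the link endpoints" approach discussed above (this configuration is not from the thread or from either poster, and is written for a Cisco IOS router since that is the kit the reply mentions), here is one end of a GRE tunnel protected by IPsec. The WAN addresses 192.0.2.1/192.0.2.2, the LAN prefixes 10.10.0.0/24 and 10.20.0.0/24, the tunnel network 172.16.0.0/30, the pre-shared key and the interface name are all placeholders; the far end mirrors the configuration with the addresses swapped. Note that, exactly as the reply says, this carries routed IP between the two sites: it does not bridge dot1q VLANs across the link, so it only helps once the boundary between the sites is L3.

```cisco
! Added example, not from the mailing-list thread. All addresses and the
! pre-shared key are placeholders. The IKE/IPsec parameters below need a
! reasonably recent IOS image; older images only offer 3des and group 2.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.2
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-SET esp-aes 256 esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two tunnel endpoints are encrypted.
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-SET
 match address 101
!
interface Tunnel0
 description Encrypted GRE to the server site
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel mode gre ip
 ! GRE plus ESP overhead: lower the MTU so large frames are not fragmented.
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface GigabitEthernet0/0
 description WAN link (placeholder interface name)
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
! Remote LAN is reached through the tunnel, so it is encrypted end to end.
ip route 10.20.0.0 255.255.255.0 Tunnel0
```

To confirm the traffic is actually being protected rather than silently leaving the tunnel in the clear, check that `show crypto isakmp sa` lists the peer in the QM_IDLE state and that the `pkts encaps`/`pkts decaps` counters in `show crypto ipsec sa` increase while traffic crosses the link; a tunnel that is up with counters at zero means the crypto map is not matching the GRE packets.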