Many of those devices think that the WAN "Ethernet" is bit-transparent, not packet-oriented, unlimited MTU...
In reality, those "Ethernet" links are MTU-limited, often with an "Ethernet" MTU of just 1500, or sometimes plus 1 or 2 VLAN tags. Full stop. No space for additional information, encryption header, etc. Or for "jumbo frames" found in iSCSI etc. applications.

But you need your Ethernet crypto device to solve this. So when my switches on both ends have an MTU of 9216 bytes, I would like the crypto device to transport this even over the "Ethernet" link with an MTU of 1371. Very few of the products solve that, so take care in selecting your product. "Simple" products think that you own a dark fibre where they can do anything, but in reality you just have a packet-switched link with single-mode fibres on both ends.

> I'm looking for the simplest way to do it. Most customers have L2
> connections between Data Centers. The edge device controlled by the
> customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN,
> FlexVPN, and so on, need a router in the edge. This implies modification
> of the customer's topologies. L2 encryption seems the perfect solution
> and it seems there are several options on the market.

You can use Cisco "routers" to build an encrypting, transparent Ethernet link, bridging every packet including STP, CDP, LLDP ... Needs some CPU on the router, that sets the limits, but this works well, even with limited links.

> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
> -----Original Message-----
> From: Jeff Orr [mailto:j...@communicorr.com]
> Sent: Sunday, 2 February 2014 17:25
> To: Antonio Soares
> Cc: <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] Transparent WAN Encryption
>
> If you are using a private MPLS (i.e. not over Internet) & have Cisco
> CE routers consider GETVPN.
>
> For the reasons you mentioned, we as a customer went this direction.
> We needed to ensure our WAN (150 sites/multiple data centers) traveling
> across a variety of links/providers including DS1/DS3/Metro-e is
> secure.
>
> It has really scaled & worked well. GETVPN is VRF aware & can function
> on the PE side as well.
>
> -jeff
>
> Sent from my AT&T iPhone
>
> > On Feb 1, 2014, at 9:16 PM, Antonio Soares <amsoa...@netcabo.pt> wrote:
> >
> > Hello group,
> >
> > Service Provider WAN links are not secure anymore and I have more and
> > more enterprise customers asking for transparent WAN encryption solutions.
> > I came across these two products:
> >
> > EncryptTight:
> >
> > http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119
> >
> > TrustNet:
> >
> > http://www.certesnetworks.com/securitysolutions/wan-encryption.html
> >
> > Does anyone have experience with these products? This seems the ideal solution.
> > The networks remain exactly the same as they were, we simply add these
> > devices to do their job.
> >
> > Thanks.
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (RS/SP)
> > amsoa...@netcabo.pt
> >
> > http://www.ccie18473.net <http://www.ccie18473.net/>
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
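
Added example, not part of the original thread and not any vendor's code: a Python model of the fragmentation and reassembly the reply asks of a crypto device, using its figures of a 9216-byte frame and a 1371-byte link MTU. The 8-byte shim layout and the 32-byte encryption overhead are assumptions, and only sizes are modelled (no encryption is performed).

```python
import struct

# Hypothetical 8-byte shim carried in every fragment: frame id, index, count.
SHIM = struct.Struct("!IHH")

def fragment(frame: bytes, frame_id: int, link_mtu: int, crypto_overhead: int) -> list[bytes]:
    """Split one customer frame so each piece, plus the shim and the
    encryptor's per-packet overhead, still fits the carrier link MTU."""
    room = link_mtu - crypto_overhead - SHIM.size
    if room <= 0:
        raise ValueError("link MTU is smaller than the per-packet overhead")
    chunks = [frame[i:i + room] for i in range(0, len(frame), room)] or [b""]
    return [SHIM.pack(frame_id, i, len(chunks)) + c for i, c in enumerate(chunks)]

def reassemble(pieces: list[bytes]) -> bytes:
    """Rebuild a frame from fragments in any order; reject gaps or mixed frames."""
    ids, counts, parts = set(), set(), {}
    for p in pieces:
        frame_id, index, count = SHIM.unpack_from(p)
        ids.add(frame_id)
        counts.add(count)
        parts[index] = p[SHIM.size:]
    if len(ids) != 1 or len(counts) != 1:
        raise ValueError("fragments belong to different frames")
    if set(parts) != set(range(counts.pop())):
        raise ValueError("fragment missing, frame must be dropped")
    return b"".join(parts[i] for i in sorted(parts))

def wire_bytes(pieces: list[bytes], crypto_overhead: int) -> int:
    """Total bytes put on the carrier link for one customer frame."""
    return sum(len(p) + crypto_overhead for p in pieces)

if __name__ == "__main__":
    OVERHEAD = 32                      # assumed encryption header + ICV size
    jumbo = bytes(range(256)) * 36     # constructed 9216-byte frame
    pieces = fragment(jumbo, 1, 1371, OVERHEAD)
    print(len(pieces), "fragments,", wire_bytes(pieces, OVERHEAD), "bytes on the wire")
    assert reassemble(pieces[::-1]) == jumbo
    # Even a standard 1500-byte frame no longer fits a 1500-byte link once encrypted.
    print(len(fragment(b"\x00" * 1500, 2, 1500, OVERHEAD)), "fragments for a 1500-byte frame")
```

With these assumed overheads, losing any one fragment on the carrier link costs the whole customer frame, which is worth measuring when evaluating a device on a lossy or policed circuit.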