[119260] in North American Network Operators' Group
Re: Gig Throughput on IPSEC - alternatively Layer2 encryption devices
daemon@ATHENA.MIT.EDU (adel@baklawasecrets.com)
Wed Nov 11 15:06:27 2009
To: <nanog@nanog.org>
Date: Wed, 11 Nov 2009 20:07:03 +0000
From: adel@baklawasecrets.com
Reply-To: adel@baklawasecrets.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi,
Thanks for the pointers to the Juniper devices. I think I'm really thinking
about layer2 encryption, rather than do the encryption using IPSEC. I feel
that as it's a p-t-p fibre link, this makes most sense in terms of throughput
and least impact on the network. Operating at layer3 the IPSEC solution
introduces more complexity than I would like across this link. As I understand
it, with layer2 encryption devices, VLANs between the sites would "just work".
I'm interested to hear of people's experiences with layer 2 encryption devices
out there, as I don't have that much experience with them.
I think my subject line mentioning IPSEC is a bit confusing as I'm really
after information on Layer2 encryption hardware.
Adel
On Wed 6:45 PM , Brad Fleming bdfleming@kanren.net sent:
>
> On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:
> >
> > Hi,
> >
> > I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
> > link. In the past I've normally used Juniper to terminate VPNs, as I
> > have found them excellent devices and the route based VPN functionality
> > very useful. However looking at their range, only the ISG will do a gig
> > of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
> > firewall/routing capability at each site. Then having a separate
> > encryption devices to handle the site-to-site vpn requiring the gig
> > throughput. Does anyone have any suggestions on devices to use?
> >
> > Adel
> >
>
> Not knowing all your other needs, I won't swear to it... but would the
> Juniper SRX650 work for your situation? It can pass 1.5Gbps of
> encrypted traffic according to their datasheet. I've never actually
> tried to move that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted
> traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great
> deal of success.