nanog mailing list archives
Re: Gig Throughput on IPSEC - alternatively Layer2 encryption devices
From: adel () baklawasecrets com
Date: Wed, 11 Nov 2009 20:07:03 +0000
Hi,

Thanks for the pointers to the Juniper devices. I think I'm really thinking about layer2 encryption, rather than do the encryption using IPSEC. I feel that as it's a p-t-p fibre link, this makes most sense in terms of throughput and least impact on the network. Operating at layer3 the IPSEC solution introduces more complexity than I would like across this link. As I understand it, with layer2 encryption devices VLANs between the sites would "just work".

I'm interested to hear of people's experiences with layer 2 encryption devices out there, as I don't have that much experience with them. I think my subject line mentioning IPSEC is a bit confusing as I'm really after information on Layer2 encryption hardware.

Adel

On Wed 6:45 PM, Brad Fleming bdfleming () kanren net sent:
On Nov 11, 2009, at 3:25 AM, adel@ baklawasecrets.com wrote:

> Hi,
>
> I have a requirement to encrypt data using IPSEC over a p-t-p gig
> fibre link. In the past I've normally used Juniper to terminate VPNs, as I
> have found them excellent devices and the route based VPN
> functionality very useful. However looking at their range, only the ISG will do a
> gig of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
> firewall/routing capability at each site. Then having separate
> encryption devices to handle the site-to-site vpn requiring the gig
> throughput. Does anyone have any suggestions on devices to use?
>
> Adel

Not knowing all your other needs, I won't swear to it... but would the Juniper SRX650 work for your situation? It can pass 1.5Gbps of encrypted traffic according to their datasheet. I've never actually tried to move that much data through the box so I can't testify to it. Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted traffic.

Of course, these are JunosES devices as opposed to ScreenOS, but the transition isn't as painful as you might expect. We actually use the J-series devices with JunosES as site routers/firewalls with a great deal of success.