nanog mailing list archives

Re: Gig Throughput on IPSEC - alternatively Layer2 encryption devices


From: adel () baklawasecrets com
Date: Wed, 11 Nov 2009 20:07:03 +0000

Hi,

Thanks for the pointers to the Juniper devices.  I think I'm really thinking about layer2 encryption, rather than doing the encryption using IPSEC.  I feel that as it's a p-t-p fibre link, this makes most sense in terms of throughput and least impact on the network.  Operating at layer3 the IPSEC solution introduces more complexity than I would like across this link.  As I understand it, with layer2 encryption devices, VLANs between the sites would "just work".  I'm interested to hear of people's experiences with layer 2 encryption devices out there, as I don't have that much experience with them.

I think my subject line mentioning IPSEC is a bit confusing as I'm really after information on Layer2 encryption hardware.

Adel

On Wed 6:45 PM, Brad Fleming bdfleming () kanren net sent:

On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:

> Hi,
>
> I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
> link.  In the past I've normally used Juniper to terminate VPNs, as I
> have found them excellent devices and the route based VPN functionality
> very useful.  However looking at their range, only the ISG will do a gig
> of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
> firewall/routing capability at each site.  Then having separate
> encryption devices to handle the site-to-site vpn requiring the gig
> throughput.  Does anyone have any suggestions on devices to use?
>
> Adel

Not knowing all your other needs, I won't swear to it... but would the 
Juniper SRX650 work for your situation? It can pass 1.5Gbps of  
encrypted traffic according to their datasheet. I've never actually  
tried to move that much data through the box so I can't testify to it.

Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted 
traffic.

Of course, these are JunosES devices as opposed to ScreenOS, but the
transition isn't as painful as you might expect. We actually use the
J-series devices with JunosES as site routers/firewalls with a great
deal of success.





