Gig Throughput on IPSEC - alternatively Layer2 encryption devices

adel at baklawasecrets.com adel at baklawasecrets.com
Wed Nov 11 20:07:03 UTC 2009


Hi,

Thanks for the pointers to the Juniper devices.  I think I'm really thinking about layer2 encryption, rather than do the encryption using IPSEC.  I feel that as it's a p-t-p fibre link, this makes most sense in terms of throughput and least impact on the network.  Operating at layer3 the IPSEC solution introduces more complexity than I would like across this link.  As I understand it, with layer2 encryption devices VLANs between the sites would "just work".  I'm interested to hear of people's experiences with layer 2 encryption devices out there, as I don't have that much experience with them.

I think my subject line mentioning IPSEC is a bit confusing as I'm really after information on Layer2 encryption hardware.

Adel

On Wed 6:45 PM, Brad Fleming bdfleming at kanren.net sent:
> 
> On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:
> >
> >
> > Hi,
> >
> > I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
> > link.  In the past I've normally used Juniper to terminate VPNs, as I
> > have found them excellent devices and the route based VPN functionality
> > very useful.  However looking at their range, only the ISG will do a gig
> > of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
> > firewall/routing capability at each site.  Then having separate
> > encryption devices to handle the site-to-site vpn requiring the gig
> > throughput.  Does anyone have any suggestions on devices to use?
> >
> >
> > Adel
> >
> >
> 
> Not knowing all your other needs, I won't swear to it... but would the 
> Juniper SRX650 work for your situation? It can pass 1.5Gbps of  
> encrypted traffic according to their datasheet. I've never actually  
> tried to move that much data through the box so I can't testify to it.
> 
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted 
> traffic.
> 
> Of course, these are JunosES devices as opposed to ScreenOS, but the
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great
> deal of success.
> 
> 
> 




