
vtp over encrypted inter-switch links

Status
Not open for further replies.

pehi (Technical User, GB), Feb 8, 2002
Hello,
I have the unenviable scenario of being forced to use encryption on the links between switches. They will be point-to-point gigabit links via SFP/GBIC adapters. (I know encryption shouldn’t be necessary on a point-to-point topology, but it’s been decided from so high it needs oxygen, and is totally unarguable).

They are going to be 3750’s, so as a last resort, I’ll have to muck about with subnets on a per-switch basis, and configuring DHCP helper to match. However I’d rather keep it as vanilla a switch fabric as possible so site engineers can do a more rapid swap-out if required.

What I’d like to do is configure encryption between the switches while using either dot1q or ISL to carry VTP.

Has anyone ever done this? Is there a native layer-2 encryption process I can use?

All tips most welcome, and thanks in advance.
 
That's just crazy! You're right, I don't envy you.

Encryption takes place in the upper layers, and is typically provided by the application; I have never heard of an encryption mechanism solely between switches (that doesn't mean it doesn't exist). I would think you would need an appliance to make this happen.

An illustration would be if you were concerned about web traffic on your LAN/WAN being intercepted - the solution would include implementing SSL and making sure you had some kind of IDS/IPS, not try to encrypt frames/packets at the lower layers.

Can you share what exactly the concern or reasoning is behind this requirement?
 
ChipK - The fibre is managed by a 3rd party, we only have control up to the wall-ports, and requirement is due to the possibility of interception of inter-switch traffic.

Datacryptor 2000's gigabit platform has been floated, but from what I can see this works at layer 3 only, so will therefore kill off vtp as well.

I think I'll have to assemble a lab and try tunneling.
 
I haven't - thanks for this, I'll read through it.
 
BrianinMS - It's Fibre - Single-mode long distance runs.
 
3750's don't offer Ethernet encryption. You will have to get an offload device to do that.
 
Have you thought about MD5 via EIGRP or another RP? That at least encrypts the routes/routing information, in a 1-way hash...

Burt
 
Burtsbees - Thanks, I have considered it - that's probably what we will have to go with along with separated subnets and routing utilising the 3750's L3 capabilities. Unfortunate as I wanted to keep the switch fabric at L2...
 
I hear ya, but given your "unenviable" situation...lol
Good luck!

Burt
 
Well, if it's a Cisco to Cisco direct connection you could use UDLD to detect if the fiber was unplugged and a tap inserted.
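The fallback the thread converges on (routed uplinks with per-switch subnets, MD5-authenticated EIGRP as Burt suggests, and UDLD on the fibre links as suggested above) written out as an added illustrative IOS configuration for one 3750 uplink; this is not any poster's own config, and the interface name, AS number, key-chain name, subnet and key-string are assumed placeholders. Note that MD5 authentication lets a peer verify that a routing update came from a holder of the shared key and was not altered; it does not hide the update's contents, and it does nothing for user traffic crossing the link.

```cisco
! Assumed key chain: the key-string is a placeholder, replace before use
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-STRONG-SECRET
!
! Assumed uplink port: converted from a switchport to a routed L3 port,
! so each switch gets its own subnet instead of a single L2 fabric
interface GigabitEthernet1/0/25
 description Uplink to next switch (3rd-party fibre)
 no switchport
 ip address 10.250.0.1 255.255.255.252
 ! Drop updates that do not carry a valid MD5 digest from EIGRP-KEYS
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ! Aggressive UDLD err-disables the port if the fibre stops being
 ! bidirectional, e.g. a strand is unplugged to insert a tap
 udld port aggressive
!
router eigrp 100
 network 10.250.0.0 0.0.0.3
 passive-interface default
 no passive-interface GigabitEthernet1/0/25
!
! Verification after both ends are configured:
!   show ip eigrp neighbors      - adjacency forms only if both sides share the key
!   show udld GigabitEthernet1/0/25
!   show interfaces status err-disabled
```

A mismatched key on either end shows up as the EIGRP adjacency failing to come up, which is the behaviour you want to confirm in the lab before rolling it out.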
 
There are a bunch of layer 2 encryption appliance solutions out there. Among others, Thales has a complete range of Ethernet Layer 2 encryptors (100Mb, 1Gb, 10Gb) that should be able to do the job.

Other vendors with a complete range of Ethernet Layer 2 encryptors would be ATMedia and Crypto AG.
 
The Design Authority have spoken, and we will indeed be using 3rd-party L3 encryption offload. Thanks to all, I shall now start calculating variable sized subnets!
 