On Jun 9, 2013, at 7:20 AM, "R. Benjamin Kessler" <ben.kess...@zenetra.com> 
wrote: 
> I see that there is actually a beast that will do encryption of multiple 10G 
> waves between Cisco ONS boxes - 
> 
> https://www.cisco.com/en/US/prod/collateral/optical/ps5724/ps2006/at_a_glance_c45-728015.pdf
> 
> How many people are actually doing this?

Not sure why you would want the massive fail that is layer-2 DCI in the first 
place, but you certainly don't need this sort of ridiculously expensive gear.

Packet encryption is embarrassingly parallel when you have lots of flows, and 
best distributed throughout the infrastructure to many endpoints. One big 
expensive box is one big bottleneck and one big SPOF.

We actually use cluster-to-cluster and even host-to-host IPsec SAs in certain 
cases.
