Re: Gig Throughput on IPSEC

2009-11-12 Thread Florian Weimer
>  On second thoughts, thinking about this I am probably looking for some
> kind of Layer2 encryption devices.  This will make things a lot easier
> for the deployment.  Any experiences, thoughts on these types of devices,
> would be much appreciated. 

You could use OpenVPN, but that would be cheating. 8-)

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: Gig Throughput on IPSEC

2009-11-11 Thread Joakim Aronius
* Truman Boyes (tru...@suspicious.org) wrote:
>
> an SRX 3400/3600 you can scale up the performance of IPSEC VPN  
> throughput with additional SPCs. You should be able to scale to over  
> 6Gbps of IPSEC with enough SPCs.
>
> Truman

Yes, the SRX line of products is the most future-proof way to go. I had a 
meeting with Juniper technical sales a short while ago and they also stated 
that "performance figures of the SRX are more in line with what you get in real 
deployments" (compared to the ISG and NS marketing material, which has IPsec 
throughput figures that you probably will not see in the field, same as most 
vendors).
In the ISG and NS series you also need to be aware of capacity limitations in 
the cards and the backplane.

...and as no one else has commented on L2 security devices I assume that there 
are not many products for this (IEEE 802.1AE MAC Security). But on the other 
hand I suppose that there are mostly L3 people on this list and that the Metro 
Ethernet folks hang elsewhere.. (I would go for IPsec.)

Cheers,
/Joakim




Re: Gig Throughput on IPSEC

2009-11-11 Thread Truman Boyes


On 12/11/2009, at 5:45 AM, Brad Fleming wrote:

> On Nov 11, 2009, at 3:25 AM, a...@baklawasecrets.com wrote:
> >
> > Hi,
> >
> > I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
> > link.  In the past I've normally used Juniper to terminate VPNs, as I
> > have found them excellent devices and the route based VPN functionality
> > very useful.  However looking at their range, only the ISG will do a gig
> > of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
> > firewall/routing capability at each site.  Then having a separate
> > encryption devices to handle the site-to-site vpn requiring the gig
> > throughput.  Does anyone have any suggestions on devices to use?
> >
> > Adel
>
> Not knowing all your other needs, I won't swear to it... but would
> the Juniper SRX650 work for your situation? It can pass 1.5Gbps of
> encrypted traffic according to their datasheet. I've never actually
> tried to move that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of
> encrypted traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great
> deal of success.

The usual caveats apply: packet size, packets per second, etc; but
with an SRX 3400/3600 you can scale up the performance of IPSEC VPN
throughput with additional SPCs. You should be able to scale to over
6Gbps of IPSEC with enough SPCs.

Truman



Re: Gig Throughput on IPSEC - alternatively Layer2 encryption devices

2009-11-11 Thread adel
Hi,

Thanks for the pointers to the Juniper devices.  I think I'm really thinking 
about layer2 encryption, rather than do the encryption using IPSEC.  I feel 
that as it's a p-t-p fibre link, this makes most sense in terms of throughput 
and least impact on the network.  Operating at layer3 the IPSEC solution 
introduces more complexity than I would like across this link.  As I understand 
it, with layer2 encryption devices VLANs between the sites would "just work".  
I'm interested to hear of people's experiences with layer 2 encryption devices 
out there, as I don't have that much experience with them.

I think my subject line mentioning IPSEC is a bit confusing as I'm really after 
information on Layer2 encryption hardware.

Adel

On Wed   6:45 PM , Brad Fleming bdflem...@kanren.net sent:
> 
> On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:
> >
> > Hi,
> >
> > I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
> > link.  In the past I've normally used Juniper to terminate VPNs, as I
> > have found them excellent devices and the route based VPN functionality
> > very useful.  However looking at their range, only the ISG will do a gig
> > of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
> > firewall/routing capability at each site.  Then having a separate
> > encryption devices to handle the site-to-site vpn requiring the gig
> > throughput.  Does anyone have any suggestions on devices to use?
> >
> > Adel
> 
> Not knowing all your other needs, I won't swear to it... but would the 
> Juniper SRX650 work for your situation? It can pass 1.5Gbps of  
> encrypted traffic according to their datasheet. I've never actually  
> tried to move that much data through the box so I can't testify to it.
> 
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted 
> traffic.
> 
> Of course, these are JunosES devices as opposed to ScreenOS, but the  
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great  
> deal of success.




Re: Gig Throughput on IPSEC

2009-11-11 Thread Brad Fleming


On Nov 11, 2009, at 3:25 AM, a...@baklawasecrets.com wrote:

> Hi,
>
> I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
> link.  In the past I've normally used Juniper to terminate VPNs, as I
> have found them excellent devices and the route based VPN functionality
> very useful.  However looking at their range, only the ISG will do a gig
> of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
> firewall/routing capability at each site.  Then having a separate
> encryption devices to handle the site-to-site vpn requiring the gig
> throughput.  Does anyone have any suggestions on devices to use?
>
> Adel

Not knowing all your other needs, I won't swear to it... but would the
Juniper SRX650 work for your situation? It can pass 1.5Gbps of
encrypted traffic according to their datasheet. I've never actually
tried to move that much data through the box so I can't testify to it.

Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted
traffic.

Of course, these are JunosES devices as opposed to ScreenOS, but the
transition isn't as painful as you might expect. We actually use the
J-series devices with JunosES as site routers/firewalls with a great
deal of success.




Re: Gig Throughput on IPSEC

2009-11-11 Thread Jian Gu
You can run L2TPv3 (available on IOS routers) between sites, not sure
about the throughput though.

On Wed, Nov 11, 2009 at 2:01 AM,   wrote:
>
>
>  On second thoughts, thinking about this I am probably looking for some
> kind of Layer2 encryption devices.  This will make things a lot easier
> for the deployment.  Any experiences, thoughts on these types of devices,
> would be much appreciated.
>
> Adel
>
>  On Wed 9:25 AM , a...@baklawasecrets.com sent:
>
>  Hi,
>
>  I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
>  link.  In the past I've normally used Juniper to terminate VPNs, as I
>  have found them excellent devices and the route based VPN functionality
>  very useful.  However looking at their range, only the ISG will do a gig
>  of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
>  firewall/routing capability at each site.  Then having a separate
>  encryption devices to handle the site-to-site vpn requiring the gig
>  throughput.  Does anyone have any suggestions on devices to use?
>
>
>
>  Adel
>
>
>



Re: Gig Throughput on IPSEC

2009-11-11 Thread adel
 

 On second thoughts, thinking about this I am probably looking for some
kind of Layer2 encryption devices.  This will make things a lot easier
for the deployment.  Any experiences, thoughts on these types of devices,
would be much appreciated. 

Adel

 On Wed 9:25 AM , a...@baklawasecrets.com sent:

 Hi, 

 I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
 link.  In the past I've normally used Juniper to terminate VPNs, as I
 have found them excellent devices and the route based VPN functionality
 very useful.  However looking at their range, only the ISG will do a gig
 of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
 firewall/routing capability at each site.  Then having a separate
 encryption devices to handle the site-to-site vpn requiring the gig
 throughput.  Does anyone have any suggestions on devices to use? 

   

 Adel

 


Gig Throughput on IPSEC

2009-11-11 Thread adel
 

 Hi, 

I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
link.  In the past I've normally used Juniper to terminate VPNs, as I
have found them excellent devices and the route based VPN functionality
very useful.  However looking at their range, only the ISG will do a gig
of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
firewall/routing capability at each site.  Then having a separate
encryption devices to handle the site-to-site vpn requiring the gig
throughput.  Does anyone have any suggestions on devices to use? 

  

Adel