RE: OT: IPsec throughput over 4 Gbps

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Sat, 1 Sep 2012 14:50:17 -0500

In general MACsec is implemented in the ASIC, so it should be line rate.
Check the hardware release notes of whichever platform you're going to use
though just to be sure. 3750X does say it's line rate, so 4Gbps throughput in
MACsec on a 10GigE link shouldn't be a problem. As for the actual security
of the data plane, it uses AES just like IPsec does so they're comparable
levels of encryption.

One of the key differences between MACsec and IPsec though is that MACsec is
hop-by-hop encryption, while IPsec is an end-to-end tunnel. So for example if
you're routing your traffic as regular IPv4 over the Internet, you can't use
MACsec because you'd have to do it on every single link. However if the link
is yours as layer 2 end-to-end, like dark fiber CWDM/DWDM or even MPLS AToM or
VPLS then MACsec will work fine.

This would be a good starting place for it:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.pdf

Good luck!

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

From: Mohammad Moghaddas [mailto:moghaddas.it_at_gmail.com]
Sent: Saturday, September 01, 2012 8:02 AM
To: Brian McGahan
Cc: Ryan West; Cisco certification
Subject: Re: OT: IPsec throughput over 4 Gbps

And another question, how does MACsec affect switch performance?
Could a 3750X handle 4 Gbps of throughput using MACsec?

On Sat, Sep 1, 2012 at 7:24 PM, Mohammad Moghaddas <moghaddas.it_at_gmail.com> wrote:

Hi Brian,
You mean that I can use 3750X platform plus 10G module and MACsec?
Is it as secure as IPsec?

On Sat, Sep 1, 2012 at 6:42 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
Is it an Ethernet link? If it's already point-to-point layer 2 you could look
into running MACsec instead of IPsec.

HTH,

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

On Sep 1, 2012, at 6:05 AM, "Ryan West" <rwest_at_zyedge.com> wrote:

> 5585-x with SSP60, 5gbps capable.
>
> Sent from handheld
>
> On Sep 1, 2012, at 8:38 AM, "Mohammad Moghaddas" <moghaddas.it_at_gmail.com> wrote:
>
> Thanks for your quick response Ryan.
> What about ASA?
> Are there any other solutions out there? Even from another vendor than
> Cisco?
>
>
> On Sat, Sep 1, 2012 at 4:47 PM, Ryan West <rwest_at_zyedge.com> wrote:
> It's going to be expensive, look at your options in the ASR line. Afaik,
> none of the G2's are going to push, even unencrypted.
>
> Sent from handheld
>
> On Sep 1, 2012, at 8:12 AM, "Mohammad Moghaddas" <moghaddas.it_at_gmail.com> wrote:
>
>> Hi there.
>> I need to run IPsec between two directly connected points with fiber, but
>> the traffic throughput will be about 4 Gbps.
>> Only IPsec will be run on these two points and no other protocols (no
>> routing, no pbr, no nat, no qos, nothing)
>> Is there any option except using 7600 series plus IPsec SPA?
>> Is it possible on 3900 plus HSEC? But I didn't find any 10G module for
>> these routers. And what about 2900?
>> Sharing your experiences will be appreciated.
>>
>> Best Regards.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Sep 01 2012 - 14:50:17 ART

This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART