Wired Intelligent Edge (Campus Switching and Routing)

Regular Contributor II

MACsec / tunnelled node / encryption question

Hi all,


I have a request on my network (3810M at the access layer with ClearPass doing access control) to give a more secure connection to certain devices at the access layer.

I've tried to suggest we do downloadable ACLs, but for accreditation reasons that won't suffice.

They want to see further segregation than an ACL... I have 2 thoughts:


1. Set up a controller and do tunnelled node so it gets segregated to a physically separate device. I'm aware the GRE tunnel this makes isn't encrypted though? So in effect the only separation is a GRE header?


2. Somehow use MACsec on certain connections to an upstream switch to create this separation with encryption? Can I do MACsec on only certain links that come in?


Thanks


Accepted Solutions
MVP

Re: MACsec / tunnelled node / encryption question

With GRE tunnels and Aruba controllers, we are not only separating traffic by GRE, but the controller also acts as a stateful firewall between them.


With MACsec, you can enable it on specific ports, but they should be directly connected, meaning you can do MACsec between directly connected switch ports of two switches.


If a reply adequately addresses your issue, please click on the "Accept as Solution"

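To make the two points in this thread concrete (a GRE tunnel adds a header but leaves the tunnelled frame readable on the wire, while a MACsec link on a directly connected port carries a SecTAG whose E bit says whether the payload is actually encrypted), here is an added example that is not from the thread or from Aruba. It is a small stdlib-only Python classifier that takes captured Ethernet frames and reports the encapsulation and whether the payload is confidential on the link. All frames, MAC addresses, the GRE key and the MACsec "ciphertext"/ICV bytes are constructed sample data; no real AES-GCM is computed and the IPv4 checksum is left at zero.

```python
"""Classify Ethernet frames: plain, GRE-encapsulated (cleartext) or MACsec (SecTAG).

Added illustration, not thread or vendor code. Sample frames are constructed.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MACSEC = 0x88E5            # IEEE 802.1AE
ETHERTYPE_TRANSPARENT_ETH = 0x6558   # GRE protocol type for bridged Ethernet
IP_PROTO_GRE = 47
ICV_LEN = 16                         # ICV length for GCM-AES cipher suites


def parse_sectag(body):
    """Parse a MACsec SecTAG; `body` is everything after EtherType 0x88E5."""
    tci_an, short_len = body[0], body[1]
    pn = struct.unpack("!I", body[2:6])[0]
    has_sci = bool(tci_an & 0x20)            # SC bit: explicit 8-byte SCI present
    offset = 14 if has_sci else 6
    return {
        "an": tci_an & 0x03,                  # association number
        "pn": pn,                             # packet number (replay protection)
        "sci": body[6:14].hex() if has_sci else None,
        "encrypted": bool(tci_an & 0x08),     # E bit: secure data is ciphertext
        "changed_text": bool(tci_an & 0x04),  # C bit
        "short_length": short_len,
        "secure_data": body[offset:-ICV_LEN],
        "icv": body[-ICV_LEN:],
    }


def parse_gre(gre):
    """Parse a GRE header (RFC 2784/2890): flags, protocol, optional fields."""
    flags, proto = struct.unpack("!HH", gre[:4])
    offset = 4
    if flags & 0x8000:                        # C bit: checksum + reserved1
        offset += 4
    key = None
    if flags & 0x2000:                        # K bit: 4-byte key
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & 0x1000:                        # S bit: sequence number
        offset += 4
    return {"inner_protocol": proto, "gre_key": key, "inner_payload": gre[offset:]}


def classify_frame(frame):
    """Return the encapsulation and whether the payload is encrypted on the wire."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETHERTYPE_MACSEC:
        tag = parse_sectag(body)
        return {"encapsulation": "macsec", "payload_encrypted": tag["encrypted"], **tag}
    if ethertype == ETHERTYPE_IPV4:
        ihl = (body[0] & 0x0F) * 4
        if body[9] == IP_PROTO_GRE:
            gre = parse_gre(body[ihl:])
            # GRE is encapsulation only: the inner frame is readable as-is.
            return {"encapsulation": "gre", "payload_encrypted": False, **gre}
    return {"encapsulation": "plain", "payload_encrypted": False, "payload": body}


# Constructed sample addresses and frames (not captured from any real network).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")


def build_gre_frame(inner_frame, key=100):
    """GRE-over-IPv4 frame (K bit set) carrying an Ethernet frame; IP checksum 0."""
    gre = struct.pack("!HHI", 0x2000, ETHERTYPE_TRANSPARENT_ETH, key) + inner_frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 1, 0, 64,
                     IP_PROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + ip + gre


def build_macsec_frame(secure_data, icv, pn=1, encrypt=True):
    """MACsec frame with explicit SCI (SC=1). encrypt=False models integrity-only."""
    tci_an = 0x20 | (0x0C if encrypt else 0x00)      # SC, then E+C when encrypting
    short_len = len(secure_data) if len(secure_data) < 48 else 0
    sectag = bytes([tci_an, short_len]) + struct.pack("!I", pn) + SRC + b"\x00\x01"
    return DST + SRC + struct.pack("!H", ETHERTYPE_MACSEC) + sectag + secure_data + icv


INNER = SRC + DST + struct.pack("!H", ETHERTYPE_IPV4) + b"cleartext inner payload"
GRE_FRAME = build_gre_frame(INNER)
MACSEC_FRAME = build_macsec_frame(bytes(range(0xA0, 0xB4)), b"\xEE" * ICV_LEN)
MACSEC_INTEGRITY_ONLY = build_macsec_frame(INNER, b"\xEE" * ICV_LEN, encrypt=False)

if __name__ == "__main__":
    for name, frame in (("gre", GRE_FRAME), ("macsec", MACSEC_FRAME),
                        ("macsec-integrity-only", MACSEC_INTEGRITY_ONLY)):
        result = classify_frame(frame)
        print(f"{name}: {result['encapsulation']} encrypted={result['payload_encrypted']}")
```

The third sample frame is the caveat worth checking when MACsec is rolled out for the accreditation case: 802.1AE allows integrity-only operation (E bit clear), in which case the link is authenticated but the payload is still cleartext, so a capture on the link should show the E bit set on every MACsec frame, not just the 0x88E5 EtherType.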

