Hi

If you had a 10Gb/s link between 2 CCR's and you wanted to encrypt the link what tunnel/encryption would you use and what speed do you lose due to the tunnel/encryption? Is it possible with CCR's to encrypt that link?

While I do lots of encrypted tunnels with microtik I have never wanted to take a 10Gb/s link and encrypt the link, ie all traffic goes down the encrypted tunnel from 1 data centre to another.

So my question relates to the performance of the encrypted link and what over head there is, what bandwidth do we lose by encrypting the link.

There is no point encrypting a 10Gb/s link if I can then only send 2Gb/s data down it due to overhead.

Does anyone have any stats on the most efficient encrypted tunnel with 2 x CCR's on 10Gb/s.

Anyone got a lab with 2 x CCR's and could whiz a link up and see? (I only have CCR's in production currently.)

Thanks

Tony

We have a full lab of everything from Cisco 6509-E to just about ever flavor of CCR and rack mount MikroTik. When I get a chance I'll try this on a couple of VMs that go through our 40 Gbps CCR Data Center lab.

Here is thread where MikroTik comments on IPSEC throughput in CCRs and it appears to top out around 3 Gbps in the best case scenario.

http://forum.mikrotik.com/viewtopic.php?t=87892

Sounds like you might need something like this.

http://www.senetas.com/encryptors/layer-2-encryptors/

They look reassuringly expensive!

We have a full lab of everything from Cisco 6509-E to just about ever flavor of CCR and rack mount MikroTik. When I get a chance I'll try this on a couple of VMs that go through our 40 Gbps CCR Data Center lab.

Here is thread where MikroTik comments on IPSEC throughput in CCRs and it appears to top out around 3 Gbps in the best case scenario.

http://forum.mikrotik.com/viewtopic.php?t=87892

thanks anything else faster such as SSTP

I think you ultimately need to encrypt layer 2 but that's hop by hop so I don't think you can.

regards

Tony

Sounds like you might need something like this.

http://www.senetas.com/encryptors/layer-2-encryptors/

They look reassuringly expensive!

Can you encrypt data layer 2 multi hop when we only have control of devices both ends not in the middle?

regards

Tony

Can you encrypt data layer 2 multi hop when we only have control of devices both ends not in the middle?

Depends on the type of service. If its a MetroEthernet e-line service like EPL it should work fine. If it is a EVPL service there will be issues. If your switches connecting to the service support MACsec you can achieve line rate encryption speeds with sub millisecond latency. With the newer WAN MACsec extensions coming it will allow EVPL and e-lan services to work with MACsec.

That said none of Mikrotik's product line supports MACsec so you will need to rely on a third party solution.