Friday, February 22, 2019

MACSec Use case?

Hey all,

I work for a company which handles a lot of patient data. We have multiple sites (site A = head office, B = diagnostic imaging office).

Right now we have two Sonicwall TZ205, one sitting at each site. We have dark fiber connecting the sites through a local small emerging ISP. Due to the nature of our data and the visibility the ISP would have into the line if needed, we need to secure the traffic before it leaves each site. Because of this, we have been using site-to-site VPN. While this works, the TZ-205 is not handling this well, and strangles our internet due to the throughput limitations.

The provider gives us an EPL:

that the EPL would be considered a “private Line data service”. We align with the Metro Ethernet Forum’s (MEF) “CE 2.0” standard.

Every frame that comes into your EPL port (AKA UNI port) is mapped into a virtual tunnel across our network to the UNI port on the other end of the EPL. This includes all untagged, tagged VID 1-4096, and the majority of L2 control frames.

We provide no encryption and, if need be, network engineers have the ability to mirror traffic from your circuit into a packet capture device, which would only be done if they were troubleshooting an issue.

So we actually have the hardware portion of the EPL in place on both sites, just not wired into anything yet.

Our switches are all SG200 series hardware (we are not a huge enterprise), and as we are in the process of upgrading our firewalls, I would like to leverage the EPL for our site-to-site traffic.

Is this a proper use case of MACSec? Is there a better way to do this?

Thanks for the help!
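Since the provider states the EPL carries frames unencrypted and can be mirrored, the practical check once MACsec (or any link encryption) is in place is to look at what actually leaves the UNI port. The following is an added example, not code from the original post or from any vendor: a small stdlib-only Python audit that classifies frames captured on your side of the UNI into MACsec-protected (EtherType 0x88E5 with an IEEE 802.1AE SecTAG) versus cleartext, walking any 802.1Q/802.1ad tags first so it also handles "VLAN in clear" setups. The MAC addresses, VLAN ID, payloads and ICV bytes in the sample frames are constructed.

```python
import struct

ETH_MACSEC = 0x88E5   # IEEE 802.1AE: a SecTAG follows this EtherType
ETH_8021Q = 0x8100    # customer VLAN tag
ETH_8021AD = 0x88A8   # service VLAN tag (QinQ)

def parse_sectag(payload: bytes) -> dict:
    """Decode the 802.1AE SecTAG that immediately follows EtherType 0x88E5."""
    tci_an = payload[0]
    sci = payload[6:14].hex() if tci_an & 0x20 else None   # SC bit: explicit SCI present
    return {"an": tci_an & 0x03,                 # association number (which key is in use)
            "encrypted": bool(tci_an & 0x08),    # E bit: payload is confidentiality-protected
            "pn": struct.unpack("!I", payload[2:6])[0],  # packet number (replay protection)
            "sci": sci}

def classify_frame(frame: bytes) -> dict:
    """Skip any VLAN tags, then report whether the frame is MACsec-protected."""
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETH_8021Q, ETH_8021AD):          # handles 'VLAN in clear' as well
        vlans.append(struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlans": vlans, "ethertype": ethertype, "protected": ethertype == ETH_MACSEC}
    if info["protected"]:
        info["sectag"] = parse_sectag(frame[offset + 2:])
    return info

def audit(frames) -> dict:
    """Summarise how much of the traffic would be readable to anyone mirroring the circuit."""
    summary = {"total": 0, "protected": 0, "cleartext": 0, "cleartext_ethertypes": {}}
    for info in map(classify_frame, frames):
        summary["total"] += 1
        if info["protected"] and info["sectag"]["encrypted"]:   # integrity-only MACsec still leaks
            summary["protected"] += 1
        else:
            summary["cleartext"] += 1
            key = f"0x{info['ethertype']:04x}"
            summary["cleartext_ethertypes"][key] = summary["cleartext_ethertypes"].get(key, 0) + 1
    return summary

# Constructed sample frames (made-up MACs, VLAN 10, dummy payloads and a zeroed ICV)
MACS = bytes.fromhex("0200000000aa0200000000bb")
MACSEC_FRAME = (MACS + bytes.fromhex("88e5") + bytes([0x2C, 0x00]) + struct.pack("!I", 16)
                + bytes.fromhex("0200000000bb0001") + b"\xde\xad" * 20 + b"\x00" * 16)
VLAN10_IPV4 = MACS + bytes.fromhex("8100000a0800") + b"\x45" + b"\x00" * 19
UNTAGGED_LLDP = MACS + bytes.fromhex("88cc") + b"\x02\x07\x04" + b"\x00" * 10
SAMPLE_FRAMES = [MACSEC_FRAME, VLAN10_IPV4, UNTAGGED_LLDP]
```

Feed it frames read from a pcap taken on a mirror of your own UNI-facing port; any non-zero `cleartext` count (the LLDP and IPv4 samples above) shows traffic the carrier could read.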
