Black Box ET0010A User Manual

EncrypTight User Guide
2 EncrypTight Deployment Planning
When deploying EncrypTight, you must plan the following:
EncrypTight Component Connections
EncrypTight can be managed in-line or out-of-band. When managing in-line, management traffic flows through the data path. You must enable the Passing TLS traffic in the clear feature on all PEPs for proper communication among EncrypTight components (ETEMS, ETPM, ETKMS, PEPs). When passing TLS in the clear is enabled on Layer 2 PEPs, TLS and ARP packets are sent unencrypted.
If your network uses other routing protocols that need to pass in the clear, consider the following:
At Layer 3, create policies to pass the routing protocols in the clear. The PEPs must also be configured to pass non-IP traffic in the clear (this is the default setting on the Advanced tab in ETEMS).
At Layer 2, consider a separate out-of-band management network, or put the management traffic on a separate VLAN and create a Layer 2 policy to pass packets with this VLAN tag in the clear.
Customer support can advise you on a solution that works best in your network.
Use local site policies
Local site policies allow you to create locally configured policies using CLI commands, without requiring an EncrypTight ETKMS for key distribution. Using the local-site CLI commands you can create manual key encryption policies, bypass policies, and discard policies at either Layer 2 or Layer 3. Mesh policies can be created by adding policies that share the identical keys and SPIs to multiple ETEPs.
The primary use for local site policies is to facilitate in-line management in Layer 2 encrypted networks. These policies supplement existing encryption policies, adding the flexibility to encrypt or pass in the clear specific Layer 3 routing protocols, or Layer 2 Ethertypes and VLAN IDs.
For information on creating and using local site policies, see the CLI User Guide.
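The two passages above (the PEP-wide "pass TLS in the clear" and "pass non-IP in the clear" settings, and the local site bypass/encrypt/discard policies keyed on Layer 3 protocol, Ethertype or VLAN ID) describe a per-frame decision. The following Python model is an added illustration, not EncrypTight code and not the ETEP CLI syntax: the selector fields, the order in which the PEP-wide features are checked before the policy list, first-match-wins evaluation, the default action, and the management TLS port are all assumptions. The sample policy sets and frames are constructed. What it shows is which traffic ends up crossing the PEP unencrypted under each configuration, which is the thing to review before enabling in-line management.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known protocol numbers used by the constructed sample frames.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_LLDP = 0x88CC
IPPROTO_TCP = 6
IPPROTO_OSPF = 89
TLS_MGMT_PORT = 443  # assumed: TCP port this model treats as management TLS


@dataclass(frozen=True)
class Frame:
    """Fields the toy selector looks at (assumed field set)."""
    ethertype: int
    vlan: Optional[int] = None
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    """A local policy; any selector left as None is a wildcard."""
    name: str
    action: str  # "encrypt", "bypass" (pass in the clear) or "discard"
    ethertype: Optional[int] = None
    vlan: Optional[int] = None
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, frame: Frame) -> bool:
        for field in ("ethertype", "vlan", "ip_proto", "dst_port"):
            wanted = getattr(self, field)
            if wanted is not None and getattr(frame, field) != wanted:
                return False
        return True


def classify(frame: Frame, policies: List[Policy], *,
             pass_tls_clear: bool, pass_non_ip_clear: bool,
             default: str = "encrypt") -> str:
    """Action for one frame. Assumed ordering: PEP-wide features first,
    then the policy list first-match-wins, then the default."""
    if pass_tls_clear:
        # The guide states that with this feature on, TLS and ARP leave unencrypted.
        if frame.ethertype == ETHERTYPE_ARP:
            return "bypass"
        if (frame.ethertype == ETHERTYPE_IPV4 and frame.ip_proto == IPPROTO_TCP
                and frame.dst_port == TLS_MGMT_PORT):
            return "bypass"
    if pass_non_ip_clear and frame.ethertype != ETHERTYPE_IPV4:
        return "bypass"
    for policy in policies:
        if policy.matches(frame):
            return policy.action
    return default


def audit_clear_text(frames: Dict[str, Frame], policies: List[Policy],
                     **features: bool) -> List[str]:
    """Names of the sample frames that would cross the PEP unencrypted."""
    return sorted(name for name, f in frames.items()
                  if classify(f, policies, **features) == "bypass")


# Constructed Layer 2 scenario: management on VLAN 100 passed in the clear,
# everything else encrypted.
LAYER2_POLICIES = [
    Policy("mgmt-vlan-clear", "bypass", vlan=100),
    Policy("encrypt-rest", "encrypt"),
]
LAYER2_FRAMES = {
    "mgmt-tls": Frame(ETHERTYPE_IPV4, vlan=100, ip_proto=IPPROTO_TCP, dst_port=TLS_MGMT_PORT),
    "user-http": Frame(ETHERTYPE_IPV4, vlan=200, ip_proto=IPPROTO_TCP, dst_port=80),
    "arp": Frame(ETHERTYPE_ARP, vlan=200),
}

# Constructed Layer 3 scenario: OSPF bypassed by an explicit policy, non-IP
# traffic governed by the PEP-wide setting, all other IP traffic encrypted.
LAYER3_POLICIES = [
    Policy("ospf-clear", "bypass", ethertype=ETHERTYPE_IPV4, ip_proto=IPPROTO_OSPF),
    Policy("encrypt-ip", "encrypt", ethertype=ETHERTYPE_IPV4),
]
LAYER3_FRAMES = {
    "ospf": Frame(ETHERTYPE_IPV4, ip_proto=IPPROTO_OSPF),
    "user-http": Frame(ETHERTYPE_IPV4, ip_proto=IPPROTO_TCP, dst_port=80),
    "lldp": Frame(ETHERTYPE_LLDP),
}


def layer2_decisions(pass_tls_clear: bool = True) -> Dict[str, str]:
    return {n: classify(f, LAYER2_POLICIES, pass_tls_clear=pass_tls_clear,
                        pass_non_ip_clear=False) for n, f in LAYER2_FRAMES.items()}


def layer3_decisions(pass_non_ip_clear: bool = True) -> Dict[str, str]:
    return {n: classify(f, LAYER3_POLICIES, pass_tls_clear=True,
                        pass_non_ip_clear=pass_non_ip_clear) for n, f in LAYER3_FRAMES.items()}


if __name__ == "__main__":
    print("Layer 2:", layer2_decisions())
    print("Layer 2, TLS-in-clear off:", layer2_decisions(pass_tls_clear=False))
    print("Layer 3 in the clear:", audit_clear_text(
        LAYER3_FRAMES, LAYER3_POLICIES, pass_tls_clear=True, pass_non_ip_clear=True))
```

Running the Layer 2 scenario with the TLS-in-the-clear feature turned off shows why the guide requires it for in-line management on Layer 2 PEPs: the management TLS session still passes because of the explicit VLAN 100 bypass policy, but ARP on the data VLAN now falls through to the catch-all encrypt rule. The audit function is the check worth keeping: every name it returns is traffic an observer on the encrypted link can read, so the list should contain only what you intended (management TLS, ARP, routing protocols) and nothing else.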
This chapter discusses connections between each of the EncrypTight components, providing in-line and out-of-band examples.