Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco Trustsec across QinQ provider network

Hi,

We are thinking of using manual CTS encryption on either natively routed ports, or Vlans / SVIs  (Nexus 7ks) to form OSPF adjacencies, but need to understand if this will work across a providers QinQ network. It is my understanding that Trustsec encrypts the 802.1q VLAN tag so ultimately the WAN Provider will receive an untagged packet. So in both cases whether we use a natively routed port, or a Vlan with SVIs, the frames will be untagged.

So I suppose what I am asking is: Can a QinQ WAN provider accept untagged frames, or do frames have to ingress into the providers network with an underlying Vlan Tag in place?

 

Thanks in advance.

 

Chris.

1 REPLY
New Member

Hi Chris,from my tests MacSEC

Hi Chris,

from my tests MacSEC (manual CTS) does not work across QinQ because gcm-encrypt does authenticate via 802.1x (EAPOL frames). And EAPOL ist not tunneled. EAPOL is grabbed by the QinQ interface.

br Fritz

 

232
Views
0
Helpful
1
Replies
CreatePlease login to create content