I've seen MACSEC work over SDH and other carrier links. Oddly am seeing some issues with a Cisco only provider who is using qinq and they cannot get it to pass. The ethertypes 0x888e eapol and 0x88e5 MACSEC are critical in the negotiation.
I am also planning MACsec encryption for the DCI links. Since MACsec encryption on a hop-by-hop basis, DCI link should not expect to have ethernet encapsulation happening in the telco side (there could be exception with EoMPLS or some pseudowire tunnels).
The link I am planning is Unprotected wave (transparent layer1 service with optical encapsulation in carrier network).
Please let me know if any body have successfully implemented MACsec over long distance carrier network?
Have it implemented it across many WAN's. Had an issue with Cogent on a 7600 and they replaced a line-card and its online. Have deployed over carriers with SDH, DWDM and long-haul L2 circuits. At times you have to battle with carrier to ensure they support ethertypes 0x888e eapol and 0x88e5 macsec, would recommend you provide a minimum requirements list in contract so you can hold them to support it.
This document gives several answers on frequently asked questions for PFRv3 channel state behavior.
Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st...
The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).
The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN.
I couldn't connect to the hos...
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers. When we try to change the wiring and configuration, we run in to connectivity issues. Attached is a des...