Cisco Support Community
Community Member

Layer 2 WAN and MACSec

Hi All,

Will MACSec between two 3560X switches work across a Layer 2 WAN?

Sachin

Community Member

Layer 2 WAN and MACSec

According to what I understand or know, it is a MAC-based security feature or standard. The Data Link Layer of the OSI model has 2 sublayers:

1) Logical Link Control (LLC).

2) MAC (Media Access Control).

As it is a MAC-based standard, it can support Layer 2 WAN.

The MAC layer acts as an interface between the logical layer and the physical layer of the OSI model.

Community Member

Layer 2 WAN and MACSec

Thanks Fahad. From my understanding, MACSec operates on a hop-by-hop basis, so encryption is supposed to take place between hops and not over it, according to this document:

http://www.ieee802.org/1/files/public/docs2013/ae-seaman-macsec-hops-0213-v02.pdf

I've come across something that indicates it works over EoMPLS:

http://www.networklabs.info/2013/04/cisco-macsec-over-junipercisco-mpls.html

But I wanted to know if anyone has actually done it. Also if it works with providers who use Q-in-Q.

Sachin

Community Member

Layer 2 WAN and MACSec

You are correct, sganpat, it works on L3 interfaces.

Layer 2 WAN and MACSec

Hello Sachin,

I'd like to ask whether MACSec worked for you over the MPLS. I guess you have used a p2p PW, right?

Thank you very much

adam

Community Member

Layer 2 WAN and MACSec

Hi Adam.

We didn't bother with it. We ended up going with 15Mb WAN links and using firewalls w/VPN at the edge instead. It came out cheaper and it works so far.

I'm sorry that I couldn't be of more help to you.

Sachin

Community Member

I've seen MACSEC work over SDH and other carrier links. Oddly, I am seeing some issues with a Cisco-only provider who is using Q-in-Q, and they cannot get it to pass. The ethertypes 0x888e (EAPOL) and 0x88e5 (MACsec) are critical in the negotiation.

Community Member

I am also planning MACsec encryption for the DCI links. Since MACsec encryption is on a hop-by-hop basis, the DCI link should not have Ethernet encapsulation happening on the telco side (there could be exceptions with EoMPLS or some pseudowire tunnels).

The link I am planning is an unprotected wave (transparent Layer 1 service with optical encapsulation in the carrier network).

Please let me know if anybody has successfully implemented MACsec over a long-distance carrier network?

Community Member

Have it implemented globally.

Have implemented it across many WANs. Had an issue with Cogent on a 7600 and they replaced a line card and it's online. Have deployed over carriers with SDH, DWDM and long-haul L2 circuits. At times you have to battle with the carrier to ensure they support ethertypes 0x888e (EAPOL) and 0x88e5 (MACsec). Would recommend you provide a minimum requirements list in the contract so you can hold them to support it.
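An added example, not written by any poster in this thread: a Python check to run over frames captured at the far end of a carrier circuit, reporting whether the two ethertypes named above (0x888e and 0x88e5) arrive, including when Q-in-Q tags are still on the frame. The helper names, MAC addresses and sample frames are constructed for illustration; the EAPOL packet-type test for MKA is an addition beyond what the thread states.

```python
import struct
from collections import Counter

VLAN_TPIDS = {0x8100, 0x88A8}      # 802.1Q C-tag, 802.1ad S-tag (Q-in-Q)
ETH_EAPOL, ETH_MACSEC = 0x888E, 0x88E5
EAPOL_TYPE_MKA = 5                 # EAPOL-MKA packet type in IEEE 802.1X-2010

def classify(frame: bytes):
    """Return (vlan_ids, label) for one raw Ethernet frame without FCS."""
    if len(frame) < 14:
        return [], "truncated"
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:             # peel carrier/customer tags
        if len(frame) < offset + 6:
            return vlans, "truncated"
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
    payload = frame[offset + 2:]
    if ethertype == ETH_MACSEC:
        return vlans, "macsec"
    if ethertype == ETH_EAPOL:                 # payload: version, type, length
        is_mka = len(payload) >= 2 and payload[1] == EAPOL_TYPE_MKA
        return vlans, "eapol-mka" if is_mka else "eapol-other"
    return vlans, "other"

def link_report(frames):
    """Summarise whether both key-agreement and encrypted frames arrived."""
    counts = Counter(classify(f)[1] for f in frames)
    mka, sec = counts["eapol-mka"] > 0, counts["macsec"] > 0
    return {"counts": dict(counts), "mka_seen": mka, "macsec_seen": sec,
            "passes": mka and sec}

def make_frame(ethertype, payload, tags=(), dst="0180c2000003"):
    """Build a constructed test frame; src MAC is a made-up local address."""
    hdr = bytes.fromhex(dst) + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed capture: MKA arrives (plain and double-tagged), MACsec does not.
SAMPLE = [
    make_frame(ETH_EAPOL, bytes([3, 5, 0, 0])),
    make_frame(ETH_EAPOL, bytes([3, 5, 0, 0]), [(0x88A8, 100), (0x8100, 10)]),
    make_frame(0x0800, b"\x45" + bytes(19), dst="020000000002"),
]
```

Calling `link_report(SAMPLE)` on this constructed capture shows key agreement arriving but no 0x88e5 frames, so `passes` is false.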

Community Member

Re: Have it implemented globally.

Hi,


Did you use Cisco switches or routers for MACSec over DWDM? Did you see that MACSec works between two Cisco switches over DWDM or EoMPLS?
