Macsec over VPLS not working over certain subinterfaces

Ric Hernandez
Level 1

I'm having a problem where my ISR 4K router at my HQ cannot form a MACsec session to 3 of our remote sites over 3 different VLANs.  They're all ISR 4451 routers with the same NIM-2GE-CU-SFP module.  However, the 3 remote sites can form MACsec sessions between each other.

 

HQ <-> RS1 over VLAN 101 doesn't work but L2 connectivity is there

HQ <-> RS2 over VLAN 102 doesn't work but L2 connectivity is there

HQ <-> RS3 over VLAN 103 doesn't work but L2 connectivity is there

R1 <->R2<->R3 over VLAN 105 works fine.

 

My ISP confirmed they are not blocking EAPoL traffic and I set the eapol destination-address broadcast  setting on ALL routers.

 

Any suggestions on what to look for?  I have a TAC case open but we're still trying to get this figured out.

Accepted Solution

Ric Hernandez
Level 1

I figured it out.  I upgraded my remote site 4451's to IOS-XE 3.17.4S and that allowed me to change the MACsec ether-type to B860 on all routers.  The routers were then able to establish MACsec sessions.  My ISP (Level 3) says they're not blocking EAPoL, but that has to be happening somewhere.  My DR site and my HQ site have 2 different last-mile providers and I'm wondering if one of their networks is blocking or dropping it.

DR - AT&T (Macsec worked using eapol destination-address broadcast-address but without changing eth-type to B860)

HQ - AboveNet (Macsec worked after changing eth-type to B860 and using eapol destination-address broadcast-address)
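As an added illustration (not code from the thread or from Cisco), the script below decodes captured Ethernet frames, picks out EAPOL-MKA and reports per VLAN whether the MKA frames are in the default form (the reserved 802.1X group address 01:80:C2:00:00:03 with EtherType 0x888E, which a carrier's L2VPN equipment may intercept or drop as bridge control traffic) or in the rewritten form the thread ended up with (broadcast destination with EtherType 0xB860). The sample frames, source MAC and EAPoL body are constructed placeholders, not real MKPDUs.

```python
import struct
from collections import Counter

# IEEE 802.1X values; 0xB860 is the alternate EtherType the thread configures.
ETH_EAPOL = 0x888E
ETH_EAPOL_ALT = 0xB860
ETH_DOT1Q = 0x8100
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # reserved 802.1X group address
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
EAPOL_MKA = 5                                    # EAPOL packet type for MKA

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header, an optional 802.1Q tag and the EAPoL type."""
    dst, _src, eth_type = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if eth_type == ETH_DOT1Q:
        tci, eth_type = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    ptype = None
    if eth_type in (ETH_EAPOL, ETH_EAPOL_ALT) and len(frame) >= off + 4:
        _ver, ptype, _length = struct.unpack("!BBH", frame[off:off + 4])
    return {"dst": dst, "vlan": vlan, "eth_type": eth_type, "eapol_type": ptype}

def classify(frame: bytes) -> str:
    """Label an MKA frame by how it appears on the wire toward the carrier."""
    f = parse_frame(frame)
    if f["eapol_type"] != EAPOL_MKA:
        return "not-mka"
    if f["dst"] == PAE_GROUP_MAC and f["eth_type"] == ETH_EAPOL:
        return "mka-reserved"     # default form: reserved group MAC + 0x888E
    if f["dst"] == BROADCAST_MAC and f["eth_type"] == ETH_EAPOL_ALT:
        return "mka-rewritten"    # broadcast destination + alternate EtherType
    return "mka-partial"          # only one of the two knobs applied

def build_mka(dst: bytes, vlan: int, eth_type: int) -> bytes:
    """Constructed tagged EAPOL-MKA frame; the body is a placeholder, not a real MKPDU."""
    src = bytes.fromhex("005056000001")                     # constructed source MAC
    tag = struct.pack("!HH", ETH_DOT1Q, vlan)               # PCP/DEI 0, VID = vlan
    eapol = struct.pack("!BBH", 3, EAPOL_MKA, 4) + b"\x00" * 4
    return dst + src + tag + struct.pack("!H", eth_type) + eapol

def audit(frames) -> dict:
    """Per-VLAN counts of each MKA form; a VLAN carrying only the reserved form is flagged."""
    seen = {}
    for fr in frames:
        label = classify(fr)
        if label != "not-mka":
            seen.setdefault(parse_frame(fr)["vlan"], Counter())[label] += 1
    return {v: (dict(c), set(c) == {"mka-reserved"}) for v, c in seen.items()}

# Constructed capture: HQ<->RS1 on VLAN 101 in default form, R1<->R2 on VLAN 105 rewritten.
SAMPLE = [build_mka(PAE_GROUP_MAC, 101, ETH_EAPOL)] * 2 + [build_mka(BROADCAST_MAC, 105, ETH_EAPOL_ALT)]
```

Run `audit` over frames captured at both ends of a VLAN: MKA frames that are present on the sending side but absent on the receiving side, with no session forming, point at the provider path rather than at the routers.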


