Macsec over VPLS not working over certain subinterfaces

I'm having a problem where my ISR 4K router at my HQ cannot form a MACsec session to 3 of our remote sites over 3 different VLANs. They're all ISR 4451 routers with the same NIM-2GE-CU-SFP module. However, the 3 remote sites can form MACsec sessions between each other.


- HQ <-> RS1 over VLAN 101 doesn't work, but L2 connectivity is there
- HQ <-> RS2 over VLAN 102 doesn't work, but L2 connectivity is there
- HQ <-> RS3 over VLAN 103 doesn't work, but L2 connectivity is there
- R1 <-> R2 <-> R3 over VLAN 105 works fine.


My ISP confirmed they are not blocking EAPoL traffic, and I set the `eapol destination-address broadcast-address` setting on ALL routers.


Any suggestions on what to look for? I have a TAC case open, but we're still trying to get this one figured out.

Accepted Solution

Re: Macsec over VPLS not working over certain subinterfaces

I figured it out. I upgraded my remote site 4451's to IOS-XE 3.17.4S, and that allowed me to change the MACsec ether-type to B860 on all routers. The routers were then able to establish MACsec sessions. My ISP (Level 3) says they're not blocking EAPoL, but that has to be happening somewhere. My DR site and my HQ site have 2 different last-mile providers, and I'm wondering if one of their networks is blocking or dropping it.

- DR - AT&T (MACsec worked using `eapol destination-address broadcast-address` but without changing the eth-type to B860)
- HQ - AboveNet (MACsec worked after changing the eth-type to B860 and using `eapol destination-address broadcast-address`)

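The two knobs in the accepted solution change how an MKA (EAPoL) frame looks to the carrier's bridged network: the destination MAC (reserved 01:80:C2:00:00:03 group address vs. broadcast) and the ethertype (0x888E vs. the 0xB860 value the poster configured). The following added example, not from the thread or from Cisco, parses raw Ethernet frames captured on either end of the VPLS link, peels any 802.1Q tags, and reports which of those two properties could stop a frame from crossing the provider. The 0xB860 ethertype and the broadcast destination are taken from the post; 0x888E, the PAE group address and EAPOL packet type 5 (MKA) are the IEEE 802.1X values; the frames at the end are constructed samples.

```python
import struct

EAPOL_DEFAULT_ETHERTYPE = 0x888E   # IEEE 802.1X default EAPoL ethertype
EAPOL_ALT_ETHERTYPE = 0xB860       # value the poster configured with the macsec ether-type command
VLAN_TPIDS = (0x8100, 0x88A8)      # 802.1Q and 802.1ad (QinQ) tag protocol identifiers
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address, not forwarded by 802.1Q bridges
BROADCAST = b"\xff" * 6            # destination used by "eapol destination-address broadcast-address"
EAPOL_TYPE_MKA = 5                 # EAPOL packet type carrying MKA

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame (any number of VLAN tags) and flag EAPoL/MKA properties."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlans = 14, []
    while ethertype in VLAN_TPIDS:           # peel VLAN tags and record the VLAN IDs seen
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)
        offset += 4
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "eapol": False}
    if ethertype in (EAPOL_DEFAULT_ETHERTYPE, EAPOL_ALT_ETHERTYPE):
        version, ptype, _length = struct.unpack("!BBH", frame[offset:offset + 4])
        info.update(eapol=True, eapol_version=version, is_mka=(ptype == EAPOL_TYPE_MKA),
                    alt_ethertype=(ethertype == EAPOL_ALT_ETHERTYPE),
                    dst_is_pae_group=(dst == PAE_GROUP_ADDR), dst_is_broadcast=(dst == BROADCAST))
    return info

def transit_risks(info: dict) -> list:
    """Reasons a bridged carrier network (VPLS) might not deliver this EAPoL frame end to end."""
    if not info["eapol"]:
        return []
    risks = []
    if info["dst_is_pae_group"]:
        risks.append("dst is the reserved 01:80:c2:00:00:03 group address, which bridges do not forward")
    if not info["alt_ethertype"]:
        risks.append("ethertype 0x888E may be consumed by 802.1X-aware provider equipment")
    return risks

def build_eapol_mka(dst: bytes, vlan=None, ethertype=EAPOL_DEFAULT_ETHERTYPE, body=b"\x00" * 4) -> bytes:
    """Constructed sample frame: EAPOL version 3, packet type 5 (MKA), minimal body."""
    hdr = dst + bytes.fromhex("001122334455")          # constructed source MAC
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!HBBH", ethertype, 3, EAPOL_TYPE_MKA, len(body)) + body

# Constructed samples: the default MKA frame on VLAN 101 vs. the poster's working combination
DEFAULT_FRAME = build_eapol_mka(PAE_GROUP_ADDR, vlan=101)
HARDENED_FRAME = build_eapol_mka(BROADCAST, vlan=101, ethertype=EAPOL_ALT_ETHERTYPE)
```

Feed frames captured on the remote-site interface through `parse_frame` to confirm which VLAN they carry and whether the HQ side's EAPoL frames are arriving at all; an empty `transit_risks` list for the local frames but no matching frames from the peer points at a drop inside the carrier path rather than at the router configuration.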
