Wired Intelligent Edge

 View Only
last person joined: 14 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

MacSec get blocked over service provider MPLS network

Jump to Best Answer
This thread has been viewed 41 times
  • 1.  MacSec get blocked over service provider MPLS network

    Posted Jun 25, 2022 06:29 AM

    The service provider Layer2-VPN is terminated with a pair of [NTE/CPE]Cisco ASR 920 Series Routers.

    The link state show down immediately after any attempt to establish a MacSec enabled Trunk,

    With messages: ports: ST1-CMDR: port 1/A4 is Blocked by MACSEC

     

    The service provider state in the "Service Description"

    "VPN instance is based on the Ethernet over MPLS technology (EoMPLS)"

    "The Ethernet VPN Service gives the customer a transparent Ethernet connectivity between two or

    more geographically dispersed locations"

     

    Anyone, please respond with any knows/normal requirement for the macSec to be active,

    In this scenario.



  • 2.  RE: MacSec get blocked over service provider MPLS network

    MVP GURU
    Posted Jun 26, 2022 05:38 AM
    I'm curious too (MACsec requirements/restrictions over "transparent" WAN connection).


  • 3.  RE: MacSec get blocked over service provider MPLS network

    Posted Jun 27, 2022 03:46 AM
    are you using dot1Q?

    if, you need WAN-MACsec, cos with normal MACsec the dot1q header is crypted.

    hth
    Alex


  • 4.  RE: MacSec get blocked over service provider MPLS network

    EMPLOYEE
    Posted Jun 27, 2022 04:48 AM

    Hi,
    As a former ISP network engineer i can tell you that the issue is on the ISP CPE's (Cisco Routers in that case) .

    The ISP should enable tunneling all L2 traffic  BUM (STP\CDP\LLDP\EAP\802.3ad etc.).
    In most cases this is done on request and not as a default.




  • 5.  RE: MacSec get blocked over service provider MPLS network

    Posted Jun 30, 2022 03:56 AM

    Thanks for contributing.

    However, after the ISP enabled both CDP/LLDP, I now clearly can see my own switch from both sides.

    Clearly with names and mac-addresses, indicating a clear L2VPN.


    However, same, error, the port do not initiate traffic, with same log messages.




  • 6.  RE: MacSec get blocked over service provider MPLS network
    Best Answer

    EMPLOYEE
    Posted Jun 30, 2022 02:23 PM
    MACSEC is negotiated using EAPOL packets.
    Destination MAC should be 01:80:C2:00:00:03 by default.
    Never tested with Aruba but if compliant with the RFC this the BUM multicast traffic the ISP should be checked if tunneled correctly.




  • 7.  RE: MacSec get blocked over service provider MPLS network

    Posted 17 days ago

    Thank you;

    we are in the process of removing the Cisco as the CPE,
    hence the fact that is was not capable of traversing the EAOPL handshake.. ! sic..




  • 8.  RE: MacSec get blocked over service provider MPLS network

    Posted 10 hours ago

    The two Cisco CPE's has been removed, and the MacSec connection work flawless

    at "wire speed" 10 Gbs, with jumboframe; direct in the ISP,s mpls network.

    Thanks everyone