at "wire speed" 10 Gb/s, with jumbo frames, directly in the ISP's MPLS network.
Thanks everyone
Original Message:
Sent: Jul 24, 2022 07:03 AM
From: Steinar Grande
Subject: MacSec get blocked over service provider MPLS network
Thank you;
we are in the process of removing the Cisco as the CPE,
hence the fact that it was not capable of traversing the EAPOL handshake..! sic..
Original Message:
Sent: Jun 30, 2022 02:22 PM
From: Matan Tal
Subject: MacSec get blocked over service provider MPLS network
MACSEC is negotiated using EAPOL packets.
Destination MAC should be 01:80:C2:00:00:03 by default.
Never tested with Aruba, but if it is compliant with the RFC, this is BUM multicast traffic, and the ISP should be checked to see whether it is tunneled correctly.
Original Message:
Sent: Jun 30, 2022 03:55 AM
From: Steinar Grande
Subject: MacSec get blocked over service provider MPLS network
Thanks for contributing.
However, after the ISP enabled both CDP/LLDP, I can now clearly see my own switch from both sides.
Clearly with names and MAC addresses, indicating a clear L2VPN.
However, same error: the port does not initiate traffic, with the same log messages.
Original Message:
Sent: Jun 27, 2022 04:47 AM
From: Matan Tal
Subject: MacSec get blocked over service provider MPLS network
Hi,
As a former ISP network engineer I can tell you that the issue is on the ISP CPEs (Cisco routers in that case).
The ISP should enable tunneling of all L2 BUM traffic (STP\CDP\LLDP\EAP\802.3ad etc.).
In most cases this is done on request and not as a default.
Original Message:
Sent: Jun 25, 2022 06:28 AM
From: Steinar Grande
Subject: MacSec get blocked over service provider MPLS network
The service provider Layer2-VPN is terminated with a pair of [NTE/CPE] Cisco ASR 920 Series Routers.
The link state shows down immediately after any attempt to establish a MacSec enabled trunk,
With messages: ports: ST1-CMDR: port 1/A4 is Blocked by MACSEC
The service provider states in the "Service Description":
"VPN instance is based on the Ethernet over MPLS technology (EoMPLS)"
"The Ethernet VPN Service gives the customer a transparent Ethernet connectivity between two or
more geographically dispersed locations"
Anyone, please respond with any known/normal requirements for MacSec to be active
in this scenario.
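
Added example, not part of the thread and not written by any participant: a Python check for captures taken at both ends of the L2VPN, to see whether EAPOL-MKA frames (EtherType 0x888E, EAPOL packet type 5, sent to the 01:80:C2:00:00:03 address mentioned above) reach the far side. The frames are constructed samples and the function names are hypothetical.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")  # default EAPOL destination named in the thread
ETH_EAPOL, ETH_MACSEC, ETH_LLDP = 0x888E, 0x88E5, 0x88CC
VLAN_TAGS = {0x8100, 0x88A8}               # 802.1Q / 802.1ad tags a carrier may push
EAPOL_TYPE_MKA = 5                         # EAPOL-MKA packet type (IEEE 802.1X-2010)

def classify(frame: bytes) -> str:
    """Label a raw Ethernet frame: mka, eapol, macsec, other or truncated."""
    off = 12                               # offset of the EtherType field
    if len(frame) < off + 2:
        return "truncated"
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in VLAN_TAGS:              # step over each 4-byte VLAN tag
        off += 4
        if len(frame) < off + 2:
            return "truncated"
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETH_MACSEC:
        return "macsec"                    # already-protected data frame
    if etype != ETH_EAPOL:
        return "other"
    if len(frame) < off + 6:               # EAPOL header: version, type, 2-byte length
        return "truncated"
    return "mka" if frame[off + 3] == EAPOL_TYPE_MKA else "eapol"

def diagnose(local_tx, remote_rx) -> str:
    """Compare frames sent at one site with frames captured at the far site."""
    if not any(classify(f) == "mka" for f in local_tx):
        return "no-mka-sent"               # local switch never started key agreement
    if not any(classify(f) == "mka" for f in remote_rx):
        return "mka-dropped-in-transit"    # provider path is not carrying EAPOL
    return "mka-delivered"

def build(dst: bytes, etype: int, payload: bytes, vlan=None) -> bytes:
    """Construct a sample frame (test data only, not a capture)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    src = bytes.fromhex("020000000001")    # constructed, locally administered MAC
    return dst + src + tag + struct.pack("!H", etype) + payload

# Constructed samples: one MKA PDU and one LLDP frame.
MKA = build(PAE_GROUP, ETH_EAPOL, bytes([3, EAPOL_TYPE_MKA, 0, 4]) + b"\x00" * 4)
LLDP = build(bytes.fromhex("0180c200000e"), ETH_LLDP, b"\x00" * 8)

if __name__ == "__main__":
    # LLDP crosses the link but MKA does not.
    print(diagnose([LLDP, MKA], [LLDP]))
```

Feed `diagnose` the raw frames exported from a port mirror at each site; a result of `mka-dropped-in-transit` while LLDP is visible end to end points at the provider's L2 protocol tunneling rather than the local MACsec configuration.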