Wired Intelligent Edge


MacSec get blocked over service provider MPLS network

  • 1.  MacSec get blocked over service provider MPLS network

    Posted Jun 25, 2022 06:29 AM

    The service provider Layer 2 VPN is terminated with a pair of (NTE/CPE) Cisco ASR 920 Series Routers.

    The link state shows down immediately after any attempt to establish a MACsec-enabled trunk,

    with the message: ports: ST1-CMDR: port 1/A4 is Blocked by MACSEC

    The service provider states in the "Service Description":

    "VPN instance is based on the Ethernet over MPLS technology (EoMPLS)"

    "The Ethernet VPN Service gives the customer a transparent Ethernet connectivity between two or more geographically dispersed locations"

    Anyone, please respond with any known/normal requirements for MACsec to be active in this scenario.



  • 2.  RE: MacSec get blocked over service provider MPLS network

    MVP GURU
    Posted Jun 26, 2022 05:38 AM
    I'm curious too (MACsec requirements/restrictions over "transparent" WAN connection).


  • 3.  RE: MacSec get blocked over service provider MPLS network

    Posted Jun 27, 2022 03:46 AM
    Are you using dot1Q?

    If so, you need WAN-MACsec, because with normal MACsec the dot1q header is encrypted.

    hth
    Alex


  • 4.  RE: MacSec get blocked over service provider MPLS network

    EMPLOYEE
    Posted Jun 27, 2022 04:48 AM

    Hi,
    As a former ISP network engineer I can tell you that the issue is on the ISP CPEs (Cisco routers in that case).

    The ISP should enable tunneling of all L2 BUM traffic (STP/CDP/LLDP/EAP/802.3ad etc.).
    In most cases this is done on request and not by default.




  • 5.  RE: MacSec get blocked over service provider MPLS network

    Posted Jun 30, 2022 03:56 AM

    Thanks for contributing.

    However, after the ISP enabled both CDP/LLDP, I can now clearly see my own switch from both sides,

    clearly with names and MAC addresses, indicating a clear L2VPN.


    However, same error: the port does not initiate traffic, with the same log messages.




  • 6.  RE: MacSec get blocked over service provider MPLS network
    Best Answer

    EMPLOYEE
    Posted Jun 30, 2022 02:23 PM
    MACsec is negotiated using EAPOL packets.
    The destination MAC should be 01:80:C2:00:00:03 by default.
    Never tested with Aruba, but if compliant with the RFC, this is the BUM multicast traffic; the ISP should check whether it is tunneled correctly.
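
    Added example, not from the thread and not Aruba or Cisco code. It puts the rule behind posts 4 and 6 into a small check: frames sent to the 802.1D/802.1Q reserved Bridge Group block 01:80:C2:00:00:00 through :0F (which includes the 802.1X PAE group address 01:80:C2:00:00:03 that MKA uses, and the LLDP address 01:80:C2:00:00:0E) are link-local, so a bridge, or an EoMPLS pseudowire that behaves like one, will not forward them unless the provider explicitly tunnels them. The frame bytes are constructed for the example; the MKPDU body is a placeholder and the interface name in `send_raw` is whatever you pass in. `classify` is the part you would run over a capture taken on the far-side switch port after sending the probe.

```python
"""Decide which frames a provider's "transparent" Ethernet service must tunnel.

Added example for this thread (not Aruba or Cisco code). Frame bytes are
constructed here; addresses and EtherTypes are the IEEE 802.1 values."""
import struct

# 802.1D/802.1Q Bridge Group block 01:80:C2:00:00:00..0F: frames sent to
# these addresses are link-local and a conformant bridge does not forward
# them. A pseudowire that behaves like a bridge needs explicit L2 protocol
# tunnelling (L2PT) to carry them end to end.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address, used by MKA
NEAREST_BRIDGE = bytes.fromhex("0180c200000e")   # LLDP's usual destination
ETHERTYPE_EAPOL, ETHERTYPE_MACSEC = 0x888E, 0x88E5
ETHERTYPE_VLAN, ETHERTYPE_LLDP = 0x8100, 0x88CC
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 5: "EAPOL-MKA", 6: "EAPOL-Announcement"}


def is_reserved_group(dst: bytes) -> bool:
    """True for the 16 reserved Bridge Group addresses."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def build_eapol_mka(src: bytes, mkpdu: bytes) -> bytes:
    """Untagged EAPOL-MKA frame: 802.1X protocol version 3, packet type 5."""
    eapol = struct.pack("!BBH", 3, 5, len(mkpdu)) + mkpdu
    return PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def classify(frame: bytes) -> dict:
    """Parse Ethernet/802.1Q headers and say whether the frame is link-local."""
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:            # single 802.1Q tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"dst": dst.hex(":"), "vlan": vlan, "ethertype": ethertype,
            "link_local": is_reserved_group(dst)}
    if ethertype == ETHERTYPE_EAPOL:
        ver, ptype, _ = struct.unpack("!BBH", frame[offset:offset + 4])
        info["proto"] = EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
        info["eapol_version"] = ver
    elif ethertype == ETHERTYPE_MACSEC:
        info["proto"] = "MACsec"                # SecTAG follows; payload is protected
    elif ethertype == ETHERTYPE_LLDP:
        info["proto"] = "LLDP"
    else:
        info["proto"] = "other"
    return info


def frames_needing_tunnel(frames) -> list:
    """Protocols in the capture that only get across if the ISP tunnels them."""
    return [classify(f)["proto"] for f in frames if classify(f)["link_local"]]


def send_raw(ifname: str, frame: bytes) -> int:
    """Put a probe on the wire (Linux, needs CAP_NET_RAW); capture on the
    far-side switch port to see whether the provider delivered it."""
    import socket
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    try:
        s.bind((ifname, 0))
        return s.send(frame)
    finally:
        s.close()


# Constructed sample "capture": one MKA probe, one LLDP frame, one
# MACsec-protected data frame, one ordinary tagged IPv4 frame.
SWITCH_A = bytes.fromhex("001122aabb01")
MKA_PROBE = build_eapol_mka(SWITCH_A, b"\x01" * 32)   # placeholder MKPDU body
SAMPLE_FRAMES = {
    "eapol-mka": MKA_PROBE,
    "lldp": NEAREST_BRIDGE + SWITCH_A + struct.pack("!H", ETHERTYPE_LLDP)
            + b"\x02\x07\x04" + SWITCH_A,
    "macsec": bytes.fromhex("001122aabb02") + SWITCH_A
              + struct.pack("!H", ETHERTYPE_MACSEC) + b"\x2c\x00" + b"\x00" * 16,  # constructed SecTAG
    "tagged-ipv4": bytes.fromhex("001122aabb02") + SWITCH_A
                   + struct.pack("!HHH", ETHERTYPE_VLAN, 100, 0x0800) + b"\x45" + b"\x00" * 19,
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        info = classify(frame)
        verdict = "must be tunnelled by ISP" if info["link_local"] else "forwarded natively"
        print(f"{name:12} {info['dst']}  {info['proto']:18} {verdict}")
```

    Two things this makes visible. First, LLDP and EAPOL sit in the same reserved block but are separate protocols, and on Cisco CPEs L2 protocol tunnelling is enabled per protocol, so seeing the far-side switch in LLDP (post 5) does not show that EAPOL-MKA is carried. Second, once the MKA handshake completes, the MACsec data frames themselves (EtherType 0x88E5) are unicast between the two switches and cross the pseudowire like any other traffic, which is consistent with the link running at line rate after the CPEs were removed.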




  • 7.  RE: MacSec get blocked over service provider MPLS network

    Posted Jul 24, 2022 07:03 AM

    Thank you;

    We are in the process of removing the Cisco as the CPE,
    hence the fact that it was not capable of traversing the EAPOL handshake.. ! sic..




  • 8.  RE: MacSec get blocked over service provider MPLS network

    Posted Aug 10, 2022 04:59 AM

    The two Cisco CPEs have been removed, and the MACsec connection works flawlessly

    at "wire speed" 10 Gbps, with jumbo frames, directly in the ISP's MPLS network.

    Thanks everyone