MacSec get blocked over service provider MPLS network

  • 1.  MacSec get blocked over service provider MPLS network

    Posted Jun 25, 2022 06:29 AM

    The service provider Layer 2 VPN is terminated with a pair of [NTE/CPE] Cisco ASR 920 Series Routers.

    The link state shows down immediately after any attempt to establish a MACsec-enabled trunk,

    with the message: ports: ST1-CMDR: port 1/A4 is Blocked by MACSEC

    The service provider states in the "Service Description":

    "VPN instance is based on the Ethernet over MPLS technology (EoMPLS)"

    "The Ethernet VPN Service gives the customer a transparent Ethernet connectivity between two or more geographically dispersed locations"

    Anyone, please respond with any known/normal requirements for MACsec to be active in this scenario.



  • 2.  RE: MacSec get blocked over service provider MPLS network

    MVP GURU
    Posted Jun 26, 2022 05:38 AM
    I'm curious too (MACsec requirements/restrictions over "transparent" WAN connection).


  • 3.  RE: MacSec get blocked over service provider MPLS network

    Posted Jun 27, 2022 03:46 AM
    Are you using dot1Q?

    If so, you need WAN-MACsec, because with normal MACsec the dot1Q header is encrypted.

    HTH
    Alex


  • 4.  RE: MacSec get blocked over service provider MPLS network

    EMPLOYEE
    Posted Jun 27, 2022 04:48 AM

    Hi,
    As a former ISP network engineer, I can tell you that the issue is on the ISP CPEs (Cisco routers in that case).

    The ISP should enable tunneling of all L2 BUM traffic (STP/CDP/LLDP/EAP/802.3ad etc.).
    In most cases this is done on request and not as a default.




  • 5.  RE: MacSec get blocked over service provider MPLS network

    Posted Jun 30, 2022 03:56 AM

    Thanks for contributing.

    However, after the ISP enabled both CDP and LLDP, I can now clearly see my own switch from both sides.

    Clearly with names and MAC addresses, indicating a clear L2VPN.


    However, same error: the port does not initiate traffic, with the same log messages.




  • 6.  RE: MacSec get blocked over service provider MPLS network
    Best Answer

    EMPLOYEE
    Posted Jun 30, 2022 02:23 PM
    MACsec is negotiated using EAPOL packets.
    The destination MAC should be 01:80:C2:00:00:03 by default.
    Never tested with Aruba, but if compliant with the RFC, this is the BUM multicast traffic the ISP should check is tunneled correctly.




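As an added example (not code from this thread, nor from Aruba or Cisco), the Python script below parses a handful of constructed Ethernet frames and reports which ones are Layer 2 control traffic that a standard bridge will not forward unless the provider explicitly tunnels it, including the EAPOL/MKA frames to 01:80:C2:00:00:03 that MACsec depends on, as described in replies 4 and 6. It also shows why, as reply 3 notes, a MACsec-protected frame no longer presents an 802.1Q tag to the provider. The sample frames and the switch MAC address 00:11:22:33:44:55 are constructed; the group addresses, EtherTypes and the EAPOL-MKA packet type are the standard IEEE and vendor values.

```python
"""
Classify Ethernet frames by the Layer 2 control protocol they carry, to check
which frame types a "transparent" L2VPN must tunnel before MACsec can come up.
Added example; sample frames are constructed inline.
"""
import struct

ETHERTYPE_VLAN = 0x8100    # 802.1Q tag
ETHERTYPE_EAPOL = 0x888E   # 802.1X PAE frames, which carry MKA for MACsec
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_MACSEC = 0x88E5  # a MACsec SecTAG follows this EtherType
EAPOL_TYPE_MKA = 5         # EAPOL packet type for MKA (IEEE 802.1X-2010)

# 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F are 802.1D reserved group addresses:
# standard bridges do not forward them, so a provider must tunnel them on request.
RESERVED_PREFIX = bytes.fromhex("0180c20000")

KNOWN_GROUPS = {
    bytes.fromhex("0180c2000000"): "STP/RSTP/MSTP BPDU",
    bytes.fromhex("0180c2000002"): "Slow protocols (LACP / 802.3ad)",
    bytes.fromhex("0180c2000003"): "EAPOL / MACsec MKA",
    bytes.fromhex("0180c200000e"): "LLDP (nearest bridge)",
    bytes.fromhex("01000ccccccc"): "Cisco CDP/VTP/PAgP/UDLD",  # vendor group, consumed by Cisco CPEs
}


def fmt_mac(mac):
    return ":".join("%02x" % b for b in mac)


def parse_frame(frame):
    """Split dst, src, EtherType and payload; step over one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst, src, ethertype, vlan, frame[offset:]


def classify(frame):
    """Describe one frame: which control protocol it is and whether a bridge would filter it."""
    dst, src, ethertype, vlan, payload = parse_frame(frame)
    bridge_filtered = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    name = KNOWN_GROUPS.get(dst)
    if name is None and bridge_filtered:
        name = "802.1D reserved group 0x%02x" % dst[5]
    # EAPOL header: version (1 byte), packet type (1 byte), body length (2 bytes)
    eapol_mka = ethertype == ETHERTYPE_EAPOL and len(payload) >= 2 and payload[1] == EAPOL_TYPE_MKA
    if name is None:
        if ethertype == ETHERTYPE_MACSEC:
            name = "MACsec-protected frame (any 802.1Q tag is inside the SecTAG)"
        elif ethertype >= 0x0600:
            name = "plain data frame"
        else:
            name = "802.3 LLC frame"
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "vlan": vlan,
        "ethertype": ethertype,
        "protocol": name,
        "l2_control": bridge_filtered or dst in KNOWN_GROUPS,
        "eapol_mka": eapol_mka,
    }


def protocols_to_tunnel(frames):
    """Distinct L2 control protocols seen; each must be carried end to end by the provider."""
    return sorted({c["protocol"] for c in map(classify, frames) if c["l2_control"]})


def build_frame(dst_hex, src_hex, ethertype, payload, vlan=None):
    """Assemble a constructed frame; a VLAN id is written as an 802.1Q tag with PCP/DEI = 0."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


SRC = "001122334455"  # constructed switch MAC address
SAMPLE_FRAMES = [
    # EAPOL v3, packet type 5 (MKA), body length 0: the kind of frame a MACsec port sends to negotiate
    build_frame("0180c2000003", SRC, ETHERTYPE_EAPOL, bytes([3, EAPOL_TYPE_MKA, 0, 0])),
    build_frame("0180c200000e", SRC, ETHERTYPE_LLDP, b"\x02\x07\x04" + bytes(6)),
    build_frame("0180c2000000", SRC, 0x0026, bytes(38)),            # BPDU: 802.3 length field, LLC follows
    build_frame("01000ccccccc", SRC, 0x0020, bytes(32)),            # CDP over LLC/SNAP
    build_frame("00aabbccddee", SRC, 0x0800, bytes(46), vlan=100),  # ordinary tagged IPv4 frame
    build_frame("00aabbccddee", SRC, ETHERTYPE_MACSEC, bytes([0x2C, 0, 0, 0, 0, 1]) + bytes(20)),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        c = classify(f)
        print("%-17s vlan=%-4s 0x%04x %-7s %s" % (c["dst"], c["vlan"], c["ethertype"],
                                                 "TUNNEL" if c["l2_control"] else "forward", c["protocol"]))
    print("Provider must tunnel:", protocols_to_tunnel(SAMPLE_FRAMES))
```

Fed with frames captured on the customer-facing port (for instance from a mirror session), `protocols_to_tunnel` gives the list to hand to the provider; if the EAPOL/MKA entry shows up on one side but its counterpart never arrives on the other, the L2VPN is not transparent for that group address, which matches the "Blocked by MACSEC" symptom in this thread.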
  • 7.  RE: MacSec get blocked over service provider MPLS network

    Posted 23 days ago

    Thank you;

    we are in the process of removing the Cisco as the CPE,
    given the fact that it was not capable of passing the EAPOL handshake!




  • 8.  RE: MacSec get blocked over service provider MPLS network

    Posted 6 days ago

    The two Cisco CPEs have been removed, and the MACsec connection works flawlessly

    at "wire speed" 10 Gb/s, with jumbo frames, directly in the ISP's MPLS network.

    Thanks everyone