The service provider Layer2-VPN is terminated with a pair of [NTE/CPE] Cisco ASR 920 Series Routers.
The link state shows down immediately after any attempt to establish a MACsec-enabled trunk,
with messages: ports: ST1-CMDR: port 1/A4 is Blocked by MACSEC
The service provider states in the "Service Description":
"VPN instance is based on the Ethernet over MPLS technology (EoMPLS)"
"The Ethernet VPN Service gives the customer a transparent Ethernet connectivity between two or
more geographically dispersed locations"
Anyone, please respond with any known/normal requirements for MACsec to be active
in this scenario.
Hi, as a former ISP network engineer I can tell you that the issue is on the ISP CPEs (Cisco routers in that case).
The ISP should enable tunneling all L2 traffic BUM (STP\CDP\LLDP\EAP\802.3ad etc.). In most cases this is done on request and not as a default.
Thanks for contributing.
However, after the ISP enabled both CDP/LLDP, I now clearly can see my own switch from both sides.
Clearly with names and MAC addresses, indicating a clear L2VPN.
However, same error: the port does not initiate traffic, with the same log messages.
We are in the process of removing the Cisco as the CPE, hence the fact that it was not capable of traversing the EAPOL handshake.. ! sic..
The two Cisco CPEs have been removed, and the MACsec connection works flawlessly
at "wire speed" 10 Gbs, with jumbo frames, directly in the ISP's MPLS network. Thanks everyone
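One way to confirm from packet captures which Layer 2 control protocols a CPE passes, as an added example that is not part of any post in this thread: it classifies frames by destination MAC and EtherType and reports which protocols were sent by one switch but never arrived at its peer. The addresses and EtherTypes are the IEEE-assigned values rather than values from the thread; the function names and sample frames are constructed for illustration.

```python
from __future__ import annotations
import struct

# IEEE 802.1 reserved block 01-80-C2-00-00-00..0F: a standards-conformant
# bridge never forwards these, so a CPE has to tunnel them explicitly.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
ETHERTYPES = {0x88CC: "LLDP", 0x8809: "LACP/slow-protocols", 0x88E5: "MACsec-data"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key", 5: "MKA"}


def classify(frame: bytes) -> tuple[str, bool]:
    """Return (protocol, dst_is_reserved) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    reserved = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    if ethertype == 0x888E:  # EAPOL header: version(1) type(1) body length(2)
        if len(frame) < 18:
            raise ValueError("truncated EAPOL header")
        _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
        return "EAPOL-" + EAPOL_TYPES.get(ptype, f"type-{ptype}"), reserved
    if ethertype < 0x0600:  # 802.3 length field: LLC payload (STP, CDP)
        return "LLC", reserved
    return ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"), reserved


def lost_in_transit(sent: list[bytes], received: list[bytes]) -> list[str]:
    """Protocols present in the local capture but absent at the far end."""
    seen = {classify(f)[0] for f in received}
    return sorted({classify(f)[0] for f in sent} - seen)


def build(dst_hex: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed test frame; source MAC is a locally administered dummy."""
    src = bytes.fromhex("020000000001")
    return bytes.fromhex(dst_hex) + src + struct.pack("!H", ethertype) + payload


# Constructed sample frames: LLDP, an EAPOL-MKA PDU (MACsec key agreement)
# and a CDP-style LLC frame to the Cisco multicast address.
LLDP = build("0180c200000e", 0x88CC, b"\x00\x00")
MKA = build("0180c2000003", 0x888E, struct.pack("!BBH", 3, 5, 0))
CDP = build("01000ccccccc", 0x0010, b"\xaa\xaa\x03")

if __name__ == "__main__":
    # Far end sees LLDP and CDP but no MKA: neighbours are visible, yet no
    # MACsec session can form.
    print(lost_in_transit([LLDP, CDP, MKA], [LLDP, CDP]))
```

Feeding it frames exported from a capture on each switch's uplink shows whether EAPOL-MKA is the protocol being dropped even when LLDP and CDP neighbours are visible.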