Wired Intelligent Edge

  • 1.  MacSec over ISP MPLS network Point to Multipoint

    Posted Apr 09, 2023 11:21 AM
    Edited by Steinar Grande Apr 09, 2023 11:21 AM

    I am planning to add another site (C) to the network (in a next phase, phase 2),

    utilizing the ISP MPLS functionality of Point to Multipoint.

    Is this feasible?

    Meaning:

    I wish to "terminate" site C on the same port as the connection between site A and site B

    (A3 in Site A).

    Anyone?

    (Be aware: the drawing is correct, there is no ISP router.)

    ------------------------------
    Steinar
    ------------------------------



  • 2.  RE: MacSec over ISP MPLS network Point to Multipoint

    Posted Apr 11, 2023 02:19 AM

    Steinar, 

    I assume this point-to-multipoint setup uses dot1q tags to distinguish traffic destined for Site B or Site C, right? If that is the case, that would require the MACsec connection to transport the dot1q tag in the Ethernet header in the clear, which is not usually the case. See the figure here:
    https://www.arubanetworks.com/techdocs/AOS-CX/10.11/HTML/security_8360/Content/Chp_MACsec/mac-ll-10.htm

    I know that Cisco developed "WAN extensions" to MACsec which enable exactly this ("802.1Q Tag in the Clear"). However, I'm not aware that an Aruba switch (no matter whether it is an AOS-S or an AOS-CX one) is capable of this. 

    Maybe you can ask your carrier to fan out the multipoint connection on the headend (Site A) side to two different, untagged Ethernet ports and use the setup you already have to Site B. This would most probably work, but at a very limited scale. Another scenario can be to use IPsec tunnels instead, which makes you more independent of the underlying transport but comes with other limitations depending on the network behind your MACsec switches. 

    Regards, 
    Thomas
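Thomas's point about where the 802.1Q tag sits relative to the SecTAG can be made concrete. The following is an added example, not code from this thread or from Aruba or Cisco: it builds the same frame in both layouts (standard 802.1AE, where the VLAN tag is ordinary user data and ends up encrypted, and the WAN-MACsec style "tag in the clear", where the tag is placed in front of the SecTAG), then shows what a carrier's L2 device can parse from each and what the receiving SecY recovers. The cipher and ICV are stand-ins (a SHA-256 keystream and a truncated HMAC instead of AES-GCM), the MAC addresses, key, SCI and VLAN 100 are constructed, and treating the clear tag as ICV-covered but unencrypted data is an assumption made for the example.

```python
import hashlib
import hmac
import struct

ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag
ETH_P_MACSEC = 0x88E5   # 802.1AE SecTAG
ETH_P_IPV4 = 0x0800
ICV_LEN = 16

# Constructed sample values (not from the thread)
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DST = bytes.fromhex("0200000000bb")        # site B MACsec port
SRC = bytes.fromhex("0200000000aa")        # site A port A3
SCI = SRC + b"\x00\x01"                    # SCI = MAC address + port id
DATA = b"constructed payload bytes " * 3   # > 48 octets, so SL stays 0


def _keystream(key, pn, n):
    """Stand-in for the AES-GCM keystream (SHA-256 in counter mode keyed by
    the packet number); only here so the secure data is unreadable in the demo."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IQ", pn, ctr)).digest()
        ctr += 1
    return out[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def vlan_tag(vid, pcp=0):
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))


def sectag(an, pn, sci, secure_len):
    """SecTAG: EtherType, TCI/AN, SL, 32-bit PN, explicit SCI.
    TCI bits used: SC=1 (SCI present), E=1 and C=1 (payload encrypted)."""
    tci_an = 0x20 | 0x08 | 0x04 | (an & 0x03)
    sl = secure_len if secure_len < 48 else 0    # SL is only set for short data
    return struct.pack("!HBBI", ETH_P_MACSEC, tci_an, sl, pn) + sci


def macsec_protect(dst, src, vid, user_data, key, an, pn, sci, tag_in_clear=False):
    """Standard 802.1AE treats the 802.1Q tag as user data, so it is encrypted;
    the WAN extension moves it in front of the SecTAG.  Here the clear tag is
    still covered by the ICV (assumption: authenticated-only data)."""
    tag = vlan_tag(vid)
    inner = struct.pack("!H", ETH_P_IPV4) + user_data
    if tag_in_clear:
        clear, plain = dst + src + tag, inner
    else:
        clear, plain = dst + src, tag + inner
    st = sectag(an, pn, sci, len(plain))
    secure = _xor(plain, _keystream(key, pn, len(plain)))
    icv = hmac.new(key, clear + st + secure, hashlib.sha256).digest()[:ICV_LEN]
    return clear + st + secure + icv


def carrier_view(frame):
    """What a carrier L2 device can parse without the MACsec key: an optional
    outer VLAN tag, the EtherType it will act on, and the SecTAG fields."""
    off = 12
    view = {"vlan": None, "ethertype": None, "sectag": None}
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETH_P_8021Q:
        view["vlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    view["ethertype"] = etype
    if etype == ETH_P_MACSEC:
        tci_an = frame[off + 2]
        view["sectag"] = {
            "an": tci_an & 0x03,
            "encrypted": bool(tci_an & 0x08),
            "pn": struct.unpack_from("!I", frame, off + 4)[0],
            "sci": frame[off + 8:off + 16] if tci_an & 0x20 else None,
        }
    return view


def macsec_verify(frame, key):
    """Receiving SecY: find the SecTAG, check the ICV over everything before
    the secure data plus the secure data, decrypt, and rebuild the original
    frame.  Returns None when the ICV does not match."""
    off = 12
    if struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        off += 4                                   # tag in the clear
    if struct.unpack_from("!H", frame, off)[0] != ETH_P_MACSEC:
        return None
    tci_an = frame[off + 2]
    pn = struct.unpack_from("!I", frame, off + 4)[0]
    hdr_end = off + 8 + (8 if tci_an & 0x20 else 0)
    secure, icv = frame[hdr_end:-ICV_LEN], frame[-ICV_LEN:]
    expect = hmac.new(key, frame[:hdr_end] + secure, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None
    return frame[:off] + _xor(secure, _keystream(key, pn, len(secure)))


def original_frame(vid=100):
    """The tagged frame both layouts should reconstruct at the far end."""
    return DST + SRC + vlan_tag(vid) + struct.pack("!H", ETH_P_IPV4) + DATA


if __name__ == "__main__":
    for mode in (False, True):
        f = macsec_protect(DST, SRC, 100, DATA, KEY, 0, 1, SCI, tag_in_clear=mode)
        print("tag in clear:" if mode else "standard:    ", carrier_view(f))
```

Running it shows the difference the carrier cares about: in the standard frame the first EtherType after the source MAC is 0x88E5 and no VLAN is visible, so a P2MP service keyed on dot1q tags has nothing to switch on; in the tag-in-clear frame the carrier reads VLAN 100 before the SecTAG. Because the clear tag is still under the ICV in this layout, a carrier device can read it but cannot rewrite it without the receiving SecY dropping the frame.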




  • 3.  RE: MacSec over ISP MPLS network Point to Multipoint

    Posted Apr 12, 2023 05:10 AM
    Edited by Steinar Grande Apr 12, 2023 05:40 AM

    Hi, thank you for your swift response.

    The last point first:

    There will be no change to the topology now :)

    (Meaning: no fan-out, due to no edge ISP router, and IPsec is out.)

    Yes, the manual is somewhat unclear, I am aware.

    I am chasing the carrier now to have them clarify their definition

    of the solution: Point to Multipoint (and Multipoint to Multipoint).

    Yes, the manual for AOS-CX clearly states in its first bullet point:

    Provides a Layer 2 hop-by-hop encryption on point-to-point Ethernet links,
    enabling a bi-directional secure link after an exchange and verification of security keys between two connected devices

    Which of course was the basis for the setup A><B.

    The real question from me is whether or not: 

    • Can my single MACsec switchport (A3)[Site A] handle two MACsec connections?



    ------------------------------
    Steinar
    ------------------------------



  • 4.  RE: MacSec over ISP MPLS network Point to Multipoint

    Posted Apr 12, 2023 05:56 AM

    Hi Steinar

    >Can my single macsec switchport (A3)[Site A] handle two MacSec connections?
    IMHO at the moment no, as there is no such extension documented. As I said, Cisco has such a feature and I found a hint in Huawei docs as well. So maybe one day Aruba will implement it, too. Perhaps an Aruba employee can say something about this?

    Did you think of posting this use case to Aruba Innovation Zone?
    http://innovate.arubanetworks.com/

    Regards, 
    Thomas




  • 5.  RE: MacSec over ISP MPLS network Point to Multipoint

    Posted Apr 12, 2023 06:09 AM
    Edited by Steinar Grande Apr 12, 2023 06:09 AM

    Thank you again, I am awaiting a decisive response. :)
    A negative one will of course force me to get the excavator out and dig a secondary fiber channel ditch at Site A :(

    At that point, a redundancy possibility opens up, with a site B><C connection!


    ------------------------------
    Steinar
    ------------------------------



  • 6.  RE: MacSec over ISP MPLS network Point to Multipoint

    Posted Apr 24, 2023 04:32 AM

    @Steinar Grande - Will all 3 sites be part of the same CA? I.e., does port A3 on all 3 sites have the same MKA and MACsec policy configured?

    AOS-CX does not support the WAN MACsec extensions (802.1Q in clear, custom EAPoL destination MAC) yet. It also does not support P2MP connections.
    But I would like to understand if the ask is to support a P2MP deployment with the same CA, or a different CA for each site on the same interface.