Comware


MacSec to restart after point-to-point link failure

  • 1.  MacSec to restart after point-to-point link failure

    Posted Feb 05, 2023 01:58 PM

    We want to use encrypted MacSec on 10gig interface between datacenters.

    The network between the datacenters is provided by a potentially untrusted third party.

    This MACsec setup is working, but when somewhere in the third-party network there is a loss of connection, the MKA timer (mka-life 60) exceeds the 60 seconds and then the connection is lost. So the physical interface connected to the MACsec stays up, but the line protocol is down: DOWN(MACSEC).

    We use device-oriented MACsec.
    So MACsec does not notice when the communication is back.

    When we reset this setup by doing a shutdown / undo shutdown on one of our MACsec interfaces, it works again.

    We've looked at OAM, CFD, TRACK etc. for an automatic solution. Could not find one that would work in our situation.

    We are thinking of creating a Python script on the switch to automate this.
    Perhaps there is a better solution?

    An unencrypted VXLAN tunnel, perhaps with a loopback -> will the interface on the VXLAN go down when the tunnel is down, to signal the MACsec interface?
    Perhaps the client-oriented MACsec doesn't have this problem?

    Thanks for your time,

    Greetings,

    Jan-Willem

    macsec desire
    mka priority 10
    mka psk ckn E9AC cak simple 09DB3EF1 ( from the public example)
    macsec replay-protection enable
    macsec replay-protection window-size 100
    macsec validation mode strict
    mka enable



  • 2.  RE: MacSec to restart after point-to-point link failure

    Posted Apr 05, 2023 05:25 AM

    Hello Jan-Willem,

    Did you get a solution for this setup? We're facing exactly the same issue at a customer site. If the provider has a problem with the 3rd party network, the MKA session times out and the connection is lost. After shut / undo shut everything is fine again until the next disconnection at the 3rd party network of the provider...

    Best regards,
    Marco Ludwig.




  • 3.  RE: MacSec to restart after point-to-point link failure

    Posted Apr 13, 2023 04:32 PM

    We are thinking of using a Python script, running internally on the HPE switch (both sides).

    It will check the interface state, and if MACsec is down, will then test what the state of the MACsec is (internal number higher than 0) -> will reset the interface.

    Tested around with that, not in production yet.

    Because I'm not sure how to start it -> to start the script every hour, and then for instance keep it running for 59 minutes (and sleep 60 seconds),

    Or start it every minute, etc. I don't want to generate a memory leak on the switch.

    Also to test how to start it from file, and how to do that in case of shutdown of one IRF switch etc. 

    But when we have something we will post it here.

    Or do you have any ideas?
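A sketch of the watchdog logic discussed in this thread, added here as an example; it is not code from the posters or from HPE. It parses a constructed `display interface brief`-style output for the `DOWN(MACSEC)` protocol state described in the first post, applies a per-interface cooldown so a flapping provider link does not trigger endless resets, and emits the same shutdown / undo shutdown sequence. The output column layout and the `run_cli` hook (which would be bound to the switch's own CLI execution facility) are assumptions.

```python
"""Watchdog: detect a line protocol stuck in DOWN(MACSEC) and schedule an
interface reset, rate-limited by a cooldown. Runs offline against a
constructed sample; bind run_cli() to the switch CLI to use it for real."""
import re
import time

# Constructed sample of 'display interface brief'-style output; the column
# layout is an assumption, not captured from a real switch.
SAMPLE_BRIEF = """\
Interface            Link Protocol      Main IP         Description
XGE1/0/1             UP   UP            --              DC-link
XGE1/0/2             UP   DOWN(MACSEC)  --              DC-link-macsec
XGE1/0/3             DOWN DOWN          --              spare
"""

# Link UP but protocol DOWN(MACSEC): the symptom described in the thread.
MACSEC_DOWN = re.compile(r"^(\S+)\s+UP\s+DOWN\(MACSEC\)", re.M)

def find_macsec_down(brief_output: str) -> list:
    """Return interface names whose link is UP but protocol is DOWN(MACSEC)."""
    return MACSEC_DOWN.findall(brief_output)

class ResetPolicy:
    """Allow at most one reset per interface per cooldown window."""
    def __init__(self, cooldown_s: float = 120.0, now=time.monotonic):
        self.cooldown_s = cooldown_s
        self.now = now            # injectable clock, for testing
        self.last_reset = {}      # ifname -> timestamp of last reset
        self.resets = 0

    def should_reset(self, ifname: str) -> bool:
        t = self.now()
        last = self.last_reset.get(ifname)
        if last is not None and t - last < self.cooldown_s:
            return False          # still inside the cooldown: do nothing
        self.last_reset[ifname] = t
        self.resets += 1
        return True

def reset_commands(ifname: str) -> list:
    """The manual shutdown / undo shutdown sequence from the thread."""
    return ["system-view", f"interface {ifname}", "shutdown", "undo shutdown", "quit"]

def check_once(brief_output: str, policy: ResetPolicy, run_cli=None) -> list:
    """One watchdog pass; returns the interfaces that were (or would be) reset."""
    acted = []
    for ifname in find_macsec_down(brief_output):
        if policy.should_reset(ifname):
            if run_cli is not None:
                run_cli(reset_commands(ifname))   # hypothetical hook
            acted.append(ifname)
    return acted

if __name__ == "__main__":
    print(check_once(SAMPLE_BRIEF, ResetPolicy(), run_cli=print))
```

Invoking `check_once` once per minute from a scheduler, rather than keeping a long-running loop, keeps the process short-lived and sidesteps the memory-growth concern raised above.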




  • 4.  RE: MacSec to restart after point-to-point link failure

    Posted Apr 21, 2023 06:00 AM

    Hello Jan-Willem,

    Python is a good idea. Anyway, I can very well understand your concerns about a memory leak.

    I'm just thinking about implementing it with track (NQA) and then EAA rtm cli-policy. But it's just an idea, haven't tested anything yet.

    Best regards, Marco.