topic Re: L2 Trunk encryption in Network Security

L2 Trunk encryption

Tibor M — Sun, 09 Mar 2025 01:55:05 GMT

Hi,

we are going to move our offices between buildings. Our ISP is able to provide us L2 1gbps QinQ line between buildings for 2 months so we can start moving services and servers partially. The thing is that L2 is not encrypted anyhow from them. We want to use it as trunk, and its a must because we will have to split some VLANs during movement as we are not able to move all services in those vlans at once. And we need to ensure all traffic is encrypted.

I plan to have on each side of L2 Nexus N9K-C93180YC-EX or N9K-C9372PX-E, eventually I still have ASA5516-X and ASA5508-X (where I was thinking about transparent mode, but never worked with it and do not know if it supports trunk and S2S on transparent mode).

What we can use to achieve this L2 trunk encryption please? anybody with such experience?

Re: L2 Trunk encryption

Ramblin Tech — Sun, 09 Mar 2025 02:16:24 GMT

You might take a look at IEEE 802.1AE (aka, MACSEC), to see if the concept meets your needs, as it was designed specifically for L2 encryption. If so, then you could dig into the Nexus 9K support and caveats.

Re: L2 Trunk encryption

balaji.bandi — Sun, 09 Mar 2025 09:33:56 GMT

One option is MACSEC - make sure nexus have right License :

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/security/cisco-nexus-9000-nx-os-security-configuration-guide-103x/m-configuring-macsec.html#id_72606

Other option you can have VXLAN (over engineering)

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/104x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-104x/m-configuring-cloudsec.html#:~:text=Secure%20VXLAN%20EVPN%20Multi%2DSite%20using%20CloudSec%20ensures%20data%20security,between%20authorized%20VXLAN%20EVPN%20endpoints.

Re: L2 Trunk encryption

Tibor M — Sun, 09 Mar 2025 11:52:21 GMT

thanks both, it looks like MACSec is not an option 😞 On both models I have only LAN_ENTERPRISE_SERVICES_PKG license, no security addon. and I do not see even "feature macsec" command.

Re: L2 Trunk encryption

Tibor M — Sun, 09 Mar 2025 12:34:32 GMT

But what about Catalyst 9200L ? I have several C9200L-24T-4X which look like support macsec too on network essential license.

Re: L2 Trunk encryption

balaji.bandi — Sun, 09 Mar 2025 15:00:08 GMT

I was suggested based on the nexus model.

The Cat 9K model also needs a license for MACSec (I have never tested Cat 9200 with MAC Sec), which are basic Access Layer switches. Cat 9300/9400/9500/9600 works as expected with the correct License.

If they are terminating to a Firewall, you can tunnel the traffic if you like and use basic Layer 2 Switches to terminate the Links.

Re: L2 Trunk encryption

Marius Gunnerud — Sun, 09 Mar 2025 19:07:22 GMT

If MACSec is not an option, would it be a possibility to setup a firewall at the remote end using a temporary subnet / link-net over the L2 line provided by the ISP, and then setup a site to site between the two.

Re: L2 Trunk encryption

Tibor M — Sun, 09 Mar 2025 20:12:36 GMT

@Marius Gunnerud That is what I can't do. I need several VLANs IDs on both sides (one VLAN i.e. 345 on both sides, with i.e. 10.1.2.0/23 on both sides) because we will move some servers on one date and rest of another. and I'm unable to readdress those servers and put to different subnet.

Re: L2 Trunk encryption

Marius Gunnerud — Sun, 09 Mar 2025 21:18:00 GMT

What about enabling trial license on the switches? If I am not mistaken you will have 90 days trial license with access to full functionality. Then enable MACSec, do your transfer, and then remove MACSec and revert the license to the original.

If you have already used up your 90 trial, then I would suggest contacting Cisco or your Cisco partner and explain the situation and request that they provide a trial so that MACSec can be implemented for the migration.

Other than that, and short of adding more hardware or permanent licensing, there is not much you can do.