Does ACI MultiSite CloudSec require MACSec to be implemented?

SIMMN
Spotlight

Referencing the Cisco CloudSec document, it seems like MACSec needs to be implemented within each site fabric... I can see both CloudSec and MACSec used concurrently to ensure encryption for data in transit within the fabric and across fabrics. I do not feel MACSec is necessary if all I want is encryption for inter-site communication and I do not need the encryption within the fabric. But I could not find any doc that gives me the answer...

So does MACSec need to be enabled/implemented in each site fabric in order to do CloudSec in ACI Multi-Site environment?

Accepted Solutions

Sergiu.Daniluk
VIP Alumni

Hi @SIMMN 

No, you are not required to enable MACSec inside the fabric to have the CloudSec functionality turned on.

These can work independently of each other, but can be enabled simultaneously if you wish to have "end-to-end" encryption.

EDIT: to give a little more context, in case of communication between two endpoints, the CloudSec is only available between spines of different sites, and communication Leaf->Spine and Spine->Leaf remains unencrypted. If it's a requirement to have it encrypted, then MACsec can be enabled. Starting with version 5.1(1), in case of communication EP(site1)->L3Out (site2), the CloudSec will be between Leaf(site1) -> BL (site2).

Stay safe,

Sergiu

 


2 Replies

Thanks for the information!
