MP-BGP inside MACsec inside VPLS network

Bartlomiej Orzechowski · ‎07-02-2018

Dear community,

is it possible to create MACsec peering via VPLS network ?

Please find attached drawing.

https://drive.google.com/drive/folders/1zDvfm09pzZBNfwxWuWUOrgzA9Yj0gce5?usp=sharing

I've got MP-BGP peering with this config but without CTS enabled on port Gi1/0/48.
With MACsec enabled, BGP doesn't work.

Advice me please.

Interface CTS output:

#show cts interface gigabitEthernet 1/0/48
Global Dot1x feature is Disabled
Interface GigabitEthernet1/0/48:
    CTS is enabled, mode:    MANUAL
    IFC state:               SAP_NEGOTIATING
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              UNKNOWN
        Configured pairwise ciphers:
            gcm-encrypt

        Replay protection:      enabled
        Replay protection mode: STRICT

        Selected cipher:        

    Propagate SGT:           Enabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE

    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                0
        sap fail:                   5225
        authz success:              0
        authz fail:                 0
        port auth fail:             0

    L3 IPM:   disabled.

    CTS sgt-caching Ingress : Disabled

    CTS sgt-caching Egress  : Disabled