L2 Trunk encryption

Tibor M
Level 1

Hi,

We are going to move our offices between buildings. Our ISP is able to provide us with an L2 1 Gbps QinQ line between the buildings for 2 months so we can start moving services and servers partially. The thing is that the L2 line is not encrypted in any way by them. We want to use it as a trunk, and it's a must because we will have to split some VLANs during the move, as we are not able to move all services in those VLANs at once. And we need to ensure all traffic is encrypted.

I plan to have a Nexus N9K-C93180YC-EX or N9K-C9372PX-E on each side of the L2 line; eventually I still have an ASA5516-X and ASA5508-X (where I was thinking about transparent mode, but I have never worked with it and do not know if it supports trunks and S2S in transparent mode).

What can we use to achieve this L2 trunk encryption, please? Does anybody have such experience?

8 Replies

You might take a look at IEEE 802.1AE (aka, MACSEC), to see if the concept meets your needs, as it was designed specifically for L2 encryption. If so, then you could dig into the Nexus 9K support and caveats.

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.

Tibor M
Level 1

Thanks both, it looks like MACsec is not an option. On both models I have only the LAN_ENTERPRISE_SERVICES_PKG license, no security add-on, and I do not even see the "feature macsec" command.

Tibor M
Level 1

But what about the Catalyst 9200L? I have several C9200L-24T-4X which look like they support MACsec too on the Network Essentials license.

My suggestion was based on the Nexus model.

The Cat 9K models also need a license for MACsec (I have never tested the Cat 9200 with MACsec; those are basic access-layer switches). Cat 9300/9400/9500/9600 work as expected with the correct license.

If they are terminating to a Firewall, you can tunnel the traffic if you like and use basic Layer 2 Switches to terminate the Links.

 

BB


If MACsec is not an option, would it be a possibility to set up a firewall at the remote end using a temporary subnet / link-net over the L2 line provided by the ISP, and then set up a site-to-site VPN between the two?

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud That is what I can't do. I need several VLAN IDs on both sides (one VLAN, e.g. 345, on both sides, with e.g. 10.1.2.0/23 on both sides) because we will move some servers on one date and the rest on another, and I'm unable to readdress those servers and put them in a different subnet.

What about enabling a trial license on the switches? If I am not mistaken you will have a 90-day trial license with access to full functionality. Then enable MACsec, do your transfer, and then remove MACsec and revert the license to the original.

If you have already used up your 90-day trial, then I would suggest contacting Cisco or your Cisco partner, explaining the situation and requesting that they provide a trial so that MACsec can be implemented for the migration.

Other than that, and short of adding more hardware or permanent licensing, there is not much you can do.
