MacSec between DCs with vPC

Hi,

We have two DCs that are connected via WDM with layer 2 connectivity. The connection between the two sites is implemented via vPC. The DC switches are Nexus 5672UP, running NX-OS 7.3(0)N1(1). In order to have encryption for the data traversing the two sites, we were thinking of implementing MACsec between the devices in the two datacenters. Is this achievable when vPC is implemented?

Attached you will find a topology layout.

Please advise!

Katerina

guardi
Level 1

Hi Katerina,

Did you ever resolve this problem? I have the same question (using C93240YC-FX2). I think this can be done, but I'm wondering if it can be done without both links going down at the same time. Contrary to IOS, NX-OS requires MACsec to be configured on the port-channel instead of the underlying Ethernet interface. This might trigger a vPC inconsistency.

For example, starting with DC1 secondary, the port-channel between DC1 secondary and DC2 secondary might go down because:

- MACsec is not yet configured on DC2 secondary

- DC1 secondary is inconsistent with DC1 primary (vPC inconsistency)

Now when fixing DC2 secondary, at least MACsec between DC1 secondary and DC2 secondary is consistent. But the link might still stay down because:

- DC1 secondary is inconsistent with DC1 primary (vPC inconsistency)

- DC2 secondary is inconsistent with DC2 primary (vPC inconsistency)

If we then start with the port-channel between DC1 primary and DC2 primary, it will initially go down as well because MACsec is not configured on both sides at the same time. This would bring the whole vPC down.

Does anyone have experience with this? Can it be done without downtime? Will MACsec actually trigger a vPC inconsistency?

Thanks.

Hello Guardi,

We have not yet implemented the solution, because we wanted to first try it in a lab, but we have not yet found a chance.

My understanding is that MACsec should be implemented on the physical interfaces and not on the port-channel.

An idea would be to remove the physical interfaces from the port-channel and apply the configuration on one link (both sides, with the interface shut). Then open the interface, check that it works, apply the configuration on the second link, and then add them to the port-channel.

Good luck with what you are doing!

It would be great if you update the discussion whenever you get this working.

Thanks!

ashleybabajee
Level 1

@katerina.dardoufa and @guardi

Have you guys found any solution?

I have been able to configure MACsec on the port-channel (vPC), however I saw that traffic is being encrypted on only one link and there is no encryption on the second link.

Does it work on the port-channel, or should we just apply it on the physical interface? Also, can we use the same policy on both interfaces which form the port-channel, or different policies?

Hi ashleybabajee,

We did implement it on a pair of Nexus 7710 with vPC. The MACsec configuration was done on both vPC and physical interfaces, using manual CTS. I believe that the same policy would work on both interfaces in your case, but you had better test and see what happens.

HTH
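For readers who want to see what "the same key chain and policy on every physical member, one link at a time" looks like, here is an added illustration in Nexus 9000 style NX-OS syntax. It is not configuration posted by anyone in this thread; the interface numbers, the key chain and policy names, and the 64-hex-digit key value are all assumptions (the key is a constructed placeholder, not a value to reuse), and the exact command set should be checked against the security configuration guide for your platform and release.

```text
! Added example, not from the thread. Applies one MACsec key chain and one
! policy to both physical members of the DCI port-channel, following the
! shut / configure / verify / no shut sequence suggested above.
! Names, interface numbers and the key value are assumptions.
feature macsec

! Pre-shared CAK. The key below is a constructed placeholder: generate a
! random 64-hex-digit value and configure the identical value on the peer.
key chain DCI-MACSEC macsec
  key 1000
    key-octet-string 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef cryptographic-algorithm AES_256_CMAC

macsec policy DCI-MACSEC-POLICY
  cipher-suite GCM-AES-XPN-256
  security-policy must-secure

! First member link: shut, apply, bring up, verify before touching the second
interface Ethernet1/49
  shutdown
  macsec keychain DCI-MACSEC policy DCI-MACSEC-POLICY
  no shutdown

! Verification on the first member before proceeding:
!   show macsec mka session interface ethernet 1/49
!   show macsec mka statistics interface ethernet 1/49

! Second member link: identical key chain and policy
interface Ethernet1/50
  shutdown
  macsec keychain DCI-MACSEC policy DCI-MACSEC-POLICY
  no shutdown
```

Two points worth checking in this layout. First, with `security-policy must-secure` a member link forwards nothing until MKA has completed with the peer, which is exactly why the thread's suggestion of keeping each link shut until both ends are configured matters during a rolling change; `should-secure` would instead allow cleartext to pass while MKA is pending, trading downtime for a window of unencrypted traffic. Second, the symptom reported above (encryption on one member only) is what you would see if the second member was never given its own `macsec keychain ... policy ...` line, so the per-interface `show macsec mka session` output for each member, not just the port-channel, is the place to confirm that both links are secured.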
Hi @katerina.dardoufa,

It's a Nexus 9K and I think we don't have CTS configuration available on it. I will try to configure MACsec on the vPC and on the physical interfaces as well and see.

Thanks