Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4162
Views
5
Helpful
5
Replies

MACSec across QinQ provider network

n-russell-biggie
Level 1
Level 1

‎11-28-2017 10:23 AM - edited ‎02-20-2020 09:44 PM

Hi,

 

I have three switches (3650's), in three different locations connected together through service provider circuits.

The provider gives me QinQ tunnels in order for me to trunk my switches together. They also tell me  that the tunnels are fully transparent and effectively means I have point-to-point connections for my switches.

 

Prior to MACSec configuration CDP neighbors show our switches as neighbors and I see no provider switch info.

 

On that basis of this I have deployed manual MACSec on the trunk interfaces of my switches with the below commands:

 

#cts manual

##no propergate sgt

## sap pmk [KEY] mode-list gcm-encrypt

 

We are unable to get the trunks to come up. We see the line protocol as "down"

 

In tests with the switches physically connected together in a lab the manual MACSec works perfectly.

 

Is it the case that running MACSec across a providers network in a QinQ tunnel is not possible or is there a workaround?

 

Thanks

Nick

 

Labels:
0 Helpful
5 Replies 5

Bogdan Nita
VIP Alumni
VIP Alumni

‎11-30-2017 03:44 AM

MACSec over QinQ will not work, MACsec is desigened to protect communication between directly connected trusted components, so it will not work over multiple hops.

bohumir.hejduk
Level 1
Level 1
In response to Bogdan Nita

‎05-04-2018 05:52 AM

Hi Bogdan Nita, are you pretty sure that MACSec on QinQ leased line will not work? Did you test that? I had a chat with Cisco representative and he said that he doesn't see any problem with running MACSec on Q-in-Q ISP WAN line. Bohumir

0 Helpful

n-russell-biggie
Level 1
Level 1
In response to bohumir.hejduk

‎05-04-2018 06:07 AM

Hello,

 

Actually we did get this to work across a providers network that I believe is using QinQ. We had three switches connected together between an office and two data centers. The MACSec all came up correctly.

 

The issue we have now is that when we reboot one of the switches in the triangle it appears that for 30 minutes we get uni-directional issues and broadcast storms. This lasts approx 30 minutes and then the MACSec appears to work again and the network stabilizes.

 

We have a TAC case open for this and will be carrying out some troubleshooting on Tuesday evening. I will post any relevant updates to here following the troubleshooting with TAC.

 

Thanks

Nick

0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to n-russell-biggie

‎05-11-2018 06:55 AM

Hi Nick,

 

Thanks for sharing the information.
Would be interesting to know how you configured MACSec and how is your service provider forwarding the packets.

 

As far as I understand MACSec as described in 802.1AE–2006 does not offer the possibility (at least in theory) to run MACsec over PBNs.
Here is a paper on it: http://www.ieee802.org/1/files/public/docs2013/ae-seaman-macsec-hops-0626-v03.pdf

 

That being said it, Cisco has added additional capabilities to MACSec in order to be able to run MACSec over PBNs:
The WAN MACsec offering is standards based but offers additional capabilities not found in earlier MACsec capabilities. More specifically, MACsec can be leveraged by enterprise customers over public carrier Ethernet offerings, allowing customers to adapt to the public carrier Ethernet service offering and capabilities (or restrictions).
New enhancements for WAN MACsec include:
1. 802.1Q Tag in the Clear
2. Standard IEEE 802.1X-rev MACsec Key Agreement
3. Integrated MACsec authentication adaptability over public Carrier Ethernet transport
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/white-paper-c11-737544.html

 

Regards,
Bogdan

0 Helpful

n-russell-biggie
Level 1
Level 1
In response to Bogdan Nita

‎05-11-2018 07:15 AM - edited ‎05-11-2018 07:18 AM

Hi Bogdan,

 

The three switches are connected in a triangle. One switch in each of the two Data Centres and one switch in the clients office.

 

MACsec is configures as below on the trunks to each of the switches:

 

interface GigabitEthernet1/1/1
description Trunk xxxxxxxx Gig 1/1/1
switchport mode trunk
cts manual
no propagate sgt
sap pmk A0646E7153F9837DDB992AA4983852255181B17B71D0A2D55AFBEBE267F8D76D mode-list gcm-encrypt
spanning-tree guard loop
end
 

 

I am unsure on what the providers are using to connect the three switches together but I would gues dot1q or the likes. We did supply them with ethertype codes that are detailed in MACsec documentation but am not sure which ones if any they are using.

 

MACsec appears to work perfectly in this scenario. However, the client states that when a reload of one of the switches is carried out they experience uni-directional traffic and broadcast storms. We are working with TAC to try and replicate the issues but so far we are unable to do so and MACsec is functioning correctly.

 

Thanks

Nick

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents