07-22-2013 12:04 PM - edited 03-04-2019 08:31 PM
Hi All,
Will MACSec between two 3560X switches work across a Layer 2 WAN?
Sachin
07-23-2013 01:26 PM
According to what I understand or know, it is a MAC-based security feature or standard. The Data Link Layer of the OSI model has 2 sublayers:
1) Logical Link Control (LLC).
2) MAC (Media Access Control).
As it is a MAC-based standard, it can support Layer 2 WAN.
The MAC layer acts as an interface between the Logical layer and the physical layer of the OSI model.
07-23-2013 04:38 PM
Thanks Fahad. From my understanding, MACSec operates on a hop-by-hop basis, so encryption is supposed to take place between hops and not over them, according to this document:
http://www.ieee802.org/1/files/public/docs2013/ae-seaman-macsec-hops-0213-v02.pdf
I've come across something that indicates it works over EoMPLS:
http://www.networklabs.info/2013/04/cisco-macsec-over-junipercisco-mpls.html
But I wanted to know if anyone has actually done it. Also if it works with providers who use Q-in-Q.
Sachin
07-23-2013 07:49 PM
You are correct, sganpat; it works on L3 interfaces.
02-17-2014 02:37 AM
Hello Sachin,
I'd like to ask whether MACSec worked for you over the MPLS. I guess you used a p2p PW, right?
Thank you very much
adam
02-17-2014 05:55 AM
Hi Adam.
We didn't bother with it. We ended up going with 15Mb WAN links and using firewalls w/VPN at the edge instead. It came out cheaper and it works so far.
I'm sorry that I couldn't be of more help to you.
Sachin
06-11-2014 06:50 AM
I've seen MACsec work over SDH and other carrier links. Oddly, I am seeing some issues with a Cisco-only provider who is using QinQ, and they cannot get it to pass. The ethertypes 0x888e (EAPOL) and 0x88e5 (MACsec) are critical in the negotiation.
06-26-2014 09:13 AM
I am also planning MACsec encryption for the DCI links. Since MACsec encryption is on a hop-by-hop basis, the DCI link should not expect to have Ethernet encapsulation happening on the telco side (there could be exceptions with EoMPLS or some pseudowire tunnels).
The link I am planning is an unprotected wave (transparent Layer 1 service with optical encapsulation in the carrier network).
Please let me know if anybody has successfully implemented MACsec over a long-distance carrier network.
12-21-2015 10:42 AM
Have implemented it across many WANs. Had an issue with Cogent on a 7600 and they replaced a line card and it's online. Have deployed over carriers with SDH, DWDM and long-haul L2 circuits. At times you have to battle with the carrier to ensure they support ethertypes 0x888e (EAPOL) and 0x88e5 (MACsec); would recommend you provide a minimum requirements list in the contract so you can hold them to support it.
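A way to check a capture taken at the far end of a carrier circuit for the two EtherTypes named in this thread, looking through any stacked VLAN tags a Q-in-Q provider adds. This is an added example, not code from any poster; the sample frames are constructed, and `inner_ethertype`, `carrier_check` and `build_frame` are hypothetical names.

```python
import struct

# EtherTypes named in the thread, plus the VLAN TPIDs a Q-in-Q carrier may stack.
EAPOL, MACSEC = 0x888E, 0x88E5
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag, 802.1ad S-tag
REQUIRED = {EAPOL: "EAPOL (0x888e)", MACSEC: "MACsec (0x88e5)"}

def inner_ethertype(frame):
    """Return (vlan_tag_count, ethertype, payload) after skipping stacked VLAN tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, 0
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        offset, tags = offset + 4, tags + 1
        (etype,) = struct.unpack_from("!H", frame, offset)
    return tags, etype, frame[offset + 2:]

def carrier_check(frames):
    """Report which required EtherTypes arrived, and under how many VLAN tags."""
    seen, mka = {}, False
    for frame in frames:
        try:
            tags, etype, payload = inner_ethertype(frame)
        except ValueError:
            continue  # skip runt frames instead of aborting the whole capture
        if etype in REQUIRED:
            seen.setdefault(etype, set()).add(tags)
        # EAPOL header is version(1) + packet type(1); type 5 is EAPOL-MKA
        if etype == EAPOL and len(payload) >= 2 and payload[1] == 5:
            mka = True
    return {"missing": [n for et, n in REQUIRED.items() if et not in seen],
            "mka_seen": mka,
            "tag_depths": {REQUIRED[et]: sorted(d) for et, d in seen.items()}}

def build_frame(etype, payload, tpids=()):
    """Constructed test frame: placeholder MACs, optional stacked tags (VLAN 100)."""
    hdr = bytes.fromhex("020000000002020000000001")
    for tpid in tpids:
        hdr += struct.pack("!HH", tpid, 100)
    return hdr + struct.pack("!H", etype) + payload

# Constructed far-end capture: double-tagged EAPOL-MKA arrives, no MACsec frames do.
SAMPLE = [build_frame(EAPOL, bytes([3, 5, 0, 0]), tpids=(0x88A8, 0x8100)),
          build_frame(0x0800, b"\x45" + bytes(19))]

if __name__ == "__main__":
    print(carrier_check(SAMPLE))
```

Feed `carrier_check` the raw frames from a capture at the remote switch port; a non-empty `missing` list names the EtherType to raise with the carrier.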
12-26-2017 03:43 AM
Hi,
Did you use Cisco switches or routers for MACSec over DWDM? Did you see that MACSec works between two Cisco switches over DWDM or EoMPLS?
02-10-2022 12:40 PM - edited 02-10-2022 12:49 PM
Used 3750s, 6880s and 9500s. 9500s support MKA and now 6880s (SY7) do as well (standards-based), so they provide a migration path to MKA. 9500X will support only MKA and not CTS.