10-12-2017 01:10 PM - edited 03-05-2019 09:17 AM
I'm having a problem where my ISR 4K router at my HQ cannot form a MACsec session to 3 of our Remote Sites over 3 different VLANs. They're all ISR 4451 routers with the same NIM-2GE-CU-SFP module. However, the 3 remote sites can form MACsec sessions between each other.
HQ <-> RS1 over VLAN 101 doesn't work but L2 connectivity is there
HQ <-> RS2 over VLAN 102 doesn't work but L2 connectivity is there
HQ <-> RS3 over VLAN 103 doesn't work but L2 connectivity is there
R1 <-> R2 <-> R3 over VLAN 105 works fine.
My ISP confirmed they are not blocking EAPoL traffic and I set the eapol destination-address broadcast setting on ALL routers.
Any suggestions on what to look for? I have a TAC case open but we're still trying to get this figured out.
10-23-2017 12:06 PM
I figured it out. I upgraded my remote site 4451s to IOS-XE 3.17.4S, and that allowed me to change the MACsec ether-type to B860 on all routers. The routers were then able to establish MACsec sessions. My ISP (Level 3) says they're not blocking EAPoL, but that has to be happening somewhere. My DR site and my HQ site have 2 different last mile providers and I'm wondering if one of their networks is blocking or dropping it.
DR - AT&T (MACsec worked using eapol destination-address broadcast-address but without changing eth-type to B860)
HQ - AboveNet (MACsec worked after changing eth-type to B860 and using eapol destination-address broadcast-address)