
Macsec over EoMPLS

unfraget (Level 1)

Hi there!

Guys, I've a question about MACsec implementation over an ISP MPLS network.

We're planning to connect our branches to HQ over the ISP network; the ISP will provide us with EoMPLS.

My question is: will the following protocols be transparently passed over EoMPLS: STP / LACP BPDU / MACsec?

 

 


Giuseppe Larosa (Hall of Fame)

Hello unfraget,

EoMPLS can transport any L2 protocol, except MACSec, with any configuration option.

To support MACSec transport over EoMPLS the PE nodes must use port based EoMPLS. I have configured it successfully on ME 3600 with IOS XE 15.5.3.

So be prepared for possible issues with MACSec if the provider is using the modern EVC-based EoMPLS syntax.

For all the other protocols any type of EoMPLS works well.

A port based EoMPLS is configured like the following:

 

interface GigabitEthernet0/9
description Port Based EoMPLS for trustsec
no switchport
no ip address

! the following command may not be needed; it can be used to bring the pseudowire up even when not connected
!no keepalive
xconnect 192.168.246.19 3002 encapsulation mpls
!

 

TrustSec is another name for MACSec. These protocols use destination addresses that are sent to the main CPU of every device working at OSI layer 2. This is done by design to avoid having L2 devices in the middle of a MACsec session.

Port based EoMPLS makes the PE interface so dumb/stupid that it is only OSI layer 1 and allows these frames to pass.

When using EVC-based EoMPLS these frames cannot pass; they are sent to the CPU of the PE node, because EoMPLS with EVC are OSI layer 2 entities.

So ask the provider to give you port based EoMPLS for the reasons explained above and you will be able to pass MACSec frames as well.

Note: no form of Ethernet OAM is supported on port based EoMPLS. This is the price to pay to support MACSec / TrustSec over EoMPLS.

 

Hope to help

Giuseppe
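The answer above hinges on one mechanism: link-local control protocols use destination MAC addresses that every layer-2 device on the path consumes instead of forwarding, so only a layer-1-transparent pseudowire (or explicit protocol tunneling on the PE) lets them reach the far site. The following frame classifier is an added example written for this thread; it is not code from the post or from any Cisco product. It encodes a few IEEE facts: EAPOL (the carrier of MKA, the MACsec key agreement) uses EtherType 0x888E and the PAE group address 01:80:C2:00:00:03, MACsec-protected frames use EtherType 0x88E5, and destinations in the reserved range 01:80:C2:00:00:00 to :0F are terminated by 802.1Q bridges rather than relayed. The sample frames, CE MAC addresses and the minimal EAPOL/SecTAG payloads are constructed for the demo, not captures from a real link.

```python
"""Classify Ethernet frames by how a standards-compliant L2 bridge treats them.

Added example for the EoMPLS/MACsec thread; not code from the original post.
Sample frames below are constructed, not captured.
"""
import struct
from typing import Dict, List, Optional

ETHERTYPE_EAPOL = 0x888E   # EAPOL; EAPOL-MKA is packet type 5
ETHERTYPE_MACSEC = 0x88E5  # MACsec: SecTAG follows this EtherType
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # Nearest non-TPMR Bridge / PAE group
LLDP_MULTICAST = bytes.fromhex("0180c200000e")     # Nearest Bridge group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")      # 01:80:C2:00:00:00 .. :0F are not relayed

PROTOCOL_NAMES = {
    ETHERTYPE_EAPOL: "EAPOL/MKA",
    ETHERTYPE_MACSEC: "MACsec",
    ETHERTYPE_LLDP: "LLDP",
    ETHERTYPE_IPV4: "IPv4",
}


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II frame, optionally with a single 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def classify(frame: bytes) -> Dict[str, object]:
    """Parse the L2 header and report whether a bridge would consume the frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == ETHERTYPE_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    # Reserved group addresses are terminated by every bridge on the path, so a
    # provider L2 service must be port-transparent or explicitly tunnel them;
    # otherwise the PE itself consumes the frame and the far CE never sees it.
    bridge_filtered = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        "vlan": vlan,
        "ethertype": ethertype,
        "protocol": PROTOCOL_NAMES.get(ethertype, f"0x{ethertype:04x}"),
        "bridge_filtered": bridge_filtered,
        "macsec_related": ethertype in (ETHERTYPE_EAPOL, ETHERTYPE_MACSEC),
    }


def transparency_report(frames: List[bytes]) -> Dict[str, int]:
    """Count frames a non-transparent L2 service would swallow or that belong to MACsec."""
    results = [classify(f) for f in frames]
    return {
        "total": len(results),
        "bridge_filtered": sum(1 for r in results if r["bridge_filtered"]),
        "macsec_related": sum(1 for r in results if r["macsec_related"]),
    }


# Constructed sample frames (hypothetical CE MAC addresses, minimal payloads)
CE_A = bytes.fromhex("0011220000aa")
CE_B = bytes.fromhex("0011220000bb")
# EAPOL version 3, packet type 5 (EAPOL-MKA), zero-length body
MKA_FRAME = build_frame(PAE_GROUP_ADDR, CE_A, ETHERTYPE_EAPOL, bytes([3, 5, 0, 0]))
# MACsec SecTAG: TCI/AN = E|C bits set, no SCI; SL = 0; PN = 1; secure data omitted
MACSEC_FRAME = build_frame(CE_B, CE_A, ETHERTYPE_MACSEC, bytes([0x0C, 0x00]) + struct.pack("!I", 1))
# LLDP with only a Chassis ID TLV (subtype 4 = MAC address)
LLDP_FRAME = build_frame(LLDP_MULTICAST, CE_A, ETHERTYPE_LLDP, b"\x02\x07\x04" + CE_A)
# Ordinary tagged IPv4 frame: forwarded by any bridge
IPV4_FRAME = build_frame(CE_B, CE_A, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=100)

SAMPLE_FRAMES = [MKA_FRAME, MACSEC_FRAME, LLDP_FRAME, IPV4_FRAME]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f))
    print(transparency_report(SAMPLE_FRAMES))
```

Run it against frames pulled from a capture on the CE-facing port of each end: any frame flagged `bridge_filtered` that shows up on one side and not the other has been consumed by a layer-2 entity in the provider path, which is exactly the symptom of an EVC-based pseudowire without protocol tunneling for that EtherType.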

 


2 Replies


Hello Giuseppe, hoping you are doing well,

Just to tell you that this post was very helpful for my customer with ME 3600. Could you please tell me if there is anything similar but with ASR920? I have configured it like this for another customer, but only MACSec works; CDP and LLDP don't work.

interface TenGigabitEthernet0/0/24
mtu 9184
no ip address
no keepalive
service instance 100 ethernet
encapsulation default
l2protocol tunnel cdp dot1x lldp 
xconnect 12.18.4.2 10117 encapsulation mpls