Hello @ja.aljaloud ,

you mean the following description :

>>

About the topology:

Each site has two Cisco 9300 switches, the two switches are connected with LACP, and the same for the other site.

Ok so we can suppose each site has two indipendent Cat9300 and you are not using SVL to stack them ?

SiteA-Switch 1 ------   connected via ?   -----  SiteB Switch1

Site A- SWitch2 -----   connected via ? ------  Siteb Switch 2

And Site Aswitch1 ===== lacp ====== SiteA Switch2

And

Site B switch1 ===== lacp ============= SiteB switch 2

is this your topology ?

MACSec applies only to directly connected devices if any L2 device is on the path the MACsec negotiation fails.

So I would go for OSPF protection using key chain as suggested by @David Ruess 

Edit :

if your topology is confirmed you can easily make the second inter site link less preferred by using ip ospf cost 1000 on both sides of the link.

With default settings you get ECMP equal cost multi path over the two inter site links.

Hope to help

Giuseppe

Hey, that's correct i don't use Stack.

they are connectet with LWL Cabel SW1-1 and SW1-2 and the same on Site B.

Site A SW1-1 connectet with Site B SW2-1 with LWL 10G Cabel.

Site A SW1-2 connectet with Site B SW2-2 with LWL 10G Cabel.

With OSPF Configuration i wanna redistribute alle Static Routes.

So i can configure this Topology as follow:

1: Site A SW1-1 and SW1-2 connected with LACP, and Configure these Switches as VRRP.

2: Site B SW2-1 and SW2-2 connected with LACP, and Configure these Switches as VRRP.

3: Configure OSPF Protocol as mentioned David plus Redistribution Static Routes.

4: Configures Costs

Is so i am on the correct way?!

Thanks

Hello @ja.aljaloud ,

no you need to run OSPF also on the LACP port-channel between co-located switches , VRRP on the LACP bundle makes little sense. VRRP or other FHRP ( HSRP or GLBP) just provide a virtual default gateway to end user PCs or a resilient next-hop for static routes.

So you should use VRRP on the user facing VLANs that are permitted on the port channel but you should run OSPF on two SVIs between colocated switches ( for redundancy)

Redistributing static routes if done on two different OSPF devices you should use OSPF type 1 as  external metric type 1 and you can influence the primary exit point using different seed metric.

route-map Static-into-OSPF permit 10

match address prefix Statics

set metric type 1

set metric 50

Edit:

are you sure you need to redistribute static routes ?  Or  this need comes for attempting to use VRRP on the LACP port-channel ?

If so just run OSPF on the bundle and avoid each static redistribution that allows you to build a simpler solution.

router ospf 10

redistribute static subnet route-map Static-into-OSPF

route-map Static-into-OSPF permit 10

match address prefix Statics

set metric type 1

set metric 5000

on the other colocated switch

Hope to help

Giuseppe

Thanks a lot for your explantion:)

I wanna redistribute static routes, because i have on Site A cluster of Firewall ( Active and Standby), its connect to SW1-1 and SW1-2 as Layer 3 and the same topolgy on Site B.

Anyway tommorow i will be on site to configure them and i will see how i can configure them.

Thanks in advanced

what is the name of the licence do i need to activate the MACSEC?

Above document should have that information as pre-requisites.

MACsec should support essential (basic)

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-ser-data-sheet-cte-en.html#Licensing

FAQ :

https://www.cisco.com/c/en/us/products/collateral/software/one-wireless-subscription/nb-06-dna-acces-wl-sw-faq-ctp-en.html