Problem with MACSec Connection between two CISCO 9500 over OSPF and BFD

appelwoin
Level 1

Hi,

 

I have a question. 

 

I want to activate MACsec on a 10 Gbit WAN connection. My end systems are Cisco 9500.

 

Routing protocol: OSPF with BFD.

Without BFD the MACsec connection runs stable. When I configure BFD, every few seconds the OSPF/BFD neighborship goes down and up.

 

MACsec is transparent through the provider, and an MTU of 9100 is configured on the provider equipment.

 

Can somebody assist me?

 

Best regards

 

Markus


Giuseppe Larosa
Hall of Fame

Hello @appelwoin,

>> MACSec is from the provider transparent and there is a MTU from 9100 configured on the provider equipment.

This means the provider is using a port-based EoMPLS service. I tested this in the past, and it makes the PE node stay at OSI layer 1; otherwise MACsec frames do not pass (their destination address is meant to be processed by the first OSI layer 2 device in the path, so an EVC does not work).

 

I think you are facing issues with the way BFD is implemented: BFD offloading avoids using the main CPU to set up and maintain BFD sessions. Now you would like to add MACsec; this might be beyond the capabilities of BFD offload to linecards/modules.

 

To see if there is total incompatibility between MACsec and BFD, you can try to increase the BFD timers and see whether you achieve a more stable scenario. If BFD still fails even with high timers, you have an incompatibility between the two features.

 

Edit:

Depending on your security policy, using OSPF authentication may be enough. You may combine it with uRPF.

 

Hope to help

Giuseppe

Another piece of information: it is not possible to make a ping with the DF bit set and a size bigger than MTU 1500.

Without the DF bit I can make a ping with, for example, MTU 6000.

Hello Markus,

If your ping tests fail with the DF bit set and a size greater than 1500, then the following sentence:

>> there is a MTU from 9100 configured on the provider equipment.

is not true.

 

However, this does not explain why BFD fails, as I would not expect BFD packets to be padded to the max size of the IP packet on the interface.

The BFD messages should be small packets.

 

However, issues with MTU can prevent OSPF from reaching the FULL state, as OSPF Database Descriptors are exchanged with the DF bit set and using the max MTU if needed.

 

Hope to help

Giuseppe
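The two checks Giuseppe proposes (relaxing the BFD timers as a test, and verifying the claimed 9100-byte path MTU with DF-bit pings), written out as Catalyst 9500 IOS-XE CLI. This is an added example, not configuration from either poster; the interface name, addresses and the relaxed BFD timer values are assumptions, and only the 1500, 6000 and 9100 byte sizes come from the thread.

```cisco
! --- Test 1 (first reply): relax the BFD timers on the MACsec-facing WAN
! --- interface. Interface name, addresses and the 1000 ms / multiplier 5
! --- values are assumptions for this example, not from the thread.
interface TenGigabitEthernet1/0/1
 description WAN to remote 9500 (MACsec across provider EoMPLS)
 ip address 192.0.2.1 255.255.255.252
 ip ospf bfd
 ! Assumed relaxed timers: 1000 ms tx, 1000 ms min_rx, multiplier 5.
 ! If the OSPF/BFD neighbourship is stable here but flaps with aggressive
 ! timers, suspect the BFD offload path rather than the link itself.
 bfd interval 1000 min_rx 1000 multiplier 5
!
! --- Test 2 (second reply): verify the claimed 9100-byte path MTU with
! --- DF-bit pings from the 9500 CLI. Size 1500 with DF should succeed; if
! --- 1501 and above fail with DF set while 6000 passes without DF, there is
! --- a 1500-byte MTU somewhere on the path and the 9100 claim is not true.
ping 192.0.2.2 size 1500 df-bit
ping 192.0.2.2 size 1501 df-bit
ping 192.0.2.2 size 6000 df-bit
ping 192.0.2.2 size 9100 df-bit
ping 192.0.2.2 size 6000
!
! --- Confirm what the local switch believes its MTU is (global and per-port).
! --- OSPF DBD exchange uses the interface MTU with DF set, so a mismatch can
! --- hold the adjacency below FULL even when BFD itself is not the cause.
show running-config | include system mtu
show interfaces TenGigabitEthernet1/0/1 | include MTU
show ip interface TenGigabitEthernet1/0/1 | include MTU
!
! --- State checks to repeat after each change.
show bfd neighbors details
show ip ospf neighbor
show mka sessions
```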

 

Is there a problem with the system default MTU? Must I configure the system MTU from 1500 to 9100?

 

 

appelwoin
Level 1

Hi,

 

Thanks for your answer. We have the same configuration at another location, and it is working with the same configuration. The BFD timers are the same.

 

Best regards

 

Markus