cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
139
Views
0
Helpful
1
Replies

Is MACSEC over ACI VXLAN possible?

tobin_jim
Beginner
Beginner

Is it possible to use switch-to-switch MACSEC encryption between two Catalyst 9300s that are connected to different leaf switches, at different sites, of an Cisco ACI multipod setup? The MACSEC ports on either end would be connected to the same EPG in the same Bridge Domain. I have done similar with other layer 2 protocols such as LACP but I'm not sure if the encryption/decryption at both ends would break the MACSEC encryption.

9300 Site 1 <--> Leaf 1 (EPG-A/BD-A) <--> Interpod Network <--> Leaf 2 (EPG-A/BD-A) <--> 9300 Site 2

1 Reply 1

Sergiu.Daniluk
VIP Advisor VIP Advisor
VIP Advisor

Hi @tobin_jim 

Technically, I guess it should work. The only pain point I see is the static path assignment in the EPG. Basically the traffic should be configured as untagged/native, because everything after the MAC header is encrypted.

Alternatively, what you can do is MACSEC between C9300 and Leaf1, MACSEC between Leafs and Spines, and MACSEC between Spine and IPN routers.

 

Stay safe,

Sergiu

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers