Is MACSEC over ACI VXLAN possible?

tobin_jim
Level 1

Is it possible to use switch-to-switch MACSEC encryption between two Catalyst 9300s that are connected to different leaf switches, at different sites, of a Cisco ACI multipod setup? The MACSEC ports on either end would be connected to the same EPG in the same Bridge Domain. I have done similar with other layer 2 protocols such as LACP, but I'm not sure if the encryption/decryption at both ends would break the MACSEC encryption.

9300 Site 1 <--> Leaf 1 (EPG-A/BD-A) <--> Interpod Network <--> Leaf 2 (EPG-A/BD-A) <--> 9300 Site 2

1 Reply

Sergiu.Daniluk
VIP Alumni

Hi @tobin_jim 

Technically, I guess it should work. The only pain point I see is the static path assignment in the EPG. Basically, the traffic should be configured as untagged/native, because everything after the MAC header is encrypted.

Alternatively, what you can do is MACSEC between C9300 and Leaf1, MACSEC between Leafs and Spines, and MACSEC between Spine and IPN routers.


Stay safe,

Sergiu
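To illustrate the point about untagged/native classification in the reply above, here is an added example (not from the original thread or from Cisco) that builds a constructed 802.1AE frame and shows what a transit switch such as an ACI leaf can still see: the MACs and the SecTAG, but not the 802.1Q tag, which sits inside the encrypted secure data. The ciphertext is a stand-in (plain XOR, not real GCM-AES), the ICV is a fixed placeholder, and the MAC addresses are constructed.

```python
import struct

ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG EtherType
ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag EtherType
# TCI bits in the first SecTAG octet after the EtherType (802.1AE)
TCI_ES, TCI_SC, TCI_E, TCI_C = 0x40, 0x20, 0x08, 0x04

def vlan_tag(vid, pcp=0):
    """Build an 802.1Q tag (EtherType + TCI) for the given VLAN ID."""
    return struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))

def macsec_encap(dst, src, secure_data, pn, an=0):
    """Wrap already-encrypted secure data in a MACsec frame: MACs, 8-byte SecTAG
    (ES=1, no explicit SCI), secure data, 16-byte ICV. The ICV is a placeholder."""
    tci_an = TCI_ES | TCI_E | TCI_C | (an & 0x03)
    sl = len(secure_data) if len(secure_data) < 48 else 0   # Short Length field
    sectag = struct.pack("!HBBI", ETHERTYPE_MACSEC, tci_an, sl, pn)
    return dst + src + sectag + secure_data + b"\xaa" * 16

def classify_port_vlan(frame):
    """What a transit switch (e.g. an ACI leaf static path) can classify on:
    the VID if an 802.1Q tag is in the clear, else None (untagged/native)."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_VLAN:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def sectag_info(frame):
    """Decode the SecTAG fields that travel in the clear."""
    etype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if etype != ETHERTYPE_MACSEC:
        raise ValueError("not a MACsec frame")
    return {"encrypted": bool(tci_an & TCI_E), "sci_present": bool(tci_an & TCI_SC),
            "an": tci_an & 0x03, "pn": pn, "short_length": sl}

DST = bytes.fromhex("0050569a0001")   # constructed MAC addresses
SRC = bytes.fromhex("0050569a0002")
# Constructed inner frame body: VLAN 100 tag, IPv4 EtherType, dummy payload
INNER = vlan_tag(100) + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
# Stand-in for the GCM-AES ciphertext of INNER (opaque bytes, same length; not real crypto)
CIPHERTEXT = bytes(b ^ 0x5C for b in INNER)
CLEAR_FRAME = DST + SRC + INNER
MACSEC_FRAME = macsec_encap(DST, SRC, CIPHERTEXT, pn=1)

if __name__ == "__main__":
    print("clear frame  -> VLAN", classify_port_vlan(CLEAR_FRAME))    # 100
    print("MACsec frame -> VLAN", classify_port_vlan(MACSEC_FRAME))   # None
    print(sectag_info(MACSEC_FRAME))
```

The same frame that would be classified into VLAN 100 in the clear shows up as untagged once MACsec is applied, which is why the EPG static path has to be bound as untagged/native rather than to the inner VLAN.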
