[c-nsp] Cisco TrustSec/MACsec
Tim Durack
tdurack at gmail.com
Wed Jul 24 16:25:30 EDT 2013
I have a simple macsec lab setup, to test the feasibility of macsec over
various flavours of P2P Ethernet circuits. This varies from
ethernet-over-fiber, ethernet-over-wave, ethernet-over-sonet,
ethernet-over-mpls-ethernet, ethernet-over-carrier-pigeon (you get the
idea.)
macsec encryption works fine, as it uses unicast dmac/smac etype 0x88e5.
The initial keying uses 802.1x/eapol with a reserved dmac of
01:80:c2:00:00:03 etype 0x888e. I believe this is going to cause problems
with some flavours of ethernet-over-something, as the eapol traffic will be
consumed by the carrier ethernet equipment.
On the carrier side I need something like:
int g1/0/1
l2protocol-tunnel 802.1x
end
I don't believe this exists. In my lab, I have a dumb ethernet switch
(Cisco SF302) simulating the carrier. This switch supports the following
config:
bridge multicast reserved-address 01:80:c2:00:00:03 bridge
This forces the eapol packets to be bridged, allowing the keying to work.
If it were possible to configure unicast eapol neighbors, I would be done.
I'm not finding that to be possible.
Anyone run into this? Suggestions?
--
Tim:>
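The addressing difference the post describes, as an added example that is not part of the original message or of any Cisco configuration: a small Python model of how a standard 802.1D MAC bridge treats the two frame types. MKA keying rides in EAPOL (EtherType 0x888e) addressed to the reserved PAE group address 01:80:c2:00:00:03, which falls in the 01:80:c2:00:00:00 .. :0f range that a conformant bridge terminates rather than forwards; MACsec data (EtherType 0x88e5) is sent to the peer's unicast MAC and passes. The `tunnel_reserved` flag models a knob like the SF302's `bridge multicast reserved-address ... bridge`, and the unicast-addressed EAPOL frame models the "unicast eapol neighbors" the post wishes for. All MAC addresses, the SCI, the packet number and the ciphertext bytes are constructed for illustration; the MKPDU body is omitted because only the addressing matters here.

```python
"""Added example (not from the original post): classify Ethernet frames the way
a standard 802.1D MAC bridge treats them, to show why 802.1X/EAPOL keying
frames can be consumed by carrier equipment while MACsec data frames pass.
All frames below are constructed for illustration."""
import struct

ETHERTYPE_EAPOL = 0x888E   # 802.1X EAPOL (carries MKA for MACsec keying)
ETHERTYPE_MACSEC = 0x88E5  # 802.1AE MACsec
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPE_MKA = 5         # EAPOL packet type for MKA (802.1X-2010)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def is_bridge_reserved(dmac: bytes) -> bool:
    """802.1D reserved group addresses 01:80:c2:00:00:00 .. :0f.
    A conformant MAC bridge must not forward these; it terminates them."""
    return dmac[:5] == bytes.fromhex("0180c20000") and dmac[5] <= 0x0F


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header plus the EAPOL header or MACsec SecTAG."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dmac, smac, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dmac": mac_str(dmac), "smac": mac_str(smac), "ethertype": etype}
    if etype == ETHERTYPE_EAPOL and len(frame) >= 18:
        ver, ptype, length = struct.unpack("!BBH", frame[14:18])
        info["eapol"] = {"version": ver, "type": ptype, "body_len": length}
    elif etype == ETHERTYPE_MACSEC and len(frame) >= 20:
        tci_an, sl = frame[14], frame[15]
        pn = struct.unpack("!I", frame[16:20])[0]
        sectag = {"an": tci_an & 0x03,          # association number
                  "sc": bool(tci_an & 0x20),    # SCI present
                  "e": bool(tci_an & 0x08),     # encrypted
                  "c": bool(tci_an & 0x04),     # changed text
                  "short_len": sl, "pn": pn}
        if sectag["sc"] and len(frame) >= 28:
            sectag["sci"] = frame[20:28].hex()
        info["sectag"] = sectag
    return info


def bridge_action(frame: bytes, tunnel_reserved: bool = False) -> str:
    """What a carrier bridge does with the frame. tunnel_reserved models a
    knob such as 'bridge multicast reserved-address 01:80:c2:00:00:03 bridge'."""
    if is_bridge_reserved(frame[:6]) and not tunnel_reserved:
        return "consumed"
    return "forwarded"


def build_eapol_mka(smac: bytes, dmac: bytes = PAE_GROUP_ADDR) -> bytes:
    # EAPOL v3 header, packet type MKA; MKPDU body omitted (length 0).
    return dmac + smac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 3, EAPOL_TYPE_MKA, 0)


def build_macsec(dmac: bytes, smac: bytes, sci: bytes, pn: int, ct: bytes) -> bytes:
    # TCI/AN: SC=1 (SCI present), E=1, C=1 (encrypted and changed), AN=0.
    tci_an = 0x20 | 0x08 | 0x04
    sl = len(ct) if len(ct) < 48 else 0   # short length only for payloads < 48 bytes
    return dmac + smac + struct.pack("!HBBI", ETHERTYPE_MACSEC, tci_an, sl, pn) + sci + ct


# Constructed sample frames (addresses, SCI, PN and ciphertext are placeholders).
CE_A = bytes.fromhex("0011223344aa")
CE_B = bytes.fromhex("0011223344bb")
SCI_A = CE_A + b"\x00\x01"                       # SCI = MAC + port id
EAPOL_FRAME = build_eapol_mka(CE_A)              # as sent by a real MKA peer
UNICAST_EAPOL_FRAME = build_eapol_mka(CE_A, dmac=CE_B)  # hypothetical unicast keying
MACSEC_FRAME = build_macsec(CE_B, CE_A, SCI_A, 7, bytes(16))

if __name__ == "__main__":
    for name, f in [("EAPOL/MKA", EAPOL_FRAME), ("EAPOL unicast", UNICAST_EAPOL_FRAME),
                    ("MACsec", MACSEC_FRAME)]:
        p = parse_frame(f)
        print(f"{name:14} dmac={p['dmac']} etype=0x{p['ethertype']:04x} "
              f"bridge={bridge_action(f)} tunneled={bridge_action(f, True)}")
```

The model only encodes the 802.1D rule for the reserved range; real carrier gear (802.1ad provider bridges, EoMPLS pseudowires) applies its own tables, so the useful check in a lab is to capture at the far end and see whether the 0x888e frames arrive at all.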