[c-nsp] Cisco TrustSec/MACsec

Tim Durack tdurack at gmail.com
Wed Jul 24 16:25:30 EDT 2013

I have a simple macsec lab setup, to test the feasibility of macsec over
various flavours of P2P Ethernet circuits. This varies from
ethernet-over-fiber, ethernet-over-wave, ethernet-oversonet,
ethernet-over-mpls-ethernet, ethernet-over-carrier-pigeon (you get the

macsec encryption works fine, as it uses unicast dmac/smac etype 0x88e5.

The initial keying uses 802.1x/eapol with a reserved dmac of
01:80:0c:00:00:03 etype 0x888e. I believe this is going to cause problems
with some flavours of ethernet-over-something, as the eapol traffic will be
consumed by the carrier ethernet equipment.

On the carrier side I need something like:

int g1/0/1
 l2protocol-tunnel 802.1x

I don't believe this exists. In my lab, I have a dumb ethernet switch
(Cisco SF302) simulating the carrier. This switch supports the following

bridge multicast reserved-address 01:80:c2:00:00:03 bridge

This forces the eapol packets to be bridged, allowing the keying to work.

If it were possible to configure unicast eapol neighbors, I would be done.
I'm not finding that to be possible.

Anyone run into this? Suggestions?


More information about the cisco-nsp mailing list