[c-nsp] Transparent WAN Encryption

Frank Bulk frnkblk at iname.com
Mon Feb 3 23:13:07 EST 2014

I've been working with MACsec over the last two weeks as a cheaper way to
get some encryption in place over some lit paths.  In our case I also manage
the transport gear.

I had to change a "frame disposition" setting on our transport gear because,
by default, the Ethertype for the initial EAPOL exchange, 0x888E, was
filtered out.  MACsec content has a 0x88E5 Ethertype.  It still didn't work,
but our transport vendor identified the issue as a bug already fixed that in
a future newer release, and they were able to patch the problem.  

So if you run the traffic through transport gear that handles those two
Ethertypes, MACsec should run fine.



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Benny Amorsen
Sent: Monday, February 03, 2014 5:31 PM
To: Ian Henderson
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption

Ian Henderson <ianh at ianh.net.au> writes:

> What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate
L2 encryption.
iguration/guide/swmacsec.html#wp1334072 says:

Does that actually work over WAN links that are not just plain optical
paths? I have been wondering if you can get MacSec to work over EoMPLS.

VPLS seems unlikely, as MacSec seems to be point-to-point.


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list