[c-nsp] Transparent WAN Encryption

Frank Bulk frnkblk at iname.com
Mon Feb 3 23:13:07 EST 2014


I've been working with MACsec over the last two weeks as a cheaper way to
get some encryption in place over some lit paths.  In our case I also manage
the transport gear.

I had to change a "frame disposition" setting on our transport gear because,
by default, the Ethertype for the initial EAPOL exchange, 0x888E, was
filtered out.  MACsec content has a 0x88E5 Ethertype.  It still didn't work,
but our transport vendor identified the issue as a bug already fixed in
a future newer release, and they were able to patch the problem.

So if you run the traffic through transport gear that handles those two
Ethertypes, MACsec should run fine.

Regards,

Frank

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Benny Amorsen
Sent: Monday, February 03, 2014 5:31 PM
To: Ian Henderson
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption

Ian Henderson <ianh at ianh.net.au> writes:

> What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate
> L2 encryption.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072 says:

Does that actually work over WAN links that are not just plain optical
paths? I have been wondering if you can get MacSec to work over EoMPLS.

VPLS seems unlikely, as MacSec seems to be point-to-point.


/Benny
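
Added example (not part of the original thread or written by any of its participants): a small Python check that classifies frames captured on the far side of a transport path by the two Ethertypes named in the post, 0x888E (EAPOL) and 0x88E5 (MACsec), to show whether the path passes them. The VLAN tag handling, function names and sample frames are assumptions made for illustration.

```python
import struct
from collections import Counter

ETH_EAPOL = 0x888E             # initial EAPOL exchange (value from the post)
ETH_MACSEC = 0x88E5            # MACsec-protected frames (value from the post)
VLAN_TPIDS = {0x8100, 0x88A8}  # assumption: the path may add 802.1Q/802.1ad tags

def outer_ethertype(frame):
    """Return the first non-VLAN Ethertype, or None if the frame is too short."""
    offset = 12  # skip destination and source MAC
    while len(frame) >= offset + 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype
        offset += 4  # skip TPID + TCI and look at the next type field
    return None

def summarize(frames):
    """Count frames per category in a far-side capture."""
    counts = Counter()
    for f in frames:
        etype = outer_ethertype(f)
        if etype is None:
            counts["truncated"] += 1
        elif etype == ETH_EAPOL:
            counts["eapol"] += 1
        elif etype == ETH_MACSEC:
            counts["macsec"] += 1
        else:
            counts["other"] += 1
    return counts

def diagnose(counts):
    if counts["eapol"] == 0:
        return "no EAPOL (0x888E) arrived: check Ethertype filtering on the path"
    if counts["macsec"] == 0:
        return "EAPOL arrived but no MACsec (0x88E5) frames seen"
    return "both Ethertypes arrive: path passes EAPOL and MACsec"

def make_frame(etype, vlan=None):
    """Constructed sample frame with made-up MAC addresses and zero payload."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return macs + tag + struct.pack("!H", etype) + b"\x00" * 46

if __name__ == "__main__":
    filtered = [make_frame(0x0800), make_frame(0x0806)]   # constructed capture
    passing = [make_frame(ETH_EAPOL), make_frame(ETH_MACSEC, vlan=100)]
    print(diagnose(summarize(filtered)))
    print(diagnose(summarize(passing)))
```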

