Toerless Eckert <[email protected]> wrote:
    > "i have a switched LAN and my switch is ACP capable"

    > That solution should be easily solvable if the switch can use a
    > solution where it can simply act as a router for the purpose of ACP -
    > while continuing to act as an L2 switch for the data plane.

I think that is entirely possible, but it's a case where the discovery would
be easier if it was L2-based, and did not propagate beyond the ToR switch.
That was the topic of draft-richardson-anima-l2-friendly-acp-02.

    > With Michael's ACP implementation approach of allocating for ACP (in
    > linux) a separate MAC-address interface this is simple. Of course this
    > is still software forwarding of the ACP traffic then. This would not be
    > my preferred long-term high-performance model for a DC of course, but i
    > think the original problem for the DC is simply that there likely is no
    > Broadcom switch that does IPsec. So for such an ACP one would hope that
    > DC switches can do MacSEC.

Yes, that could work.
Another way is that the ToR switch could have a mirror-ish port that
connected to some kind of concentrator device.

    > Alas, last time (long time ago) i looked into MacSEC NICs, you could at
    > best only do MacSEC on a per-VLAN basis - or for the whole
    > interface. Not per-MAC address. But that may not be today's state of
    > affairs.

    > Too bad that still none of the low-end L2 switch ASIC / NIC like those
    > found on easy-to-experiment-on OpenWRT routers do seem to have MacSEC...

My opinion is that it's okay for the ACP to be relatively low bandwidth, if
things like MPTCP (or its QUIC variations) are used, and traffic can go via
the "production" network as well.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*
