I have a simple macsec lab setup, to test the feasibility of macsec over various flavours of P2P Ethernet circuits. This varies from ethernet-over-fiber, ethernet-over-wave, ethernet-over-sonet, ethernet-over-mpls-ethernet, ethernet-over-carrier-pigeon (you get the idea.)
MACsec encryption works fine, as it uses unicast dmac/smac etype 0x88e5. The initial keying uses 802.1x/eapol with a reserved dmac of 01:80:0c:00:00:03 etype 0x888e. I believe this is going to cause problems with some flavours of ethernet-over-something, as the eapol traffic will be consumed by the carrier ethernet equipment.

On the carrier side I need something like:

  int g1/0/1
   l2protocol-tunnel 802.1x
  end

I don't believe this exists.

In my lab, I have a dumb ethernet switch (Cisco SF302) simulating the carrier. This switch supports the following config:

  bridge multicast reserved-address 01:80:c2:00:00:03 bridge

This forces the eapol packets to be bridged, allowing the keying to work.

If it were possible to configure unicast eapol neighbors, I would be done. I'm not finding that to be possible.

Anyone run into this? Suggestions?

-- 
Tim:>
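As an added example (not part of Tim's post or any vendor tooling), a small Python frame classifier one could run over frames captured on the far side of the carrier circuit to confirm whether the keying traffic arrives: it separates MACsec data frames (etype 0x88e5, unicast dmac) from EAPOL frames (etype 0x888e) and flags any frame sent to the 01:80:c2:00:00:00-0F block that 802.1D/802.1Q bridges are required to filter. The sample frames and MAC addresses below are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

ETYPE_MACSEC, ETYPE_EAPOL, ETYPE_8021Q = 0x88E5, 0x888E, 0x8100
# 01:80:c2:00:00:00 .. :0f is the IEEE 802.1 reserved block that MAC bridges
# must not forward; EAPOL uses :03 ("Nearest non-TPMR Bridge").
RESERVED_OUI = bytes.fromhex("0180c20000")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 5: "EAPOL-MKA"}

@dataclass
class FrameInfo:
    dst: str
    src: str
    kind: str             # "eapol", "macsec" or "other"
    bridge_filtered: bool  # True if a standards-compliant bridge drops it
    detail: str

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes) -> FrameInfo:
    """Parse one raw Ethernet frame (optionally 802.1Q tagged)."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src, off = frame[:6], frame[6:12], 12
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETYPE_8021Q:          # skip a single VLAN tag
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    filtered = dst[:5] == RESERVED_OUI and dst[5] <= 0x0F
    if etype == ETYPE_EAPOL:
        ver, ptype, length = struct.unpack_from("!BBH", frame, off)
        kind = "eapol"
        detail = f"EAPOL v{ver} {EAPOL_TYPES.get(ptype, ptype)} len={length}"
    elif etype == ETYPE_MACSEC:
        tci_an = frame[off]               # SecTAG: TCI/AN octet then SL, PN
        pn = struct.unpack_from("!I", frame, off + 2)[0]
        sci = "present" if tci_an & 0x20 else "absent"   # SC bit
        kind = "macsec"
        detail = f"MACsec AN={tci_an & 0x3} PN={pn} SCI={sci}"
    else:
        kind, detail = "other", f"ethertype 0x{etype:04x}"
    return FrameInfo(mac_str(dst), mac_str(src), kind, filtered, detail)

# Constructed samples: an EAPOL-MKA frame to the reserved address, and a
# MACsec frame (TCI 0x2c = SC|E|C, AN 0, PN 0x42) between unicast peers.
SAMPLE_EAPOL = bytes.fromhex("0180c2000003" "001122334455" "888e" "0305" "0010") + bytes(16)
SAMPLE_MACSEC = bytes.fromhex("00aabbccddee" "001122334455" "88e5" "2c00" "00000042") \
    + bytes.fromhex("0011223344550001") + bytes(16)

if __name__ == "__main__":
    for f in (SAMPLE_EAPOL, SAMPLE_MACSEC):
        print(classify(f))
```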
