I've been working with MACsec over the last two weeks as a cheaper way to get some encryption in place over some lit paths. In our case I also manage the transport gear.
I had to change a "frame disposition" setting on our transport gear because, by default, the Ethertype for the initial EAPOL exchange, 0x888E, was filtered out. MACsec content has a 0x88E5 Ethertype. It still didn't work, but our transport vendor identified the issue as a bug already fixed in a future, newer release, and they were able to patch the problem. So if you run the traffic through transport gear that handles those two Ethertypes, MACsec should run fine.

Regards,
Frank

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Benny Amorsen
Sent: Monday, February 03, 2014 5:31 PM
To: Ian Henderson
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption

Ian Henderson <i...@ianh.net.au> writes:

> What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate L2 encryption.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072 says:

Does that actually work over WAN links that are not just plain optical paths? I have been wondering if you can get MacSec to work over EoMPLS. VPLS seems unlikely, as MacSec seems to be point-to-point.

/Benny
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
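
A way to check the Ethertype point made in the message above, added here as an example that is not part of the original thread: it scans raw Ethernet frames captured at the far end of a transport path and reports which of the two Ethertypes (0x888E, 0x88E5) never arrived. The function names, the sample frames, and the skipping of 802.1Q/802.1ad tags (a generalization beyond the message) are assumptions.

```python
import struct

EAPOL = 0x888E    # Ethertype of the initial EAPOL exchange
MACSEC = 0x88E5   # Ethertype of MACsec content
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags (assumption: path may add them)

def ethertype(frame: bytes):
    """Return the first non-VLAN Ethertype of a raw Ethernet frame, None if truncated."""
    offset = 12  # skip destination + source MAC
    while len(frame) >= offset + 2:
        (value,) = struct.unpack_from("!H", frame, offset)
        if value not in VLAN_TPIDS:
            return value
        offset += 4  # skip TPID + TCI, look at the next type field
    return None

def missing_ethertypes(frames):
    """Names of the required Ethertypes that never appear in the far-end capture."""
    seen = {ethertype(f) for f in frames}
    required = (("EAPOL 0x888E", EAPOL), ("MACsec 0x88E5", MACSEC))
    return [name for name, value in required if value not in seen]

def build_frame(etype, vlan=None):
    """Constructed test frame: made-up MACs, optional 802.1Q tag, zero payload."""
    header = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan)
    return header + struct.pack("!H", etype) + bytes(46)

# Constructed captures, not real traffic.
FILTERED = [build_frame(0x0800), build_frame(0x0806, vlan=100)]
PASSING = [build_frame(EAPOL), build_frame(MACSEC, vlan=100), build_frame(0x0800)]

if __name__ == "__main__":
    print("filtered path missing:", missing_ethertypes(FILTERED))
    print("passing path missing:", missing_ethertypes(PASSING))
```

An empty result means both Ethertypes crossed the path; a capture that shows neither, or only one of them, points at the transport gear's frame handling rather than the MACsec endpoints.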