Solved

EXOS MAC Sec Questions

  • 7 July 2019
  • 5 replies
  • 327 views

Userlevel 6
We want to use MACsec adapters to secure fiber uplinks from branch office switches to core switches, because the passive fiber closets and patch panels are also accessible to other companies.

In the core we are using X690 switches; at the branches, X440-G2 switches.
For MACsec we are using MACsec adapters, on the latest EXOS V30.x.

Is it possible to run two different branch switches through one MACsec adapter at the core switch?

Is it possible to combine features like LACP, mLAG (multi-switch LAG) or RSTP over MACsec-secured uplinks?

MACsec generates 24 bytes of overhead (larger packets), so I have to take care of that if a link goes through an actively managed connection (ISP equipment).
Any other things to keep in mind because MACsec packets are oversized?

Thanks for feedback.

Best answer by Drew C. 28 July 2019, 00:46

Here's some answers on this from one of the developers:

Is it possible to run two different branch switches through one MACsec adapter at the core switch?
You cannot “straddle” the two switch-side links of a MACsec/LRM Adapter across different switches. You can send the two line-side links to different switches. Therefore, one core switch with one LRM/MACsec Adapter sending to two different branch switches (each with their own LRM/MACsec Adapter) is a valid configuration.

Is it possible to combine features like LACP, mLAG (multi-switch LAG) or RSTP over MACsec-secured uplinks?
Yes. MACsec is a layer-2 protocol. All traffic (regardless of protocol) is encrypted just before leaving the switch and decrypted immediately upon arrival. Note that if a MACsec link drops (due to key mismatch, etc.) then all traffic will be blocked (as if the link is down).

MACsec generates 24 bytes of overhead (larger packets), so I have to take care of that if a link goes through an actively managed connection (ISP equipment).
Any other things to keep in mind because MACsec packets are oversized?
By default MACsec adds 24 octets to each data packet; 32 octets if “macsec include-sci” is enabled (for compatibility with some 3rd-party MACsec devices). The profile of customer traffic will determine the loss in throughput (i.e., smaller packets equate to higher overhead).
Also note that for the MACsec protocol to work the ISP must forward MACsec Key Agreement PDUs (MKPDUs). These protocol packets have a destination address of 01-80-c2-00-00-03 (PAE Group Address) and are of Ethertype 0x888E (EAPOL).
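The throughput point in the answer above, worked as an added example (not code from the thread or from Extreme): the 24-octet default and 32-octet include-sci figures are taken from the answer; the traffic mix and the ISP frame-size limit are constructed assumptions.

```python
# Added example: MACsec framing overhead versus frame size and traffic mix.
# Overhead figures (24 octets default, 32 with "macsec include-sci") come
# from the developer's answer; everything else here is a constructed assumption.

MACSEC_OVERHEAD = {False: 24, True: 32}   # octets added per frame, keyed by include-sci


def macsec_frame_size(frame_len: int, include_sci: bool = False) -> int:
    """Size on the wire of one Ethernet frame after MACsec encapsulation."""
    return frame_len + MACSEC_OVERHEAD[include_sci]


def efficiency(frame_len: int, include_sci: bool = False) -> float:
    """Fraction of link capacity that still carries the original frame bytes."""
    return frame_len / macsec_frame_size(frame_len, include_sci)


def profile_efficiency(profile, include_sci: bool = False) -> float:
    """Weighted efficiency for a traffic mix given as (frame_len, share_of_frames)."""
    bytes_in = sum(size * share for size, share in profile)
    bytes_out = sum(macsec_frame_size(size, include_sci) * share for size, share in profile)
    return bytes_in / bytes_out


def fits_isp_limit(frame_len: int, isp_max_frame: int, include_sci: bool = False) -> bool:
    """True if the encrypted frame still fits the largest frame the ISP path accepts."""
    return macsec_frame_size(frame_len, include_sci) <= isp_max_frame


# Constructed traffic profile: half small frames, some medium, some full-size.
SAMPLE_PROFILE = [(64, 0.5), (512, 0.3), (1518, 0.2)]

if __name__ == "__main__":
    for size in (64, 512, 1518):
        print(f"{size:5d}-byte frames: {efficiency(size):.1%} default, "
              f"{efficiency(size, True):.1%} with include-sci")
    print(f"mix: {profile_efficiency(SAMPLE_PROFILE):.1%}")
    # A 1518-byte frame on an ISP path that only accepts 1518 bytes is dropped.
    print("full-size frame fits 1518-byte ISP limit:", fits_isp_limit(1518, 1518))
```

Small frames lose far more than large ones, and a path sized for plain 1518-byte frames must be raised by at least the MACsec overhead to carry encrypted full-size frames.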

5 replies

Userlevel 6
No one out there who has experience with that topic?
I cannot believe it!

Regards
Userlevel 7
Let me send some emails internally to try and get an answer...
Userlevel 3
There certainly are experts, but a community works on a best-effort basis. If you are a customer you can ask GTAC to get very competent answers. If you are not a customer yet, pre-sales will certainly be more than glad to help.

Now to your questions:

> Is it possible to run through one MAC Sec Adapter at core switch two different branch switches ?

As you have probably noticed by looking at the Macsec adapter while installing it, each Macsec adapter has two independent ports, that is why there are two host cables from the switch to the Macsec adapter. You can do with each of these two ports whatever you like.

> Is it possible to combine feature like LACP or mLAG (multi Switch LAG) or RSTP through MAC Sec secured uplinks ?

Have you tried and it didn't work (what was the error?) or is this a pre-sales question? I believe you will be able to use any feature on a Macsec secured link because, as stated above, these ports behave like normal ports. We are in fact using MLAG, LACP and RSTP. There is no problem.

> MAC Sec generated 24 Byte of huger pakets (overhead) so i have to care about that if a link goes through an active managed connection (ISP equipment). Any other things to keep in mind because MAC Sec packets are oversized ?

When ISP connections come into play I'd be careful in general. What type of ISP connection exactly are we talking about? Obviously, Macsec is a point-to-point thing. Meaning you certainly can't perform Macsec across routed networks. Macsec uses its own Ethertype so the ISP may just drop that traffic anyway.
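A defender-side check for the Ethertype concern raised in this reply, as an added example rather than anything posted in the thread: it classifies captured Ethernet frames so you can confirm that MKPDUs (Ethertype 0x888E to 01:80:c2:00:00:03, both from the accepted answer) actually arrive from both peers across the ISP path. The MACsec data Ethertype 0x88E5 is the IEEE 802.1AE value and is not on the page; the frames themselves are constructed.

```python
# Added example: classify Ethernet frames to verify MKPDU forwarding over an ISP path.
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # PAE group address from the thread
ETHERTYPE_EAPOL = 0x888E                         # EAPOL, carries MKPDUs (from the thread)
ETHERTYPE_MACSEC = 0x88E5                        # IEEE 802.1AE SecTAG (not from the thread)


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a constructed raw Ethernet II frame for testing."""
    return dst + src + struct.pack("!H", ethertype) + payload


def classify(frame: bytes) -> str:
    """Label a frame by what MACsec needs from an intermediate forwarder."""
    if len(frame) < 14:
        return "runt"
    dst, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_EAPOL and dst == PAE_GROUP_ADDR:
        return "mkpdu"           # must be forwarded by the ISP or MKA never converges
    if ethertype == ETHERTYPE_EAPOL:
        return "eapol-other"     # e.g. 802.1X to a unicast address
    if ethertype == ETHERTYPE_MACSEC:
        return "macsec-data"     # encrypted payload; opaque to the ISP
    return "plain"


def mkpdu_peers(frames) -> set:
    """Source MACs that sent MKPDUs; both ends must appear for a healthy link."""
    return {f[6:12] for f in frames if classify(f) == "mkpdu"}


def mka_bidirectional(frames, core_mac: bytes, branch_mac: bytes) -> bool:
    """True when MKPDUs from both the core and branch adapter were observed."""
    return {core_mac, branch_mac} <= mkpdu_peers(frames)


# Constructed capture: MKPDUs in both directions plus one encrypted data frame.
CORE_MAC = bytes.fromhex("020000000001")    # constructed, locally administered
BRANCH_MAC = bytes.fromhex("020000000002")  # constructed, locally administered
SAMPLE_CAPTURE = [
    make_frame(PAE_GROUP_ADDR, CORE_MAC, ETHERTYPE_EAPOL, b"\x03\x05" + b"\x00" * 30),
    make_frame(PAE_GROUP_ADDR, BRANCH_MAC, ETHERTYPE_EAPOL, b"\x03\x05" + b"\x00" * 30),
    make_frame(BRANCH_MAC, CORE_MAC, ETHERTYPE_MACSEC, b"\x2c\x00" + b"\x00" * 40),
]

if __name__ == "__main__":
    print([classify(f) for f in SAMPLE_CAPTURE])
    print("MKA bidirectional:", mka_bidirectional(SAMPLE_CAPTURE, CORE_MAC, BRANCH_MAC))
```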
Userlevel 6
One additional very important note:

Currently EXOS MACsec (V30.2) and VOSS (8.0) MACsec are NOT compatible.
This will be coming with a later VOSS release (Dynamic Key Refresh).

EXOS MACSec is compatible with EXOS / EOS / Linux (CentOS/RedHat v7.0 w/wpa_supplicant).
