EXOS MAC Sec Questions

M_Nees
Contributor III
We want to use MAC Sec Adapters to secure fiber uplinks from branch office switches to core switches, because passive fiber closets and patch panels are also accessible to other companies.

In the core we are using X690 switches; at the branches, X440-G2 switches.
For MAC Sec we are using MACsec Adapters, on the latest EXOS v30.x.

Is it possible to run two different branch switches through one MAC Sec Adapter at the core switch?

Is it possible to combine features like LACP, mLAG (multi-switch LAG) or RSTP with MAC Sec secured uplinks?

MAC Sec generates 24 bytes of overhead (larger packets), so I have to take care of that if a link goes through an actively managed connection (ISP equipment).
Any other things to keep in mind because MAC Sec packets are oversized?

Thanks for feedback.
1 ACCEPTED SOLUTION

Drew_C
Valued Contributor III
Here are some answers on this from one of the developers:

Is it possible to run two different branch switches through one MAC Sec Adapter at the core switch?
You cannot “straddle” the two switch-side links of a MACsec/LRM Adapter across different switches. You can send the two line-side links to different switches. Therefore, one core switch with one LRM/MACsec Adapter sending to two different branch switches (each with their own LRM/MACsec Adapter) is a valid configuration.

Is it possible to combine features like LACP, mLAG (multi-switch LAG) or RSTP with MAC Sec secured uplinks?
Yes. MACsec is a layer-2 protocol. All traffic (regardless of protocol) is encrypted just before leaving the switch and decrypted immediately upon arrival. Note that if a MACsec link drops (due to key mismatch, etc.) then all traffic will be blocked (as if the link is down).

MAC Sec generates 24 bytes of overhead (larger packets), so I have to take care of that if a link goes through an actively managed connection (ISP equipment).
Any other things to keep in mind because MAC Sec packets are oversized?
By default MACsec adds 24 octets to each data packet; 32 octets if “macsec include-sci” is enabled (for compatibility with some 3rd-party MACsec devices). The profile of customer traffic will determine the loss in throughput (i.e., smaller packets equate to higher overhead).
Also note that for the MACsec protocol to work the ISP must forward MACsec PDUs (MKPDUs). These protocol packets have a destination address of 01-80-c2-00-00-03 (PAE Group Address) and are of Ethertype 0x888E (EAPOL).

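As an added example (not from this thread, from Extreme, or from the developer quoted above), the script below turns the two numbers in that answer into planning checks: the throughput cost of the 24/32-octet per-frame overhead for a given frame-size mix, and a frame classifier that spots the MKA protocol packets (MKPDUs, EAPOL to 01-80-c2-00-00-03) that the ISP path must forward. The SecTAG/ICV breakdown in the comments and the EAPOL-MKA packet type 5 come from IEEE 802.1AE / 802.1X-2010, not from the thread; the sample frames are constructed, not a real capture.

```python
"""Planning checks for MACsec across a third-party (ISP-managed) link:
1) throughput cost of the 24/32-octet per-frame overhead for a frame-size mix;
2) whether captured frames contain MKPDUs, which the ISP must forward."""
import struct

# Per-frame overhead stated in the answer: 24 octets by default, 32 with
# "macsec include-sci". Breakdown per IEEE 802.1AE (assumption, not from the
# thread): SecTAG = EtherType 0x88E5 (2) + TCI/AN (1) + SL (1) + PN (4)
# [+ SCI (8) when included], plus a 16-octet ICV.
OVERHEAD_DEFAULT = 24
OVERHEAD_WITH_SCI = 32

ETHERTYPE_MACSEC = 0x88E5
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E                            # from the answer
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # from the answer
EAPOL_TYPE_MKA = 5                                  # EAPOL-MKA, IEEE 802.1X-2010


def macsec_overhead(include_sci: bool = False) -> int:
    return OVERHEAD_WITH_SCI if include_sci else OVERHEAD_DEFAULT


def encrypted_frame_size(frame_bytes: int, include_sci: bool = False) -> int:
    """Wire size of an Ethernet frame (dst..FCS) after MACsec protection; the
    ISP path must carry frames at least this large or the largest frames drop."""
    return frame_bytes + macsec_overhead(include_sci)


def goodput_ratio(frame_bytes: int, include_sci: bool = False) -> float:
    """Fraction of transmitted bytes that are the original frame (1.0 = no loss)."""
    return frame_bytes / encrypted_frame_size(frame_bytes, include_sci)


def overhead_share(profile: dict, include_sci: bool = False) -> float:
    """Overhead fraction for a traffic mix {frame_size: share_of_frames}.
    A mix dominated by small frames loses proportionally more throughput."""
    if abs(sum(profile.values()) - 1.0) > 1e-9:
        raise ValueError("frame-size shares must sum to 1.0")
    oh = macsec_overhead(include_sci)
    mean_frame = sum(size * share for size, share in profile.items())
    return oh / (mean_frame + oh)


def classify_frame(frame: bytes) -> str:
    """Label a raw Ethernet frame: 'mkpdu' (MKA to the PAE group address, must
    cross the ISP link), 'eapol' (other 802.1X), 'macsec' (protected data),
    'runt' (too short to parse) or 'other'. One 802.1Q tag is skipped."""
    if len(frame) < 14:
        return "runt"
    dst = frame[0:6]
    offset = 12                                      # position of the EtherType
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return "runt"
        offset += 4                                  # skip TPID + TCI
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype == ETHERTYPE_EAPOL:
        # EAPOL header after the EtherType: version (1), packet type (1), length (2)
        if len(frame) < offset + 4:
            return "runt"
        packet_type = frame[offset + 3]
        if dst == PAE_GROUP_ADDRESS and packet_type == EAPOL_TYPE_MKA:
            return "mkpdu"
        return "eapol"
    if ethertype == ETHERTYPE_MACSEC:
        return "macsec"
    return "other"


def count_mkpdus(frames) -> int:
    """Number of MKPDUs in a capture. Compare the count taken on each side of
    the ISP link: zero on the far side means the MKA frames are being dropped."""
    return sum(1 for f in frames if classify_frame(f) == "mkpdu")


# Constructed sample frames (not a real capture): one MKPDU, one other EAPOL
# frame (EAPOL-Start), one VLAN-tagged IPv4 broadcast, one MACsec data frame.
SRC_MAC = bytes.fromhex("020000000001")              # made-up, locally administered


def _frame(dst: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + SRC_MAC + struct.pack("!H", ethertype) + payload


SAMPLE_FRAMES = [
    _frame(PAE_GROUP_ADDRESS, ETHERTYPE_EAPOL, bytes([3, EAPOL_TYPE_MKA, 0, 8]) + b"\x00" * 8),
    _frame(PAE_GROUP_ADDRESS, ETHERTYPE_EAPOL, bytes([2, 1, 0, 0])),
    _frame(b"\xff" * 6, ETHERTYPE_VLAN, struct.pack("!HH", 100, 0x0800) + b"\x45" + b"\x00" * 19),
    _frame(bytes.fromhex("020000000002"), ETHERTYPE_MACSEC, b"\x2c\x00" + b"\x00" * 30),
]

if __name__ == "__main__":
    for size in (64, 512, 1518):
        print(f"{size:5d}-byte frame -> {encrypted_frame_size(size)} on the wire, "
              f"goodput {goodput_ratio(size):.3f} (include-sci: {goodput_ratio(size, True):.3f})")
    print("overhead share, 50/50 mix of 64- and 1518-byte frames:",
          round(overhead_share({64: 0.5, 1518: 0.5}), 4))
    print("MKPDUs in sample capture:", count_mkpdus(SAMPLE_FRAMES))
```

For a real check, capture on both sides of the ISP segment with a filter such as `ether dst 01:80:c2:00:00:03 and ether proto 0x888e`, feed the raw frames to `count_mkpdus`, and treat a far-side count of zero as the ISP dropping MKA (the link will then never come up, and per the answer above all traffic stays blocked). The `encrypted_frame_size` result for your largest frame (1542 for a 1518-byte frame, 1550 with include-sci) is the minimum frame size the ISP path has to pass.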


M_Nees
Contributor III
No one out there who has experience with this topic?
I cannot believe it!

Regards