MACSEC with MPLS on shared L2 segment

XelNaha (Level 1)

Hello,

We are rolling out a new MPLS network which we are building on top of a 3rd-party EVPN.

We will be running the MPLS protocol stack ourselves; however, we have a need to encrypt all traffic as we're using a 3rd party.

I was thinking of using MACsec instead of GETVPN as it supports higher throughput; however, the documentation I am reading so far is somewhat counterintuitive:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/white-paper-c11-737544.html

Here it states that MACsec is transparent to MPLS labels, which I understand as the whole frame being encrypted including the MPLS header; however, it says later down the line that MACsec is not supported with MPLS.

In our case, the PE router would connect to a shared backbone VLAN in which all routers connect (only 12 at the moment; we don't expect massive growth). The way I understand MACsec is that the egress interface encrypts the whole frame; however, as MP-BGP/OSPF/MPLS will have already picked a destination MAC address this isn't a problem, as the receiving router will decrypt the ingress frame prior to sending it up the processing stack.

I.e., wouldn't MACsec just work in this scenario?
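The post above asks what "transparent to MPLS labels" means for the frame on the wire. The following is an added example, written for this page and not code from the original poster, Cisco, or the linked white paper. It builds an Ethernet frame carrying an MPLS label stack, protects it the way IEEE 802.1AE GCM-AES-128 does (destination and source MAC left in the clear, a SecTAG with an explicit SCI inserted after the source MAC, everything from the original EtherType onward encrypted, a 16-octet ICV appended, IV = SCI || PN, AAD = DA || SA || SecTAG), then decapsulates it on the receiving side. The MAC addresses, the SAK, the SCI port identifier, the label values and the payload are all constructed sample values; MKA key agreement and the replay window are out of scope and not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample values; none of them come from the original post.
var (
	nextHopMAC = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x01} // DA picked by MPLS next-hop resolution
	localMAC   = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x02} // SA of the encrypting PE port
	sak        = []byte("0123456789abcdef")                 // 128-bit SAK; MKA would normally derive it
	sci        = concat(localMAC, []byte{0x00, 0x01})       // SCI = SA || port identifier
)

const (
	etherTypeMPLS   = 0x8847
	etherTypeMACsec = 0x88E5
	tciAN           = 0x2C // TCI: SC=1 (SCI present), E=1, C=1 (encrypted), AN=0
	secTagLen       = 16   // EtherType(2) TCI/AN(1) SL(1) PN(4) SCI(8)
	icvLen          = 16   // GCM-AES-128 tag
)

// GCM-AES-128 over the fixed 16-byte SAK; neither constructor can fail for that key size.
var aead = func() cipher.AEAD {
	block, _ := aes.NewCipher(sak)
	g, _ := cipher.NewGCM(block)
	return g
}()

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

func be16(v uint16) []byte { b := make([]byte, 2); binary.BigEndian.PutUint16(b, v); return b }
func be32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// buildMPLSFrame: DA, SA, EtherType 0x8847, label stack (EXP=0, TTL=64, S on the bottom entry), payload.
func buildMPLSFrame(labels []uint32, payload []byte) []byte {
	f := concat(nextHopMAC, localMAC, be16(etherTypeMPLS))
	for i, l := range labels {
		entry := (l&0xFFFFF)<<12 | 64
		if i == len(labels)-1 {
			entry |= 1 << 8
		}
		f = append(f, be32(entry)...)
	}
	return append(f, payload...)
}

// macsecEncap applies 802.1AE GCM-AES-128: DA and SA stay in the clear so the shared VLAN can
// still switch the frame; the SecTAG is authenticated; EtherType, label stack and payload are encrypted.
func macsecEncap(frame []byte, pn uint32) ([]byte, error) {
	if len(frame) < 14 {
		return nil, errors.New("frame too short")
	}
	da, sa, userData := frame[:6], frame[6:12], frame[12:]
	sl := byte(0) // SL is only non-zero for user data shorter than 48 octets
	if len(userData) < 48 {
		sl = byte(len(userData))
	}
	secTag := concat(be16(etherTypeMACsec), []byte{tciAN, sl}, be32(pn), sci)
	nonce := concat(sci, be32(pn)) // 802.1AE IV = SCI || PN (96 bits)
	secureData := aead.Seal(nil, nonce, userData, concat(da, sa, secTag)) // ciphertext || ICV
	return concat(da, sa, secTag, secureData), nil
}

// macsecDecap verifies the ICV and returns the plaintext frame, or an error if it is not MACsec or was altered.
func macsecDecap(frame []byte) ([]byte, error) {
	if len(frame) < 12+secTagLen+icvLen {
		return nil, errors.New("frame too short for MACsec")
	}
	da, sa := frame[:6], frame[6:12]
	secTag, secureData := frame[12:12+secTagLen], frame[12+secTagLen:]
	if binary.BigEndian.Uint16(secTag[:2]) != etherTypeMACsec || secTag[2]&0x20 == 0 {
		return nil, errors.New("not a MACsec frame with an explicit SCI")
	}
	nonce := concat(secTag[8:16], secTag[4:8]) // SCI || PN, rebuilt from the received SecTAG
	userData, err := aead.Open(nil, nonce, secureData, concat(da, sa, secTag))
	if err != nil {
		return nil, fmt.Errorf("ICV check failed: %w", err)
	}
	return concat(da, sa, userData), nil
}

func main() {
	plain := buildMPLSFrame([]uint32{16001, 24}, []byte("IPv4 packet stands in here"))
	protected, _ := macsecEncap(plain, 1)
	recovered, err := macsecDecap(protected)
	fmt.Printf("outer DA %x, outer EtherType %#04x, +%d octets, decap err=%v, top label %d\n",
		protected[:6], binary.BigEndian.Uint16(protected[12:14]), len(protected)-len(plain), err, binary.BigEndian.Uint32(recovered[14:18])>>12)
}
```

What the round trip shows: the transmitting port only needs the destination MAC that MPLS/IGP next-hop resolution already chose, and the switches on the shared VLAN only ever see DA, SA and EtherType 0x88E5; the label stack is ciphertext to them and to the 3rd-party EVPN. Any bit flipped in the protected region fails the ICV check on decapsulation. Two caveats the example cannot settle: on a multi-access segment each transmitting port has its own secure channel (its own SCI and SAK), so all 12 routers must be in one MKA connectivity association that the platform supports with that many peers, and whether a given router's hardware or software actually permits MACsec on an interface that forwards MPLS is a platform-support question, not a framing one.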
1 Reply

@XelNaha thanks for the link. Curious if you find out; I am in a similar kind of situation to yours.

Please do not forget to rate.