5 Replies to “MPLS Design”

  1. Hi Orhan,

    MACsec is becoming more popular for enterprise DCI via service provider L2VPN. As you mentioned here, there are quite a few different types of L2VPNs. I am confused about which one would support MACsec. If CCDE had a question regarding this, I would have to put in my best guess, which is that whatever L2VPN supports Q-in-Q would support MACsec. I am sure it’s incorrect. May I have your advice please?


    1. Cedar, that entirely depends on the L2VPN offering and whether you’re talking 802.1AE standards-based MACsec or CTS etc. For example, if there were two locations connected via a pseudowire with no intermediary switching on the SP side, you could bring up MACsec without issue; however, if you wanted to run in a P2MP setup over, say, VPLS, you would need what Cisco calls WAN MACsec (ISR4K/ASRs). There’s a great session on WAN MACsec that goes into the details around topologies on the Cisco Live on demand website which is worth a watch.

    2. @Cedar, MACsec, especially with the lower header size compared to IPsec, and its other internal mechanisms make it a very attractive solution.

  2. Hi Jason,
    Thanks for the comment. I am talking about 802.1AE MACsec. Maybe the CiscoLive session you mentioned here is BRKCRS-2892. It’s indeed a very good presentation. From the comment you made above, sounds like LAN MACsec with Switch-to-Switch option can only work on E-LINE DCI and WAN MACsec with routers can work on both E-LINE and E-LAN DCI. Did I get you right?


  3. @Orhan, yes, it is attractive. MACsec has lower MTU overhead and less encryption impact on the CPU. I have had LAN MACsec running as DCI for a couple of years and now might use WAN MACsec in the near future. It’s the benefit of having an NGN MPLS carrier. However, one thing I am not sure about, and am waiting for a response from Cisco on, is whether MACsec can support EVPN.
