1. Hi Orhan,

    MACsec is becoming more popular for enterprise DCI via service provider L2VPN. As you mentioned here, there are quite a few different types of L2VPNs. I am confused about which one would support MACsec. If CCDE had a question regarding this, I would have to put in my best guess, which is that whichever L2VPN supports Q-in-Q would support MACsec. I am sure it’s incorrect. May I have your advice please?


    • @Cedar, that entirely depends on the L2VPN offering and whether you’re talking 802.1AE standards-based MACsec or CTS etc. For example, if there were two locations connected via a pseudowire with no intermediary switching on the SP side, you could bring up MACsec without issue; however, if you wanted to run in a P2MP setup over, say, VPLS, you would need what Cisco calls WAN MACsec (ISR4K/ASRs). There’s a great session on WAN MACsec that goes into the details around topologies on the Cisco Live on-demand website, which is worth a watch.

    • @Cedar, MACsec, especially with the lower header size compared to IPsec, and its other internal mechanisms, make it a very attractive solution.

  2. Hi Jason,
    Thanks for the comment. I am talking about 802.1AE MACsec. Maybe the CiscoLive session you mentioned here is BRKCRS-2892. It’s indeed a very good presentation. From the comment you made above, it sounds like LAN MACsec with the switch-to-switch option can only work on E-LINE DCI, and WAN MACsec with routers can work on both E-LINE and E-LAN DCI. Did I get you right?


  3. @Orhan, yes, it is attractive. MACsec has lower MTU overhead and less encryption impact on the CPU. I have had LAN MACsec running as DCI for a couple of years and now might use WAN MACsec in the near future. It’s a benefit to have an NGN MPLS carrier. However, one thing I am not sure about, and am waiting for a response from Cisco on, is whether MACsec can support EVPN.
