HPE Community
Aruba & ProVision-based
1752806 Members
5968 Online
108789 Solutions
New Discussion

Re: MacSec Point-to-Multipoint Wired

 
SOLVED
Go to solution
Dennis_Aruba
Occasional Contributor

‎06-16-2021 10:26 AM

‎06-16-2021 10:26 AM

MacSec Point-to-Multipoint Wired

Team,

I have a posted this in previous discussion which was tagged as closed already. I'm still new to this and I'm not sure if my queries will be answered.

Originally what we wanted is MACSec over wireless Bridge, and at the same time a point-to-multipoint setup. Now the Wireleess part has been discarded as it came clear to us that macsec will not work over it. 

Now for the macsec point-to-multipoint,  are there ways for aruba switches (particulary 2930) to support this requirement ? We have 5400 series at the site, but the 2930 is what we have at the area where MacSec will be terminated.

We were reviewing the HP Macsec config guide but it provides solution between two switch ports which is only good for point-to-point setup.

0 Kudos
2 REPLIES 2
Ivan_B
HPE Pro

‎06-16-2021 10:37 AM

‎06-16-2021 10:37 AM

Solution

Re: MacSec Point-to-Multipoint Wired

I will post it here as well:

Typically infrastructure MACsec is used in P2P links where you have only two participants since we speak about switches here, not hubs. Unfortunately you are right and documentation for these switches doesn't state clearly if group CAKs are supported and can you use 3 and more switches with one shared CAK on one link. I think it may have issues with replay protection... For example ArubaOS-CX guides clearly says "Provides Layer 2 hop-by-hop encryption on point-to-point Ethernet links.", and I doubt 2930 to have more extended feature than those. And also typically when a vendor supports group CAK there is a configuration abstraction for multiple key storage, like a keychain. There is no such in 2930...

But as with WDS - only a test can reveal the truth as this is really a corner case.

I am an HPE employee

Accept or Kudo

0 Kudos
Dennis_Aruba
Occasional Contributor

‎06-17-2021 05:41 AM

‎06-17-2021 05:41 AM

Re: MacSec Point-to-Multipoint Wired

Thank you for the response.

You are right testing this setup is the best way to know what is working and what is not. It's a long shot for us but it might be worthied to give it a try.  Will post some updates here if anything helpful comes out.

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.