I would caution anyone running MACsec on a link leveraging a provider circuit between them to quadruple-check that the provider link supports customer use of MACsec. In theory MACsec will operate just fine over a Layer 2 link, but carriers tend to not like unanticipated bits getting appended or inserted into frame headers. In my carrier days, $dayjob's L2 products tended to be highly interoperable relative to the industry norm, and we still forced customers into an L1 service if they needed MACsec. My understanding is that said carrier did start supporting it on its L2 services off of certain devices a couple of years ago, but I don't believe this is common for most providers.

On Tue, Oct 22, 2024 at 2:27 PM Mark Tinka <mark@tinka.africa> wrote:
>
> On 10/22/24 16:56, Tarko Tikan wrote:
>
> > What we are seeing now is MACsec getting integrated into latest NPUs
> > directly. So far it has been mostly implemented by separate chips or
> > in PHYs (or combination). This has, in some cases, limited you to what
> > ports you can use MACsec on. It also had challenges with sync/PTP,
> > per-vlan MACsec etc.
> >
> > So while it is proven technology and works well we are still seeing
> > innovation/improvements.
>
> It is also now shipping in coherent pluggables as a native feature.
>
> Mark.

--
- Dave Cohen
craetd...@gmail.com
@dCoSays
www.venicesunlight.com