I would caution anyone running MACsec on a link leveraging a provider circuit between them to quadruple check that the provider link supports customer use of MACsec. In theory MACsec will operate just fine over a Layer 2 link but carriers tend to not like unanticipated bits get appended or inserted into frame headers. In my carrier days, $dayjob's L2 products tended to be highly interoperable relative to the industry norm, and we still forced customers into a L1 service if they need MACsec. My understanding is that said carrier did start supporting it on its L2 services off of certain devices a couple of years ago, but I don't believe this is common for most providers. On Tue, Oct 22, 2024 at 2:27 PM Mark Tinka <mark@tinka.africa> wrote:
On 10/22/24 16:56, Tarko Tikan wrote:
What we are seeing now is MACsec getting integrated into latest NPUs directly. So far it has been mostly implemented by separate chips or in PHYs (or combination). This has, in some cases, limited you to what ports you can use MACsec on. It also had challenges with sync/PTP, per-vlan MACsec etc.
So while it is proven technology and works well we are still seeing innovation/improvements.
It is also now shipping in coherent pluggables as a native feature.
Mark.
-- - Dave Cohen craetdave@gmail.com @dCoSays www.venicesunlight.com