I would caution anyone running MACsec on a link leveraging a provider circuit between them to quadruple-check that the provider link supports customer use of MACsec. In theory MACsec will operate just fine over a Layer 2 link, but carriers tend not to like unanticipated bits getting appended or inserted into frame headers. In my carrier days, $dayjob's L2 products tended to be highly interoperable relative to the industry norm, and we still forced customers into an L1 service if they needed MACsec. My understanding is that said carrier did start supporting it on its L2 services off of certain devices a couple of years ago, but I don't believe this is common for most providers.

On Tue, Oct 22, 2024 at 2:27 PM Mark Tinka <mark@tinka.africa> wrote:

On 10/22/24 16:56, Tarko Tikan wrote:
> What we are seeing now is MACsec getting integrated into latest NPUs
> directly. So far it has been mostly implemented by separate chips or
> in PHYs (or combination). This has, in some cases, limited you to what
> ports you can use MACsec on. It also had challenges with sync/PTP,
> per-vlan MACsec etc.
>
> So while it is proven technology and works well we are still seeing
> innovation/improvements.

It is also now shipping in coherent pluggables as a native feature.

Mark.