Cisco IOS-XE does not support MACsec encryption across an L3 backbone. I mean, that is what IPsec is for, right? MACsec is L2 encryption, plain and simple.
OTV and VxLAN are both protocols that extend an L2 domain across an L3 backbone, which in effect means a direct cable between your data center in LA and your data center in Bangalore, but running over the internet. :-)
1RU_H router:
otv site bridge-domain 501
otv site-identifier 0000.0000.0501
!
key chain k1 macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 12345678901234567890123456789012
!
class-map match-all costest
 match qos-group 1
class-map match-all cos
 match cos 5
!
policy-map cos
 class cos
  set qos-group 1
policy-map costest
 class costest
  set cos 5
!
interface Overlay400
 no ip address
 otv join-interface TenGigabitEthernet0/0/1.10
 otv use-adjacency-server 10.3.1.2 unicast-only
 no otv isis hello padding always
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
 !
interface TenGigabitEthernet0/0/0
 description " CONNECTED TO LOCAL LAN "
 no ip address
 cdp enable
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
 !
 service instance 501 ethernet
  encapsulation dot1q 501
  bridge-domain 501
 !
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address 108.0.1.1 255.255.255.0
 ip pim dense-mode
!
interface TenGigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 ip mtu 1468
 ip pim sparse-dense-mode
 ip ospf 501 area 400
 eapol destination-address broadcast-address
 mka pre-shared-key key-chain k1
 macsec
 service-policy input costest
!
ip route 107.0.0.0 255.255.255.0 TenGigabitEthernet0/0/1.10
PE router config (both PE routers carry a similar VxLAN config; IGP/BGP reachability between the loopbacks should be configured):
bridge-domain 1
 member vni 5010
 member TenGigabitEthernet0/2/0 service-instance 1
!
interface Loopback1
 ip address 11.11.11.1 255.255.255.255
!
interface nve1
 no ip address
 member vni 5010
  ingress-replication 22.22.22.1   ! Loopback1 address of the other PE router
 !
 source-interface Loopback1
!
interface TenGigabitEthernet0/2/0
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric   ! remove this command if L2 CoS QoS is applied on the CE routers
!
1RU_D router:
otv site bridge-domain 500
!
otv site-identifier 0000.0000.0500
!
key chain k1 macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 12345678901234567890123456789012
!
class-map match-all costest
 match qos-group 1
class-map match-all cos
 match cos 5
!
policy-map cos
 class cos
  set qos-group 1
policy-map costest
 class costest
  set cos 5
!
interface Overlay400
 no ip address
 otv join-interface TenGigabitEthernet0/0/1.10
 otv adjacency-server unicast-only
 no otv isis hello padding always
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
 !
!
interface TenGigabitEthernet0/0/0
 description " CONNECTED TO SPIRENT CARD 3 PORT DOWN "
 no ip address
 cdp enable
 service instance 400 ethernet
  encapsulation dot1q 400
  bridge-domain 400
 !
 service instance 500 ethernet
  encapsulation dot1q 500
  bridge-domain 500
 !
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address 107.0.1.1 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp join-group 239.0.0.1
!
interface TenGigabitEthernet0/0/1
 no ip address
 macsec dot1q-in-clear 1
!
interface TenGigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 ip mtu 1468
 ip pim sparse-dense-mode
 ip ospf 500 area 400
 eapol destination-address broadcast-address
 mka pre-shared-key key-chain k1
 macsec
 service-policy output costest
!
ip route 108.0.0.0 255.255.255.0 TenGigabitEthernet0/0/1.10
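The MACsec session between the two OTV edge routers only comes up if the MKA pre-shared material (CKN from `key`, CAK from `key-string`, and the cryptographic algorithm) matches on both join interfaces. As an added check that is not part of the original post, the following Python lint parses those commands out of both routers' configs and reports mismatches; the config excerpts are constructed from the 1RU_H/1RU_D key chain above, and the CAK length rule (32 hex characters for aes-128-cmac, 64 for aes-256-cmac) is this script's own assumption.

```python
import re
RTR_H = """\
key chain k1 macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 12345678901234567890123456789012
!
interface TenGigabitEthernet0/0/1.10
 mka pre-shared-key key-chain k1
 macsec
!
"""  # constructed excerpt of the page's 1RU_H config (key chain plus the MACsec join interface)
RTR_D = RTR_H  # the page configures the identical key chain on 1RU_D
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}  # CAK length in hex chars per MKA algorithm
# Keywords whose argument is recorded inside a key-chain or interface block; bare "macsec" has none.
KEYWORDS = r"(key|cryptographic-algorithm|key-string|mka pre-shared-key key-chain|macsec)(?: (\S+))?$"

def parse_macsec(cfg):
    """Return ({chain: {keyword: value}}, {interface: {keyword: value}}) for an IOS-XE config."""
    chains, ifaces, cur = {}, {}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r"key chain (\S+) macsec$", s):
            cur = chains.setdefault(m[1], {})
        elif m := re.match(r"interface (\S+)$", s):
            cur = ifaces.setdefault(m[1], {})
        elif s == "!":
            cur = None  # end of the current block
        elif cur is not None and (m := re.match(KEYWORDS, s)):
            cur[m[1]] = m[2] or True
    return chains, ifaces

def check_pair(cfg_a, cfg_b):
    """Lint both ends of a MACsec link; an empty list means the MKA pre-shared material is consistent."""
    findings, used = [], {}
    for side, (chains, ifaces) in (("A", parse_macsec(cfg_a)), ("B", parse_macsec(cfg_b))):
        for iface, attrs in ifaces.items():
            if not attrs.get("macsec"):
                continue  # MACsec not enabled on this interface
            kc = chains.get(attrs.get("mka pre-shared-key key-chain"))
            alg = kc.get("cryptographic-algorithm") if kc is not None else None
            want = CAK_HEX_LEN.get(alg)
            if kc is None:
                findings.append(f"{side}:{iface}: macsec enabled but its MKA key chain is not defined")
            elif want is None or not re.fullmatch(rf"[0-9a-fA-F]{{{want}}}", kc.get("key-string", "")):
                findings.append(f"{side}:{iface}: key-string is not a valid {alg} CAK")
            used[side] = kc
    if len(used) == 2 and used["A"] != used["B"]:
        findings.append("CKN, CAK or algorithm differ between the two ends; MKA will not establish a CA")
    return findings
```

Run it against the two saved running-configs before bringing the link up; a non-empty list points at the exact interface and key chain to fix.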