
MACsec cannot be established between two S5720 when there are L2 switches between them

Latest reply: Dec 24, 2018 01:26:48
Issue Description:

Version Information: S5720SI-V200R010C00SPC600

Fault symptom: To explain the issue more clearly, I will provide a topology that shows this scenario:


Let's suppose that between our two S5720 switches there are only L2 switches, which forward all packets. Even so, MACsec cannot be established. When the two end switches are directly connected, the MACsec session is established successfully.

Root Cause:

MACsec (Media Access Control Security) is a LAN secure-communication method based on the IEEE 802.1AE and 802.1X protocols.

The EAP (EAPOL) packets exchanged during MACsec session negotiation are BPDU-type packets, i.e. Layer 2 protocol packets sent to a reserved bridge group address.

IEEE Std 802.1X-2010 Clause 11 describes the MAC format of the EAP protocol packets, as shown in the following figure:


In the packet captures, the STP BPDUs carried a destination MAC different from 0180-c200-0003, which is the address required for MACsec negotiation.


In the capture we can only see the packets sent by switch1. The dumb switch did not forward them; the packets were lost in the dumb switch.
Our switch sends the packet every 2 s by default. If the dumb switch had forwarded the packet, there would have been another packet between frames 1 and 4.


Solution

MACsec negotiation depends on these BPDU packets, and we suspected that the dumb switch dropped the BPDU packets as its default behavior when no configuration is present.
That is why the l2protocol-tunnel feature must be configured to transport the packets across the intermediate switches.

For these BPDUs, the destination MAC is 0180-c200-0003.


First solution (recommended):


In system view, apply this command on both switches:

l2protocol-tunnel user-defined-protocol test1 protocol-mac 0180-c200-0003 group-mac 0100-0008-0008

In interface view, apply these commands:

interface GigabitEthernet0/0/34
port link-type access
port default vlan 10
l2protocol-tunnel user-defined-protocol test1 enable
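As an added example, written for this case and not part of the original post or Huawei's code, the following Python script models why an unconfigured L2 switch drops the MKA/EAPOL frames and what the l2protocol-tunnel rewrite achieves: it parses constructed Ethernet frames, flags destinations in the IEEE 802.1Q reserved range 01-80-C2-00-00-00..0F that bridges do not forward, simulates the protocol-mac to group-mac rewrite from the command above, and checks whether the EAPOL frames in a capture keep the 2 s cadence mentioned in the root cause. The frame bytes and timestamps are constructed; the tunnel functions are a simplified model, not the switch's implementation.

```python
import struct

EAPOL_ETHERTYPE = 0x888E            # EAPOL, the carrier of MKA during MACsec negotiation
PROTOCOL_MAC = "01:80:c2:00:00:03"  # protocol-mac from the post (0180-c200-0003)
GROUP_MAC = "01:00:00:08:00:08"     # group-mac from the post's l2protocol-tunnel command

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into destination, source, EtherType and payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": etype, "payload": frame[14:]}

def bridge_will_forward(dst_mac: str) -> bool:
    """IEEE 802.1Q reserves 01-80-C2-00-00-00..0F for bridge protocols; a bridge
    consumes or filters these instead of forwarding them, which is the behaviour
    the post suspects of the dumb switch. Any other destination is flooded/forwarded."""
    b = mac_bytes(dst_mac)
    return not (b[:5] == bytes.fromhex("0180c20000") and b[5] <= 0x0F)

def tunnel_ingress(frame: bytes) -> bytes:
    """Model of the l2protocol-tunnel ingress rewrite: protocol-mac -> group-mac,
    so intermediate switches treat the frame as ordinary multicast and forward it."""
    if parse_frame(frame)["dst"] == PROTOCOL_MAC:
        return mac_bytes(GROUP_MAC) + frame[6:]
    return frame

def tunnel_egress(frame: bytes) -> bytes:
    """Model of the egress rewrite on the far switch: group-mac -> protocol-mac."""
    if parse_frame(frame)["dst"] == GROUP_MAC:
        return mac_bytes(PROTOCOL_MAC) + frame[6:]
    return frame

def check_mka_cadence(times, period=2.0, tolerance=1.0) -> bool:
    """Detection check over capture timestamps (seconds): the switch sends an EAPOL/MKA
    hello every 2 s, so any gap far from that means the path is dropping frames."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return all(abs(g - period) <= tolerance for g in gaps)

# Constructed sample: an EAPOL frame as switch1 would send it (EAPOL v3, packet type 5 = MKA,
# dummy body). The source MAC is made up for the example.
EAPOL_FRAME = (mac_bytes(PROTOCOL_MAC) + mac_bytes("00:11:22:33:44:55")
               + struct.pack("!H", EAPOL_ETHERTYPE) + b"\x03\x05\x00\x00")

if __name__ == "__main__":
    print("dumb switch forwards untouched EAPOL:", bridge_will_forward(parse_frame(EAPOL_FRAME)["dst"]))
    print("after tunnel rewrite forwards:", bridge_will_forward(parse_frame(tunnel_ingress(EAPOL_FRAME))["dst"]))
```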


Second solution, if l2protocol-tunnel cannot be configured on the switches directly connected to the end switches:

After connecting G0/0/3 to the dumb switch and applying the l2protocol-tunnel configuration on G0/0/2, which is connected to G0/0/1 (an L3 interface), the MACsec session could be established. However, this scenario is not recommended and needs to be tested with precautions.


Created Dec 24, 2018 01:26:48