The equipment was: 2 Cisco switches (3750X), a Cisco 2821 router and a Juniper J4350 router.
Objective: establish MACsec between the switches.
First of all, MACsec will not work across layer 3. To make it work we need to emulate a direct (layer 1) link between the switches, which I did via MPLS (Ethernet over MPLS).
OSPF configuration:

Router-1 (Juniper)

# set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/30
# set interfaces lo0 unit 0 family inet address 1.1.1.1/32
# set protocols ospf area 0.0.0.0 interface ge-0/0/1
# set protocols ospf area 0.0.0.0 interface lo0

Router-2 (Cisco)

interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.252
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
router ospf 10
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.10.10.0 0.0.0.3 area 0

At this point we should see that the OSPF adjacency is up and that each router knows the other's loopback.

MPLS configuration:

Router-1

# set interfaces ge-0/0/1 unit 0 family mpls
# set interfaces ge-0/0/2 encapsulation ethernet-ccc
# set interfaces ge-0/0/2 unit 0 family ccc
# set protocols mpls interface all
# set protocols ldp interface ge-0/0/1
# set protocols ldp interface lo0
# set protocols l2circuit neighbor 2.2.2.2 interface ge-0/0/2.0 virtual-circuit-id 10

Router-2

mpls ldp router-id Loopback1 force
!
interface FastEthernet0/0
 mpls ip
!
interface FastEthernet0/1
 xconnect 1.1.1.1 10 encapsulation mpls

Now we should see that MPLS is also up, both the LDP session and the virtual circuit.
In case the VC is not up, try changing the virtual-circuit id (it must match on both ends).

Finally, the MACsec itself.

From both switches:

interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk [MacSec Key] mode-list gcm-encrypt null no-encap

Let's test!

Switch-1#show macsec summary
Interface              Transmit SC   Receive SC
GigabitEthernet2/0/1   1             1

For more info:

Switch-2#show macsec interface gigabitEthernet 1/0/1
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  Max. Rx SA : 16
  Max. Tx SA : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
 Transmit Secure Channels
  SCI : 503DE58713810000
  Elapsed time : 03:58:49
  Current AN: 1 Previous AN: -
   SC Statistics
    Auth-only (0 / 0)
    Encrypt (30755 / 0)
 Receive Secure Channels
  SCI : C89C1D66EF010000
  Elapsed time : 03:58:49
  Current AN: 1 Previous AN: -
   SC Statistics
    Notvalid pkts 0    Invalid pkts 0
    Valid pkts 3044    Late pkts 0
    Uncheck pkts 0     Delay pkts 0
 Port Statistics
  Ingress untag pkts 0       Ingress notag pkts 1852
  Ingress badtag pkts 0      Ingress unknownSCI pkts 0
  Ingress noSCI pkts 0       Unused pkts 0
  Notusing pkts 0            Decrypt bytes 6953955
  Ingress miss pkts 1852

Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
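The `sap pmk ... mode-list gcm-encrypt null no-encap` line lists the SAP modes in order of preference: `gcm-encrypt` (authentication and encryption) first, then `null` (MACsec encapsulation with no authentication or encryption) and `no-encap` (no MACsec at all) as fallbacks. Because the lower modes are acceptable to the switch, a "working" link is not automatically an encrypted one, so the `show macsec interface` output above is what actually proves the result: cipher GCM-AES-128, replay protection on, strict frame validation, and the Encrypt counter (not Auth-only) growing on the transmit secure channel. The following script, added here as an example and not part of the original post, parses that output and flags the cases where the link came up in a weaker state. The sample text is constructed from the post's own output, and the second sample is a hand-made variant showing an integrity-only channel with lax validation; the field names and regexes are assumptions about this IOS output format, not an official parser.

```python
import re

# Constructed sample in the format shown in the post (numbers taken from it).
SAMPLE_OUTPUT = """\
Switch-2#show macsec interface gigabitEthernet 1/0/1
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  Validate Frames : strict
  Ciphers supported : GCM-AES-128
 Transmit Secure Channels
  SCI : 503DE58713810000
   SC Statistics
    Auth-only (0 / 0)
    Encrypt (30755 / 0)
 Receive Secure Channels
  SCI : C89C1D66EF010000
   SC Statistics
    Notvalid pkts 0 Invalid pkts 0
    Valid pkts 3044 Late pkts 0
"""

# Constructed variant: the channel negotiated integrity-only, validation is
# not strict, and some received frames failed the integrity check.
DEGRADED_OUTPUT = """\
Switch-2#show macsec interface gigabitEthernet 1/0/1
 MACsec is enabled
  Replay protect : disabled
  Cipher : GCM-AES-128
 Capabilities
  Validate Frames : check
 Transmit Secure Channels
   SC Statistics
    Auth-only (120 / 0)
    Encrypt (0 / 0)
 Receive Secure Channels
   SC Statistics
    Notvalid pkts 0 Invalid pkts 3
    Valid pkts 117 Late pkts 0
"""


def parse_macsec_interface(text):
    """Extract the fields a link-state check cares about from the show output."""
    def field(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None

    return {
        "enabled": re.search(r"^\s*MACsec is enabled", text, re.MULTILINE) is not None,
        "replay_protect": field(r"Replay protect\s*:\s*(\w+)"),
        # '^\s*Cipher\s*:' deliberately does not match 'Ciphers supported :'
        "cipher": field(r"^\s*Cipher\s*:\s*(\S+)"),
        "validate_frames": field(r"Validate Frames\s*:\s*(\w+)"),
        "tx_auth_only": field(r"Auth-only\s*\((\d+)\s*/", int),
        "tx_encrypt": field(r"Encrypt\s*\((\d+)\s*/", int),
        "rx_valid": field(r"\bValid pkts\s+(\d+)", int),
        "rx_invalid": field(r"Invalid pkts\s+(\d+)", int),
        "rx_notvalid": field(r"Notvalid pkts\s+(\d+)", int),
    }


def check_macsec(parsed):
    """Return a list of findings; an empty list means the link is encrypting as intended."""
    findings = []
    encrypt = parsed["tx_encrypt"] or 0
    auth_only = parsed["tx_auth_only"] or 0
    if not parsed["enabled"]:
        findings.append("MACsec is not enabled on the interface")
    if parsed["cipher"] != "GCM-AES-128":
        findings.append(f"unexpected cipher: {parsed['cipher']}")
    if parsed["replay_protect"] != "enabled":
        findings.append("replay protection is not enabled")
    if parsed["validate_frames"] != "strict":
        findings.append(f"frame validation is '{parsed['validate_frames']}', expected 'strict'")
    if encrypt == 0 and auth_only == 0:
        findings.append("no protected frames transmitted on the secure channel")
    elif encrypt == 0:
        findings.append("secure channel is integrity-only (authenticated but not encrypted)")
    if (parsed["rx_invalid"] or 0) or (parsed["rx_notvalid"] or 0):
        findings.append("receive side saw frames failing the integrity check")
    return findings


if __name__ == "__main__":
    for name, text in (("post sample", SAMPLE_OUTPUT), ("degraded sample", DEGRADED_OUTPUT)):
        print(name, "->", check_macsec(parse_macsec_interface(text)) or "OK")
```

In practice the output would be collected from the switch (over SSH or from a config-management run) and the findings fed to monitoring, so a link that silently dropped to `null` or `no-encap` after a reload or a PMK mismatch is caught rather than assumed encrypted.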
Did you need a special module on the switches?

Nope. Regular switches with no special module / IOS / License ... :)

Hello, and when is it that you need a special module? Maybe for fiber?

You didn't need one because it was a 1G copper uplink, right?
Thank you

Thank you for asking. The Cisco switch needs to support MacSec; most switches support it as is, but some do need a module.
For instance, the C3750-X needs a network module. For this switch I used the C3KX-10G-NM; this module provides 10G SFP ports to the switch and enables the use of MacSec.

Valentine, I'm trying to set this up and it is not working for us. We have a 3750x with c3kx-sm-10g.
Our config is simple and going through a layer 2 private link.
This is what I have on my G1/1/2:

cts manual
 no propagate sgt
 sap pmk [mykey....] mode-list gcm-encrypt null no-encap