Configuration Guide
MACsec configuration
Introduction

MACsec (Media Access Control Security) is a link-layer (L2) security technology defined in IEEE 802.1AE. It provides confidentiality and integrity for Ethernet frames hop by hop on a physical link: the payload of each frame is encrypted with a symmetric AEAD cipher suite (GCM-AES-128 by default; GCM-AES-256 and the XPN variants are the other defined suites) and a 16-octet Integrity Check Value (ICV) is appended, so a frame that is modified or forged in transit, for example by an on-path attacker, fails verification and is discarded by the receiver. Each frame also carries a packet number (PN) in the MACsec security tag (SecTAG); when replay protection is enabled, frames whose PN falls behind the receive window are dropped. Key agreement is handled by the MACsec Key Agreement (MKA) protocol defined in IEEE 802.1X. The Connectivity Association Key (CAK) that MKA starts from can be a static pre-shared key, identified by a CAK name (CKN), as in this guide, or it can be distributed dynamically, for example derived from an 802.1X/EAP authentication. MACsec is intended for point-to-point links; it is easy to deploy, transparent to the IP layer and everything above it, and is widely used for data center interconnects and for protecting enterprise LAN links.

Configuration Example

Switch A and Switch B are connected by a physical link. Two subnets of a private IP network, Group 1 behind Switch A and Group 2 behind Switch B, are interconnected across that link, and the link itself is protected by MACsec. In this example the link uses 10.0.10.0/24 (Switch A 10.0.10.1, Switch B 10.0.10.2, both on Ethernet 10), Group 1 is 10.0.100.0/24 on Switch A Ethernet 15, and Group 2 is 10.0.200.0/24 on Switch B Ethernet 15.

Procedure

Switch A configuration

```
# Configure the MACsec profile
sonic(config)# macsec enable
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka cipher-suite gcm-aes-128
sonic(config-macsec-test)# mka policy security
sonic(config-macsec-test)# mka priority 10
sonic(config-macsec-test)# mka psk ckn 01234567890123456789012345678900 cak 01234567890123456789012345678900
sonic(config-macsec-test)# mka rekey-period 30
sonic(config-macsec-test)# mka send-sci enable
sonic(config-macsec-test)# exit
# Configure the interface IP address and bind the MACsec profile
sonic(config)# interface ethernet 10
sonic(config-if-10)# ip address 10.0.10.1/24
sonic(config-if-10)# macsec bind test
sonic(config-if-10)# exit
sonic(config)# interface ethernet 15
sonic(config-if-15)# ip address 10.0.100.1/24
sonic(config-if-15)# exit
```

Switch B configuration

```
# Configure the MACsec profile
sonic(config)# macsec enable
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka cipher-suite gcm-aes-128
sonic(config-macsec-test)# mka policy security
sonic(config-macsec-test)# mka priority 30
sonic(config-macsec-test)# mka psk ckn 01234567890123456789012345678900 cak 01234567890123456789012345678900
sonic(config-macsec-test)# mka rekey-period 30
sonic(config-macsec-test)# mka send-sci enable
sonic(config-macsec-test)# exit
# Configure the interface IP address and bind the MACsec profile
sonic(config)# interface ethernet 10
sonic(config-if-10)# ip address 10.0.10.2/24
sonic(config-if-10)# macsec bind test
sonic(config-if-10)# exit
sonic(config)# interface ethernet 15
sonic(config-if-15)# ip address 10.0.200.1/24
sonic(config-if-15)# exit
```

Both switches must use the same cipher suite and the same CKN/CAK pair, otherwise MKA never agrees on a key and the link stays unprotected (or down, depending on the policy). MKA elects the participant with the lowest priority value as key server, so Switch A (priority 10) generates the Secure Association Key (SAK) and distributes it to Switch B (priority 30). The CAK in this example is 32 hexadecimal digits, i.e. a 128-bit key for GCM-AES-128; the sequential digits are a placeholder and a production CAK must be randomly generated (for example with `openssl rand -hex 16`) and handled as a secret, since it is stored in the running configuration and displayed by the show commands below. The rekey period of 30 seconds controls how often the key server distributes a fresh SAK; a SAK must in any case be replaced before the 32-bit PN of GCM-AES-128 wraps, which on a busy 100 Gbps link happens in well under a minute. That is what the XPN cipher suites (64-bit PN) are for.

Routing configuration for Switch A and Switch B

```
# Configure a static route on Switch A towards Group 2
sonic(config)# ip route 10.0.200.0/24 10.0.10.2
# Configure a static route on Switch B towards Group 1
sonic(config)# ip route 10.0.100.0/24 10.0.10.1
```

Verify Configuration

View the MACsec configuration of the device:

```
sonic# show macsec profile
MACsec profile: test
  priority       : 30
  cipher suite   : GCM-AES-XPN-128
  primary CAK    : 01234567890123456789012345678900
  primary CKN    : 01234567890123456789012345678900
  policy         : security
  replay protect : false
  replay window  : 100
  rekey period   : 1s
  send SCI       : true
```

Check that the displayed priority, cipher suite, CKN/CAK, rekey period and send-SCI setting match what you configured on each switch. Note that this profile leaves replay protection disabled (`replay protect: false`); on a point-to-point link, where frames are not reordered, replay protection should be enabled with a small window, or a replayed frame captured on the wire will be accepted by the peer.

Ping between Switch A and Switch B; the link addresses are reachable through the MACsec-protected link:

```
sonic# ping 10.0.10.2
PING 10.0.10.2 (10.0.10.2) 56(84) bytes of data.
64 bytes from 10.0.10.2: icmp_seq=1 ttl=64 time=1.58 ms
64 bytes from 10.0.10.2: icmp_seq=2 ttl=64 time=0.638 ms
64 bytes from 10.0.10.2: icmp_seq=3 ttl=64 time=0.670 ms
64 bytes from 10.0.10.2: icmp_seq=4 ttl=64 time=0.685 ms
64 bytes from 10.0.10.2: icmp_seq=5 ttl=64 time=0.653 ms

--- 10.0.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4076ms
rtt min/avg/max/mdev = 0.638/0.846/1.587/0.371 ms
sonic# ping 10.0.10.1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=64 time=0.694 ms
64 bytes from 10.0.10.1: icmp_seq=2 ttl=64 time=0.642 ms
64 bytes from 10.0.10.1: icmp_seq=3 ttl=64 time=0.665 ms
64 bytes from 10.0.10.1: icmp_seq=4 ttl=64 time=0.657 ms
64 bytes from 10.0.10.1: icmp_seq=5 ttl=64 time=0.629 ms

--- 10.0.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4087ms
rtt min/avg/max/mdev = 0.629/0.657/0.694/0.031 ms
```

Hosts in Group 1 and Group 2 (10.0.100.2 and 10.0.200.2 in this example) can also ping each other across the protected link; the TTL of 62 in the replies shows the packets being forwarded by both switches:

```
sonic# ping 10.0.100.2
PING 10.0.100.2 (10.0.100.2) 56(84) bytes of data.
64 bytes from 10.0.100.2: icmp_seq=1 ttl=62 time=1.18 ms
64 bytes from 10.0.100.2: icmp_seq=2 ttl=62 time=1.13 ms
64 bytes from 10.0.100.2: icmp_seq=3 ttl=62 time=1.70 ms
64 bytes from 10.0.100.2: icmp_seq=4 ttl=62 time=1.05 ms
64 bytes from 10.0.100.2: icmp_seq=5 ttl=62 time=1.71 ms

--- 10.0.100.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 1.057/1.360/1.713/0.292 ms
sonic# ping 10.0.200.2
PING 10.0.200.2 (10.0.200.2) 56(84) bytes of data.
64 bytes from 10.0.200.2: icmp_seq=1 ttl=62 time=1.05 ms
64 bytes from 10.0.200.2: icmp_seq=2 ttl=62 time=0.917 ms
64 bytes from 10.0.200.2: icmp_seq=3 ttl=62 time=1.07 ms
64 bytes from 10.0.200.2: icmp_seq=4 ttl=62 time=0.977 ms
64 bytes from 10.0.200.2: icmp_seq=5 ttl=62 time=0.862 ms

--- 10.0.200.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.862/0.978/1.079/0.084 ms
```

A successful ping only shows that the link forwards traffic; it does not by itself prove that the frames are encrypted. Confirm the MACsec state of the bound interface with the device's MACsec show commands (the profile output above is the one this guide shows), and, if in doubt, capture traffic on the link: protected frames carry EtherType 0x88E5 and an opaque payload instead of the plaintext IP packet.
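To make the frame-level mechanism from the introduction concrete, and to show what the `replay protect` and `replay window` values in the `show macsec profile` output actually decide, here is an added example (not code from this guide or from SONiC) that parses the IEEE 802.1AE SecTAG of a MACsec frame and applies the receive-side replay check. The function and class names, the MAC addresses and the frame contents are the editor's own constructions; the ICV is a placeholder and is not verified, since that requires the SAK and AES-GCM.

```python
"""Added example, not code from the guide or from SONiC: parse the IEEE 802.1AE
SecTAG of a MACsec frame and apply the receive-side replay check that the
"replay protect" / "replay window" profile settings control.  MAC addresses,
frame contents and the ICV are constructed; the ICV is a placeholder and is
not verified here (that needs the SAK and AES-GCM)."""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128/256 and their XPN variants all use a 16-octet ICV


def parse_macsec_frame(frame: bytes) -> dict:
    """Split a MACsec frame into DA, SA, SecTAG fields, Secure Data and ICV.

    Wire layout (802.1AE clause 9):
      DA(6) SA(6) 0x88E5(2) | TCI/AN(1) SL(1) PN(4) [SCI(8) if SC] | Secure Data | ICV(16)
    TCI bits, MSB first: V ES SC SCB E C, then the 2-bit AN.
    Raises ValueError for anything a receiving SecY must discard.
    """
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short to hold a SecTAG and ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame: EtherType 0x%04x" % ethertype)
    version, es, sc, scb = tci_an >> 7, (tci_an >> 6) & 1, (tci_an >> 5) & 1, (tci_an >> 4) & 1
    e_bit, c_bit, an = (tci_an >> 3) & 1, (tci_an >> 2) & 1, tci_an & 0x3
    if version != 0:
        raise ValueError("unknown SecTAG version %d" % version)
    if e_bit and not c_bit:
        raise ValueError("E=1,C=0 is reserved in 802.1AE: discard")
    if sc and (es or scb):
        raise ValueError("SC may not be combined with ES or SCB")
    if pn == 0:
        raise ValueError("PN 0 is never transmitted: discard")
    offset = 20
    if sc:                    # explicit SCI, which "mka send-sci enable" turns on
        sci, offset = frame[20:28], 28
    elif es and not scb:      # end station: SCI = SA || port 00-01
        sci = src + b"\x00\x01"
    elif scb:
        raise NotImplementedError("SCB (EPON single-copy broadcast) not handled")
    else:                     # point-to-point: receiver knows the single peer's SCI
        sci = None
    if sl:
        # Short frame: SL gives the Secure Data length; anything after the ICV is padding.
        if sl >= 48 or len(frame) < offset + sl + ICV_LEN:
            raise ValueError("SL=%d inconsistent with frame length" % sl)
        secure_data = frame[offset:offset + sl]
        icv = frame[offset + sl:offset + sl + ICV_LEN]
    else:
        secure_data, icv = frame[offset:-ICV_LEN], frame[-ICV_LEN:]
        if len(secure_data) < 48:
            raise ValueError("SL=0 requires at least 48 octets of Secure Data")
    return {"dst": dst, "src": src, "an": an, "pn": pn, "sci": sci,
            "encrypted": bool(e_bit), "changed_text": bool(c_bit),
            "secure_data": secure_data, "icv": icv,
            # AES-GCM's additional authenticated data is DA||SA||SecTAG, so the
            # clear-text header is covered by the ICV as well.
            "aad": frame[:offset]}


class ReceiveSA:
    """Packet-number state of one receive Secure Association (802.1AE clause 10.6).

    With replay protection off ("replay protect: false" in the profile output)
    every PN is accepted.  With it on, a frame is dropped when
    PN < lowestPN = max(nextPN - replayWindow, 1); window 0 is strict ordering.
    The window only tolerates reordering: 802.1AE keeps no bitmap of seen PNs,
    so a replayed frame whose PN is still inside the window is accepted.
    """

    def __init__(self, replay_protect: bool, replay_window: int = 0):
        self.replay_protect, self.replay_window = replay_protect, replay_window
        self.next_pn, self.lowest_pn = 1, 1

    def accept(self, pn: int) -> bool:
        """Return True if a frame with this PN passes the replay check."""
        if self.replay_protect and pn < self.lowest_pn:
            return False
        # A real SecY verifies the ICV here and only then advances the state.
        if pn >= self.next_pn:
            self.next_pn = pn + 1
            self.lowest_pn = max(self.next_pn - self.replay_window, 1)
        return True


def build_frame(dst, src, an, pn, sci, secure_data, icv) -> bytes:
    """Assemble a MACsec frame with explicit SCI (SC=1) and E=C=1 (encrypted)."""
    tci_an = 0b00101100 | (an & 0x3)          # V=0 ES=0 SC=1 SCB=0 E=1 C=1 | AN
    sl = len(secure_data) if len(secure_data) < 48 else 0
    return (dst + src + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)
            + sci + secure_data + icv)


# Constructed sample: Switch A -> Switch B, AN 1, PN 42, 20 octets of "ciphertext",
# plus 4 octets of trailing padding to show that SL, not frame length, delimits the ICV.
SWITCH_A_MAC = bytes.fromhex("0000aa000001")
SWITCH_B_MAC = bytes.fromhex("0000bb000002")
SAMPLE_FRAME = build_frame(SWITCH_B_MAC, SWITCH_A_MAC, an=1, pn=42,
                           sci=SWITCH_A_MAC + b"\x00\x01",
                           secure_data=bytes(range(20)),
                           icv=b"\xab" * ICV_LEN) + b"\x00" * 4

if __name__ == "__main__":
    fields = parse_macsec_frame(SAMPLE_FRAME)
    print("PN %d AN %d SCI %s" % (fields["pn"], fields["an"], fields["sci"].hex()))
    sa = ReceiveSA(replay_protect=True, replay_window=100)
    for pn in (500, 450, 500, 400):       # last two: replay inside and outside the window
        print("PN %3d -> %s" % (pn, "accept" if sa.accept(pn) else "drop"))
```

Running it shows the point of the caveat above: with `replay_window=100` the receiver accepts PN 450 (late but inside the window) and also accepts a second copy of PN 500, because the window is a lower bound, not a record of frames already seen; only PN 400 is dropped. With `replay_window=0` any PN that is not strictly greater than the last one is rejected, which is the right setting for a point-to-point link that does not reorder frames.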
