Cisco MACsec Solution Design and Deployment for a Secure Enterprise
Kural Arangasamy, Technical Marketing Engineer
BRKCRS-2892
Agenda
• MACsec Overview
• Need for a Layer 2 Encryption Technology
• Part 1: MACsec Encryption in the Campus & Data Center
  • Deployment Use Cases
  • Config Examples
• Part 2: MACsec Encryption over the Metro-E WAN
  • WAN Deployment Use Cases
  • Config Examples
  • Best Practices
Encryption
• What is Encryption?
  Encryption is defined as: "cryptographically transforming plaintext into ciphertext with an encryption algorithm, so that the data can only be read once it is decrypted."
• Why do I need Encryption?
  Privacy & data confidentiality
  Regulatory / compliance requirements (refer to PCI DSS v3.0 sections 4.1 & 8.2.1, and to HIPAA section 4)
Authentication vs Encryption
What happens if I have Authentication but not Encryption?
• 802.1X only ensures user authentication
• Without encryption, data confidentiality is compromised: anyone on the segment "can see everything" (sample packet capture without encryption)
• A rogue AP can extend the attack outside the physical perimeter
• Rogue users with physical access can monitor and spoof
[Figure: authenticated user, 802.1X servers and WAN; a rogue AP and a rogue user with physical access capture the unencrypted traffic]
Network Security Today for LAN
• End-to-end encryption technologies, e.g. IPsec
• Network devices have no visibility into the encrypted data
• Cannot enforce policies, QoS, etc.
• Typically done by software – not scalable
• Goal is to encrypt data on the wire
[Figure: host encrypts, host decrypts; the switches in between carry only encrypted data and have no visibility]

Network Security Today for WAN
• Encrypted Virtual Private Network (VPN) technologies over public cloud, e.g. DMVPN
• Higher scalability – 1000s of branches
• Typically done by software / crypto engine – lower performance / throughput
• Goal is to encrypt data on the public cloud
[Figure: VPN routers encrypt and decrypt; encrypted data crosses the WAN]
What is MACsec?
• Layer 2 encryption technology
• IEEE 802.1AE standard
• Connectionless data confidentiality and integrity for media-access-independent protocols

Benefits of MACsec
• IEEE 802.1AE standards based
• Line-rate Layer 2 encryption
• Hardware (PHY) encryption
• Deployment flexibility (hop-by-hop encryption)
Where do I Need MACsec?
[Figure: MACsec-capable platforms by placement. Campus: Cat3Kx, Cat4K (Sup7E/8E, 4500X), Cat6K, Cat3850/Cat3650, WLC 2500/5500, *WLC 5760. Data Center: UCS servers, Cat3850/3650. Branch: ISR SM-X Eth. Metro Ethernet Network edge: ASR1K. Hosts: Cisco AnyConnect. * Roadmap]

End to End MACsec
1. Host-to-Switch
2. Wireless AP to Switch
3. Switch-to-Switch
4. Wireless Controller-to-Switch
5. Router-to-Switch
6. Router-to-Router over WAN
7. Router-to-Switch in a Branch
8. Router-to-Router in a DCI
9. Server-to-Switch in Data Center
* Roadmap
MACsec – Campus Use Cases Summary
#1 Host-to-Switch (Floors 1-3 of Main Building 1)
#2 Between sites or buildings (Main Building 1 and Buildings 2, 3, 4 over the LAN)
#3 Between floors in a multi-tenancy enterprise network

MACsec – Data Center Use Cases Summary
#1 Data Center Interconnect (DC1 to DC2 over Metro E-LINE)
#2 Server-to-Switch inside the DC

MACsec – WAN Use Cases Summary
#1 Data Center Interconnect (DC1 to DC2 over Metro E-LINE)
#2 Campus Interconnect (Main Building 1 and Buildings 2, 3, 4 over Metro E-LAN / E-Line)
#3 Hub-Spoke (Head Office with Branches 1, 2, 3 over Metro E-LINE / E-LAN)
* Roadmap
LAN MACsec

What is LAN MAC Security (MACsec)?
• Encryption mitigates packet eavesdropping, tampering, and injection
• Supports 802.1AE-based strong encryption technology
• 128-bit AES-GCM, NIST-approved, 10Gb line-rate encryption
• Hop-by-hop encryption supports data and packet inspection: each switch decrypts, inspects and re-encrypts, so the switches keep visibility
• Works in shared media environments (IP Phones, desktops)
[Figure: downlink MACsec between hosts and access switch, uplink MACsec between switches; data is encrypted on every link and visible inside each switch]
When do I absolutely need LAN MACsec?
Host-to-Switch MACsec
• Customer conference rooms, or remote offices/branches
• Customer, partner or industry events
• Physical security and end-user awareness can also mitigate these threats
Switch-to-Switch MACsec
• Between buildings (financial institutions)
• Between two sites over dark fiber (Location A to Location B)
• Multi-tenant building
How does LAN MACsec Work?
MACsec Tag Format
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
802.1AE Header = MACsec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)
• Encrypted: everything after the 802.1AE header up to the ICV, so in LAN MACsec the 802.1Q tag and CMD are hidden too
• Authenticated: DMAC, SMAC, the 802.1AE header and the encrypted body are all covered by the integrity check value (ICV)
• Frames are encrypted and protected with an ICV
• MACsec EtherType is 0x88e5
• No impact to IP MTU/fragmentation
• L2 frame MTU impact*: ~40 bytes (an 8- or 16-byte SecTAG depending on whether the SCI is present, plus the 16-byte ICV) = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)
MACsec Jargon
Acronym  Definition
MKA      MACsec Key Agreement, defined in IEEE 802.1X-2010 (the 802.1X REV draft); a key agreement protocol for discovering MACsec peers and negotiating keys.
SAP      Security Association Protocol, a Cisco pre-standard key agreement protocol similar to MKA.
MSK      Master Session Key, generated during the EAP exchange. Supplicant and authentication server use the MSK to generate the CAK.
CAK      Connectivity Association Key, derived from the MSK. The CAK is a long-lived master key used to generate all other keys used for MACsec.
SAK      Secure Association Key, derived from the CAK; the key used by supplicant and switch to encrypt traffic for a given session.
LAN MACsec (Host-to-Switch)

What is Host-to-Switch MACsec? (a.k.a. Downlink MACsec)
• Encryption between end station and switch
• Frame is tagged at egress & untagged at ingress
[Figure: an 802.1X supplicant with MACsec sends encrypted data over the MACsec link to a MACsec-capable switch; an authenticated user whose supplicant has no MACsec sends data in the clear]

What do I Need to Enable Host-to-Switch MACsec?
• Supplicant (e.g. AnyConnect 3.0): a client that runs on the endpoint & manages MACsec key negotiation and encrypts packets. Encryption may be done in software or hardware (if the NIC supports it). Role: authentication, key exchange, encryption.
• Authenticator: the switch that relays the supplicant's credentials to the authentication server and enforces the network access policy. Must be capable of MACsec key negotiation and packet encryption. Requires special hardware to support MACsec at line rate. Role: access control, key exchange, encryption.
• Authentication Server: a RADIUS server that validates the supplicant's credentials and determines what network access the supplicant should receive. Distributes master keying material to the supplicant and switch. Optionally defines the MACsec policy to be applied to a particular endpoint. Role: authentication, master key distribution, policy management.
How do I Enable Host-to-Switch MACsec? Switch Configuration Example

Global Configuration Commands (802.1X global config):
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
radius-server host 172.28.103.178 key cisco123
radius-server vsa send authentication

Interface Configuration Commands:
interface GigabitEthernet4/1
 description AnyConnect Interface to MACsec XP 1
 switchport access vlan 903
 switchport mode access
 authentication priority dot1x
 authentication port-control auto
 dot1x pae authenticator
 mka default-policy
 spanning-tree portfast
 authentication linksec policy should-secure

The MACsec-specific lines are "mka default-policy" and "authentication linksec policy". The default link security policy is "should-secure"; the other options are "must-not-secure" and "must-secure".
How do I Enable Host-to-Switch MACsec? AnyConnect 3.0 Client Configuration Example
For "should-secure":
• Set Key Management to MKA
• Set Encryption to MACsec
• Set Port Authentication Exception Policy to "Prior to Authentication Initiation"
Note: AnyConnect is a software-based MACsec client for PCs. Intel NIC hardware-based MACsec is also available.

How do I Enable Host-to-Switch MACsec? ISE Server Configuration Example
Policy > Policy Elements > Results
How do I Verify MACsec is Enabled? Before – "Just Dot1X"
RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
           IP Address:  10.3.1.200
            User-Name:  cisco
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0301010000000B0ADAA4C0
      Acct Session ID:  0x0000000D
               Handle:  0xC800000C
Runnable methods list:
       Method   State
       dot1x    Authc Success
MACsec status: port is unsecured. "Security Policy: Should Secure" together with "Security Status: Unsecure" means the user authenticated but MKA did not complete, and the port fell back to passing data in the clear.

How do I Verify MACsec is Enabled? After the Fact
RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
           IP Address:  10.3.1.200
            User-Name:  blackbird
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Must Secure
      Security Status:  Secured
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A030101000000080551CE18
      Acct Session ID:  0x00000009
               Handle:  0x02000009
Runnable methods list:
       Method   State
       dot1x    Authc Success
MACsec status: port is secured ("Security Status: Secured").
Troubleshooting (Host-to-Switch)
Problem 1: Session is unsecured
  Typical cause: the endpoint does not support MACsec (under "should-secure" the session is allowed in the clear)
Problem 2: Unable to establish a session
  Typical causes: endpoint with invalid credentials; MACsec policy is "must-secure" and the endpoint cannot negotiate MACsec
LAN MACsec: Under the Covers

Downlink MACsec: Under the Covers
Participants: AnyConnect 3.0 supplicant, the switch (authenticator) and ISE.

IEEE 802.1X – authentication and master key distribution
1. EAP start: the switch sends EAPoL EAP Request-Identity to the supplicant
2. EAP negotiation: the supplicant answers with EAPoL EAP-Response (identity "blackbird"); the switch relays it in a RADIUS Access-Request [AVP: EAP-Response: blackbird]; ISE replies with RADIUS Access-Challenge [AVP: EAP-Request: PEAP] and the PEAP exchange runs through the switch
3. EAP success: ISE sends RADIUS Access-Accept [AVP: EAP Success] [AVP: EAP Key Name] [AVP: CAK]; the switch forwards EAP Success to the supplicant

MKA – session key agreement
4. MKA negotiation: EAPoL-MKA key server election; EAPoL-MKA "MACsec Capable" advertisement
5. SAK exchange: EAPoL-MKA Key Name, SAK (distributed in protected form); EAPoL-MKA SAK Installed

MACsec – session secure
6. Data is encrypted on the wire with AES-GCM-128

Key derivation
1. Supplicant and ACS/ISE each derive the CAK from the EAP MSK (EAP -> MSK -> CAK); the CAK never has to travel between those two
2. ACS/ISE sends the CAK to the switch in the RADIUS Access-Accept (the RADIUS path is the one place the CAK crosses the network, so the RADIUS shared secret and transport deserve the same care as the keys themselves)
3. The switch, as MKA key server, generates the SAK from the CAK
4. The SAK is encrypted (wrapped under a key-encrypting key that is itself derived from the CAK) and sent to the supplicant in EAPoL-MKA
5. The supplicant decrypts and installs the SAK. The SAK is used to encrypt traffic on the wire; the intent is to have the same SAK on the switch port and the supplicant
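The key-derivation steps above, as an added runnable walkthrough (constructed example, not Cisco, ISE or AnyConnect code): both EAP peers derive the CAK from the MSK, the CAK is handed to the switch, the switch acts as MKA key server and distributes a fresh SAK wrapped under a CAK-derived key, and a supplicant holding a different CAK is rejected. IEEE 802.1X-2010 uses an AES-CMAC KDF, AES Key Wrap for the SAK and an ICK-keyed ICV on each MKPDU; HMAC-SHA256 stands in for all three here because the Python standard library has no AES, and the labels, contexts and MKPDU layout are simplified.

```python
"""Downlink MACsec key hierarchy: MSK -> CAK -> {KEK, ICK}, SAK wrapped under the KEK.
Constructed illustration; HMAC-SHA256 replaces the AES-CMAC KDF, AES Key Wrap
and ICK ICV of IEEE 802.1X-2010, and labels/contexts are simplified."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, context: bytes, length: int = 16) -> bytes:
    """Counter-mode KDF in the 802.1X-2010 shape: PRF(key, i || label || 0x00 || context || L).
    PRF is HMAC-SHA256 here (stand-in for AES-CMAC)."""
    out, i = b"", 1
    while len(out) < length:
        msg = bytes([i]) + label + b"\x00" + context + (length * 8).to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_cak(msk: bytes, mac_a: bytes, mac_b: bytes) -> bytes:
    """Supplicant and authentication server both run this on the EAP MSK. Sorting the
    two MAC addresses makes the context symmetric, so both ends compute the same CAK."""
    lo, hi = sorted((mac_a, mac_b))
    return kdf(msk[:16], b"EAP CAK", lo + hi)


def _prf16(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


class MkaParticipant:
    """Every MKA participant derives two keys from the CAK: the KEK that wraps the
    SAK and the ICK that authenticates MKPDUs."""
    def __init__(self, cak: bytes):
        self.cak = cak
        self.kek = kdf(cak, b"KEK", b"")
        self.ick = kdf(cak, b"ICK", b"")
        self.sak = None


class KeyServer(MkaParticipant):
    """The switch: elected key server, generates and distributes the SAK."""
    def distribute_sak(self, key_number: int) -> bytes:
        self.sak = os.urandom(16)                  # fresh random SAK
        nonce = os.urandom(16)
        pad = _prf16(self.kek, nonce)              # stand-in for AES Key Wrap under the KEK
        wrapped = bytes(a ^ b for a, b in zip(self.sak, pad))
        body = key_number.to_bytes(4, "big") + nonce + wrapped
        return body + _prf16(self.ick, body)       # MKPDU body || ICV


class Supplicant(MkaParticipant):
    def install_sak(self, mkpdu: bytes) -> int:
        body, icv = mkpdu[:-16], mkpdu[-16:]
        if not hmac.compare_digest(_prf16(self.ick, body), icv):
            raise ValueError("MKPDU ICV mismatch: sender does not hold the same CAK")
        key_number = int.from_bytes(body[:4], "big")
        nonce, wrapped = body[4:20], body[20:36]
        pad = _prf16(self.kek, nonce)
        self.sak = bytes(a ^ b for a, b in zip(wrapped, pad))
        return key_number


def run_exchange(msk: bytes, sup_mac: bytes, sw_mac: bytes, cak_on_switch: bytes = None):
    """Return (switch SAK, supplicant SAK). cak_on_switch simulates a switch that was
    handed a CAK different from the one the supplicant derived."""
    cak_supplicant = derive_cak(msk, sup_mac, sw_mac)   # step 1, supplicant side
    cak_server = derive_cak(msk, sw_mac, sup_mac)       # step 1, ACS/ISE side
    switch = KeyServer(cak_on_switch or cak_server)     # step 2, CAK delivered via RADIUS
    supplicant = Supplicant(cak_supplicant)
    mkpdu = switch.distribute_sak(key_number=1)         # steps 3-4, EAPoL-MKA Key Name, SAK
    supplicant.install_sak(mkpdu)                       # step 5, SAK installed
    return switch.sak, supplicant.sak


if __name__ == "__main__":
    msk = bytes(range(64))                              # constructed MSK (a real one is 64 random bytes)
    sw_sak, sup_sak = run_exchange(msk, b"\x00\x50\x56\x9c\x00\x08", b"\x00\x1e\x7a\x00\x00\x01")
    print("same SAK on both ends:", sw_sak == sup_sak)
```

The point the walkthrough makes concrete: the supplicant never receives the SAK from ISE, only from the switch, and anything that can read the CAK (a captured RADIUS Access-Accept, a stored CAK) can unwrap every SAK derived under it.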
Policy Recommendations
Switch and supplicant have three possible policies:
• Must-Not-Secure: only unencrypted traffic will be sent and received. MKA frames will be ignored.
• Should-Secure: if MKA succeeds, only encrypted traffic will be sent and received. If MKA times out or fails, unencrypted traffic will be permitted.
• Must-Secure: if MKA succeeds, only encrypted traffic will be sent and received. If MKA times out or fails, no traffic will be permitted.
Mismatched policies on switch and supplicant can cause problems.
Best practice recommendation: use "should-secure" everywhere
• "should-secure" is the default setting on the switch
• Use ACS/ISE to assign policy exceptions to the switch using the RADIUS attribute cisco-av-pair=subscriber:linksec-policy
• AnyConnect 3.0 implements "should-secure" via the Port Authentication Exception Policy configuration of "Prior to Authentication Initiation"
Caveat: "should-secure" is opportunistic. A session that shows "Security Status: Unsecure" is carrying user traffic in the clear after a successful authentication, so monitor for that state, and assign "must-secure" from ISE to the endpoints and ports where cleartext fallback is not acceptable.
MACsec Policy Combinations
Supplicant Policy                       Switch Policy                           Resultant Connection
Not MACsec-capable or Must-Not-Secure   Not MACsec-capable or Must-Not-Secure   Not Secure
Not MACsec-capable or Must-Not-Secure   Should-Secure                           Not Secure
Not MACsec-capable or Must-Not-Secure   Must-Secure                             Blocked if no MACsec fallback policy is configured
Should-Secure                           Not MACsec-capable or Must-Not-Secure   Not Secure
Should-Secure                           Should-Secure                           Secure
Should-Secure                           Must-Secure                             Secure
Must-Secure                             Not MACsec-capable or Must-Not-Secure   Blocked
Must-Secure                             Should-Secure                           Secure
Must-Secure                             Must-Secure                             Secure
Multiple Endpoints Support Per Port
Host-Mode                 MACsec   Details
Single-Host               Y        Data traffic is encrypted. Cisco phones doing CDP bypass can send/receive unencrypted traffic.
Multi-Domain Auth (MDA)   Y        Either or both data and voice can be independently encrypted.
Multi-auth                N        If "should-secure", endpoints can Tx/Rx unencrypted traffic. If "must-secure", authentication fails.
Multi-Host                Y        Multiple MACs are allowed to piggyback after the first authentication, but only one encrypted session is allowed. Intended for uplink encryption.
LAN MACsec (Switch-to-Switch)

What is Switch-to-Switch MACsec? (a.k.a. Uplink MACsec)
• Encryption between two switches
• Frame is tagged at egress & untagged at ingress
• MACsec is point-to-point (PHY to PHY) encryption, on an individual link or on each member link of an EtherChannel
Frame: DMAC | SMAC | 802.1AE | 802.1Q | ETYPE | PAYLOAD | ICV | CRC (the 802.1AE field is the MACsec tag)
Switch-to-Switch MACsec Configuration Modes
• Manual Mode: manual configuration of interfaces on each end
  Benefits: easy to deploy; dot1x infrastructure not required; best suited for pilot deployments
  Considerations: not scalable; no centralized policy management; no authentication of the switch
• IEEE 802.1X Mode: 802.1X-mode MACsec requires NDAC for device authentication
  Benefits: centralized policy management; rogue switches eliminated; master key maintained centrally
  Considerations: ACS/ISE required; requires 802.1X configuration; best suited for large-scale deployment
Switch-to-Switch MACsec: Manual Mode

How do I Enable Switch-to-Switch MACsec in Manual Mode?
Step 1: Configure the interfaces on each end. When the interface status is up, SAP exchanges the required keys and starts encrypting.
MACsec is point-to-point (PHY to PHY) encryption, so configuration is needed on each individual port (individual link, or every member of an EtherChannel).

Configuration Example (same on both switches):
interface TenGigabitEthernet5/1
 switchport mode trunk
 cts manual
  sap pmk 033445AABBCCDDEEFF mode-list gcm-encrypt gmac null no-encap
  no propagate sgt

The PMK is a static shared secret that must match on both ends; it lives in the running configuration of each switch and is rotated by hand.
[Figure: two MACsec-capable switches joined by a MACsec link carrying encrypted data]
Switch-to-Switch MACsec SAP Negotiation Modes
• gcm-encrypt: authenticate the originator & encrypt the data. Use when confidentiality is required.
• gmac: authenticate the originator, no encryption. Use when integrity only is needed.
• no-encap: no encapsulation. The only mode available when the hardware is not MACsec capable.
• null: encapsulation only, no authentication or encryption. Used for Security Group Access (SGT) tagging only.
The mode-list is negotiated in the order configured, so "mode-list gcm-encrypt gmac null no-encap" lets the link come up unencrypted (or without MACsec at all) whenever the peer cannot do gcm-encrypt. Where confidentiality is mandatory, configure only gcm-encrypt and accept that a link with a non-capable peer stays down; otherwise verify the selected cipher after every link comes up.
How do I Verify MACsec is Enabled? After the Fact (Manual Mode)
sho cts int t5/1
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
    Peer identity:           "unknown"
    Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
            null
            no-encap
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt

Config mode & status: "mode: MANUAL", "SAP Status: SUCCEEDED", "Selected cipher: gcm-encrypt". "Peer identity: unknown" is expected in manual mode, which does not authenticate the peer switch.
Encryption modes:
  gcm-encrypt – authenticate & encrypt
  gmac – authentication only
  no-encap* – no encapsulation
  null – encap present but no authentication or encryption
* If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode.
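An added audit script (not from the deck, not Cisco tooling) that turns the two verification outputs on this page into checks: for "show authentication session interface" it flags downlink sessions that authenticated but fell back to clear text, and for "show cts interface" it flags uplinks where SAP selected anything weaker than gcm-encrypt, where replay protection is not STRICT, or where manual mode means the peer was never authenticated. The sample outputs are constructed from the deck's examples; the second session (Gi4/2) and second interface (Te5/2) and their values are made up for the negative cases.

```python
"""Audit MACsec state from IOS 'show' output (constructed samples, not live devices)."""
import re

DOT1X_SAMPLE = """\
RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
            User-Name:  cisco
               Status:  Authz Success
      Security Policy:  Should Secure
      Security Status:  Unsecure
RAFALE#show authentication session interface gigabitEthernet 4/2
            Interface:  GigabitEthernet4/2
          MAC Address:  0050.569c.0009
            User-Name:  blackbird
               Status:  Authz Success
      Security Policy:  Must Secure
      Security Status:  Secured
"""

CTS_SAMPLE = """\
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Peer identity:           "unknown"
    SAP Status:              SUCCEEDED
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt
Interface TenGigabitEthernet5/2:
    CTS is enabled, mode:    DOT1X
    IFC state:               OPEN
    Peer identity:           "dist-4k"
    SAP Status:              SUCCEEDED
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
        Replay protection:      disabled
        Selected cipher:        gmac
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z' ,-]*?):\s*(.*)$")
DOT1X_START = re.compile(r"^Interface:\s+(\S+)")   # one block per session
CTS_START = re.compile(r"^Interface (\S+):$")      # one block per CTS interface


def parse_blocks(text, start_re):
    """Split output into per-interface dicts: 'Key: value' lines become entries and the
    bare lines under 'Configured pairwise ciphers' are collected into a list."""
    blocks, cur, last_key = [], None, None
    for line in text.splitlines():
        m = start_re.match(line.strip())
        if m:
            cur = {"interface": m.group(1), "ciphers": []}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        kv = KV_RE.match(line)
        if kv:
            last_key = kv.group(1).strip()
            cur[last_key] = kv.group(2).strip()
        elif last_key == "Configured pairwise ciphers" and line.strip():
            cur["ciphers"].append(line.strip())
    return blocks


def audit_downlink(text):
    """Host-to-switch: any authenticated session that is not 'Secured' carries clear text."""
    findings = []
    for s in parse_blocks(text, DOT1X_START):
        policy, status = s.get("Security Policy", "?"), s.get("Security Status", "?")
        if status != "Secured":
            sev = "HIGH" if policy == "Must Secure" else "WARN"   # must-secure should never be here
            findings.append((sev, s["interface"], "user %s authenticated but link is %s under "
                             "policy '%s': traffic in clear" % (s.get("User-Name", "?"), status, policy)))
    return findings


def audit_uplink(text):
    """Switch-to-switch: SAP must have picked gcm-encrypt with strict replay protection."""
    findings = []
    for i in parse_blocks(text, CTS_START):
        name = i["interface"]
        if i.get("SAP Status") != "SUCCEEDED":
            findings.append(("HIGH", name, "SAP did not succeed: %s" % i.get("SAP Status", "?")))
            continue
        sel = i.get("Selected cipher")
        if sel != "gcm-encrypt":   # gmac = integrity only; null/no-encap = nothing
            findings.append(("HIGH", name, "SAP selected '%s' from %s: no confidentiality"
                             % (sel, i["ciphers"])))
        if i.get("Replay protection") != "enabled" or i.get("Replay protection mode") != "STRICT":
            findings.append(("WARN", name, "replay protection is not STRICT"))
        if i.get("CTS is enabled, mode") == "MANUAL":
            findings.append(("INFO", name, "manual mode, peer identity %s: switch not authenticated, "
                             "trust rests on the shared PMK" % i.get("Peer identity")))
    return findings


if __name__ == "__main__":
    for f in audit_downlink(DOT1X_SAMPLE) + audit_uplink(CTS_SAMPLE):
        print("%-4s %-22s %s" % f)
```

Run it against the saved output of the two show commands from each switch; a clean result is an empty list for downlinks and only INFO entries for manual-mode uplinks.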
Troubleshooting (Switch-to-Switch, Manual Mode)
Problem 1: Session is unsecured
  Typical cause: one of the switch interfaces does not support MACsec (SAP settled on no-encap)
Problem 2: Unable to establish a session
  Typical causes: configuration mismatch or SAP key (PMK) mismatch; only "gcm-encrypt" mode is configured and one end is not MACsec capable

Uplink MACsec, Manual Mode: Under the Covers
MACsec (SAP) Jargon
Acronym  Definition
SAP      Security Association Protocol, a pre-standard key agreement protocol similar to MKA.
PMK      Pairwise Master Key. The PMK is a long-lived master key used to generate all other keys used for MACsec.
PTK      Pairwise Transient Key. Contains three keys (TK, KCK, KEK) inside as an octet stream.
TK       Temporal Key. The TK is the session key used by the cipher suite for encryption of data traffic.
KCK      EAPOL-Key Confirmation Key. Provides data origin authenticity.
KEK      EAPOL-Key Encryption Key. Provides data origin confidentiality.
SAP Key Exchange: Under the Covers
1. Supplicant and authenticator (AT) both hold the PMK: derived from EAP in 802.1X mode, or the configured "sap pmk" in manual mode.
2. The authenticator generates a PMKID from the PMK and sends it to the supplicant.
3. The supplicant computes the PMKID from its own PMK and compares it with the received one, confirming that both ends hold the same PMK without sending the PMK itself.
4. Supplicant and authenticator exchange nonces (SNonce from the supplicant, ANonce from the authenticator).
5. Supplicant and authenticator each derive the PTK from the PMK and the nonces.
6. The PTK is split into three 16-octet keys: KCK (key confirmation key, data origin authenticity of the SAP exchange), KEK (key encryption key, confidentiality of the SAP exchange) and TK (temporal key).
7. The TK is used to encrypt data traffic on the wire. The intent is to derive the same TK on the AT and the supplicant.
PMK – Pairwise Master Key; PMKID – PMK Identifier; PTK – Pairwise Transient Key; TK, KCK, KEK – 16 octets each.
Switch-to-Switch MACsec: IEEE 802.1X Mode

What do I need to Enable Switch-to-Switch MACsec in dot1x Mode?
• NDAC Supplicant: a switch that acts as a supplicant and authenticates before it becomes an authenticator itself. Role: access control, key exchange, encryption.
• Authentication Server: a RADIUS server that validates the supplicant's credentials as part of NDAC and determines what network access the supplicant should receive. Distributes master keying material to the supplicant. Role: authentication, master key distribution, policy management.
NDAC – Network Device Admission Control

How do I Enable Switch-to-Switch MACsec in dot1x Mode?
• Step 1: Enable NDAC (authentication & master key exchange)
  • NDAC (Network Device Admission Control) provides device authentication
  • Can be used as a standalone feature when only device authentication is required, or when MACsec-capable hardware is not available
• Step 2: Enable MACsec (SAP negotiation for key exchange)
  • After authentication, SAP exchanges session keys & encryption keys
  • SAP negotiates the cipher suite
What is Network Device Admission Control (NDAC)?
• NDAC is authenticating the authenticator
• NDAC uses 802.1X with EAP-FAST (Extensible Authentication Protocol Flexible Authentication via Secure Tunnel)
• EAP-FAST enhancements: authenticate the authenticator; notify each device of its peer identity (using RADIUS TLV messages)
• The seed device authenticates first (against ISE) and then authenticates non-seed devices
Benefits: centralized policy management; rogue switches eliminated
[Figure: Switch 1 (seed device) authenticates to ISE; a non-seed Switch 2 succeeds NDAC through Switch 1 while a rogue non-seed switch fails authentication]
How do I Enable NDAC? Seed Switch Configuration Example
Configuration Commands (the seed device includes the RADIUS server info):
aaa new-model
radius server ise
 address ipv4 <ip address> auth-port 1812 acct-port 1813
 pac key <password>
aaa authentication dot1x default group radius
aaa authorization network cts group radius
aaa session-id common
cts authorization list cts
dot1x system-auth-control
!
interface TenGigabitEthernet5/1
 switchport mode trunk
 cts dot1x
!
Exec mode: cts credentials id <userid> password <password>

How do I Enable NDAC? Non-Seed Switch Configuration Example
Configuration Commands:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
!
interface TenGigabitEthernet5/1
 switchport mode trunk
 cts dot1x
!
Exec mode: cts credentials id <userid> password <password>

How do I Enable NDAC? ISE Configuration Example
Administration > Network Resources > Network Devices
The device ID and password given with "cts credentials" must match the network device entry created here.
NDAC: Under the Covers
IEEE 802.1X – authentication and master key distribution (supplicant switch, authenticator switch, ISE):
• EAP-FAST tunnel establishment (EAP-FAST carried in 802.1X between supplicant and authenticator, in RADIUS between authenticator and ISE)
• One-time provisioning
• Device authentication
• User authentication
• EAP-FAST tunnel tear-down
• Policy acquisition (RADIUS) by the authenticator, then policy acquisition by the supplicant
How do I Enable MACsec? Seed Switch Configuration Example
Configuration Commands (the seed device includes the RADIUS server info):
aaa new-model
radius server ise
 address ipv4 <ip address> auth-port 1812 acct-port 1813
 pac key <password>
aaa authentication dot1x default group radius
aaa authorization network cts group radius
aaa session-id common
cts authorization list cts
dot1x system-auth-control
!
interface TenGigabitEthernet5/1
 switchport mode trunk
 cts dot1x
  sap mode-list gcm-encrypt gmac null no-encap
!
Exec mode: cts credentials id <userid> password <password>

How do I Enable MACsec? Non-Seed Switch Configuration Example
Configuration Commands:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
!
interface TenGigabitEthernet5/1
 switchport mode trunk
 cts dot1x
  sap mode-list gcm-encrypt gmac null no-encap
!
Exec mode: cts credentials id <userid> password <password>
How do I Verify MACsec is Enabled? After the Fact (dot1x Mode)
sho cts int t5/1
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
    CTS is enabled, mode:    DOT1X
    IFC state:               OPEN
    Authentication Status:   SUCCEEDED
    Peer identity:           "dist-4k"
    Peer's advertised capabilities: "sap"
    Authorization Status:    ALL-POLICY SUCCEEDED
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
            null
            no-encap
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt

Config mode & status: "mode: DOT1X", "Authentication Status: SUCCEEDED" with the peer's identity now known ("dist-4k"), "SAP Status: SUCCEEDED", "Selected cipher: gcm-encrypt". The encryption-mode legend is the same as for manual mode above.
Troubleshooting (Switch-to-Switch, dot1x Mode)
Problem 1: Session is unsecured
  Typical cause: one of the switch interfaces does not support MACsec
Problem 2: Unable to establish a session
  Typical causes: authentication failure; only "gcm-encrypt" mode is configured and one end is not MACsec capable

NDAC & SAP: Under the Covers
IEEE 802.1X – authentication and master key distribution (supplicant switch, authenticator switch, ISE):
• EAP-FAST tunnel establishment (EAP-FAST in 802.1X between the switches, EAP-FAST in RADIUS to ISE)
• One-time provisioning
• Device authentication
• User authentication
• EAP-FAST tunnel tear-down
• Policy acquisition (RADIUS), then policy acquisition by the supplicant
MACsec – session secure:
• Key establishment (SAP)
• Encrypted data on the wire with AES-GCM-128
• Ongoing key refresh (SAP)
LAN MACsec Considerations
MACsec Header Overhead
• No impact to IP MTU/fragmentation
• L2 frame MTU impact*: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)
* Line-rate performance impact (goodput lost to the fixed per-frame MACsec overhead, so it matters most for small frames):
  64-byte packets: ~60%
  256-byte packets: ~15%
  1500-byte packets: ~2.5%
  9198-byte packets: ~0.5%
Key Management vs Certificates
In 802.1X mode:
• Keys are managed centrally by ISE
• A cluster of servers automatically syncs the keys between servers
In manual mode:
• Keys are managed by individual switches
• Admin overhead (each PMK is configured, matched and rotated by hand on both ends)
Keys vs certificates:
• Certificates are used to confirm the identity of a device
• A separate CA server is needed to maintain certificates; ISE supports certificates
• Keys are needed for encryption
WAN MACsec
Ethernet "WAN transition" for carrier services
• Metro Ethernet Forum (MEF) standardization of carrier Ethernet services
• WAN/Metro SP offerings are replacing existing T1, ATM/FR, and SONET options for their customers in favor of lower-cost Ethernet transport
• Highly flexible, granular and scalable bandwidth
• Simple troubleshooting
• Enterprise maintains networking and routing decisions
• Easily add new locations to the L2 VPN
• Ubiquitous use for router ports with Ethernet support

What is WAN MAC Security (MACsec)?
• Encryption mitigates packet eavesdropping, tampering, and injection
• Supports 802.1AE-based strong encryption technology
• 128/256-bit AES-GCM, NIST-approved, 10Gb line-rate encryption
• VLAN tag in clear option
• Supports point-to-point and point-to-multipoint configurations
• Typically done by hardware (ASIC/PHY) – line-rate throughput
[Figure: MACsec routers at each site encrypt and decrypt; encrypted data crosses the EVCs of the L2 service provider (Metro Ethernet) network]
How is WAN MACsec different from LAN MACsec?
                  LAN MACsec           WAN MACsec
Device            Switch               Router
Topology          Point to point       Point to multipoint (central campus/DC to Branches 1-3 across the WAN)
802.1Q tag        VLAN tag encrypted   VLAN tag in clear

How is WAN MACsec different from LAN MACsec? VLAN Tag in Clear
Original MACsec:
Eth (14) | 802.1AE (8-16) | 802.1Q (4) | ETYPE (2) | PAYLOAD | ICV (8-16) | CRC (4)
  Authenticated: Eth through PAYLOAD. Encrypted: 802.1Q through PAYLOAD.
MACsec ClearTag (VLAN), new in IOS XE 3.14:
Eth (14) | 802.1Q (4) | 802.1AE (8-16) | ETYPE (2) | PAYLOAD | ICV (8-16) | CRC (4)
  Authenticated: Eth and the clear 802.1Q tag through PAYLOAD. Encrypted: ETYPE and PAYLOAD.
802.1Q tag = TPID 0x8100 (2 B) | CoS (3 b) | CFI (1 b) | VLAN ID (12 b)
Leaving the tag in the clear is what lets the provider's E-LINE/E-LAN service switch on the customer VLAN; the cost is that VLAN IDs and CoS markings are visible to anyone on the path, even though the data behind them is not.
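An added frame dissector (constructed example, not from the deck or any Cisco code) that makes the two layouts on this page concrete: it locates the 802.1AE SecTAG in either the LAN layout from the "MACsec Tag Format" slide earlier (802.1Q inside the protected body) or the WAN ClearTag layout above (802.1Q ahead of the SecTAG), decodes TCI/AN, SL, PN and the optional SCI, reports which byte ranges are authenticated versus encrypted and how much overhead the tag and ICV add, and models the receiver's packet-number replay check from the "Replay protection mode: STRICT" line of the verification output. The sample frames are built locally with a placeholder all-zero ICV; no keys or cryptography are involved, and the rekey margin in the replay checker is an assumed value, not a Cisco threshold.

```python
"""Dissect IEEE 802.1AE (MACsec) frames, LAN layout or WAN ClearTag layout, and
model the per-SA packet-number replay check. Constructed frames, dummy ICV."""
import struct

MACSEC_ETHERTYPE = 0x88E5
DOT1Q_ETHERTYPE = 0x8100
ICV_LEN = 16                      # GCM-AES ICV used here; 802.1AE allows 8-16 bytes


def parse_macsec_frame(frame: bytes) -> dict:
    """Return SecTAG fields plus (start, end) ranges of authenticated and encrypted bytes."""
    if len(frame) < 14 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    off, clear_vlan = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == DOT1Q_ETHERTYPE:                   # ClearTag: 802.1Q outside the SecTAG
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        clear_vlan = {"cos": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    sectag_start = off
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, off + 2)
    flags = {"v": tci_an >> 7, "es": (tci_an >> 6) & 1, "sc": (tci_an >> 5) & 1,
             "scb": (tci_an >> 4) & 1, "e": (tci_an >> 3) & 1, "c": (tci_an >> 2) & 1}
    if flags["v"] != 0 or (flags["es"] and flags["sc"]):
        raise ValueError("invalid TCI: version must be 0 and ES/SC are mutually exclusive")
    if pn == 0:
        raise ValueError("PN 0 is never valid")
    off += 8
    sci = None
    if flags["sc"]:                                     # explicit 8-byte SCI (system MAC || port)
        sci = frame[off:off + 8]
        off += 8
    body_start, body_end = off, len(frame) - ICV_LEN
    short_len = sl & 0x3F                               # SL is only set for bodies under 48 bytes
    if short_len and body_end - body_start != short_len:
        raise ValueError("SL=%d but body is %d bytes" % (short_len, body_end - body_start))
    return {
        "dmac": frame[0:6].hex(), "smac": frame[6:12].hex(), "clear_vlan": clear_vlan,
        "flags": flags, "an": tci_an & 0x03, "pn": pn, "sci": sci.hex() if sci else None,
        "sectag_len": body_start - sectag_start,
        "overhead": body_start - sectag_start + ICV_LEN,  # bytes MACsec adds to the frame
        "authenticated": (0, body_end),                   # the ICV covers everything before it
        "encrypted": (body_start, body_end) if flags["e"] else None,   # E=0: integrity only
        "body": frame[body_start:body_end], "icv": frame[body_end:],
    }


class ReplayChecker:
    """802.1AE receive-side replay check for one secure association: a PN below
    nextPN - window is dropped. window=0 is IOS 'Replay protection mode: STRICT'.
    The standard keeps no bitmap, so with window > 0 a duplicate inside the
    window is accepted; that is why strict mode is the secure setting."""
    PN_MAX = 0xFFFFFFFF

    def __init__(self, window: int = 0):
        self.window = window
        self.next_pn = 1

    def accept(self, pn: int) -> bool:
        lowest = max(1, self.next_pn - self.window)
        if pn < lowest:
            return False
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True

    def rekey_needed(self, margin: int = 0x10000000) -> bool:
        """The SAK must be replaced before the 32-bit PN wraps (assumed margin)."""
        return self.next_pn > self.PN_MAX - margin


def build_frame(dmac, smac, body, pn, an=0, sci=None, encrypt=True, clear_vlan=None):
    """Construct a MACsec frame with a placeholder all-zero ICV (test input only)."""
    hdr = dmac + smac
    if clear_vlan is not None:
        hdr += struct.pack("!HH", DOT1Q_ETHERTYPE, clear_vlan)
    tci_an = (0x20 if sci else 0x40) | (0x0C if encrypt else 0) | (an & 3)   # SC or ES, E+C
    sl = len(body) if len(body) < 48 else 0
    return hdr + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"") \
        + body + b"\x00" * ICV_LEN


if __name__ == "__main__":
    lan = build_frame(b"\x01\x00\x5e\x00\x00\x01", b"\x00\x50\x56\x9c\x00\x08",
                      b"\x81\x00\x03\x87\x08\x00" + b"\xaa" * 40, pn=7, an=1,
                      sci=b"\x00\x50\x56\x9c\x00\x08\x00\x01")          # 802.1Q inside the body
    wan = build_frame(b"\x00\x1e\x7a\x00\x00\x02", b"\x00\x1e\x7a\x00\x00\x01",
                      b"\x08\x00" + b"\xbb" * 60, pn=1, clear_vlan=(5 << 13) | 903)  # ClearTag
    for f in (lan, wan):
        r = parse_macsec_frame(f)
        print("vlan", r["clear_vlan"], "AN", r["an"], "PN", r["pn"],
              "overhead", r["overhead"], "encrypted", r["encrypted"])
```

The overhead figures the parser reports (24 bytes without SCI, 32 with) are the numbers behind the "~40 bytes" L2 MTU budget on the considerations slide, and the window-mode replay behaviour is the reason to leave the uplinks at STRICT.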
When do I Need WAN MACsec?
[Figure: central campus/DC connected to Regional Hub1 and Regional Hub2 over the WAN with MACsec; IPsec sites and branch/DC sites reach the enterprise network over the Internet with IPsec]
• MACsec targeted customers: high throughput, limited by hardware scale
• IPsec targeted customers: high scale, limited by aggregate throughput
WAN MACsec strengths: high throughput + line-rate encryption (hardware encryption), more services enablement, simple configuration
WAN MACsec considerations: limited scale; requires a MetroE circuit (EVCs)
WAN MACsec and IPsec Comparison
Category                  WAN MACsec                                                      IPsec
Market positioning        1. Aggregate deployments such as regional hubs                  1. Small branches
                          2. Large branches that require high throughput                  2. High-scale deployments
                          3. Data center interconnects                                    3. Low-throughput branches
                                                                                          4. Beyond MetroE (international) reach
Link requirement          Requires dedicated MetroE EVC circuits for L2 connectivity      Easily routable over many commonly available public networks
                          between sites
Encryption performance    Per PHY link speed (1G, 10G, 40G, 100G)                        Constrained by IPsec crypto engine performance
Services enablement       No impact to encryption throughput                              Impacts encryption throughput
Peer scale                Limited by hardware resources                                   Highly scalable
Throughput                Up to line rate on each port (limited only by the forwarding    Aggregate throughput (limited by the encryption throughput)
                          capability)
Configurability           Simple configuration                                            More complex configuration and policy choices
Layer 3 visibility for    No: except the Layer 2 headers (and optionally VLAN/MPLS        Visible: L3 info can be used for monitoring & policy
monitoring                labels) everything else is encrypted                            enforcement purposes
NAT environment           L3 header is not accessible                                     Works in a NAT environment
WAN MACsec and GETVPN Comparison
WAN MACsec (hub with PTP or E-LINE, PTMP or E-LAN; overlay routing, data plane encryption):
• E-LINE requires all traffic to go through the hub; E-LAN spokes can communicate directly
• Flexible QoS policy selected by the customer
• E-LINE requires per-peer keys; E-LAN uses one key per system
• Client IP addressing hidden from the provider
GETVPN (group key server; native routing, data plane encryption):
• Any WAN transport, IP or MPLS, on private WANs only
• BGP and static routing with the provider; the provider routes traffic between sites
• No tunnels for site-to-site connectivity; less control plane overhead traffic
• Multicast replication in the provider network
• Single group key for all sites
• Client IP addressing exposed to the provider
Other attributes listed on the slide: Ethernet hand-off with minimal peering; easy multi-homing designs; provider blackhole protection; static known IP addresses versus dynamic unknown IP addresses.
What Service do I Need to Enable WAN MACsec? Metro Ethernet Forum (MEF) Ethernet Service Types
WAN MACsec Deployment Scenarios
• Point to Point – E-LINE Service
  • CE to CE
  • Hub and Spoke
• Multi-Point – E-LAN Service
  • Hub and Spoke
  • Multipoint to Multipoint

Point to Point – E-LINE Service (CE to CE, Hub and Spoke)
MKA Keying (802.1X-2010)

Use Case 1: Point to Point E-LINE Service, Point to Point SA Configuration
• Ethernet service: point-to-point PW service (no MAC address lookup); port-mode or 802.1Q offering
• MACsec-enabled interface: physical, or sub-interface (802.1Q)
• Customer use cases: secure CE – CE link, DC interconnect
[Figure: branch site CE and central campus/DC CE joined by a carrier Ethernet E-LINE (P2P) service; one MKA session, one MACsec flow and one MKA key between the two MACsec interfaces]

Use Case 2: Point to Point E-LINE Service, Point to Point SA Configuration – Hub and Spoke
• Same E-LINE service: a point-to-point pseudowire from each branch site CE to the central campus/DC CE, with a point-to-point SA per pseudowire
• MACsec-enabled interface: physical, or sub-interface (802.1Q)
• Customer use cases: secure CE – CE link, DC interconnect

Use Case 3: Point to Point E-LINE Service, Point to Point SA Configuration – Mix of MACsec & Non-MACsec Spokes
• Same E-LINE service: hub CE1 at the central campus/DC with branch CEs CE2, CE3 and CE4, some with MACsec and some without
• MACsec-enabled interface: physical, or sub-interface (802.1Q)
• Customer use cases: secure CE – CE link, DC interconnect, migration

P2P Router Peering Model When Using E-LINE Service
• More of an edge/core network deployment option
• Connection model is full/partial mesh via 802.1Q sub-interface service
• Analogous to ATM VCs and channelized SONET
• Physical view: each CE has an Ethernet sub-interface with 802.1Q support into the carrier Ethernet E-LINE (P2P) pseudowire service. Logical view: routers peer per VLAN sub-interface per pseudowire.
Multi-Point - E-LAN Service
- Hub and Spoke
- Multipoint to Multipoint
Use Case 4: E-LAN Service (VPLS Service) – Point to Point SA Configuration – Hub and Spoke
MKA Keying (802.1X-2010)
[Diagram: Central Campus / DC CE (Enterprise Network) as hub, two Branch Site CEs (Enterprise Network) as spokes, all attached to the Carrier Ethernet Service, E-LAN (multi-pt)]
Ethernet Service
• Multi-Point service (typically VPLS)
• Port-mode, or 802.1Q offering
MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)
Customer Use Cases
• Secure: CE – CE link, DC Interconnect
Use Case 5: E-LAN Service (VPLS Service) – Point to Point SA Configuration – Hub and Spoke, Spoke to Spoke
MKA Keying (802.1X-2010)
[Diagram: Central Campus / DC CE (Enterprise Network) and two Branch Site CEs (Enterprise Network) attached to the Carrier Ethernet Service, E-LAN (multi-pt), with hub-to-spoke and spoke-to-spoke sessions]
Ethernet Service
• Multi-Point service (typically VPLS)
• Port-mode, or 802.1Q offering
MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)
Customer Use Cases
• Secure: CE – CE link, DC Interconnect
P2MP Router Peering Model When Using E-LAN Service
• Aimed more at Branch network deployments
• Routers appear as part of a single “flat” Ethernet domain
• Caution required as IP Peering is N – 1 (N = router nodes)
• SP will dictate either port-mode (no .1Q tag) or router sending .1Q tag
• Less complex configuration
[Diagram: Physical View – four CEs attached to the Carrier Ethernet Service, E-LAN (multi-pt); Logical View – routers in one flat Ethernet bridge domain, router peering is N – 1]
Use Cases & Config CLIs
Port-based E-LINE Service (P2P)
Use Case 1: Point to Point E-LINE Service – Point to Point SA Configuration
Port Based E-LINE (Point-to-Point), a.k.a. Ethernet Private Line (EPL)
MKA Keying (802.1X-2010)
[Diagram: CE1 (Central Campus / DC, Enterprise Network) and CE2 (Branch Site, Enterprise Network) connected by a P2P EVC across the Metro Ethernet Network / Carrier Ethernet Service, E-LINE (P2P); legend: MKA Session, MACsec Flow, MKA Key, MACsec Interface]
MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)
Defaults
MKA default policy:
• Cipher suite: AES-128-CMAC
• Key server priority: 0
• Confidentiality offset: 0
MACsec default parameters:
• Dot1q-in-clear 0
• Access-control must-secure
• Replay-protection-window-size 64
• Cipher suite: GCM-AES-128
Default Keychain parameters:
• Lifetime: Unlimited
CE1/CE2 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
Note: * is mandatory CLI
VLAN-based E-LINE Service (P2P) – Only MACsec Sub-Interfaces
Use Case 2: Point to Point E-LINE Service – Point to Point SA Configuration – Hub and Spoke
VLAN Based E-LINE (Point-to-Point), a.k.a. Ethernet Virtual Private Line (EVPL)
MKA Keying (802.1X-2010)
[Diagram: CE1 (Central Campus / DC, Enterprise Network) as hub; CE2 and CE3 (Branch Sites, Enterprise Network) as spokes, each reached over its own P2P EVC across the Metro Ethernet Network / Carrier Ethernet Service, E-LINE (P2P)]
MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)
CE2 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
CE1 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
Note: * is mandatory CLI
VLAN-based E-LINE Service (P2P) – Mix of MACsec and Non-MACsec Sub-Interfaces
Use Case 2: Point to Point E-LINE Service – Point to Point SA Configuration – Hub and Spoke
VLAN Based E-LINE (Point-to-Point), a.k.a. Ethernet Virtual Private Line (EVPL)
MKA Keying (802.1X-2010)
[Diagram: CE1 (Central Campus / DC, Enterprise Network) as hub; CE2, CE3 and CE4 (Branch Sites, Enterprise Network) as spokes, each over its own P2P EVC across the Metro Ethernet Network / Carrier Ethernet Service, E-LINE (P2P); CE4 is not MACsec enabled]
MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)
CE2 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec access-control should-secure*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
CE1 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec access-control should-secure*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.3
 encapsulation dot1Q 30
 ip address 10.3.3.1 255.255.255.0
Note: * is mandatory CLI
Port-based E-LAN Service (P2MP)
Use Case 3: Port Based E-LAN (Point-to-MultiPoint), a.k.a. Ethernet Private LAN (EP-LAN)
[Diagram: CE1, CE2 and CE3 joined by P2MP EVCs across the Metro Ethernet Network]
Defaults
MKA default parameters:
• Key server priority: 0
• Confidentiality offset: 0
MACsec default parameters:
• Dot1q-in-clear 0
• Access-control must-secure
• Replay-protection-window-size 64
Default Keychain parameters:
• Lifetime: Unlimited
CE1/CE2/CE3 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 mka policy p1
 macsec*
Note: * is mandatory CLI
Router Peering Model for E-LAN Services (VPLS Service)
• Aimed more at Branch network deployments
• Routers appear as part of a single “flat” Ethernet domain
• Caution required as IP Peering is N – 1 (N = router nodes)
• Multicast replication is done in the “Core” of the network
• SP will dictate either port-mode (no .1Q tag) or router sending .1Q tag
• Less complex configuration
[Diagram: Physical View – CE1, CE2, CE3 and CE4 attached to the Carrier Ethernet Service, E-LAN (multi-pt); Logical View – one flat Ethernet bridge domain, router peering is N – 1]
VLAN-based E-LAN Service (P2MP)
Use Case 4: VLAN Based E-LAN (Point-to-MultiPoint), a.k.a. Ethernet Virtual Private LAN (EVP-LAN)
Example 1: one VLAN/Subinterface
[Diagram: CE1, CE2 and CE3 joined by P2MP EVCs across the Metro Ethernet Network, all on VLAN 10]
CE1 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 eapol destination-address broadcast
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
CE2/CE3 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
 eapol destination-address broadcast
Note: * is mandatory CLI
Multiple VLAN-based E-LAN Services (P2MP)
Example 2: two VLANs/Subinterfaces
[Diagram: CE1 hub joined to CE2 and CE3 on VLAN 10 and to CE4 and CE5 on VLAN 20 by P2MP EVCs across the Metro Ethernet Network]
CE1 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
CE2/CE3 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
CE4/CE5 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
Note: * is mandatory CLI
Mix of VLAN-based E-LINE and E-LAN Services (P2P & P2MP)
Example 3: VLAN/Subinterfaces
[Diagram: CE1 and CE2 joined on VLAN 10 by a P2P EVC; CE2, CE3 and CE4 joined on VLAN 20 by P2MP EVCs across the Metro Ethernet Network]
CE1 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
CE2 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
key chain k2 macsec*
 key 01
  key-string 12345678901234567890123456789012
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k2*
 mka policy p1
 macsec*
CE3/CE4 Config
key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 mka policy p1
 macsec*
Note: * is mandatory CLI
Configurable MKA, MACsec & Key Chain CLIs and Parameters
MKA Global Policy Configurable CLIs
  key-server priority: 0 to 64 (default: 0)
  macsec-cipher-suite: gcm-aes-128 | gcm-aes-256 (default: macsec-cipher-suite gcm-aes-128)
  confidentiality-offset: 0, 30, 50 (default: 0)
MACsec Interface Configurable CLIs
  macsec replay-protection-window-size: 0-x (default: 64)
  macsec access-control: must-secure | should-secure (default: must-secure)
  macsec dot1q-in-clear: 0, 1 (default: 0)
  macsec eapol destination-address: H.H.H (any MAC address) | bridge-group-address | lldp-multicast-address | broadcast (default: 01:80:c2:00:00:03)
Keychain Global Configurable CLIs
  key: key id
  cryptographic-algorithm: aes-128-cmac | aes-256-cmac (default: cryptographic-algorithm aes-128-cmac)
  key-string: hex characters (default: NA)
  lifetime: hh:mm:ss, local (time in local time zone) (default: unlimited)
Monitoring and Troubleshooting
Monitoring and Troubleshooting – Show CLIs
MACsec
  show macsec summary
  show macsec statistics interface <int>
  show macsec status interface <int>
MKA
  show mka sessions
  show mka sessions detail
  show mka sessions interface < > port < > detail
  show mka policy <MKA Policy NAME>
Monitoring and Troubleshooting – Show CLI Sample Output
R2#show macsec summary
MACsec Capable Interface Extension
---------------------------------------------
TenGigabitEthernet0/0/1 One tag-in-clear
GigabitEthernet0/0/1 One tag-in-clear
MACsec Enabled Interface Receive SC VLAN
-----------------------------------------------------
GigabitEthernet0/0/1.10 : 8 10
R2#
R2#show macsec status int gi0/0/1.10
Capabilities:
Validate Frames: Strict
Ciphers Supported: GCM-AES-128 GCM-AES-256
Include SCI: Yes
Cipher: GCM-AES-128
Confidentiality Offset: 0
Transmit SC:
SCI: 0022BDEF43830014
Transmitting: TRUE
Transmit SA:
Next PN: 1712
Receive SC:
Receiving: TRUE
Receive SA:
In Use: TRUE
Next PN: 1731
R2#
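A parser and health check for the show macsec status output above, added here as an example and not part of the session material. It assumes the indentation IOS XE prints for nested sections and the 32-bit packet number (PN) of the non-XPN GCM-AES cipher suites, so an SA nearing PN exhaustion is flagged before the SAK rekey is forced.

```python
# Constructed sample: the slide's R2 'show macsec status' output, re-typed with IOS XE's indentation.
SAMPLE_STATUS = """\
Capabilities:
  Validate Frames: Strict
  Ciphers Supported: GCM-AES-128 GCM-AES-256
  Include SCI: Yes
Cipher: GCM-AES-128
Confidentiality Offset: 0
Transmit SC:
  SCI: 0022BDEF43830014
  Transmitting: TRUE
  Transmit SA:
    Next PN: 1712
Receive SC:
  Receiving: TRUE
  Receive SA:
    In Use: TRUE
    Next PN: 1731
"""

PN_MAX = 2**32 - 1  # assumption: 32-bit packet number of the non-XPN GCM-AES suites

def parse_macsec_status(text):
    """Flatten the output into {'Section/Field': value}; unindented fields keep their name."""
    status, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not value:                      # 'Transmit SA:' opens a (sub)section
            section = key
        elif raw == raw.lstrip():          # unindented, e.g. 'Cipher: GCM-AES-128'
            status[key] = value
        else:
            status[f"{section}/{key}"] = value
    return status

def check_session(status, expected_cipher="GCM-AES-128", rekey_warn=0.75):
    """Return operator findings; an empty list means the SAs look healthy."""
    findings = []
    if status.get("Transmit SC/Transmitting") != "TRUE":
        findings.append("transmit SC not active")
    if status.get("Receive SA/In Use") != "TRUE":
        findings.append("no receive SA in use: peer is not sending MACsec frames")
    if status.get("Cipher") != expected_cipher:
        findings.append(f"cipher {status.get('Cipher')} differs from expected {expected_cipher}")
    if status.get("Capabilities/Validate Frames") != "Strict":
        findings.append("frame validation is not Strict")
    for sa in ("Transmit SA", "Receive SA"):   # PN exhaustion forces a SAK rekey
        used = int(status.get(f"{sa}/Next PN", 0)) / PN_MAX
        if used > rekey_warn:
            findings.append(f"{sa} has used {used:.0%} of the PN space")
    return findings
```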
Monitoring and Troubleshooting – Debug CLIs
debug mka events/errors/packets
  Usage: troubleshooting MKA session bring-up issues
debug mka linksec-interface
  Usage: troubleshooting MKA keep-alive issues
debug platform software macsec info/error
  Usage: MACsec info/error debugging
Monitoring and Troubleshooting – Syslog Messages
WAN MACsec Considerations
Scale & Performance
• 1GE interface: max 8 peers per interface
• 10GE interface: max 32 peers per interface
• Linerate performance, but may be limited by system throughput
• Linerate performance minus the overhead, ~32 bytes
Feature Interoperability
• MACsec with EtherChannel (link bundling) is not supported
• MACsec with TrustSec (SGT inline transport over Ethernet) config is not supported
Best Practices
1. Ensure basic Layer 2 connectivity is established before enabling MACsec
2. Ensure Out of Band connectivity exists to remote site to avoid locking yourself out
3. Use access control “should-secure” only during migration or when a mix of secured and unsecured traffic is expected
4. Configure WAN interface MTU, adjusting for MACsec overhead, ~32 bytes
Key Takeaways
Underlying Transport determines Encryption choices
MACsec provides better protection with Less Overhead
Linerate performance 1G/10G/40G/100G etc…
LAN MACsec – Available on most products
WAN MACsec - First in the Industry
Next Gen encryption technology
Ease of Config & Use
References
LAN MACsec Supported Platforms
Platform | EAP/SAP/128, PSK/SAP/128
Nexus 7000 M1 line-cards | Yes
Nexus 7000 M2 line-cards | Yes
Catalyst 6500/6800 (Sup-2T/6900 Series line-cards) | Yes
Catalyst 4500-X | Yes
Catalyst 4500-E (Sup-7E & 8E) | Yes
Catalyst 3560-X/3750-X | Yes
Catalyst 5760/3850/3650 | Yes
C3KX-SM-10G Module for Catalyst 3KX | Yes
SM-X Layer 2/3 EtherSwitch Module for ISR | Yes
WAN MACsec Supported Platforms
Platform | PSK/MKA 128/256
ASR 1001-X | Yes
2-Port Gigabit Ethernet WAN NIM (NIM-2GE-CU-SFP) for ISR4xxx Series | Yes
References
Cisco TrustSec 3.0 How-To Guide: Introduction to MACSec and NDAC
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/how_to_intro_macsec_ndac_guide.pdf
Configuring MACsec Encryption
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf
MACSEC and MKA Configuration Guide, Cisco IOS XE Release 3S
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-3s/macsec-xe-3s-book.html
Other relevant session:
BRKRST-2309
Introduction to WAN MACSec - Aligning Encryption Technologies with WAN Transport
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @Kuralvanan
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could Be a Winner
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
MACsec CLI Behavior & Restrictions
“macsec dot1q-in-clear” and “macsec access-control must-secure/should-secure” can only be configured on the main interface, and the setting is automatically inherited by the sub-interfaces. Due to a hardware restriction this behavior cannot be changed.
“mka policy”, “macsec replay-protection-window” and “eapol destination-address” can be configured on the main and/or sub-interface; the value is automatically inherited by the sub-interfaces when configured on the main interface. Explicit configuration on a sub-interface overrides the inherited value or policy for that sub-interface.
Note
“macsec access-control must-secure/should-secure” controls how unencrypted packets are processed:
- “should-secure” allows unencrypted packets to be transmitted and received on the main interface or sub-interfaces.
- “must-secure” does not allow transmit or receive of unencrypted packets on the main interface or sub-interfaces and drops the packet.
- If a mix of “macsec” and non-macsec sub-interfaces co-exist, then “should-secure” config is a must.
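A configuration lint that encodes the restrictions above together with the best practice on “should-secure”: main-interface-only commands, the mandatory key chain on every MACsec interface, “should-secure” required when MACsec and non-MACsec sub-interfaces are mixed, and “should-secure” flagged when all sub-interfaces are already secured. This is an added example, not Cisco code; the config it checks is constructed from the slides' CE1 hub sample with one deliberate gap on the .2 sub-interface.

```python
from collections import defaultdict

# Constructed config modelled on the slides' CE1 hub with mixed sub-interfaces (slide key string reused).
SAMPLE_CONFIG = """\
key chain k1 macsec
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1
 macsec access-control must-secure
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 mka pre-shared-key key-chain k1
 macsec
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 macsec
interface GigabitEthernet0/0/4.3
 encapsulation dot1Q 30
"""

def parse_interfaces(config):
    """Map each interface name to its indented config lines, whitespace stripped."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None                      # left the interface block (e.g. key chain)
    return interfaces

def lint_macsec(config):
    """Apply the slide's CLI restrictions and return human-readable findings."""
    ifs, findings, subs = parse_interfaces(config), [], defaultdict(list)
    for name, lines in ifs.items():
        if "." in name:
            subs[name.split(".")[0]].append(name)
            if any(l.startswith(("macsec dot1q-in-clear", "macsec access-control")) for l in lines):
                findings.append(f"{name}: dot1q-in-clear/access-control are main-interface only")
        if "macsec" in lines and not any(l.startswith("mka pre-shared-key key-chain") for l in lines):
            findings.append(f"{name}: 'macsec' without 'mka pre-shared-key key-chain'")
    for main, children in subs.items():
        main_lines = ifs.get(main, [])
        secured = [c for c in children if "macsec" in ifs[c]]
        if secured and "macsec dot1q-in-clear 1" not in main_lines:
            findings.append(f"{main}: MACsec sub-interfaces need 'macsec dot1q-in-clear 1'")
        should = "macsec access-control should-secure" in main_lines
        if secured and len(secured) < len(children) and not should:
            findings.append(f"{main}: mixed MACsec/non-MACsec sub-interfaces need 'should-secure'")
        if should and len(secured) == len(children):
            findings.append(f"{main}: all sub-interfaces secured; 'should-secure' is for migration only")
    return findings
```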