Configuring MACsec
You can configure MACsec to secure the point-to-point Ethernet links that connect your device with MACsec-capable MICs. Each point-to-point Ethernet link that you want to secure with MACsec must be configured independently. You can enable MACsec on device-to-device links by using the static connectivity association key (CAK) security mode.
Customizing the time
To customize the time, disable NTP and set the date.
Configuring MACsec on a device running Junos OS
To configure MACsec on a device running Junos OS:
Configuring static MACsec with ICMP traffic
To configure static MACsec using ICMP traffic between devices R0 and R1:
On R0:
On R1:
Create the pre-shared key by configuring the connectivity association key name (CKN) and the connectivity association key (CAK).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
Set the traceoptions values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
Assign tracing to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
Enable secure MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka should-secure
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
Configuring MACsec with a keychain using ICMP traffic
To configure MACsec with a keychain using ICMP traffic between devices R0 and R1:
On R0:
To configure MACsec with a keychain for ICMP traffic:
On R1:
Assign a tolerance value to the authentication keychain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
Create the secret password that you want to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
Set the traceoptions values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
Assign tracing to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
Enable secure MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
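The static-CAK and keychain procedures above both hinge on values that a typo silently weakens: a CAK whose length does not match the cipher suite, a CKN that is not valid hex, a connectivity association that names a keychain that was never defined, or a keychain whose start-times do not increase with the key id. The following Python linter is an added example, not Juniper's code; it parses "set" lines in the form shown on this page and reports those mismatches before commit. It assumes gcm-aes-128 as the default cipher suite when none is configured (16-byte CAK, 32 bytes for gcm-aes-256), and its sample configuration is constructed from this page's values.

```python
import re
from datetime import datetime
# Constructed sample built from the values on this page (hypothetical, not a real
# deployment): a static pre-shared CAK association and a keychain association.
SAMPLE_CONFIG = """
set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
set security macsec connectivity-association CA2 pre-shared-key-chain macsec-kc1
set security macsec connectivity-association CA2 cipher-suite gcm-aes-256
set security authentication-key-chains key-chain macsec-kc1 tolerance 20
set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
"""

# CAK bytes per cipher suite; gcm-aes-128 is assumed as the default when none is configured.
CAK_BYTES = {"gcm-aes-128": 16, "gcm-aes-256": 32}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse(config):
    # Collect connectivity associations and key chains from Junos 'set' lines.
    cas, chains = {}, {}
    for line in config.strip().splitlines():
        w = line.split()
        if w[:4] == ["set", "security", "macsec", "connectivity-association"]:
            ca = cas.setdefault(w[4], {})
            if w[5] == "pre-shared-key":
                ca[w[6]] = w[7]  # stores the 'ckn' or 'cak' value
            elif w[5] in ("pre-shared-key-chain", "cipher-suite"):
                ca[w[5]] = w[6]
        elif w[:4] == ["set", "security", "authentication-key-chains", "key-chain"]:
            chain = chains.setdefault(w[4], {"keys": {}})
            if w[5] == "tolerance":
                chain["tolerance"] = int(w[6])
            elif w[5] == "key" and w[7] == "start-time":
                chain["keys"][int(w[6])] = datetime.strptime(w[8], "%Y-%m-%d.%H:%M")
    return cas, chains

def lint(config):
    # Return a list of findings; an empty list means every check passed.
    cas, chains = parse(config)
    findings = []
    for name, ca in cas.items():
        suite = ca.get("cipher-suite", "gcm-aes-128")
        want = 2 * CAK_BYTES.get(suite, 0)  # 0 makes any CAK fail for an unknown suite
        cak = ca.get("cak")
        if cak is not None and (not HEX.match(cak) or len(cak) != want):
            findings.append(f"{name}: CAK must be {want} hex digits for {suite}")
        ckn = ca.get("ckn")
        if ckn is not None and (not HEX.match(ckn) or len(ckn) > 64 or len(ckn) % 2):
            findings.append(f"{name}: CKN must be an even count of hex digits, at most 64")
        chain = ca.get("pre-shared-key-chain")
        if chain is not None and chain not in chains:
            findings.append(f"{name}: references undefined key-chain {chain}")
    for name, chain in chains.items():
        if "tolerance" not in chain:
            findings.append(f"{name}: no tolerance configured for key rollover")
        times = [t for _, t in sorted(chain["keys"].items())]
        if any(a >= b for a, b in zip(times, times[1:])):
            findings.append(f"{name}: key start-times must increase with the key id")
    return findings
```

Run lint() over the "set" lines exported from a candidate configuration (with the prompts stripped); the keychain secrets entered through the prompt command never appear in those lines, so this check covers names, lengths and schedule only.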
Configuring static MACsec for Layer 2 traffic
To configure static MACsec for Layer 2 traffic between devices R0 and R1:
On R0:
On R1:
Create the secret password that you want to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
Set the traceoptions values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
Assign tracing to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
Enable secure MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2 100
Configuring MACsec with a keychain for Layer 2 traffic
To configure MACsec with a keychain for ICMP traffic between devices R0 and R1:
On R0:
On R1:
Assign a tolerance value to the authentication keychain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
Create the secret password that you want to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
Set the traceoptions values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
Assign tracing to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
Enable secure MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2 100