Configuring MACsec
SUMMARY
Configure MACsec
You can configure MACsec to secure point-to-point Ethernet links that connect an ACX5448-M to MACsec-capable MICs. Each point-to-point Ethernet link that you want to secure with MACsec must be configured independently. You can enable MACsec on device-to-device links using static connectivity association key (CAK) security mode.
On the ACX5448-M, MACsec is supported only on the forty-four 10-Gigabit or 1-Gigabit Ethernet ports. In this section, these ports are used for configuring MACsec.
- Customizing Time
- Configuring MACsec on a Device Running Junos OS
- Configuring Static MACsec with ICMP Traffic
- Configuring MACsec with keychain using ICMP Traffic
- Configuring Static MACsec for Layer 2 Traffic
- Configuring MACsec with keychain for Layer 2 Traffic
Customizing Time
To customize time, disable NTP and set the date.
Configuring MACsec on a Device Running Junos OS
To configure MACsec on a device running Junos OS:
Configuring Static MACsec with ICMP Traffic
To configure Static MACsec using ICMP traffic between device R0 and device R1:
In R0:
In R1:
- Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
- Set the trace option values.
  [edit]
  crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
  crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
  crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to an interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA transmit interval.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable should-secure mode for MKA and include the secure channel identifier (SCI) in MACsec frames.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka should-secure
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface and configure an IP address on that interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
  crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
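The static-CAK procedure above depends on two things the CLI does not check for you: the CKN and CAK must be identical on both ends of the link, and the CAK length must match the cipher suite in use. The following Python script is an added example, not code from the page or from Juniper: it validates a CKN/CAK pair, renders the connectivity-association commands for R0 and R1 from one set of inputs, and confirms that the two sides agree on everything except the interface binding. The CAK-length table (32 hex digits for the 128-bit suites, 64 for the 256-bit suites), the default cipher suite of gcm-aes-128, and the interface names xe-0/0/0 and xe-0/0/1 are assumptions; the CKN and CAK values are the ones the page uses.

```python
"""Added example (not from the Juniper page): validate a static-CAK MACsec
pre-shared key and render the matching Junos set commands for both peers.

Assumptions, labelled as such: the CAK length per cipher suite follows the
documented Junos requirement (32 hex digits for the 128-bit suites, 64 for the
256-bit suites); gcm-aes-128 is the default suite; interface names are
placeholders.
"""
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Hex digits the CAK must have for each cipher suite (assumed Junos requirement).
CAK_HEX_LEN = {
    "gcm-aes-128": 32, "gcm-aes-xpn-128": 32,
    "gcm-aes-256": 64, "gcm-aes-xpn-256": 64,
}

# Values taken from the page's static-CAK procedure.
PAGE_CKN = "2345678922334455667788992223334445556667778889992222333344445555"
PAGE_CAK = "23456789223344556677889922233344"


def check_psk(ckn, cak, cipher_suite="gcm-aes-128"):
    """Return a list of problems; an empty list means the pair is usable."""
    problems = []
    if cipher_suite not in CAK_HEX_LEN:
        problems.append(f"unknown cipher suite {cipher_suite}")
    if not HEX_RE.fullmatch(ckn):
        problems.append("CKN is not a hex string")
    elif len(ckn) % 2 or not 2 <= len(ckn) <= 64:
        problems.append("CKN must be 1..32 bytes, i.e. an even count of up to 64 hex digits")
    if not HEX_RE.fullmatch(cak):
        problems.append("CAK is not a hex string")
    elif cipher_suite in CAK_HEX_LEN and len(cak) != CAK_HEX_LEN[cipher_suite]:
        problems.append(f"CAK must be {CAK_HEX_LEN[cipher_suite]} hex digits for "
                        f"{cipher_suite}, got {len(cak)}")
    if HEX_RE.fullmatch(cak) and len(set(cak.lower())) < 4:
        problems.append("CAK has almost no entropy (repeated digits)")
    return problems


def static_cak_commands(ca, ckn, cak, interface, cipher_suite="gcm-aes-128",
                        offset=30, transmit_interval=3000, include_sci=True):
    """Render the connectivity association and its interface binding as set commands."""
    base = f"set security macsec connectivity-association {ca}"
    cmds = [
        f"{base} pre-shared-key ckn {ckn}",
        f"{base} pre-shared-key cak {cak}",
        f"{base} offset {offset}",
        f"{base} security-mode static-cak",
        f"{base} mka transmit-interval {transmit_interval}",
        f"{base} mka should-secure",
    ]
    if cipher_suite != "gcm-aes-128":      # the default suite needs no explicit line
        cmds.append(f"{base} cipher-suite {cipher_suite}")
    if include_sci:
        cmds.append(f"{base} include-sci")
    cmds.append(f"set security macsec interfaces {interface} connectivity-association {ca}")
    return cmds


def peer_configs(ca, ckn, cak, r0_interface, r1_interface, cipher_suite="gcm-aes-128"):
    """Both ends must carry the identical CKN/CAK and CA settings; only the
    interface binding differs. Raises ValueError on an unusable key pair."""
    problems = check_psk(ckn, cak, cipher_suite)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "R0": static_cak_commands(ca, ckn, cak, r0_interface, cipher_suite),
        "R1": static_cak_commands(ca, ckn, cak, r1_interface, cipher_suite),
    }


def peers_match(r0_cmds, r1_cmds):
    """True when every CA-level line (everything except the interface binding)
    is identical on both peers. A mismatch here commits cleanly on both boxes
    but MKA never reaches the secured state, so check it before committing."""
    def ca_lines(cmds):
        return {c for c in cmds if not c.startswith("set security macsec interfaces")}
    return ca_lines(r0_cmds) == ca_lines(r1_cmds)


if __name__ == "__main__":
    cfg = peer_configs("CA1", PAGE_CKN, PAGE_CAK, "xe-0/0/0", "xe-0/0/1")  # placeholder interfaces
    for router, cmds in cfg.items():
        print(f"--- {router} ---")
        print("\n".join(cmds))
    print("peers match:", peers_match(cfg["R0"], cfg["R1"]))
```

Running the script prints the R0 and R1 command sets and a final `peers match: True`; feeding it the page's 32-digit CAK together with `cipher_suite="gcm-aes-256"` raises, which is the mistake the later keychain sections avoid by using 64-digit secrets.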
Configuring MACsec with keychain using ICMP Traffic
To configure MACsec with keychain using ICMP traffic between device R0 and device R1:
In R0:
In R1:
- Assign a tolerance value to the authentication key chain.
  [edit]
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
  [edit]
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
  Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
  [edit]
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
  New cak (secret):
  Retype new cak (secret):
- Associate the preshared keychain name with the connectivity association, set the offset, and select the cipher suite.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
  [edit]
  crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
  crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
  crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to an interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Include the secure channel identifier (SCI) in MACsec frames.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface and configure an IP address on that interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
  crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
Configuring Static MACsec for Layer 2 Traffic
To configure static MACsec for Layer 2 traffic between device R0 and device R1:
In R0:
In R1:
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
  [edit]
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
  New cak (secret):
  Retype new cak (secret):
  For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
- Associate the preshared keychain name with the connectivity association, set the offset, and select the cipher suite.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
  [edit]
  crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
  crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
  crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to an interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Include the secure channel identifier (SCI) in MACsec frames.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging on both interfaces.
  [edit]
  crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
  crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
  crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
  crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
  crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
  crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
  crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
  crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
  [edit]
  crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
  crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
  crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1 100
  crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2 100
Configuring MACsec with keychain for Layer 2 Traffic
To configure MACsec with keychain for Layer 2 traffic between device R0 and device R1:
In R0:
In R1:
- Assign a tolerance value to the authentication key chain.
  [edit]
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
  [edit]
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
  crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
  Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
  [edit]
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
  New cak (secret):
  Retype new cak (secret):
  crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
  New cak (secret):
  Retype new cak (secret):
- Associate the preshared keychain name with the connectivity association and select the cipher suite.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
  [edit]
  crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
  crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
  crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to an interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
  crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Include the secure channel identifier (SCI) in MACsec frames.
  [edit]
  crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
  [edit]
  crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging on both interfaces.
  [edit]
  crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
  crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
  crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
  crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
  crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
  crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
  crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
  crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
  [edit]
  crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
  crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
  crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1 100
  crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2 100
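Both keychain procedures (this Layer 2 one and the ICMP-traffic one earlier) hinge on the device clock that the Customizing Time step sets by hand: each key becomes active at its start-time, so a clock difference between R0 and R1 is absorbed only by the tolerance value. The script below is an added example, not code from the page or from Juniper. It rebuilds the page's eight-key chain, checks the properties a commit does not enforce (distinct key-names, distinct secrets, a 64-hex-digit CAK for gcm-aes-256), renders the set commands with the secrets left to the prompt command, and models which key ids are accepted at a given clock reading. The rollover model (the latest started key is active, and the previous key is still accepted for tolerance seconds after a rollover) is a simplified assumption about Junos behaviour rather than its exact semantics; the CAK-length table is assumed; the per-key secrets are constructed from the page's example value so that every key gets its own CAK.

```python
"""Added example (not from the Juniper page): build, validate and simulate
the MACsec authentication key chain the page configures (8 keys, start times
two minutes apart, tolerance 20, cipher-suite gcm-aes-256).

Assumptions, labelled as such: the 256-bit suite needs a 64-hex-digit CAK and
the 128-bit suite 32; the key with the latest start-time that is not in the
future is active and, for `tolerance` seconds after a rollover, the previous
key is still accepted (a simplified model of the Junos tolerance setting);
the per-key secrets are constructed from the page's example value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")
START_FMT = "%Y-%m-%d.%H:%M"          # Junos start-time format, e.g. 2018-03-20.20:35
CAK_HEX_LEN = {"gcm-aes-128": 32, "gcm-aes-256": 64}   # assumed Junos requirement

# Page values: the key-names share this 63-digit prefix plus the digits 1..8,
# and the page shows one example secret.
PAGE_PREFIX = "234567892233445566778899222333444555666777888999222233334444555"
PAGE_SECRET = "2345678922334455667788992223334123456789223344556677889922233341"


@dataclass(frozen=True)
class KeyEntry:
    key_id: int
    key_name: str        # used as the CKN
    secret: str          # used as the CAK; never rendered into a set command
    start_time: datetime


def parse_clock(text):
    """Accept 'YYYY-MM-DD.HH:MM' (the Junos form) or 'YYYY-MM-DD.HH:MM:SS'."""
    for fmt in (START_FMT, START_FMT + ":%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"bad clock value {text!r}")


def page_keychain():
    """The page's eight keys. Secrets are constructed: the page's example value
    with its last digit replaced by the key id, so every key has its own CAK."""
    first = parse_clock("2018-03-20.20:35")
    return [KeyEntry(i, PAGE_PREFIX + str(i + 1), PAGE_SECRET[:-1] + str(i),
                     first + timedelta(minutes=2 * i)) for i in range(8)]


def validate_keychain(entries, cipher_suite="gcm-aes-256"):
    """Return the problems that would let the chain commit but fail or weaken
    in operation; an empty list means the chain is acceptable."""
    need = CAK_HEX_LEN[cipher_suite]
    problems = []
    for label, values in (("key ids", [e.key_id for e in entries]),
                          ("key-names (CKN)", [e.key_name for e in entries]),
                          ("secrets", [e.secret for e in entries])):
        if len(set(values)) != len(values):
            problems.append(f"duplicate {label}")
    for e in entries:
        if not HEX_RE.fullmatch(e.key_name) or len(e.key_name) > 64 or len(e.key_name) % 2:
            problems.append(f"key {e.key_id}: key-name must be an even count of up to 64 hex digits")
        if not HEX_RE.fullmatch(e.secret) or len(e.secret) != need:
            problems.append(f"key {e.key_id}: secret must be {need} hex digits for {cipher_suite}")
    ordered = sorted(entries, key=lambda e: e.start_time)
    for a, b in zip(ordered, ordered[1:]):
        if a.start_time == b.start_time:
            problems.append(f"keys {a.key_id} and {b.key_id} share a start-time")
    return problems


def keychain_commands(name, entries, tolerance, ca, cipher_suite="gcm-aes-256"):
    """Render the chain and its binding to a connectivity association. Secrets
    are entered with `prompt`, so they never appear in a command line."""
    kc = f"set security authentication-key-chains key-chain {name}"
    cmds = [f"{kc} tolerance {tolerance}"]
    for e in sorted(entries, key=lambda e: e.key_id):
        cmds.append(f"{kc} key {e.key_id} key-name {e.key_name}")
        cmds.append(f"{kc} key {e.key_id} start-time {e.start_time.strftime(START_FMT)}")
        cmds.append(f"prompt security authentication-key-chains key-chain {name} key {e.key_id} secret")
    ca_base = f"set security macsec connectivity-association {ca}"
    cmds += [f"{ca_base} pre-shared-key-chain {name}",
             f"{ca_base} cipher-suite {cipher_suite}",
             f"{ca_base} security-mode static-cak"]
    return cmds


def accepted_keys(entries, now, tolerance):
    """Key ids honoured at `now` under the simplified model: the active key,
    plus the previous one during the tolerance window after a rollover."""
    started = sorted((e for e in entries if e.start_time <= now), key=lambda e: e.start_time)
    if not started:
        return []
    ids = [started[-1].key_id]
    if len(started) > 1 and now < started[-1].start_time + timedelta(seconds=tolerance):
        ids.append(started[-2].key_id)
    return ids


if __name__ == "__main__":
    chain = page_keychain()
    print("problems:", validate_keychain(chain) or "none")
    print("\n".join(keychain_commands("macsec-kc1", chain, 20, "CA1")))
    for clock in ("2018-03-20.20:34", "2018-03-20.20:37:10", "2018-03-20.20:37:30", "2018-03-21.00:00"):
        print(clock, "->", accepted_keys(chain, parse_clock(clock), 20))
```

Before the first start-time no key is accepted at all, which is why the page's procedure sets the clock before it configures the chain; after the last key (20:49) the chain never rolls again, so a production chain needs start-times that run ahead of the deployment window.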