Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring MACsec over an MPLS CCC on MX Series Routers

This example shows how to enable MACsec to secure sensitive traffic traveling from a user at one site to a user at another site over a basic MPLS CCC.

Requirements

This example uses the following hardware and software components:

  • Three MX Series routers used as the PE and provider routers in the MPLS network

  • One MX Series router used as the CE router connecting site A to the MPLS network

  • One MX240, MX480, or MX960 router with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E) used as the CE router connecting site B to the MPLS network

  • Junos OS Release 15.1R1 or later running on all MX Series routers in the MPLS network (PE1, PE2, or the provider router)

  • Junos OS Release 15.1R1 or later running on the CE router at site A and the CE router at site B

Overview and Topology

In this example, financially-sensitive company data is often sent between a user at site A and a user at site B. The company wants to ensure that all network traffic traveling from the user at site A to the user at site B is highly secure and cannot be viewed or corrupted by an attacker. The company is using the industry-standard Layer 2 security provided by MACsec, which provides encryption to ensure data cannot be viewed by attackers and integrity checks to ensure transmitted data is not corrupted, to secure all traffic traveling on the CCC through the MPLS cloud connecting the sites. VLANs are configured at both sites to ensure traffic traveling between the two users traverses the sites over the MACsec-secured CCC.

The MPLS network in this example includes two provider edge (PE) routers—PE1 and PE2—and one provider (transit) router. PE1 connects the customer edge (CE) router at site A to the MPLS network and PE2 connects the CE router at site B to the MPLS network. MACsec is enabled on the CCC connecting the CE routers at site A and site B to secure traffic traveling between the sites over the CCC. A VLAN that includes the interfaces that connect the users to the CE routers, interface ge-0/0/0 on the CE router at site A and interface ge-0/0/2 on the CE router at site B, and the interfaces that connect the CE routers to the MPLS cloud (ge-0/0/0 on the site A CE router and xe-0/1/0 on the site B CE router), is used to direct all traffic between the users onto the MACsec-secured CCC.

Table 1 provides a summary of the MPLS network components in this topology.

Table 2 provides a summary of the MACsec connectivity association used in this topology. MACsec is enabled by creating a connectivity association on the interfaces at each end of a link. MACsec is enabled when the interfaces at each end of the link exchange pre-shared keys—the pre-shared keys are defined in the connectivity association—to secure the link for MACsec.

Table 3 provides a summary of the bridge domain and VLAN IDs used in this topology. The VLAN is used in this topology to direct all communication from the user at site A to the user at site B onto the MACsec-secured CCC.

Table 1: Components of the MPLS Topology
Component Description

PE1

PE router.

lo0:

  • IP address: 130.1.1.1/32

  • Participates in OSPF and RSVP.

ge-0/0/0:

  • Customer edge interface connecting site A to the MPLS network.

  • CCC connecting to xe-0/1/1 on PE2.

ge-0/0/1:

  • Core interface connecting PE1 to the provider router.

  • IP address: 10.1.5.2/24

  • Participates in OSPF, RSVP, and MPLS.

Provider

Provider router.

lo0:

  • IP address: 130.1.1.2/32

  • Participates in OSPF and RSVP.

ge-0/0/10:

  • Core interface connecting the provider router to PE1.

  • IP address: 10.1.5.1/24

  • Participates in OSPF, RSVP, and MPLS.

xe-0/0/0:

  • Core interface connecting the provider router to PE2.

  • IP address: 10.1.9.1/24

  • Participates in OSPF, RSVP, and MPLS.

PE2

PE router.

lo0:

  • IP address: 130.1.1.3/32

  • Participates in OSPF and RSVP.

xe-0/1/0

  • Core interface connecting PE2 to the provider router.

  • IP address: 10.1.9.2/24

  • Participates in OSPF, RSVP, and MPLS.

xe-0/1/1

  • Customer edge interface connecting site B to the MPLS network.

  • CCC connecting to ge-0/0/0 on PE1.

lsp_to_pe2_xe1 label-switched path

Label-switched path from PE1 to PE2.

lsp_to_pe1_ge0 label-switched path

Label-switched path from PE2 to PE1.

Table 2: MACsec Connectivity Association Summary
Connectivity Association Description

ccc-macsec

Connectivity association enabling MACsec on CCC connecting site A to site B.

The connectivity association is enabled on the following interfaces:

  • Site A CE router: ge-0/0/0

  • Site B CE router: xe-0/1/0

Table 3: Bridge Domains Summary
Bridge Domain Description

macsec

VLAN directing traffic between the user at site A and the user at site B onto the MACsec-secured CCC.

The bridge domain includes the following interfaces:

  • Site A CE router: ge-0/0/0

  • Site A CE router: ge-0/0/1

  • Site B CE router: xe-0/1/0

  • Site B CE router: ge-0/0/2

Configuring MPLS

This section explains how to configure MPLS on each router in the MPLS network.

It includes the following sections:

Configuring MPLS on PE1

CLI Quick Configuration

To quickly configure the MPLS configuration on the PE1 router, use the following commands:

Step-by-Step Procedure

To configure MPLS on router PE1:

  1. Configure OSPF with traffic engineering enabled:

  2. Configure OSPF on the loopback address and the core interfaces:

  3. Configure MPLS on this router, PE1, with an LSP to the PE2 router:

  4. Configure MPLS on the core interfaces:

  5. Configure RSVP on the loopback interface and the core interfaces:

  6. Configure IP addresses for the loopback interface and the core interfaces:

  7. Configure family mpls on the logical unit of the core interface addresses:

  8. Configure the logical unit of the customer edge interface as a CCC:

  9. Configure the interface-based CCC from PE1 to PE2:

Results

Display the results of the configuration:

Configuring MPLS on the Provider Router

CLI Quick Configuration

To quickly configure the MPLS configuration on the provider router, use the following commands:

Step-by-Step Procedure

To configure the provider router:

  1. Configure OSPF with traffic engineering enabled:

  2. Configure OSPF on the loopback interface and the core interfaces:

  3. Configure MPLS on the core interfaces on the router:

  4. Configure RSVP on the loopback interface and the core interfaces:

  5. Configure IP addresses for the loopback interface and the core interfaces:

  6. Configure family mpls on the logical unit of the core interface addresses:

  7. Configure the LSP to the PE2 router:

Results

Display the results of the configuration:

Configuring MPLS on PE2

CLI Quick Configuration

To quickly configure the MPLS configuration on router PE2, use the following commands:

Step-by-Step Procedure

To configure router PE2:

  1. Configure OSPF with traffic engineering enabled:

  2. Configure OSPF on the loopback interface and the core interface:

  3. Configure MPLS on this router (PE2) with a label-switched path (LSP) to the other PE router (PE1):

  4. Configure MPLS on the core interface:

  5. Configure RSVP on the loopback interface and the core interface:

  6. Configure IP addresses for the loopback interface and the core interface:

  7. Configure family mpls on the logical unit of the core interface:

  8. Configure the logical unit of the customer edge interface as a CCC:

  9. Configure the interface-based CCC between the primary edge routers:

Results

Display the results of the configuration:

Configuring MACsec

This section explains how to configure MACsec on each router in the topology.

It includes the following sections:

Configuring MACsec on the Site A CE Router to Secure Traffic to Site B

CLI Quick Configuration

Step-by-Step Procedure

In this example, the traffic between the users that often exchange financially-sensitive data is sent between the sites on a CCC through the MPLS cloud. MACsec is enabled on the CCC by configuring a MACsec connectivity association on the interfaces on the site A and site B CE routers that connect to the MPLS PE routers. The connectivity associations must have matching connectivity-association names (in this example, ccc-macsec), matching CKNs (in this example, 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311), and CAKs (in this example, 228ef255aa23ff6729ee664acb66e91f) in order to establish a MACsec-secure connection.

To enable MACsec on the CCC connecting site A to site B, perform the following procedure on the site A CE router:

  1. Create the connectivity association named ccc-macsec, and configure the MACsec security mode as static-cak:

  2. Create the pre-shared key by configuring the CKN and CAK:

  3. Assign the connectivity association to the interface connecting to the PE1 router:

    This completes the steps for configuring the connectivity association on one end of the CCC. MACsec is not enabled until a connectivity association with matching pre-shared keys is enabled on the opposite end of a link, which in this case is the interface on the site B CE router, of the CCC. The process for configuring the connectivity association on the site B CE router is described in the following section.

Results

Display the results of the configuration:

Configuring MACsec on the Site B CE Router to Secure Traffic to Site A

CLI Quick Configuration

Step-by-Step Procedure

Traffic travels from site B to site A over the MPLS network using a CCC. MACsec is enabled on the CCC by configuring a MACsec connectivity association on the interfaces on the site A and site B CE routers that connect to the MPLS PE routers. The connectivity associations must have matching connectivity-association names (in this example, ccc-macsec), matching CKNs (37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311), and matching CAKs (228ef255aa23ff6729ee664acb66e91f) in order to establish a MACsec-secure connection.

To enable MACsec on the CCC connecting site B to site A, perform the following procedure on the site B CE router:

  1. Create the connectivity association named ccc-macsec, and configure the MACsec security mode as static-cak:

  2. Create the pre-shared key by configuring the CKN and CAK:

  3. Assign the connectivity association to the interface connecting to router PE2:

    MACsec is enabled for the CCC after the pre-shared keys are exchanged, which is shortly after this procedure is completed.

Results

Display the results of the configuration:

Configuring VLANs to Direct Traffic onto the MACsec-Secured CCC

This section explains how to configure VLANs on the site A and site B CE routers. The purpose of the VLANs is to direct traffic that you want to be MACsec-secured onto the MACsec-secured CCC.

Configuring the Bridge Domain to Direct Traffic to the MACsec CCC on the Site A CE Router

CLI Quick Configuration

Step-by-Step Procedure

To create a bridge domain (VLAN ID 50) that directs traffic from the user at site A onto the MACsec-secured CCC:

  1. Configure the ge-0/0/0 interface with VLAN encapsulation and the bridge family.

  2. Configure the ge-0/0/2 interface with VLAN encapsulation and the bridge family.

  3. Define the macsec bridge domain and associate the interfaces, ge-0/0/0 and ge-0/0/2, with the bridge domain.

  4. Create the IP address for the macsec bridge domain:

Results

Display the results of the configuration:

Configuring the Bridge Domain to Direct Traffic to the MACsec CCC on the Site B CE Router

CLI Quick Configuration

Step-by-Step Procedure

To create a bridge domain (VLAN ID 50) to direct traffic for the user at site B onto the MACsec-secured CCC:

  1. Configure the xe-0/1/0 interface with VLAN encapsulation and the bridge family.

  2. Configure the ge-0/0/2 interface with VLAN encapsulation and the bridge family.

  3. Define the macsec bridge domain and associate the interfaces, xe-0/1/0 and ge-0/0/2, with the bridge domain.

  4. Create the IP address for the macsec bridge domain:

Results

Display the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the MACsec Connection

Purpose

Verify that MACsec is operational on the CCC.

Action

Enter the show security macsec connections command on one or both of the customer edge (CE) switches.

Meaning

The Interface name: and CA name: outputs shows that the ccc-macsec connectivity association is operational on interface ge-0/0/0. The output does not appear when the connectivity association is not operational on the interface.

For additional verification that MACsec is operational on the CCC, you can also enter the show security macsec connections command on the other CE switch.

Verifying That MACsec-Secured Traffic Is Traversing the CCCs

Purpose

Verify that traffic traversing the CCC is MACsec-secured.

Action

Enter the show security macsec statistics command on one or both of the CE switches.

Meaning

The Encrypted packets line under the Secure Channel transmitted output is incremented each time a packet is sent from the interface that is secured and encrypted by MACsec. The Encrypted packets output shows that 9784 encrypted and secured packets have been transmitted from interface ge-0/0/0. MACsec-secured traffic is, therefore, being sent on interface ge-0/0/0.

The Accepted packets line under the Secure Association received output is incremented each time a packet that has passed the MACsec integrity check is received on the interface. The Decrypted bytes line under the Secure Association received output is incremented each time an encrypted packet is received and decrypted. The output shows that 9791 MACsec-secured packets have been received on interface ge-0/0/0, and that 2823555 bytes from those packets have been successfully decrypted. MACsec-secured traffic is, therefore, being received on interface ge-0/0/0.

For additional verification, you can also enter the show security macsec statistics command on the other CE switch.

Verifying That the MPLS and CCC Protocols Are Enabled on the Provider Edge and Provider Switch Interfaces

Purpose

Verify that MPLS is enabled on the correct interfaces for the PE and provider switches.

Action

Enter the show interfaces terse command on both of the PE routers and the provider switch:

Meaning

The output confirms that the MPLS protocol is up for the provider switch interfaces passing MPLS traffic—xe-0/0/0 and ge-0/0/10—and on the PE router interfaces passing MPLS traffic, which is interface ge-0/0/1 on the PE1 switch and interface xe-0/1/0 on the PE2 router.

The output also confirms that CCC is enabled on the PE router interfaces facing the CE switches, which are interface ge-0/0/0 on the PE1 switch and interface xe-0/1/1 on the PE2 router.

Verifying MPLS Label Operations

Purpose

Verify which interface is being used as the beginning of the CCC and which interface is being used to push the MPLS packet to the next hop.

Action

Enter the show route forwarding-table family mpls on one or both of the PE routers.

Meaning

This output confirms that the CCC is configured on interface ge-0/0/0.0. The switch receives ingress traffic on ge-0/0/1.0 and pushes label 299952 onto the packet, which exits the switch through interface ge-0/0/1.0. The output also shows that when the switch receives an MPLS packet with label 299856, it pops the label and sends the packet out through interface ge-0/0/0.0

For further verification of MPLS label operations, enter the show route forwarding-table family mpls on the other PE router.

Verifying the Status of the MPLS CCCs

Purpose

Verify that the MPLS CCCs are operating.

Action

Enter the show connections command on the PE routers.

The show connections command displays the status of the CCC connections. This output verifies that the CCC interfaces and their associated transmit and receive LSPs are Up on both PE routers.

Verifying OSPF Operation

Purpose

Verify that OSPF is running.

Action

Enter the show ospf neighbor command the provider or the PE routers, and check the State output.

Meaning

The State output is Full on all interfaces using OSPF, so OSPF is operating.

For further verification on OSPF, enter the show ospf neighbor command on the PE routers in addition to the provider switch.

Verifying the Status of the RSVP Sessions

Purpose

Verify the status of the RSVP sessions.

Action

Enter the show rsvp session command, and verify that the state is up for each RSVP session.

Meaning

The State is Up for all connections, so RSVP is operating normally.

For further verification, enter the show rsvp session on the PE routers in addition to the provider router.