Cisco MACsec Solution Design and Deployment for a Secure...


Transcript of Cisco MACsec Solution Design and Deployment for a Secure...

Page 1: Cisco MACsec Solution Design and Deployment for a Secure ...d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKCRS-2892.pdf · SAP MSK CAK SAK MACsec Key Agreement –defined in IEEE 802.1XREV-2010
Page 2: Cisco MACsec Solution Design and Deployment for a Secure Enterprise

Kural Arangasamy

Technical Marketing Engineer

BRKCRS-2892

[email protected]

Page 3: Agenda

• MACsec Overview
• Need for a Layer 2 Encryption Technology
• Part 1: MACsec Encryption in the Campus & Data Center
  • Deployment Use Cases
  • Config Examples
• Part 2: MACsec Encryption over the Metro-E WAN
  • WAN Deployment Use Cases
  • Config Examples
• Best Practices

Page 4: Encryption

• What is Encryption?
Encryption is defined as: "cryptographically modifying plaintext into ciphertext with an encryption algorithm, so that the data can only be read once it is decrypted."

• Why do I need Encryption?
Privacy & Data Confidentiality
Regulatory / Compliance Requirements

Page 5: Regulatory / Compliance Requirements

Refer to PCI DSS v3.0 sections 4.1 & 8.2.1

Refer to HIPAA section 4

Page 6: Authentication vs Encryption

What happens if I have Authentication but not Encryption?
802.1X only ensures user authentication. Without encryption, data confidentiality is compromised: anyone tapping the path between the authenticated user, the 802.1X servers and the WAN can read the traffic ("I can see everything").
Rogue APs can extend the attack outside the physical perimeter.
Rogue users with physical access can monitor and spoof.

[Diagram: Authenticated User (Kural Arangasamy) – LAN – 802.1X Servers – WAN, with an eavesdropper on the wire.]

Page 7: Sample Packet Capture (without Encryption)

Page 8: Network Security Today for LAN

• End-to-end encryption technologies, e.g. IPsec
• Network devices have no visibility into the traffic
• Cannot enforce policies, QoS, etc.
• Typically done in software – not scalable
• Goal is to encrypt data on the wire

[Diagram: the host encrypts and the far end decrypts; the switches in between forward encrypted data and have no visibility into it.]

Page 9: Network Security Today for WAN

• Encrypted Virtual Private Network (VPN) technologies over public cloud, e.g. DMVPN
• Higher scalability – 1000s of branches
• Typically done by software / crypto engine – lower performance / throughput
• Goal is to encrypt data on the public cloud

[Diagram: VPN routers encrypt at one edge and decrypt at the other; the WAN carries encrypted data.]

Page 10: What is MACsec?

• Layer 2 Encryption Technology

• IEEE 802.1AE Standard

• Connectionless data confidentiality and integrity for media access independent protocols

Page 11: Benefits of MACsec

• IEEE 802.1AE Standards based

• Line Rate Layer 2 Encryption

• Hardware PHY encryption

• Deployment Flexibility (Hop-by-Hop Encryption)

Page 12: Where do I Need MACsec? End to End MACsec

[Diagram: Campus (Cat3Kx, Cat4K Sup7E/8E and 4500X, Cat6K, Cat3850/Cat3650, WLC 2500/5500, WLC 5760*), Data Center (Cat3850/3650, UCS servers), WAN edge (ASR1K), Metro Ethernet Network, Branch (ISR with SM-X Ethernet module) and a host running Cisco AnyConnect, with the numbered MACsec links below.]

1. Host-to-Switch
2. Wireless AP to Switch
3. Switch-to-Switch
4. Wireless Controller-to-Switch
5. Router-to-Switch
6. Router-to-Router over WAN
7. Router-to-Switch in a Branch
8. Router-to-Router in a DCI
9. Server-to-Switch in Data Center

* Roadmap

Page 13: MACsec – Campus Use Cases Summary

#1- Host-to-Switch
#2- Between Sites or Buildings (Main Building 1 and Buildings 2, 3 and 4 over the campus LAN)
#3- Between Floors in a Multi-tenancy Enterprise Network (Floors 1, 2 and 3)

Page 14: MACsec – Data Center Use Cases Summary

#1- Data Center Interconnect (DC1 to DC2 over Metro E-LINE)
#2- Server-to-Switch (inside the DC)

Page 15: MACsec – WAN Use Cases Summary

#1- Data Center Interconnect (DC1 to DC2 over Metro E-LINE)
#2- Campus Interconnect (Main Building 1 and Buildings 2, 3 and 4 over Metro E-LAN / E-Line)
#3- Hub-Spoke (Head Office to Branches 1, 2 and 3 over Metro E-LINE / E-LAN)

* Roadmap

Page 16: LAN MACsec

Page 17: What is LAN MAC Security (MACsec)?

• Encryption mitigates packet eavesdropping, tampering, and injection
• Supports 802.1AE-based strong encryption technology
• 128-bit AES-GCM, NIST-approved, 10Gb line-rate encryption
• Hop-by-hop encryption supports data and packet inspection
• Works in shared media environments (IP Phones, Desktops)

[Diagram: downlink MACsec between hosts and the access switch and uplink MACsec between switches; every link carries encrypted data, but because each hop decrypts, the switches have visibility.]

Page 18: When do I absolutely need LAN MACsec? Host-to-Switch MACsec

• Customer conference rooms, or remote offices/branches
• Customer, Partner or Industry events

Physical security and end user awareness can also mitigate these threats.

Page 19: When do I absolutely need LAN MACsec? Switch-to-Switch MACsec

• Between Buildings
• Between Two Sites (Location A to Location B over dark fiber)
• Financial Institutions
• Multi-Tenant Buildings

Page 20: How does LAN MACsec Work? MACsec Tag Format

DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
802.1AE Header (SecTAG) = MACsec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)

Encrypted: everything from the 802.1Q tag through the payload.
Authenticated: everything from DMAC through the payload, by the ICV.

Frames are encrypted and protected with an integrity check value (ICV).
MACsec EtherType is 0x88e5.
No impact to IP MTU/fragmentation: the overhead is added below the IP layer.
L2 frame MTU impact: ~40 bytes (an 8- or 16-byte SecTAG depending on whether the SCI is carried, the 16-byte ICV, and the 8-byte CMD header when SGTs are propagated) = less than a baby giant frame (~1600 bytes with 1552 bytes MTU).

Page 21: MACsec Jargon

Acronym – Definition
MKA – MACsec Key Agreement, defined in IEEE 802.1X-2010 (the 802.1XREV revision): a key agreement protocol for discovering MACsec peers and negotiating keys.
SAP – Security Association Protocol, a Cisco pre-standard key agreement protocol similar to MKA.
MSK – Master Session Key, generated during the EAP exchange. Supplicant and authentication server use the MSK to generate the CAK.
CAK – Connectivity Association Key, derived from the MSK. The CAK is a long-lived master key used to generate all other keys used for MACsec.
SAK – Secure Association Key, derived from the CAK. The SAK is the key used by supplicant and switch to encrypt traffic for a given session.

Page 22: LAN MACsec (Host-to-Switch)

Page 23: Host-to-Switch MACsec

• Encryption between end station and switch
• Frame is tagged at egress & untagged at ingress

[Diagram: downlink MACsec from hosts to the access switch and uplink MACsec between switches; each device encrypts on egress and decrypts on ingress.]

Page 24: What is Host-to-Switch MACsec? (a.k.a. Downlink MACsec)

Encryption between end station and switch. The frame is tagged at egress & untagged at ingress.

[Diagram: an 802.1X supplicant with MACsec forms a MACsec link to the MACsec-capable switch and its data is encrypted; a supplicant without MACsec is still an authenticated user, but its data is sent in the clear.]

Page 25: What do I Need to Enable Host-to-Switch MACsec?

• Supplicant: a client that runs on the endpoint, manages MACsec key negotiation and encrypts packets. Encryption may be done in software or in hardware (if the NIC supports it). Example: AnyConnect 3.0. Role: Authentication, Key Exchange, Encryption.
• Authenticator: the switch that relays the Supplicant's credentials to the Authentication Server and enforces the network access policy. Must be capable of MACsec key negotiation and packet encryption; requires special hardware to support MACsec at line rate. Role: Access Control, Key Exchange, Encryption.
• Authentication Server: a RADIUS server that validates the Supplicant's credentials and determines what network access the Supplicant should receive. Distributes master keying material to the supplicant and switch. Optionally defines the MACsec policy to be applied to a particular endpoint. Role: Authentication, Master Key Distribution, Policy Management.

Page 26: How do I Enable Host-to-Switch MACsec? Switch Configuration Example

Global configuration commands (802.1X global config):

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
radius-server host 172.28.103.178 key cisco123
radius-server vsa send authentication

Page 27: How do I Enable Host-to-Switch MACsec? Switch Configuration Example

Interface configuration commands:

interface GigabitEthernet4/1
 description AnyConnect Interface to MACsec XP 1
 switchport access vlan 903
 switchport mode access
 authentication priority dot1x
 authentication port-control auto
 macsec
 dot1x pae authenticator
 mka default-policy
 spanning-tree portfast
 authentication linksec policy should-secure

"macsec" enables 802.1AE on the port and "mka default-policy" attaches the default MKA policy. The linksec policy default is "should-secure"; the other options are "must-not-secure" and "must-secure".

Page 28: How do I Enable Host-to-Switch MACsec? AnyConnect 3.0 Client Configuration Example

For "Should-Secure":
• Set Key Management to MKA
• Set Encryption to MACsec
• Set Port Authentication Exception Policy to "Prior to Authentication Initiation"

Note: AnyConnect is a software-based MACsec client for PCs; Intel NIC hardware-based MACsec is also available.

Page 29: How do I Enable Host-to-Switch MACsec? ISE Server Configuration Example

Policy > Policy Elements > Results

Page 30: How do I Verify MACsec is Enabled? Before – "Just Dot1X"

RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
           IP Address:  10.3.1.200
            User-Name:  cisco
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0301010000000B0ADAA4C0
      Acct Session ID:  0x0000000D
               Handle:  0xC800000C

Runnable methods list:
       Method   State
       dot1x    Authc Success

MACsec status: "Security Status: Unsecure" – the port is unsecured. 802.1X succeeded, but no MACsec session was established.

Page 31: How do I Verify MACsec is Enabled? After the Fact

RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
           IP Address:  10.3.1.200
            User-Name:  blackbird
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Must Secure
      Security Status:  Secured
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A030101000000080551CE18
      Acct Session ID:  0x00000009
               Handle:  0x02000009

Runnable methods list:
       Method   State
       dot1x    Authc Success

MACsec status: "Security Status: Secured" – the port is secured.
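The two show outputs above are the whole story of whether a port actually encrypts, so a practitioner will want to check them across many ports rather than by eye. Below is an added example, not part of the presentation, that parses "show authentication session" output and lists every session whose Security Status is not "Secured"; the embedded sample is the two outputs from these slides joined together.

```python
"""Added example, not from the presentation: parse 'show authentication session'
output and flag sessions whose traffic is not MACsec-protected.  The sample output
below is the 'before' and 'after' text from the slides, joined together."""
import re
from typing import Dict, List, Tuple

SHOW_OUTPUT = """\
RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
           IP Address:  10.3.1.200
            User-Name:  cisco
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
    Common Session ID:  0A0301010000000B0ADAA4C0
      Acct Session ID:  0x0000000D
               Handle:  0xC800000C

Runnable methods list:
       Method   State
       dot1x    Authc Success

RAFALE#show authentication session interface gigabitEthernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  0050.569c.0008
           IP Address:  10.3.1.200
            User-Name:  blackbird
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Must Secure
      Security Status:  Secured
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
    Common Session ID:  0A030101000000080551CE18
      Acct Session ID:  0x00000009
               Handle:  0x02000009

Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

# "Key: value" lines; the prompt, the 'Method State' header and blank lines do not match
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\S.*)?$")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Group 'Key: value' lines into one dict per session; 'Interface:' starts a new one."""
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or m.group(2) is None:
            continue                       # skip prompts, headers and valueless lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Interface":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def audit(sessions: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(interface, user, policy, status) for every session that is not 'Secured'.
    Under 'Should Secure' this is the silent clear-text fallback; under 'Must Secure'
    it would mean the policy is not being enforced and deserves a closer look."""
    findings = []
    for s in sessions:
        status = s.get("Security Status", "unknown")
        if status != "Secured":
            findings.append((s.get("Interface", "?"), s.get("User-Name", "?"),
                             s.get("Security Policy", "?"), status))
    return findings


if __name__ == "__main__":
    for iface, user, policy, status in audit(parse_sessions(SHOW_OUTPUT)):
        print(f"{iface}: user {user}, policy '{policy}' -> {status}")
```

Feed it the output of "show authentication sessions interface ... details" collected from each switch and the findings list is the set of ports that authenticated but are sending clear text.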

Page 32: Troubleshooting

Problem 1: Session is unsecured
Typical cause: the endpoint does not support MACsec (under "should-secure" the port falls back to clear text)

Problem 2: Unable to establish a session
Typical causes: endpoint with invalid credentials; MACsec policy is "must-secure" and the endpoint cannot complete MKA, so the port is blocked

Page 33: LAN MACsec – Under the Covers

Page 34: Downlink MACsec: Under the Covers

Parties: AnyConnect 3.0 (supplicant), Authenticator (switch), ISE.

IEEE 802.1X – Authentication and Master Key Distribution
1. EAP start: Authenticator -> Supplicant: EAPoL EAP Request-Identity
2. EAP negotiation: Supplicant -> Authenticator: EAPoL EAP-Response (blackbird); Authenticator -> ISE: RADIUS Access-Request [AVP: EAP-Response: blackbird]; ISE -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request: PEAP], and the EAP method runs to completion
3. EAP success: ISE -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: EAP Key Name] [AVP: CAK]; Authenticator -> Supplicant: EAP Success

MKA – Session Key Agreement
4. MKA negotiation: EAPoL-MKA: Key Server; EAPoL-MKA: MACsec Capable
5. SA key exchange: EAPoL-MKA: Key Name, SAK; EAPoL-MKA: SAK Installed

MACsec – Session Secure
6. Data encrypted: Encrypted Data in both directions with AES-GCM-128

Page 35: Downlink MACsec: Under the Covers – Master Key Derivation

1. Supplicant and ACS/ISE derive the CAK from the EAP exchange: EAP -> MSK -> CAK on both sides (derive CAK from MSK).
2. ACS/ISE sends the CAK to the switch in the RADIUS Access-Accept [AVP: EAP Key Name] [AVP: CAK].
3. The switch generates the SAK from the CAK (derive SAK from CAK).

Page 36: Downlink MACsec: Under the Covers – SAK Distribution

3. The switch derives the SAK from the CAK.
4. The SAK is encrypted (wrapped) with a key-encrypting key derived from the CAK and sent to the supplicant in an EAPoL-MKA frame (Encrypted SAK).
5. The supplicant decrypts it and installs the same SAK.
The SAK is used to encrypt traffic on the wire; the intent is to end up with the same SAK on the switch port and on the supplicant.
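Steps 4 and 5 on page 34 and the SAK distribution just described all travel in EAPOL-MKA PDUs. As an added example that is not part of the presentation, the code below builds and decodes such a PDU following the IEEE 802.1X-2010 layout: the Key Server flag, MACsec capability and CAK Name (the "Key Name") in the Basic Parameter Set, a Live Peer List, and a Distributed SAK parameter set carrying the wrapped SAK. The CKN, member identifiers, wrapped SAK and ICV are constructed placeholders; the code decodes structure and does not unwrap the SAK or verify the ICV.

```python
"""Added example (not from the presentation): build and decode an EAPOL-MKA PDU
(MKPDU) per IEEE 802.1X-2010.  The wrapped SAK and ICV are placeholder bytes,
so this decodes structure only; it does not unwrap the SAK or verify the ICV."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

EAPOL_VERSION, EAPOL_TYPE_MKA, MKA_VERSION = 3, 5, 1
ALGORITHM_AGILITY = bytes.fromhex("0080C201")      # IEEE 802.1X-2009 key derivation
PS_LIVE_PEER_LIST, PS_DISTRIBUTED_SAK, PS_ICV = 1, 4, 255
ICV_LEN = 16


@dataclass
class Mkpdu:
    key_server: bool
    key_server_priority: int
    macsec_desired: bool
    macsec_capability: int      # 0 none, 1 integrity only, 2 +confidentiality, 3 +conf. offsets
    sci: bytes
    member_id: bytes            # 12-byte random Member Identifier (MI)
    message_number: int         # MN: replay protection for MKPDUs
    ckn: bytes                  # CAK Name, the "Key Name" on the slides
    live_peers: List[Tuple[bytes, int]] = field(default_factory=list)
    distributed_sak: Optional[Dict[str, object]] = None
    icv: bytes = b""


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)          # parameter sets are padded to 4 octets


def _param_set(ptype: int, octet2: int, body: bytes) -> bytes:
    """Header: type, type-specific octet, 12-bit body length (high nibble in octet 3)."""
    return struct.pack("!BBBB", ptype, octet2, len(body) >> 8, len(body) & 0xFF) + _pad4(body)


def build_mkpdu(*, key_server: bool, priority: int, capability: int, sci: bytes,
                member_id: bytes, message_number: int, ckn: bytes,
                live_peers: Sequence[Tuple[bytes, int]] = (),
                distributed_sak: Optional[Tuple[int, int, bytes]] = None) -> bytes:
    """EAPOL header + Basic Parameter Set + optional Live Peer List / Distributed SAK + ICV."""
    basic = sci + member_id + struct.pack("!I", message_number) + ALGORITHM_AGILITY + ckn
    flags = (0x80 if key_server else 0) | 0x40 | ((capability & 3) << 4)  # KS | MACsec Desired | cap
    payload = struct.pack("!BBBB", MKA_VERSION, priority, flags | (len(basic) >> 8), len(basic) & 0xFF)
    payload += _pad4(basic)
    if live_peers:
        payload += _param_set(PS_LIVE_PEER_LIST, 0,
                              b"".join(mi + struct.pack("!I", mn) for mi, mn in live_peers))
    if distributed_sak is not None:
        an, key_number, wrapped_sak = distributed_sak      # wrapped = AES Key Wrap under the KEK
        payload += _param_set(PS_DISTRIBUTED_SAK, (an & 3) << 6, struct.pack("!I", key_number) + wrapped_sak)
    payload += _param_set(PS_ICV, 0, b"\x00" * ICV_LEN)   # placeholder; real ICV = AES-CMAC(ICK, MKPDU)
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_MKA, len(payload)) + payload


def parse_mkpdu(pdu: bytes) -> Mkpdu:
    version, ptype, body_len = struct.unpack("!BBH", pdu[:4])
    if ptype != EAPOL_TYPE_MKA:
        raise ValueError(f"not EAPOL-MKA: packet type {ptype}")
    body = pdu[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    mka_ver, priority, flags, lo = struct.unpack("!BBBB", body[:4])    # Basic Parameter Set first
    if mka_ver != MKA_VERSION:
        raise ValueError(f"unknown MKA version {mka_ver}")
    length = ((flags & 0x0F) << 8) | lo
    b = body[4:4 + length]
    if b[24:28] != ALGORITHM_AGILITY:
        raise ValueError("unsupported algorithm agility")
    m = Mkpdu(key_server=bool(flags & 0x80), key_server_priority=priority,
              macsec_desired=bool(flags & 0x40), macsec_capability=(flags >> 4) & 3,
              sci=b[0:8], member_id=b[8:20], message_number=struct.unpack("!I", b[20:24])[0], ckn=b[28:])
    off = 4 + length + (-length % 4)
    while off + 4 <= len(body):
        ptype, spec, hi, lo = struct.unpack("!BBBB", body[off:off + 4])
        length = ((hi & 0x0F) << 8) | lo
        b = body[off + 4:off + 4 + length]
        if ptype == PS_LIVE_PEER_LIST:
            m.live_peers = [(b[i:i + 12], struct.unpack("!I", b[i + 12:i + 16])[0]) for i in range(0, len(b), 16)]
        elif ptype == PS_DISTRIBUTED_SAK:
            m.distributed_sak = {"an": spec >> 6, "key_number": struct.unpack("!I", b[:4])[0], "wrapped_sak": b[4:]}
        elif ptype == PS_ICV:
            m.icv = b
            break                                   # the ICV Indicator is always last
        off += 4 + length + (-length % 4)
    return m


def negotiation_summary(m: Mkpdu) -> List[str]:
    """The slide's MKA bullets, read back from a decoded PDU."""
    caps = {0: "not MACsec capable", 1: "integrity only",
            2: "integrity + confidentiality", 3: "integrity + confidentiality (offsets)"}
    out = [f"Key Server: {'yes' if m.key_server else 'no'} (priority {m.key_server_priority})",
           f"MACsec Capable: {caps[m.macsec_capability]}", f"Key Name (CKN): {m.ckn.hex()}"]
    if m.distributed_sak:
        out.append(f"SAK distributed: AN {m.distributed_sak['an']}, key number {m.distributed_sak['key_number']}")
    return out
```

A lower priority value wins the key server election, and only the key server sends the Distributed SAK set; a peer that advertises capability 0 never receives one, which is the "endpoint does not support MACsec" case from the troubleshooting slide.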

Page 37: Policy Recommendations

Switch and supplicant have three possible policies:
Must-Not-Secure: Only unencrypted traffic will be sent and received. MKA frames will be ignored.
Should-Secure: If MKA succeeds, only encrypted traffic will be sent and received. If MKA times out or fails, unencrypted traffic will be permitted.
Must-Secure: If MKA succeeds, only encrypted traffic will be sent and received. If MKA times out or fails, no traffic will be permitted.
Mismatched policies on switch and supplicant can cause problems.

Best practice recommendation: Use "should-secure" everywhere
• "should-secure" is the default setting on the switch
• Use ACS/ISE to assign policy exceptions to the switch using the RADIUS attribute cisco-av-pair = subscriber:linksec-policy=<must-secure | should-secure | must-not-secure>
• AnyConnect 3.0 implements "should-secure" via the Port Authentication Exception Policy configuration of "Prior to Authentication Initiation"
• Because "should-secure" falls back to clear text whenever MKA fails, verify "Security Status: Secured" on ports that are expected to encrypt, and assign "must-secure" (via ISE) to endpoints that must never talk in the clear

Page 38: MACsec Policy Combinations

Supplicant Policy | Switch Policy | Resultant Connection
Not MACsec-capable or Must-Not-Secure | Not MACsec-capable or Must-Not-Secure | Not Secure
Should-Secure | Not MACsec-capable or Must-Not-Secure | Not Secure
Must-Secure | Not MACsec-capable or Must-Not-Secure | Blocked
Not MACsec-capable or Must-Not-Secure | Should-Secure | Not Secure
Should-Secure | Should-Secure | Secure
Must-Secure | Should-Secure | Secure
Not MACsec-capable or Must-Not-Secure | Must-Secure | Blocked if no MACsec Fallback Policy is configured
Should-Secure | Must-Secure | Secure
Must-Secure | Must-Secure | Secure

Page 39: Multiple Endpoints Support Per Port

Host-Mode | MACsec | Details
Single-Host | Y | Data traffic is encrypted. Cisco phones doing CDP bypass can send/receive unencrypted traffic.
Multi-Domain Auth (MDA) | Y | Either or both data and voice can be independently encrypted.
Multi-auth | N | If "should-secure", endpoints can Tx/Rx unencrypted traffic. If "must-secure", authentication fails.
Multi-Host | Y | Multiple MACs are allowed to piggyback after the first authentication, but only one encrypted session is allowed. Intended for uplink encryption.

Page 40: LAN MACsec (Switch-to-Switch)

Page 41: Switch-to-Switch MACsec

• Encryption between two switches
• Frame is tagged at egress & untagged at ingress

[Diagram: uplink MACsec between switches alongside downlink MACsec to hosts; each device encrypts on egress and decrypts on ingress.]

Page 42: What is Switch-to-Switch MACsec? (a.k.a. Uplink MACsec)

Switch to switch encryption. MACsec is point-to-point (PHY to PHY) encryption, on an individual link or on each member link of an EtherChannel.
Frame: DMAC | SMAC | 802.1AE (MACsec Tag) | 802.1Q | ETYPE | PAYLOAD | ICV | CRC

Page 43: Switch-to-Switch MACsec Configuration Modes

• Manual Mode – manual configuration of the interfaces on each end
  Benefits: easy to deploy; dot1x infrastructure not required; best suited for pilot deployments
  Considerations: not scalable; no centralized policy management; no authentication of the switch
• IEEE 802.1X Mode – 802.1X mode MACsec requires NDAC for device authentication
  Benefits: centralized policy management; rogue switches eliminated; master key maintained centrally
  Considerations: ACS/ISE required; requires 802.1X configuration; best suited for large scale deployment

Page 44: Switch-to-Switch MACsec – Manual Mode

Page 45: How do I Enable Switch-to-Switch MACsec in Manual Mode?

Step 1: Configure the interfaces on each end.
When the interface status is up, SAP exchanges the required keys and starts encrypting.
MACsec is point-to-point (PHY to PHY) encryption, so configuration is needed on the individual ports: each individual link, or each member link of an EtherChannel.

Page 46: How do I Enable Switch-to-Switch MACsec in Manual Mode? Configuration Example

Configuration commands (applied to the interface at each end, with the same PMK on both):

interface TenGigabitEthernet5/1
 switchport mode trunk
 cts manual
  sap pmk 033445AABBCCDDEEFF mode-list gcm-encrypt gmac null no-encap
  no propagate sgt

The pmk is a hex string of up to 32 hex digits (128 bits); the short value above is a demo key. Use a full-length random PMK in production, since in manual mode it is the only secret protecting the link.

[Diagram: two MACsec-capable devices joined by a MACsec link; traffic on the link is encrypted.]

Page 47: Switch-to-Switch MACsec SAP Negotiation Modes

gcm-encrypt – Authenticate the originator & encrypt the data. Use when confidentiality is required.
gmac – Authenticate the originator, no encryption. Use when integrity only is needed.
no-encap – No encapsulation. The only mode available when the hardware is not MACsec capable.
null – Encapsulation only. No authentication or encryption. Used for Security Group Access (SGT) tagging only.

The mode-list is advertised in order of preference: listing gcm-encrypt first and no-encap last lets a MACsec-capable peer encrypt while a non-capable peer still brings the link up unencrypted.

Page 48: How do I Verify MACsec is Enabled? After the Fact

sho cts int t5/1
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
            null
            no-encap
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt

"CTS is enabled, mode: MANUAL" and "SAP Status: SUCCEEDED" show the config mode and status; "Selected cipher" shows the SAP mode actually negotiated.
Encryption modes: gcm-encrypt – authenticate & encrypt; gmac – authentication only; no-encap* – no encapsulation; null – encapsulation present but no authentication or encryption.
* If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode.

Page 49: Troubleshooting

Problem 1: Session is unsecured
Typical cause: one of the switch interfaces does not support MACsec (SAP falls back to no-encap)

Problem 2: Unable to establish a session
Typical causes: configuration mismatch or SAP key (PMK) mismatch between the two ends; only "gcm-encrypt" mode is configured and one end is not MACsec capable

Page 50: Uplink MACsec – Manual Mode – Under the Covers

Page 51: MACsec (SAP) Jargon

Acronym – Definition
SAP – Security Association Protocol, a Cisco pre-standard key agreement protocol similar to MKA.
PMK – Pairwise Master Key. The PMK is the long-lived master key used to generate all other keys used for MACsec.
PTK – Pairwise Transient Key. Contains three keys (TK, KCK, KEK) as one octet stream.
TK – Temporal Key. The TK is the session key used by the cipher suite to encrypt data traffic.
KCK – EAPOL-Key Confirmation Key. Integrity-protects the EAPOL-Key handshake frames, providing data origin authenticity for the key exchange.
KEK – EAPOL-Key Encryption Key. Encrypts keying material carried in EAPOL-Key frames, providing confidentiality for the key exchange.

Page 52: SAP Key Exchange: Under the Covers (1) – PMK Confirmation

Parties: Supplicant, Authenticator (AT).
1. Supplicant and AT each obtain the PMK: derived from the EAP exchange in dot1x mode, or taken from the configured "sap pmk" in manual mode.
2. Both sides now hold the PMK (Pairwise Master Key).
3. The AT generates a PMKID (PMK Identifier) from its PMK and sends it to the supplicant.
4. The supplicant generates the PMKID from its own PMK and compares it with the one received; a match confirms both sides share the same PMK. (The PMK itself cannot be derived from the PMKID.)

Page 53: SAP Key Exchange: Under the Covers (2) – Session Key Derivation

5. Supplicant and AT exchange nonces: SNonce from the supplicant, ANonce from the authenticator.
6. Supplicant and AT each derive the PTK from the PMK and the nonces.
7. Supplicant and AT each derive the TK, KCK and KEK from the PTK.
The TK is used to encrypt traffic on the wire; the intent is to derive the same TK on AT and supplicant.

PMK – Pairwise Master Key
PTK – Pairwise Transient Key
TK* – Temporal Key, used for encryption of data traffic
KCK* – Key Confirmation Key, used for data origin authenticity of the key exchange
KEK* – Key Encryption Key, used for confidentiality of keying material in the key exchange
* 16 octets each
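The seven-step exchange on pages 52 and 53, as an added example that is not Cisco's implementation: both sides run the PMKID check and the nonce-based PTK derivation, and the PTK is cut into KCK, KEK and TK. The key derivation is written the way IEEE 802.11i does it (an HMAC-SHA1 PRF and the "PMK Name" identifier), which is where SAP's terminology comes from; SAP's own KDF is not on the slides and is not reproduced here. The MAC addresses are constructed, and the PMK is the demo "sap pmk" value from page 46.

```python
"""Added example, not Cisco's implementation: the PMKID check and nonce-based PTK
derivation from the SAP exchange above, written the way IEEE 802.11i does it
(HMAC-SHA1 PRF; PTK split into KCK | KEK | TK, 16 octets each).  SAP's own KDF is
not on the slides, so this models the exchange rather than reproducing it."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) until nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmkid(pmk: bytes, at_mac: bytes, supp_mac: bytes) -> bytes:
    """Identifier of a PMK.  The peer can confirm it holds the same PMK, but the PMK
    cannot be recovered from it (a truncated keyed hash, not a wrapping)."""
    return hmac.new(pmk, b"PMK Name" + at_mac + supp_mac, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, at_mac: bytes, supp_mac: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """Steps 6-7: mix the PMK with both MAC addresses and both nonces, then cut the
    48-byte PTK into KCK, KEK and TK (16 octets each)."""
    data = min(at_mac, supp_mac) + max(at_mac, supp_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def sap_exchange(at_pmk: bytes, supp_pmk: bytes, at_mac: bytes, supp_mac: bytes,
                 rng: Callable[[int], bytes] = os.urandom) -> Optional[Dict[str, Dict[str, bytes]]]:
    """Run steps 1-7 between the authenticator (AT) and the supplicant.  Returns each
    side's key set when they agree, or None when the PMKID check fails (the 'SAP key
    mismatch' case from the troubleshooting slide)."""
    # steps 1-2: each side already holds its PMK ('sap pmk' in manual mode, EAP MSK in dot1x mode)
    # step 3: the AT derives the PMKID from its PMK and sends it
    sent_pmkid = pmkid(at_pmk, at_mac, supp_mac)
    # step 4: the supplicant derives the PMKID from its own PMK and compares in constant time
    if not hmac.compare_digest(sent_pmkid, pmkid(supp_pmk, at_mac, supp_mac)):
        return None
    # step 5: nonces are exchanged (ANonce from the AT, SNonce from the supplicant)
    anonce, snonce = rng(32), rng(32)
    # steps 6-7: each side derives PTK -> KCK, KEK, TK independently
    return {"AT": derive_ptk(at_pmk, at_mac, supp_mac, anonce, snonce),
            "SUPPLICANT": derive_ptk(supp_pmk, at_mac, supp_mac, anonce, snonce)}


if __name__ == "__main__":
    pmk = bytes.fromhex("033445AABBCCDDEEFF")               # the demo 'sap pmk' from the slide
    at, sp = bytes.fromhex("001122334455"), bytes.fromhex("0050569c0008")   # constructed MACs
    keys = sap_exchange(pmk, pmk, at, sp)
    print("TK agreed:", keys["AT"]["TK"] == keys["SUPPLICANT"]["TK"])
    print("mismatched PMK:", sap_exchange(pmk, pmk[:-1] + b"\x00", at, sp))
```

Two points the model makes visible: a single wrong PMK byte on one end fails the PMKID comparison before any nonce is sent, which is why a key mismatch shows up as "unable to establish a session" rather than as corrupted traffic; and because the nonces enter the PRF, every SAP negotiation yields a fresh TK even though the PMK is long-lived.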

Page 54: Switch-to-Switch MACsec – IEEE 802.1X Mode

Page 55: What do I need to Enable Switch-to-Switch MACsec in dot1x Mode?

• NDAC Supplicant: a switch that acts as a supplicant and authenticates before it becomes an authenticator for the next switch. Role: Access Control, Key Exchange, Encryption.
• Authentication Server: a RADIUS server that validates the Supplicant's credentials as part of NDAC and determines what network access the Supplicant should receive. Distributes master keying material to the supplicant. Role: Authentication, Master Key Distribution, Policy Management.

NDAC – Network Device Admission Control

Page 56: How do I Enable Switch-to-Switch MACsec in dot1x Mode?

• Step 1: Enable NDAC (Authentication & Master Key exchange)
  • NDAC (Network Device Admission Control) for device authentication
  • Can be used as a standalone feature when only device authentication is required, or when MACsec-capable hardware is not available
• Step 2: Enable MACsec (SAP negotiation for key exchange)
  • After authentication, SAP exchanges session keys & encryption keys
  • SAP negotiates the cipher suite

Page 57: What is Network Device Admission Control (NDAC)?

• NDAC is authenticating the authenticator
• NDAC uses 802.1X with EAP-FAST (Extensible Authentication Protocol Flexible Authentication via Secure Tunnel)
• EAP-FAST enhancements:
  • Authenticate the authenticator
  • Notify each device of its peer identity (using RADIUS TLV messages)
• The seed device authenticates first (against ISE) and then authenticates the non-seed devices

[Diagram: ISE – Switch 1 (seed device) – Switch 2 (non-seed device); one non-seed switch passes NDAC authentication, another fails and is kept off the network.]

Benefits: centralized policy management; rogue switches eliminated

Page 58

How do I enable NDAC? Seed Switch Configuration Example

Configuration Commands:

aaa new-model
radius server ise
 address ipv4 <ip address> auth-port 1812 acct-port 1813
 pac key <password>
aaa authentication dot1x default group radius
aaa authorization network cts group radius
aaa session-id common
cts authorization list cts
dot1x system-auth-control
!
interface t5/1
 switchport mode trunk
 cts dot1x
!
<exec mode> cts credentials id <userid> password <password>

Seed device includes RADIUS info

Page 59

How do I enable NDAC? Non-Seed Switch Configuration Example

Configuration Commands:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
!
interface t5/1
 switchport mode trunk
 cts dot1x
!
<exec mode> cts credentials id <userid> password <password>

Page 60

How do I enable NDAC? ISE Configuration Example

Administration > Network Resources > Network Devices

Page 61

NDAC: Under the Covers

Figure: message flow between Supplicant, Authenticator and ISE under IEEE 802.1X Authentication and Master Key Distribution. EAP-FAST tunnel establishment (EAP-FAST in 802.1x between supplicant and authenticator, EAP-FAST in RADIUS between authenticator and ISE); one time provisioning; device authentication; user authentication; EAP-FAST tunnel tear down; policy acquisition (RADIUS).

Page 62

How do I enable MACsec? Seed Switch Configuration Example

Configuration Commands:

aaa new-model
radius server ise
 address ipv4 <ip address> auth-port 1812 acct-port 1813
 pac key <password>
aaa authentication dot1x default group radius
aaa authorization network cts group radius
aaa session-id common
cts authorization list cts
dot1x system-auth-control
!
interface t5/1
 switchport mode trunk
 cts dot1x
 sap mode-list gcm-encrypt gmac null no-encap
!
<exec mode> cts credentials id <userid> password <password>

Seed device includes RADIUS info

Page 63

How do I enable MACsec? Non-Seed Switch Configuration Example

Configuration Commands:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
!
interface t5/1
 switchport mode trunk
 cts dot1x
 sap mode-list gcm-encrypt gmac null no-encap
!
<exec mode> cts credentials id <userid> password <password>

Page 64

How do I verify MACsec is enabled? After the Fact

sho cts int t5/1

Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
  CTS is enabled, mode: DOT1X
  IFC state: OPEN
  Authentication Status: SUCCEEDED
    Peer identity: "dist-4k"
    Peer's advertised capabilities: "sap"
  Authorization Status: ALL-POLICY SUCCEEDED
  SAP Status: SUCCEEDED
    Version: 2
    Configured pairwise ciphers:
      gcm-encrypt
      gmac
      null
      no-encap
    Replay protection: enabled
    Replay protection mode: STRICT
    Selected cipher: gcm-encrypt

Callouts on the slide: "Config mode & Status" (the mode, status and selected cipher lines).

Encryption Modes:
• gcm-encrypt – authenticate & encrypt
• gmac – authentication only
• no-encap* – no encapsulation
• null – encap present but no authentication or encryption

* If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode.

Page 65

Troubleshooting

Problem 1: Session is unsecured
Typical cause: one of the switch interfaces does not support MACsec

Problem 2: Unable to establish a session
Typical causes:
• Authentication failure
• Only “gcm-encrypt” mode is configured and one end is not MACsec capable
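A check that automates the verification and troubleshooting on the two slides above, as an added example that is not part of the Cisco deck: it parses the `show cts interface` fields the slide shows and maps the selected SAP mode to the protection actually in place on the link. The sample output is constructed to follow the slide's layout.

```python
"""Assess a switch-to-switch MACsec (SAP) session from 'show cts interface' output.

Added example (not from the Cisco Live deck). The sample below is constructed
with the same fields as the slide's 'sho cts int t5/1' output.
"""
import re

# SAP operating modes and what each one protects, per the 'Encryption Modes' slide.
SAP_MODE_PROTECTION = {
    "gcm-encrypt": "confidentiality and integrity",
    "gmac": "integrity only",
    "null": "none (MACsec encapsulation present, no protection)",
    "no-encap": "none (no MACsec encapsulation)",
}

# Constructed sample output (same shape as the slide).
SAMPLE_SHOW_CTS = """\
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
  CTS is enabled, mode: DOT1X
  IFC state: OPEN
  Authentication Status: SUCCEEDED
    Peer identity: "dist-4k"
    Peer's advertised capabilities: "sap"
  Authorization Status: ALL-POLICY SUCCEEDED
  SAP Status: SUCCEEDED
    Version: 2
    Configured pairwise ciphers:
      gcm-encrypt
      gmac
      null
      no-encap
    Replay protection: enabled
    Replay protection mode: STRICT
    Selected cipher: gcm-encrypt
"""

_FIELD = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_show_cts_interface(text):
    """Return the 'key: value' fields as a dict plus the configured cipher list."""
    fields, ciphers, in_cipher_list = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if in_cipher_list:
            # The cipher list is a run of bare mode names under its header.
            if stripped in SAP_MODE_PROTECTION:
                ciphers.append(stripped)
                continue
            in_cipher_list = False
        m = _FIELD.match(line)
        if not m:
            continue  # e.g. 'Global Dot1x feature is Enabled' (no colon)
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Configured pairwise ciphers":
            in_cipher_list = True
            continue
        fields[key] = value
    fields["configured_ciphers"] = ciphers
    return fields


def assess_sap_session(fields):
    """Apply the troubleshooting slide's logic: no session vs. unsecured session."""
    problems = []
    if fields.get("CTS is enabled, mode") != "DOT1X":
        problems.append("CTS is not in dot1x (NDAC) mode")
    if fields.get("Authentication Status") != "SUCCEEDED":
        problems.append("NDAC authentication failed; no session can be established")
    if fields.get("SAP Status") != "SUCCEEDED":
        problems.append("SAP key negotiation did not complete")
    selected = fields.get("Selected cipher")
    if selected in ("null", "no-encap"):
        problems.append("session is unsecured (selected cipher %s): one end is "
                        "likely not MACsec capable" % selected)
    elif selected == "gmac":
        problems.append("session is integrity-protected only; payload is not encrypted")
    if fields.get("Replay protection") != "enabled":
        problems.append("replay protection is disabled")
    return {
        "selected_cipher": selected,
        "protection": SAP_MODE_PROTECTION.get(selected, "unknown"),
        "encrypted": selected == "gcm-encrypt",
        "problems": problems,
    }


if __name__ == "__main__":
    verdict = assess_sap_session(parse_show_cts_interface(SAMPLE_SHOW_CTS))
    print("encrypted:", verdict["encrypted"], "| problems:", verdict["problems"] or "none")
```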

Page 66

NDAC & SAP: Under the Covers

Figure: message flow between Supplicant, Authenticator and ISE. IEEE 802.1X Authentication and Master Key Distribution: EAP-FAST tunnel establishment (EAP-FAST in 802.1x between supplicant and authenticator, EAP-FAST in RADIUS between authenticator and ISE); one time provisioning; device authentication; user authentication; EAP-FAST tunnel tear down; policy acquisition (RADIUS). MACsec: key establishment (SAP); session secure; encrypted data (AES-GCM-128) in both directions; ongoing key refresh (SAP).

Page 67

LAN MACsec Considerations

MACsec Header Overhead
• No impact to IP MTU/fragmentation
• L2 frame MTU impact*: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)

* Line rate performance impact:
• With 64 byte packets: ~60%
• With 256 byte packets: ~15%
• With 1500 byte packets: ~2.5%
• With 9198 byte packets: ~0.5%

Page 68

Key Management vs Certificates

In 802.1x mode:
• Keys are managed centrally by ISE
• Cluster of servers – automatically sync the keys between servers

In manual mode:
• Keys are managed by individual switches
• Admin overhead

Keys vs certificates:
• Certificates are used to confirm the identity of a device
• Separate CA server needed to maintain certificates – ISE supports certificates
• Keys are needed for encryption

Page 69

WAN MACsec

Page 70

Network Security Today for WAN

• Encrypted Virtual Private Network (VPN) technologies over public cloud, e.g. DMVPN
• Higher scalability – 1000s of branches
• Typically done by software / crypto engine – lower performance / throughput
• Goal is to encrypt data on the public cloud

Figure: one site encrypts, the encrypted data crosses the WAN inside the VPN, the other site decrypts.

Page 71

Ethernet ‘WAN transition’ for carrier services

Metro Ethernet Forum (MEF) standardization of carrier Ethernet services

WAN/Metro SP offerings are replacing existing T1, ATM/FR, and SONET options for their customers in favor of lower cost Ethernet transport

• Highly flexible, granular and scalable bandwidth
• Simple troubleshooting
• Enterprise maintains networking and routing decisions
• Easily add new locations to L2 VPN
• Ubiquitous use for router ports with Ethernet support

Figure: Metro Ethernet network for carrier Ethernet services.

Page 72

What is WAN MAC Security (MACsec)?

• Encryption mitigates packet eavesdropping, tampering, and injection
• Supports 802.1AE-based strong encryption technology
• 128/256-bit AES-GCM, NIST-approved, 10Gb line-rate encryption
• VLAN tag in clear option
• Supports point-to-point and point-to-multipoint configurations
• Typically done by hardware (ASIC/PHY) – line rate throughput

Figure: one site encrypts, the encrypted data crosses the EVCs of the L2 Service Provider Network, the other site decrypts.

Page 73

How is WAN MACsec different from LAN MACsec?

Figure: Central Campus / DC connected over the WAN to Branch 1, Branch 2 and Branch 3, each with its own Enterprise Network.

LAN MACsec: Switch; Point to Point; VLAN Tag Encrypted
WAN MACsec: Router; Point to Multipoint; VLAN Tag in Clear

Page 74

How is WAN MACsec different from LAN MACsec? VLAN Tag in Clear

Original MACsec (field sizes in bytes):
  Eth (14) | 802.1AE (8-16) | 802.1Q (4) | ETYPE (2) | PAYLOAD | ICV (8-16) | CRC (4)
  Authenticated: Ethernet header, 802.1AE tag and everything up to the ICV. Encrypted: 802.1Q tag, ETYPE and PAYLOAD.

MACsec ClearTag (VLAN), new in XE 3.14:
  Eth (14) | 802.1Q (4) | 802.1AE (8-16) | ETYPE (2) | PAYLOAD | ICV (8-16) | CRC (4)
  Authenticated: Ethernet header, 802.1Q tag, 802.1AE tag and everything up to the ICV. Encrypted: ETYPE and PAYLOAD only.

802.1Q tag: TPID 0x8100 (2 bytes) | CoS (3 bits) | CFI (1 bit) | VLAN ID (12 bits)
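The two layouts above, built and parsed in code, as an added example that is not part of the deck: it constructs a frame in the original 802.1AE layout and one in the ClearTag layout and reports what a device in the provider network can read from each without the session key. Only the headers are real 802.1AE/802.1Q fields; the payload and ICV bytes are constructed placeholders, and the SCI is the one from the deck's sample output.

```python
"""Original MACsec vs. ClearTag (VLAN tag in clear) frame layouts.

Added example, not from the Cisco deck. Header fields follow IEEE 802.1AE
(SecTAG) and IEEE 802.1Q; payload and ICV bytes are constructed placeholders.
"""
import struct

ETYPE_8021Q = 0x8100
ETYPE_MACSEC = 0x88E5
ICV_LEN = 16        # GCM-AES ICV length
TCI_SC_BIT = 0x20   # SecTAG TCI/AN byte: SC bit, SCI present in the tag
TCI_E_BIT = 0x08    # E bit: payload encrypted
TCI_C_BIT = 0x04    # C bit: payload changed by confidentiality protection


def build_sectag(pn, sci=None, encrypted=True, an=0):
    """802.1AE SecTAG: EtherType, TCI/AN, SL (0 = long frame), PN, optional SCI."""
    tci_an = an & 0x03
    if encrypted:
        tci_an |= TCI_E_BIT | TCI_C_BIT
    if sci is not None:
        tci_an |= TCI_SC_BIT
    tag = struct.pack("!HBBI", ETYPE_MACSEC, tci_an, 0, pn)
    if sci is not None:
        tag += struct.pack("!Q", sci)
    return tag


def build_8021q_tag(vlan_id, cos=0, cfi=0):
    """4-byte 802.1Q tag: TPID 0x8100, then CoS (3b) | CFI (1b) | VLAN ID (12b)."""
    tci = ((cos & 0x7) << 13) | ((cfi & 0x1) << 12) | (vlan_id & 0x0FFF)
    return struct.pack("!HH", ETYPE_8021Q, tci)


def build_frame(dst, src, vlan_id, payload, pn, sci, clear_tag):
    """Constructed MACsec frame (no FCS); secure data and ICV are placeholder bytes."""
    eth = dst + src
    # Original layout encrypts 802.1Q (4) + ETYPE (2) + payload; ClearTag only ETYPE + payload.
    secure_data = b"\xaa" * (len(payload) + (2 if clear_tag else 6))
    icv = b"\xbb" * ICV_LEN
    if clear_tag:
        return eth + build_8021q_tag(vlan_id) + build_sectag(pn, sci) + secure_data + icv
    return eth + build_sectag(pn, sci) + secure_data + icv


def parse_macsec_frame(frame):
    """Return what an observer without the SAK can read: MACs, VLAN (if in clear), SecTAG."""
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(), "vlan_in_clear": False}
    offset = 12
    etype = struct.unpack_from("!H", frame, offset)[0]
    if etype == ETYPE_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        info.update(vlan_in_clear=True, vlan_id=tci & 0x0FFF, cos=tci >> 13, cfi=(tci >> 12) & 1)
        offset += 4
        etype = struct.unpack_from("!H", frame, offset)[0]
    if etype != ETYPE_MACSEC:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % etype)
    sectag_start = offset
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, offset + 2)
    offset += 8
    info.update(an=tci_an & 0x03, encrypted=bool(tci_an & TCI_E_BIT), pn=pn, short_length=sl)
    if tci_an & TCI_SC_BIT:
        info["sci"] = "%016x" % struct.unpack_from("!Q", frame, offset)[0]
        offset += 8
    info["sectag_len"] = offset - sectag_start
    info["secure_data_len"] = len(frame) - offset - ICV_LEN
    return info


# Constructed sample: SCI taken from the deck's 'show macsec status' output.
DST = bytes.fromhex("0022bdef4383")
SRC = bytes.fromhex("001122334455")
SCI = 0x0022BDEF43830014
LAN_FRAME = build_frame(DST, SRC, 10, b"payload!", 1712, SCI, clear_tag=False)
WAN_FRAME = build_frame(DST, SRC, 10, b"payload!", 1712, SCI, clear_tag=True)

if __name__ == "__main__":
    for name, frame in (("original", LAN_FRAME), ("cleartag", WAN_FRAME)):
        print(name, parse_macsec_frame(frame))
```

Note that both frames are the same length: ClearTag moves the 4-byte 802.1Q tag in front of the SecTAG, it does not add overhead.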

Page 75

When do I need WAN MACsec?

Figure: Central Campus / DC connected over the WAN to Regional Hub 1 and Regional Hub 2 (MACsec), and over the Internet to IPsec sites and a Branch/DC (IPsec); each site has its own Enterprise Network.

MACsec targeted customers – high throughput, limited by hardware scale
IPsec targeted customers – high scale, limited by aggregate throughput

MACsec strengths:
• High throughput due to hardware encryption
• More services enablement
• Simple configuration
• High throughput + line rate encryption

WAN MACsec considerations:
• Limited scale
• Requires MetroE circuit (EVCs)

Page 76

MACsec – WAN Use Cases Summary

#1 Data Center Interconnect: DC1 and DC2 over Metro E-LINE
#2 Campus Interconnect: Main Building 1 with Buildings 2, 3 and 4 over Metro E-LAN / E-Line
#3 Hub-Spoke: Head Office with Branch 1, Branch 2 and Branch 3 over Metro E-LINE / E-LAN

* Roadmap

Page 77

WAN MACsec and IPsec Comparison

Market Positioning
  WAN MACsec: 1. Aggregate deployments such as regional hubs; 2. Large branches that require high throughput; 3. Data center interconnects
  IPsec: 1. Small branches; 2. High scale deployments; 3. Low throughput branches; 4. Beyond MetroE (international) reach

Link Requirement
  WAN MACsec: Requires dedicated MetroE EVC circuits for L2 connectivity between sites
  IPsec: Easily routable over many commonly available public networks

Encryption Performance
  WAN MACsec: Per PHY link speed (1G, 10G, 40G, 100G)
  IPsec: Constrained by IPsec crypto engine performance

Services Enablement
  WAN MACsec: No impact to encryption throughput
  IPsec: Impacts encryption throughput

Peers Scale
  WAN MACsec: Limited by hardware resources
  IPsec: Highly scalable

Throughput
  WAN MACsec: Up to line rate on each port (limited only by the forwarding capability)
  IPsec: Aggregate throughput (limited by the encryption throughput)

Configurability
  WAN MACsec: Simple configuration
  IPsec: More complex configuration and policy choices

Layer 3 Visibility for Monitoring
  WAN MACsec: No. Except Layer 2 headers (and optionally VLAN/MPLS labels), everything else is encrypted
  IPsec: Visible. L3 info can be used for monitoring & policy enforcement purposes

NAT Environment
  WAN MACsec: L3 header is not accessible
  IPsec: Works with NAT environment

Page 78

WAN MACsec and GETVPN Comparison

MACsec (Hub; PTP or E-LINE; PTMP or E-LAN)
• Overlay routing, data plane encryption
• Static known IP addresses
• Any WAN transport: IP or MPLS
• E-LINE requires all traffic to go through hub
• E-LAN spokes can communicate directly
• Flexible QoS policy selected by customer
• E-Line requires per peer keys
• E-LAN uses one key per system
• Client IP addressing hidden from provider

GETVPN (Group Key Server)
• Native routing, data plane encryption
• Dynamic unknown IP addresses
• Ethernet hand-off, minimal peering
• Easy multi-homing designs
• Provider blackhole protection
• BGP and static routing with provider
• Provider routes traffic between sites
• Less control plane overhead traffic
• Private WANs only: MPLS
• No tunnels for site-to-site connectivity
• Multicast replication in provider network
• Single group key for all sites
• Client IP addressing exposed to provider

Page 79

What service do I need to enable WAN MACsec? Metro Ethernet Forum (MEF) Ethernet Service Types

Page 80

WAN MACsec Deployment Scenarios

• Point to Point – E-LINE Service
  • CE to CE
  • Hub and Spoke

• Multi-Point – E-LAN Service
  • Hub and Spoke
  • Multipoint to Multipoint

Page 81

Point to Point – E-LINE Service
• CE to CE
• Hub and Spoke

Page 82

Use Case 1: Point to Point E-LINE Service, Point to Point SA Configuration
MKA Keying (802.1X-2010)

Ethernet Service
• Point to point PW service (no MAC address lookup)
• Port-mode, or 802.1Q offering

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Customer Use Cases
• Secure: CE – CE link, DC Interconnect

Figure: Branch Site CE and Central Campus / DC CE, each in front of an Enterprise Network, connected by a Carrier Ethernet Service E-LINE (P2P); legend: MKA Session, MACsec Flow, MKA Key, MACsec Interface.

Page 83

Use Case 2: Point to Point E-LINE Service, Point to Point SA Configuration – Hub and Spoke
MKA Keying (802.1X-2010)

Ethernet Service
• Point to point PW service (no MAC address lookup)
• Port-mode, or 802.1Q offering

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Customer Use Cases
• Secure: CE – CE link, DC Interconnect

Figure: two Branch Site CEs, each in front of an Enterprise Network, connected to the Central Campus / DC CE by a Carrier Ethernet Service E-LINE (P2P).

Page 84

Use Case 3: Point to Point E-LINE Service, Point to Point SA Configuration – Mix of MACsec & Non-MACsec Spokes
MKA Keying (802.1X-2010)

Ethernet Service
• Point to point PW service (no MAC address lookup)
• Port-mode, or 802.1Q offering

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Customer Use Cases
• Secure: CE – CE link, DC Interconnect, Migration

Figure: Branch Site CE2, CE3 and CE4, each in front of an Enterprise Network, connected to the Central Campus / DC CE1 by a Carrier Ethernet Service E-LINE (P2P); not every spoke runs MACsec.

Page 85

P2P Router Peering Model When Using E-LINE Service

• More of an Edge/Core network deployment option
• Connection model is full/partial mesh via 802.1Q sub-interface service
• Analogous to ATM VCs and Channelized SONET

Figure: Physical view: CEs attached to the Carrier Ethernet Service E-LINE (P2P) through Ethernet sub-interfaces with 802.1q support. Logical view: P2P Ethernet pseudo-wire service; routers peer per VLAN sub-interface per PW.

Page 86

Multi-Point – E-LAN Service
• Hub and Spoke
• Multipoint to Multipoint

Page 87

Use Case 4: E-LAN Service (VPLS Service), Point to Point SA Configuration – Hub and Spoke
MKA Keying (802.1X-2010)

Ethernet Service
• Multi-Point service (typically VPLS)
• Port-mode, or 802.1Q offering

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Customer Use Cases
• Secure: CE – CE link, DC Interconnect

Figure: two Branch Site CEs, each in front of an Enterprise Network, connected to the Central Campus / DC CE by a Carrier Ethernet Service E-LAN (multi-pt).

Page 88

Use Case 5: E-LAN Service (VPLS Service), Point to Point SA Configuration – Hub and Spoke, Spoke to Spoke
MKA Keying (802.1X-2010)

Ethernet Service
• Multi-Point service (typically VPLS)
• Port-mode, or 802.1Q offering

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Customer Use Cases
• Secure: CE – CE link, DC Interconnect

Figure: two Branch Site CEs and the Central Campus / DC CE, each in front of an Enterprise Network, connected by a Carrier Ethernet Service E-LAN (multi-pt), with spoke-to-spoke as well as hub-and-spoke flows.

Page 89

P2MP Router Peering Model When Using E-LAN Service

• Targets more of a branch network deployment option
• Routers appear as part of a single “flat” Ethernet domain
• Caution required as IP peering is N – 1 (N = router nodes)
• SP will dictate either port-mode (no .1Q tag) or router sending .1Q tag
• Less complex configuration

Figure: Physical view: CEs attached to the Carrier Ethernet Service E-LAN (multi-pt). Logical view: flat Ethernet bridge domain; router peering is N – 1.

Page 90

Use Cases & Config CLIs

Page 91

Use Case 1: Point to Point E-LINE Service, Point to Point SA Configuration
Port Based E-LINE (Point-to-Point) (a.k.a. Ethernet Private Line (EPL))
Port-based E-LINE Service (P2P)
MKA Keying (802.1X-2010)

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Figure: Branch Site CE2 and Central Campus / DC CE1, each in front of an Enterprise Network, connected by a P2P EVC across the Metro Ethernet Network (Carrier Ethernet Service E-LINE (P2P)); legend: MKA Session, MACsec Flow, MKA Key, MACsec Interface.

Defaults

MKA default policy:
• Cipher suite: AES-128-CMAC
• Key server priority: 0
• Confidentiality offset: 0

MACsec default parameters:
• Dot1q-in-clear 0
• Access-control must-secure
• Replay-protection-window-size 64
• Cipher suite: GCM-AES-128

Default keychain parameters:
• Lifetime: unlimited

CE1/CE2 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 92

Use Case 2: Point to Point E-LINE Service, Point to Point SA Configuration – Hub and Spoke
VLAN Based E-LINE (Point-to-Point) (a.k.a. Ethernet Virtual Private Line (EVPL))
VLAN-based E-LINE Service (P2P): Only MACsec Sub-Interfaces
MKA Keying (802.1X-2010)

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Figure: Branch Site CE2 and CE3, each in front of an Enterprise Network, connected to the Central Campus / DC CE1 by P2P EVCs across the Metro Ethernet Network (Carrier Ethernet Service E-LINE (P2P)).

CE1 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

CE2 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 93

Use Case 2: Point to Point E-LINE Service, Point to Point SA Configuration – Hub and Spoke
VLAN Based E-LINE (Point-to-Point) (a.k.a. Ethernet Virtual Private Line (EVPL))
VLAN-based E-LINE Service (P2P): Mix of MACsec and Non-MACsec Sub-Interfaces
MKA Keying (802.1X-2010)

MACsec enabled Interface
• Physical
• Sub-interface (802.1Q)

Figure: Branch Site CE2, CE3 and CE4, each in front of an Enterprise Network, connected to the Central Campus / DC CE1 by P2P EVCs across the Metro Ethernet Network (Carrier Ethernet Service E-LINE (P2P)).

CE1 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec access-control should-secure*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.3
 encapsulation dot1Q 30
 ip address 10.3.3.1 255.255.255.0

CE2 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 macsec access-control should-secure*
 macsec replay-protection-window-size 100
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 94

Use Case 3: Port Based E-LAN (Point-to-MultiPoint) (a.k.a. Ethernet Private LAN (EP-LAN))
Port-based E-LAN Service (P2MP)

Figure: CE1, CE2 and CE3 connected by P2MP EVCs across the Metro Ethernet Network.

Defaults

MKA default parameters:
• Key server priority: 0
• Confidentiality offset: 0

MACsec default parameters:
• Dot1q-in-clear 0
• Access-control must-secure
• Replay-protection-window-size 64

Default keychain parameters:
• Lifetime: unlimited

CE1/CE2/CE3 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 mka policy p1
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 95

Router Peering Model for E-LAN Services (VPLS Service)

• Targets more of a branch network deployment option
• Routers appear as part of a single “flat” Ethernet domain
• Caution required as IP peering is N – 1 (N = router nodes)
• Multicast replication is done in the “Core” of the network
• SP will dictate either port-mode (no .1Q tag) or router sending .1Q tag
• Less complex configuration

Figure: Physical view: CE1, CE2, CE3 and CE4 attached to the Carrier Ethernet Service E-LAN (multi-pt). Logical view: flat Ethernet bridge domain; router peering is N – 1.

Use Case 4: VLAN Based E-LAN (Point-to-MultiPoint) (a.k.a. Ethernet Virtual Private LAN (EVP-LAN))
VLAN-based E-LAN Service (P2MP)

Example 1: VLAN/Subinterface. Figure: CE1, CE2 and CE3 on VLAN 10, connected by P2MP EVCs across the Metro Ethernet Network.

CE1 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 eapol destination-address broadcast
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

CE2/CE3 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
 eapol destination-address broadcast
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 96

Multiple VLAN-based E-LAN Services (P2MP)

Example 2: VLAN/Subinterfaces. Figure: CE1 with CE2 and CE3 on VLAN 10 and with CE4 and CE5 on VLAN 20, connected by P2MP EVCs across the Metro Ethernet Network.

CE1 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

CE2/CE3 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

CE4/CE5 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 97

Mix of VLAN-based E-LINE and E-LAN Services (P2P & P2MP)

Example 3: VLAN/Subinterfaces. Figure: CE1 with CE2 on VLAN 10 over a P2P EVC, and CE1 with CE3 and CE4 on VLAN 20 over P2MP EVCs, across the Metro Ethernet Network.

CE1 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
key chain k2 macsec*
 key 01
  key-string 12345678901234567890123456789012
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.1 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.1 255.255.255.0
 mka pre-shared-key key-chain k2*
 mka policy p1
 macsec*

CE2 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.1
 encapsulation dot1Q 10
 ip address 10.3.1.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 macsec*

CE3/CE4 Config

key chain k1 macsec*
 key 01
  key-string 12345678901234567890123456789012
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1*
interface GigabitEthernet0/0/4.2
 encapsulation dot1Q 20
 ip address 10.3.2.2 255.255.255.0
 mka pre-shared-key key-chain k1*
 mka policy p1
 macsec*

Note: * is mandatory CLI
MACsec configuration (blue on the slide)

Page 98: Cisco MACsec Solution Design and Deployment for a Secure ...d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKCRS-2892.pdf · SAP MSK CAK SAK MACsec Key Agreement –defined in IEEE 802.1XREV-2010

MKA Global Policy Configurable CLIs

key-server priority: 0 to 64 (default: 0)

macsec-cipher-suite: gcm-aes-128 | gcm-aes-256 (default: gcm-aes-128)

confidentiality-offset: 0, 30, 50 (default: 0)

MACsec Interface Configurable CLIs

macsec replay-protection-window-size: 0-x (default: 64)

macsec access-control: must-secure | should-secure (default: must-secure)

macsec dot1q-in-clear: 0, 1 (default: 0)

macsec eapol destination-address: H.H.H (any MAC address) | bridge-group-address | lldp-multicast-address | broadcast (default: 01:80:c2:00:00:03)

Keychain Global Configurable CLIs

key: key id

cryptographic-algorithm: aes-128-cmac | aes-256-cmac (default: aes-128-cmac)

key-string: hex characters (default: NA)

lifetime: hh:mm:ss / time / local (time given in the local time zone) (default: unlimited)


Configurable MKA, MACsec & Key Chain CLIs and Parameters

Page 99

Monitoring and Troubleshooting


Page 100

Monitoring and Troubleshooting

MACsec

show macsec summary

show macsec statistics interface <interface>

show macsec status interface <interface>

Show CLIs

MKA

show mka sessions

show mka sessions detail

show mka sessions interface < > port < > detail

show mka policy <MKA Policy NAME>

Page 101

Monitoring and Troubleshooting

R2#show macsec summary
MACsec Capable Interface        Extension
---------------------------------------------
TenGigabitEthernet0/0/1         One tag-in-clear
GigabitEthernet0/0/1            One tag-in-clear

MACsec Enabled Interface        Receive SC    VLAN
-----------------------------------------------------
GigabitEthernet0/0/1.10         : 8           10
R2#

Show CLI Sample Output

R2#show macsec status int gi0/0/1.10
Capabilities:

Validate Frames: Strict

Ciphers Supported: GCM-AES-128 GCM-AES-256

Include SCI: Yes

Cipher: GCM-AES-128

Confidentiality Offset: 0

Transmit SC:

SCI: 0022BDEF43830014

Transmitting: TRUE

Transmit SA:

Next PN: 1712

Receive SC:

Receiving: TRUE

Receive SA:

In Use: TRUE

Next PN: 1731

R2#
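As an added example (not from the slides), the following Python parses output in the shape of the "show macsec status" sample above and flags what a monitoring system should alert on: non-strict frame validation, an unexpected cipher, a non-zero confidentiality offset, a session that is not transmitting or receiving, and a packet number approaching exhaustion. The 32-bit packet-number limit is the IEEE 802.1AE value for GCM-AES-128/256 (not the XPN suites); the 75% rekey threshold and the sample values are assumptions.

```python
# Added example, not Cisco code. PN_MAX is the 32-bit packet number of the
# GCM-AES-128/256 suites; rekey_ratio below is an operator's choice.
PN_MAX = 2**32 - 1

# Constructed sample modelled on the slide's output (values illustrative, not captured).
SAMPLE_STATUS = """\
R2#show macsec status int gi0/0/1.10
Capabilities:
 Validate Frames: Strict
 Cipher: GCM-AES-128
 Confidentiality Offset: 0
Transmit SC:
 Transmitting: TRUE
Transmit SA:
 Next PN: 1712
Receive SC:
 Receiving: TRUE
Receive SA:
 In Use: TRUE
 Next PN: 1731
R2#
"""

def parse_macsec_status(text):
    """Map (section, field) -> value; a section is a line that ends with ':'."""
    fields, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):
            section = line[:-1]
        elif ": " in line:
            key, _, value = line.partition(": ")
            fields[(section, key)] = value
    return fields

def assess_macsec_status(text, expected_cipher="GCM-AES-128", rekey_ratio=0.75):
    """Findings a defender would alert on; an empty list means healthy and strict."""
    f = parse_macsec_status(text)
    cap = lambda k: f.get(("Capabilities", k))
    findings = []
    if cap("Validate Frames") != "Strict":
        findings.append("validate-frames not Strict: frames failing the ICV check may be accepted")
    if cap("Cipher") != expected_cipher:
        findings.append(f"cipher {cap('Cipher')} differs from expected {expected_cipher}")
    if cap("Confidentiality Offset") != "0":
        findings.append("confidentiality offset > 0: leading bytes integrity-protected, not encrypted")
    if f.get(("Transmit SC", "Transmitting")) != "TRUE" or f.get(("Receive SC", "Receiving")) != "TRUE":
        findings.append("SC not transmitting/receiving: MKA session likely down")
    for side in ("Transmit SA", "Receive SA"):
        pn = int(f.get((side, "Next PN"), "0"))
        if pn >= rekey_ratio * PN_MAX:
            findings.append(f"{side} Next PN {pn}: SAK rekey needed before 32-bit PN exhaustion")
    return findings
```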

Page 102

Monitoring and Troubleshooting

debug mka events/errors/packets

Usage: Troubleshooting MKA session bring-up issues

debug mka linksec-interface

Usage: Troubleshooting MKA keep-alive issues

debug platform software macsec info/error

Usage: MACsec info/error debugging

Debug CLIs

Page 103

Monitoring and Troubleshooting: Syslog Messages

Page 104

WAN MACsec Considerations

Scale & Performance

1GE interface: Max 8 Peers per interface

10GE interface: Max 32 Peers per interface

Linerate performance, but may be limited by system throughput

Linerate performance minus the overhead, ~32 bytes

Feature Interoperability

MACsec with Ether Channel (Link bundling) is not supported

MACsec with TrustSec (SGT inline transport over Ethernet) config is not supported

Page 105

Best Practices

1. Ensure basic Layer 2 connectivity is established before enabling MACsec

2. Ensure out-of-band connectivity exists to the remote site to avoid locking yourself out

3. Use access control “should-secure” only during migration or when a mix of secured and unsecured traffic is expected

4. Configure WAN interface MTU, adjusting for MACsec overhead, ~32 bytes

Page 106

Key Takeaways

Underlying Transport determines Encryption choices

MACsec provides better protection with Less Overhead

Linerate performance 1G/10G/40G/100G etc…

LAN MACsec – Available on most products

WAN MACsec - First in the Industry

Next Gen encryption technology

Ease of Config & Use

Page 107

References

Page 108

LAN MACsec Supported Platforms

Platform: EAP/SAP/128, PSK/SAP/128

Nexus 7000 M1 line-cards: Yes

Nexus 7000 M2 line-cards: Yes

Catalyst 6500/6800 (Sup-2T/6900 Series line-cards): Yes

Catalyst 4500-X: Yes

Catalyst 4500-E (Sup-7E & 8E): Yes

Catalyst 3560-X/3750-X: Yes

Catalyst 5760/3850/3650: Yes

C3KX-SM-10G Module for Catalyst 3KX: Yes

SM-X Layer 2/3 EtherSwitch Module for ISR: Yes

Page 109

WAN MACsec Supported Platforms

Platform: PSK/MKA 128/256

ASR 1001-X: Yes

2-Port Gigabit Ethernet WAN NIM (NIM-2GE-CU-SFP) for ISR4xxx Series: Yes

Page 110

References

Cisco TrustSec 3.0 How-To Guide: Introduction to MACSec and NDAC

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/how_to_intro_macsec_ndac_guide.pdf

Configuring MACsec Encryption

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf

MACSEC and MKA Configuration Guide, Cisco IOS XE Release 3S

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-3s/macsec-xe-3s-book.html

Other relevant session:

BRKRST-2309

Introduction to WAN MACSec - Aligning Encryption Technologies with WAN Transport

Page 111

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

• Your favorite speaker’s Twitter handle @Kuralvanan

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could Be a Winner

Page 112

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Page 113

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

Page 114

Thank you

Page 115

Page 116

MACsec CLI Behavior & Restrictions

“macsec dot1q-in-clear” and “macsec access-control must-secure/should-secure” can only be configured on the main interface, and the setting is automatically inherited by the sub-interfaces. Due to a hardware restriction this behavior cannot be changed.

“mka policy”, “macsec replay-protection-window” and “eapol destination-address” can be configured on the main and/or sub-interface, and the value is automatically inherited by the sub-interfaces when configured on the main interface. Explicit configuration on a sub-interface overrides the inherited value or policy for that sub-interface.

Note

“macsec access-control must-secure/should-secure” controls how unencrypted packets are processed:

- “should-secure” allows unencrypted packets to be transmitted and received on the main interface or sub-interfaces.

- “must-secure” does not allow unencrypted packets to be transmitted or received on the main interface or sub-interfaces; such packets are dropped.

- If MACsec and non-MACsec sub-interfaces coexist, “should-secure” must be configured.
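As an added example (not Cisco code), the Python below models the inheritance rules just described, the mixed MACsec/non-MACsec rule, the "should-secure only during migration" best practice, and the value ranges from the configurable MKA policy table, so that a planned configuration can be linted before it is pushed. The sample data is modelled on the hub-side Gi0/0/4 configuration in the mixed E-LINE/E-LAN example, with a hypothetical unencrypted .3 sub-interface added; the dictionary key names are assumptions.

```python
# Added example, not Cisco code: models the inheritance rules on this slide and the
# value ranges from the configurable-CLI table, so a planned config can be linted offline.
MAIN_ONLY = {"dot1q_in_clear", "access_control"}            # main interface only, inherited
OVERRIDABLE = {"mka_policy", "replay_window", "eapol_dst"}   # inherited unless set on the sub-interface
DEFAULTS = {"access_control": "must-secure", "dot1q_in_clear": 0, "replay_window": 64}

def effective_config(main, subifs):
    """Settings each sub-interface actually runs with under the inheritance rules."""
    result = {}
    for name, sub in subifs.items():
        illegal = MAIN_ONLY & set(sub)
        if illegal:
            raise ValueError(f"{name}: {sorted(illegal)} can only be set on the main interface")
        eff = {**DEFAULTS, **main}
        eff.update({k: v for k, v in sub.items() if k in OVERRIDABLE})
        result[name] = eff
    return result

def lint(main, subifs, policies):
    """Flag access-control mistakes and out-of-range MKA policy values."""
    findings = []
    eff = effective_config(main, subifs)
    secured = [n for n, s in subifs.items() if s.get("macsec")]
    ac = main.get("access_control", DEFAULTS["access_control"])
    if 0 < len(secured) < len(subifs) and ac != "should-secure":
        findings.append("MACsec and non-MACsec sub-interfaces coexist: access-control should-secure is required")
    if secured and len(secured) == len(subifs) and ac == "should-secure":
        findings.append("every sub-interface runs MACsec: should-secure still accepts cleartext, use must-secure")
    for name in secured:
        pol = policies.get(eff[name].get("mka_policy"), {})   # None -> default MKA policy
        if not 0 <= pol.get("key_server_priority", 0) <= 64:
            findings.append(f"{name}: key-server priority must be 0-64")
        if pol.get("confidentiality_offset", 0) not in (0, 30, 50):
            findings.append(f"{name}: confidentiality-offset must be 0, 30 or 50")
        if pol.get("cipher", "gcm-aes-128") not in ("gcm-aes-128", "gcm-aes-256"):
            findings.append(f"{name}: macsec-cipher-suite must be gcm-aes-128 or gcm-aes-256")
    return findings

# Constructed sample modelled on the hub-side config on the slide (Gi0/0/4 with .1 and .2),
# plus a hypothetical unencrypted .3 sub-interface to exercise the mixed case.
HUB_MAIN = {"dot1q_in_clear": 1}
HUB_SUBIFS = {
    "Gi0/0/4.1": {"macsec": True, "vlan": 10, "key_chain": "k1"},
    "Gi0/0/4.2": {"macsec": True, "vlan": 20, "key_chain": "k2", "mka_policy": "p1"},
    "Gi0/0/4.3": {"macsec": False, "vlan": 30},
}
POLICIES = {"p1": {"cipher": "gcm-aes-256", "key_server_priority": 0, "confidentiality_offset": 0}}
```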
