Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Configuring Point-to-Point MACsec

Networking Requirements

In Figure 12-4, SwitchA and SwitchB are directly connected. The two switches exchange sensitive data, which needs to be protected.

Figure 12-4 Point-to-point MACsec

Configuration Roadmap

To ensure successful MKA session negotiation between two switches, configure the same MACsec parameters on both ends. The configuration roadmap is as follows:

  1. Configure priorities for switches. In this example, a higher priority is configured for SwitchA.
  2. Set the CKN and CAK to f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced and ab2145369adcadef69512347adceb210 respectively.
  3. Set the MACsec mode to normal, indicating that both encryption and integrity check are enabled.


If SwitchC, SwitchD, and SwitchE are deployed between SwitchA and SwitchB, Layer 2 protocol transparent transmission needs to be enabled on SwitchC and SwitchD, so that SwitchA and SwitchB can perform MACsec session negotiation through EAP packets. Using Huawei switches as an example, you need to configure transparent transmission of EAP packets on the intermediate switches connected to SwitchA and SwitchB.
  1. On SwitchC and SwitchD, run the l2protocol-tunnel user-defined-protocol test1 protocol-mac 0180-c200-0003 group-mac 0100-0008-0008 command in the system view to define Layer 2 transparent transmission of EAP packets. In this command, 0180-c200-0003 is the destination MAC address of EAP packets. This configuration is not required on SwitchE.
  2. On SwitchC's interface connected to SwitchA and SwitchD's interface connected to SwitchB, run the l2protocol-tunnel user-defined-protocol test1 enable command to enable Layer 2 protocol transparent transmission.

Procedure

  1. Configure SwitchA.

    # Enable MACsec.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] interface 100ge 1/0/1
    [~SwitchA-100GE1/0/1] mka enable
    [*SwitchA-100GE1/0/1] commit

    # Set the priority of SwitchA to 1, CKN to f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced, and CAK to ab2145369adcadef69512347adceb210.

    [~SwitchA-100GE1/0/1] mka keyserver priority 1
    [*SwitchA-100GE1/0/1] mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak ab2145369adcadef69512347adceb210
    [*SwitchA-100GE1/0/1] macsec cipher-suite gcm-aes-xpn-128
    [*SwitchA-100GE1/0/1] quit
    [*SwitchA] commit

  2. Configure SwitchB.

    # Enable MACsec.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] interface 100ge 1/0/1
    [~SwitchB-100GE1/0/1] mka enable
    [*SwitchB-100GE1/0/1] commit

    # Set the priority of SwitchB to 2, CKN to f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced, and CAK to ab2145369adcadef69512347adceb210.

    [~SwitchB-100GE1/0/1] mka keyserver priority 2
    [*SwitchB-100GE1/0/1] mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak ab2145369adcadef69512347adceb210
    [*SwitchB-100GE1/0/1] macsec cipher-suite gcm-aes-xpn-128
    [*SwitchB-100GE1/0/1] quit
    [*SwitchB] commit

  3. Set the MACsec mode to normal.

    # Set the MACsec mode on SwitchA to normal.

    [~SwitchA] interface 100ge 1/0/1
    [~SwitchA-100GE1/0/1] macsec mode normal
    [*SwitchA-100GE1/0/1] quit
    [*SwitchA] commit

    # Set the MACsec mode on SwitchB to normal.

    [~SwitchB] interface 100ge 1/0/1
    [~SwitchB-100GE1/0/1] macsec mode normal
    [*SwitchB-100GE1/0/1] quit
    [*SwitchB] commit

  4. Verify the configuration.

    # Run the display mka command on SwitchA.

    [~SwitchA] display mka interface 100ge 1/0/1
    Interface 100GE1/0/1:
      MKA transmit interval time(s)          : 2
      MKA life time(s)                       : 6
      SAK life time(s)                       : 3600
      MACsec capability                      : 3
      MACsec mode                            : Normal  //MACsec mode is normal.
      MACsec frame validation                : Strict
      MACsec replay protection               : YES
      MACsec replay-window(frame(s))         : 0
      MACsec confidentiality-offset(byte(s)) : 0
      MACsec include SCI                     : YES
      MKA cipher suite                       : AES-CMAC-128
      MACsec cipher suite                    : GCM-AES-XPN-128
      Key server priority                    : 1
      Transmit SCI                           : 3400A7DDB28110A2
        CKN: F1C3B2A4D6D9A7C5B4E1AB56DC21ED79AC97BE533671DCAB2678AC55CF71ACED
          MKA status            : SUCCEEDED  //MKA negotiation is successful.
          MI                    : 90F4F9A6F5E6DA852E96587F
          MN                    : 20775
          Key server            : YES
          Principal actor       : YES
          Live peers            : 1
          Potential peers       : 0
          Latest SAK status     : Rx & Tx
          Latest SAK AN         : 3
          Latest SAK KI         : E1E9DDE6DC520ED64BCE3F8B
          Latest SAK KN         : 12
          Old SAK status        : N/A
          Old SAK AN            : N/A
          Old SAK KI            : N/A
          Old SAK KN            : N/A
          Transmit SSCI         : 1
          Live peers list :
          MI                            MN        Priority       Capability     Rx-SCI               SSCI
          E1E9DDE6DC520ED64BCE3F8B      20760     2              3              2017091251504931     2
          Potential peers list :
          MI                            MN        Priority       Capability     Rx-SCI               SSCI
          --                            --        --             --             --                   --
        MKA statistics:
          Rx MKA packets       : 21046
          Tx MKA packets       : 21578
          Drop MKA packets     : 6
          Wrong CKN num        : 0
          Wrong ICV num        : 0
          SAK install times    : 18
          SAK delete times     : 17
          SAK swap times       : 12
          Latest SAK reason    : Configure MACsec mode


    The MKA status is SUCCEEDED, so the two switches negotiated a session, and the MACsec mode is Normal, so frames on the link are both encrypted and integrity-checked.
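    To automate this verification step, the following Python script (an added example, not part of the Huawei document) parses the display mka interface output shown above and checks the settings the configuration roadmap asked for: MKA status SUCCEEDED, mode Normal, the expected CKN, at least one live peer, and zero Wrong CKN/ICV counters. The sample output is a constructed, abridged copy of the page's output; field names and the check list are assumptions.

```python
import re

# Constructed sample: an abridged copy of the "display mka interface" output
# from this page, keeping the inline "//" remarks to show they are stripped.
SAMPLE_OUTPUT = """\
Interface 100GE1/0/1:
  MACsec mode                            : Normal  //MACsec mode is normal.
  MACsec frame validation                : Strict
  MACsec replay protection               : YES
  MACsec cipher suite                    : GCM-AES-XPN-128
  Key server priority                    : 1
    CKN: F1C3B2A4D6D9A7C5B4E1AB56DC21ED79AC97BE533671DCAB2678AC55CF71ACED
      MKA status            : SUCCEEDED  //MKA negotiation is successful.
      Live peers            : 1
      Potential peers       : 0
    MKA statistics:
      Wrong CKN num        : 0
      Wrong ICV num        : 0
"""

# "key : value" with an optional trailing "//remark"; headings with no value are skipped.
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*(//.*)?$")


def parse_display_mka(text):
    """Return the 'key : value' lines as a dict; table rows and remarks are dropped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group("value"):
            fields[m.group("key")] = m.group("value")
    return fields


def check_macsec_session(fields, expected_ckn):
    """Return a list of findings; an empty list means the session matches the roadmap."""
    findings = []
    if fields.get("MKA status") != "SUCCEEDED":
        findings.append("MKA negotiation has not succeeded")
    if fields.get("MACsec mode") != "Normal":
        findings.append("MACsec mode is not normal (encryption + integrity check)")
    if fields.get("MACsec frame validation") != "Strict":
        findings.append("frame validation is not strict")
    if fields.get("MACsec replay protection") != "YES":
        findings.append("replay protection is disabled")
    if fields.get("CKN", "").upper() != expected_ckn.upper():
        findings.append("CKN differs from the configured value")
    if int(fields.get("Live peers", "0")) < 1:
        findings.append("no live MKA peer on the interface")
    for counter in ("Wrong CKN num", "Wrong ICV num"):
        if fields.get(counter, "0") != "0":
            findings.append(f"{counter} is non-zero: {fields[counter]}")
    return findings
```

A non-zero Wrong ICV or Wrong CKN counter, or a status other than SUCCEEDED, is the first thing to look at when the link stays unprotected after this procedure.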

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    interface 100GE1/0/1
     mka enable
     mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak %^%#&gqJ1f*uV0vqB$ZT5hr#qwL/;Cd/`OmO<m2+hh1A1&w{)jh1"'poiXB\UAn9%^%#
     macsec mode normal
     mka keyserver priority 1
    #
    return

  • SwitchB configuration file

    #
    sysname SwitchB
    #
    interface 100GE1/0/1
     mka enable
     mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak %^%#W5_!'~9]i>47d&X^Vro#S!z<4s+/N5\Ek*#27i_Wz-U3/"3tJM1.6++,nP+Z%^%#
     macsec mode normal
     mka keyserver priority 2
    #
    return
Updated: 2019-04-20

Document ID: EDOC1100074765
