Example for Configuring Point-to-Point MACsec
Networking Requirements
In Figure 12-4, SwitchA and SwitchB are directly connected. The two switches exchange sensitive data, which needs to be protected.
Configuration Roadmap
To ensure successful MKA session negotiation between two switches, configure the same MACsec parameters on both ends. The configuration roadmap is as follows:
- Configure key server priorities for the switches. A lower value means a higher priority, and the switch with the higher priority is elected key server and generates and distributes the SAK. In this example, SwitchA is given the higher priority.
- Set the CKN and CAK to f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced and ab2145369adcadef69512347adceb210 respectively.
- Set the MACsec mode to normal, indicating that both encryption and integrity check are enabled.
If SwitchC, SwitchD, and SwitchE are deployed between SwitchA and SwitchB, Layer 2 protocol transparent transmission needs to be enabled on SwitchC and SwitchD so that SwitchA and SwitchB can negotiate the MACsec session through EAPOL (MKA) packets. These packets are sent to the reserved destination MAC address 0180-c200-0003, which a standard bridge does not forward, so the intermediate switches must tunnel them. Using Huawei switches as an example, configure transparent transmission of EAPOL packets on the intermediate switches directly connected to SwitchA and SwitchB.
- On SwitchC and SwitchD, run the l2protocol-tunnel user-defined-protocol test1 protocol-mac 0180-c200-0003 group-mac 0100-0008-0008 command in the system view to define a user-defined Layer 2 protocol for EAPOL packets. In this command, 0180-c200-0003 is the destination MAC address of EAPOL packets and 0100-0008-0008 is the group MAC address that replaces it while the packet transits the intermediate network. SwitchE only forwards the rewritten frames as ordinary multicast traffic, so this configuration is not required on SwitchE.
- On SwitchC's interface connected to SwitchA and SwitchD's interface connected to SwitchB, run the l2protocol-tunnel user-defined-protocol test1 enable command to enable Layer 2 protocol transparent transmission.
Procedure
- Configure SwitchA.
# Enable MACsec.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface 100ge 1/0/1
[~SwitchA-100GE1/0/1] mka enable
[*SwitchA-100GE1/0/1] commit
# Set the priority of SwitchA to 1, the CKN to f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced, the CAK to ab2145369adcadef69512347adceb210, and the MACsec cipher suite to GCM-AES-XPN-128 (extended packet numbering uses 64-bit packet numbers, so the SAK does not need to be rekeyed as often on a 100GE link).
[~SwitchA-100GE1/0/1] mka keyserver priority 1
[*SwitchA-100GE1/0/1] mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak ab2145369adcadef69512347adceb210
[*SwitchA-100GE1/0/1] macsec cipher-suite gcm-aes-xpn-128
[*SwitchA-100GE1/0/1] quit
[*SwitchA] commit
- Configure SwitchB.
# Enable MACsec.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] interface 100ge 1/0/1
[~SwitchB-100GE1/0/1] mka enable
[*SwitchB-100GE1/0/1] commit
# Set the priority of SwitchB to 2, the CKN to f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced, the CAK to ab2145369adcadef69512347adceb210, and the same MACsec cipher suite as SwitchA, GCM-AES-XPN-128. The CKN, CAK, and cipher suite must be identical on both ends, otherwise MKA negotiation fails.
[~SwitchB-100GE1/0/1] mka keyserver priority 2
[*SwitchB-100GE1/0/1] mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak ab2145369adcadef69512347adceb210
[*SwitchB-100GE1/0/1] macsec cipher-suite gcm-aes-xpn-128
[*SwitchB-100GE1/0/1] quit
[*SwitchB] commit
- Set the MACsec mode to normal.
# Set the MACsec mode on SwitchA to normal.
[~SwitchA] interface 100ge 1/0/1
[~SwitchA-100GE1/0/1] macsec mode normal
[*SwitchA-100GE1/0/1] quit
[*SwitchA] commit
# Set the MACsec mode on SwitchB to normal.
[~SwitchB] interface 100ge 1/0/1
[~SwitchB-100GE1/0/1] macsec mode normal
[*SwitchB-100GE1/0/1] quit
[*SwitchB] commit
- Verify the configuration.
# Run the display mka command on SwitchA.
[~SwitchA] display mka interface 100ge 1/0/1
Interface 100GE1/0/1:
  MKA transmit interval time(s)          : 2
  MKA life time(s)                       : 6
  SAK life time(s)                       : 3600
  MACsec capability                      : 3
  MACsec mode                            : Normal    //MACsec mode is normal.
  MACsec frame validation                : Strict
  MACsec replay protection               : YES
  MACsec replay-window(frame(s))         : 0
  MACsec confidentiality-offset(byte(s)) : 0
  MACsec include SCI                     : YES
  MKA cipher suite                       : AES-CMAC-128
  MACsec cipher suite                    : GCM-AES-XPN-128
  Key server priority                    : 1
  Transmit SCI                           : 3400A7DDB28110A2
  CKN                                    : F1C3B2A4D6D9A7C5B4E1AB56DC21ED79AC97BE533671DCAB2678AC55CF71ACED
  MKA status                             : SUCCEEDED //MKA negotiation is successful.
  MI                                     : 90F4F9A6F5E6DA852E96587F
  MN                                     : 20775
  Key server                             : YES
  Principal actor                        : YES
  Live peers                             : 1
  Potential peers                        : 0
  Latest SAK status                      : Rx & Tx
  Latest SAK AN                          : 3
  Latest SAK KI                          : E1E9DDE6DC520ED64BCE3F8B
  Latest SAK KN                          : 12
  Old SAK status                         : N/A
  Old SAK AN                             : N/A
  Old SAK KI                             : N/A
  Old SAK KN                             : N/A
  Transmit SSCI                          : 1
  Live peers list :
    MI                        MN      Priority  Capability  Rx-SCI            SSCI
    E1E9DDE6DC520ED64BCE3F8B  20760   2         3           2017091251504931  2
  Potential peers list :
    MI                        MN      Priority  Capability  Rx-SCI            SSCI
    --                        --      --        --          --                --
  MKA statistics:
    Rx MKA packets    : 21046
    Tx MKA packets    : 21578
    Drop MKA packets  : 6
    Wrong CKN num     : 0
    Wrong ICV num     : 0
    SAK install times : 18
    SAK delete times  : 17
    SAK swap times    : 12
    Latest SAK reason : Configure MACsec mode
The MKA status is SUCCEEDED, SwitchA is the key server (Key server : YES, which follows from its priority of 1 against the peer's priority of 2 in the live peers list), and the MACsec mode is Normal. The output also shows the settings that make the session strict: MACsec frame validation is Strict, replay protection is enabled with a replay window of 0, and the MACsec cipher suite is GCM-AES-XPN-128, matching the configuration. Wrong CKN num and Wrong ICV num are both 0; a non-zero value there points at a CKN/CAK mismatch between the two ends.
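To show what the configuration above actually puts on the wire, the following added Python example (not Huawei code and not device output) builds the MKA Basic Parameter Set that each switch advertises in its EAPOL-MKA frames, using the CKN, key server priorities, MIs, MNs, and SCIs shown on this page. It then checks the peer's CKN the way the Wrong CKN num counter does, runs the key server election (lowest priority value wins, ties go to the lowest SCI), and models the destination-MAC swap that l2protocol-tunnel performs at SwitchC and SwitchD. The EAPOL version number and the swap model are assumptions, and the ICV that ends a real MKPDU is omitted; a real switch would drop such a frame and count it under Wrong ICV num.

```python
"""Constructed EAPOL-MKA frames for the SwitchA/SwitchB example (added illustration,
not Huawei code or device output). The ICV that ends a real MKPDU is omitted."""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # EAPOL destination MAC (page: 0180-c200-0003)
TUNNEL_GROUP_MAC = bytes.fromhex("010000080008")  # l2protocol-tunnel group MAC (page: 0100-0008-0008)
ETHERTYPE_EAPOL = 0x888E                          # IEEE 802.1X EAPOL
EAPOL_TYPE_MKA = 5                                # EAPOL packet type for MKA
ALGORITHM_AGILITY = bytes.fromhex("0080C201")     # default MKA algorithm agility (IEEE 802.1X-2010)

# Values taken from the page's configuration and "display mka" output.
CONFIGURED_CKN = bytes.fromhex("f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced")
SWITCH_A = dict(sci=bytes.fromhex("3400A7DDB28110A2"), mi=bytes.fromhex("90F4F9A6F5E6DA852E96587F"),
                mn=20775, priority=1)
SWITCH_B = dict(sci=bytes.fromhex("2017091251504931"), mi=bytes.fromhex("E1E9DDE6DC520ED64BCE3F8B"),
                mn=20760, priority=2)


def build_mkpdu(sci, mi, mn, priority, ckn=CONFIGURED_CKN, key_server=False, capability=3):
    """Ethernet + EAPOL header + MKA Basic Parameter Set (IEEE 802.1X-2010, 11.11.3).
    capability 3 = integrity and confidentiality with confidentiality offset, as on the page."""
    body_len = 8 + 12 + 4 + 4 + len(ckn)           # SCI + MI + MN + algorithm agility + CKN
    flags = (int(key_server) << 7) | (1 << 6) | (capability << 4) | (body_len >> 8)  # bit 6: MACsec desired
    bps = (bytes([1, priority, flags, body_len & 0xFF])  # MKA version 1, key server priority
           + sci + mi + struct.pack(">I", mn) + ALGORITHM_AGILITY + ckn)
    bps += b"\x00" * ((-len(ckn)) % 4)              # pad to 4 octets (a 32-byte CKN needs none)
    eapol = bytes([3, EAPOL_TYPE_MKA]) + struct.pack(">H", len(bps))  # EAPOL v3 (assumed), type, length
    return PAE_GROUP_MAC + sci[:6] + struct.pack(">H", ETHERTYPE_EAPOL) + eapol + bps


def parse_mkpdu(frame):
    """Decode the Basic Parameter Set; raises ValueError for anything that is not EAPOL-MKA."""
    if frame[:6] != PAE_GROUP_MAC or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame to the PAE group address")
    if frame[15] != EAPOL_TYPE_MKA:
        raise ValueError("EAPOL packet type %d is not MKA" % frame[15])
    (plen,) = struct.unpack(">H", frame[16:18])
    bps = frame[18:18 + plen]
    if bps[0] != 1:
        raise ValueError("unexpected MKA version %d" % bps[0])
    flags = bps[2]
    body_len = ((flags & 0x0F) << 8) | bps[3]
    return {
        "priority": bps[1],
        "key_server": bool(flags & 0x80),
        "macsec_desired": bool(flags & 0x40),
        "capability": (flags >> 4) & 0x03,
        "sci": bps[4:12],
        "mi": bps[12:24],
        "mn": struct.unpack(">I", bps[24:28])[0],
        "ckn": bps[32:4 + body_len],
    }


def ckn_matches(peer, configured=CONFIGURED_CKN):
    """A peer whose CKN differs never becomes live; the switch counts it under Wrong CKN num."""
    return peer["ckn"] == configured


def elect_key_server(participants):
    """IEEE 802.1X-2010 9.5: lowest priority value wins, ties go to the lowest SCI, 255 is ineligible."""
    eligible = [p for p in participants if p["priority"] != 255]
    if not eligible:
        return None
    return min(eligible, key=lambda p: (p["priority"], p["sci"]))["sci"]


def tunnel_rewrite(frame, ingress):
    """Model of l2protocol-tunnel at the SwitchC/SwitchD edge ports (assumption: a destination-MAC
    swap). On ingress the PAE group MAC becomes the configured group MAC so SwitchE forwards the
    frame as ordinary multicast; on egress toward the MACsec peer it is restored."""
    old, new = (PAE_GROUP_MAC, TUNNEL_GROUP_MAC) if ingress else (TUNNEL_GROUP_MAC, PAE_GROUP_MAC)
    if frame[:6] != old:
        raise ValueError("unexpected destination MAC %s" % frame[:6].hex())
    return new + frame[6:]


def run_example():
    """SwitchA's view: its own frame plus SwitchB's frame after SwitchD -> SwitchE -> SwitchC."""
    frame_a = build_mkpdu(key_server=True, **SWITCH_A)
    frame_b = build_mkpdu(**SWITCH_B)
    seen_by_a = tunnel_rewrite(tunnel_rewrite(frame_b, ingress=True), ingress=False)
    peer = parse_mkpdu(seen_by_a)
    return {
        "peer_ckn_ok": ckn_matches(peer),
        "key_server": elect_key_server([parse_mkpdu(frame_a), peer]),
        "peer_priority": peer["priority"],
        "frame_len": len(frame_a),
    }


if __name__ == "__main__":
    print(run_example())
```

Running the module prints SwitchA's SCI as the elected key server, matching the Key server : YES line in the display output above; giving both switches the same priority would instead hand the role to whichever side has the numerically lower SCI, which is why the roadmap configures distinct priorities.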
Configuration Files
SwitchA configuration file (the CAK is stored and displayed in ciphertext; the plaintext CAK never appears in the configuration file)
#
sysname SwitchA
#
interface 100GE1/0/1
 mka enable
 mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak %^%#&gqJ1f*uV0vqB$ZT5hr#qwL/;Cd/`OmO<m2+hh1A1&w{)jh1"'poiXB\UAn9%^%#
 macsec mode normal
 mka keyserver priority 1
#
return
SwitchB configuration file
#
sysname SwitchB
#
interface 100GE1/0/1
 mka enable
 mka cak-mode static ckn f1c3b2a4d6d9a7c5b4e1ab56dc21ed79ac97be533671dcab2678ac55cf71aced cak %^%#W5_!'~9]i>47d&X^Vro#S!z<4s+/N5\Ek*#27i_Wz-U3/"3tJM1.6++,nP+Z%^%#
 macsec mode normal
 mka keyserver priority 2
#
return