簡介
本檔案介紹在Cisco Catalyst 8500平台上使用子介面設定WAN媒體存取控制安全(MACsec)的流程。
必要條件
需求
思科建議您瞭解以下主題:
- 高級網路概念,包括WAN、VLAN和加密
- 瞭解MACsec(IEEE 802.1AE)和金鑰管理(IEEE 802.1X-2010)
- 熟悉Cisco IOS® XE命令行介面(CLI)
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Cisco Catalyst 8500系列邊緣平台
- Cisco IOS XE版本17.14.01a
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
WAN MACsec是一種安全解決方案,旨在利用MACsec的功能保護WAN網路上的網路流量。當使用服務提供商網路交換資料時,對傳輸中的資料加密以防止篡改非常重要。WAN MACsec易於部署和管理,非常適合需要保護其網路流量免受資料操縱(如竊聽和中間人攻擊)的組織。它提供無縫的線速加密,確保資料在穿越各種網路基礎設施(包括服務提供商網路、雲環境和企業網路)時保持安全且不受影響。
WAN MACsec解決方案
為了共用一些歷史記錄,由IEEE 802.1AE標準定義的MACsec通過確保乙太網幀的資料機密性、完整性和源真實性來提供乙太網路上的安全通訊。MACsec運行在開放系統互聯(OSI)模型的資料鏈路層(第2層),對乙太網幀進行加密和身份驗證,以確保節點之間的通訊安全。MACsec最初是為LAN設計的,現在也發展為支援WAN部署。它提供線速加密,確保最小延遲和開銷,這對於高速網路至關重要。
IEEE 802.1X-2010是對原始IEEE 802.1X標準的修訂,其中定義了基於埠的網路訪問控制。2010年修訂版引入了MACsec金鑰協定(MKA)協定,該協定對於管理MACsec實施中的加密金鑰至關重要。MKA處理MACsec用來加密和解密資料的加密金鑰的分發和管理。MKA是一項標準,有助於實現MACsec部署的多供應商互操作性,支援安全金鑰交換和金鑰重新生成機制,這對於在動態廣域網環境中保持持續的安全至關重要。
在WAN MACsec部署中,IEEE 802.1AE(MACsec)在資料鏈路層提供基本的加密和安全機制,確保所有乙太網幀在網路中傳輸時都受到保護。採用MKA協定的IEEE 802.1X-2010負責分發和管理MACsec正常運行所需的加密金鑰。這些標準共同確保WAN MACsec能夠在廣域網中提供穩健的高速加密,為傳輸中的資料提供全面保護,同時保持互操作性和易管理性。
為了解決WAN環境的獨特挑戰,對傳統MACsec部署進行了一些增強:
- 清除中的802.1Q標籤:此功能允許將802.1Q VLAN標籤暴露在加密的MACsec報頭之外,從而方便了更靈活的網路設計,尤其是在公共乙太網傳輸環境中。此功能對於將MACsec與運營商級乙太網服務整合至關重要,因為它允許加密流量和非加密流量在同一網路上共存,從而簡化網路架構並降低成本。
- 在公共運營商乙太網上的適應性:現代的WAN MACsec實施可以適應公共運營商的乙太網服務。這種適應性包括修改LAN乙太網路驗證通訊協定(EAPoL)目的地位址和EtherType,從而允許MACsec在電信級乙太網路上無縫運作,否則這些訊框可能會耗用或封鎖。
WAN MACsec代表了乙太網加密的巨大進步,可滿足對高速、安全的WAN連線日益增長的需求。它能夠提供線速加密、支援靈活的網路設計,以及對公共運營商服務的適應性,使其成為現代網路安全架構的關鍵元件。通過利用WAN MACsec,組織可以為其高速WAN鏈路實現強大的安全性,同時簡化網路架構並降低運營複雜性。
設定
網路圖表
WAN MACsec拓撲
組態
步驟 1:基本裝置配置
要啟動配置,首先需要定義將用於流量分段和連線到服務提供商的子介面。在此場景中,為與子網172.16.1.0/24關聯的VLAN 100和與子網172.16.2.0/24關聯的VLAN 200定義了兩個子介面(以後只有一個子介面將配置為MACsec)。
| CE 8500-1 |
CE 8500-2 |
interface FortyGigabitEthernet0/2/4.100
encapsulation dot1Q 100
ip address 172.16.1.1 255.255.255.0
!
interface FortyGigabitEthernet0/2/4.200
encapsulation dot1Q 200
ip address 172.16.2.1 255.255.255.0
|
interface FortyGigabitEthernet0/2/0.100
encapsulation dot1Q 100
ip address 172.16.1.2 255.255.255.0
!
interface FortyGigabitEthernet0/2/0.200
encapsulation dot1Q 200
ip address 172.16.2.2 255.255.255.0
|
步驟 2:配置MACsec金鑰鏈
請記住,IEEE 802.1X-2010標準指定MACsec加密金鑰可以衍生自預共用金鑰(PSK)、由802.1X可擴展身份驗證協定(EAP),或者由MKA金鑰伺服器選擇和分發。在本例中,PSK是通過MACsec金鑰鏈使用和手動配置的,這些金鑰等於連線關聯金鑰(CAK),該金鑰是用於派生MACsec中使用的所有其他加密金鑰的主金鑰。
| CE 8500-1 |
CE 8500-2 |
8500-1#configure terminal
8500-1(config)#key chain keychain_vlan100 macsec
8500-1(config-keychain-macsec)#key 01
8500-1(config-keychain-macsec-key)#cryptographic-algorithm aes-256-cmac
8500-1(config-keychain-macsec-key)#key-string a5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e1
8500-1(config-keychain-macsec-key)#lifetime 00:00:00 Jun 1 2024 duration 864000
8500-1(config-keychain-macsec-key)#key 02
8500-1(config-keychain-macsec-key)#cryptographic-algorithm aes-256-cmac
8500-1(config-keychain-macsec-key)#key-string b5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e2
8500-1(config-keychain-macsec-key)#lifetime 23:00:00 Jun 1 2024 infinite
8500-1(config-keychain-macsec-key)#exit
8500-1(config-keychain-macsec)#exit
|
8500-2#configure terminal
8500-2(config)#key chain keychain_vlan100 macsec
8500-2(config-keychain-macsec)#key 01
8500-2(config-keychain-macsec-key)#cryptographic-algorithm aes-256-cmac
8500-2(config-keychain-macsec-key)#key-string a5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e1
8500-2(config-keychain-macsec-key)#lifetime 00:00:00 Jun 1 2024 duration 864000
8500-2(config-keychain-macsec-key)#key 02
8500-2(config-keychain-macsec-key)#cryptographic-algorithm aes-256-cmac
8500-2(config-keychain-macsec-key)#key-string b5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e2
8500-2(config-keychain-macsec-key)#lifetime 23:00:00 Jun 1 2024 infinite
8500-2(config-keychain-macsec-key)#exit
8500-2(config-keychain-macsec)#exit
|
附註:配置MACsec金鑰鏈時,請記住key-string必須僅由十六進位制數字組成,aes-128-cmac加密演算法需要32個十六進位制數字的金鑰,而aes-256-cmac加密演算法需要64個十六進位制數字的金鑰。
附註:請記住,當使用多個金鑰時,在指定的金鑰有效期到期後,需要它們之間的重疊時間段來實現無中斷金鑰滾動更新。
警告:必須確保兩台路由器的時鐘同步;因此,強烈建議使用網路時間協定(NTP)。如果不這樣做,則可能阻止建立MKA會話或導致其將來失敗。
步驟 3:配置MKA策略
雖然預設MKA策略對於初始設定和簡單網路非常有用,但通常建議為WAN MACsec配置自定義MKA策略,以滿足特定的安全性、合規性和效能要求。自定義策略提供更大的靈活性和控制力,確保您的網路安全功能強大且可以根據您的需求進行定製。
配置MKA策略時,可以選擇不同的元素,例如金鑰伺服器優先順序、MACsec金鑰協定資料包資料單元(MKPDU)的延遲保護、密碼套件等。在此平台和軟體版本中,可以使用下一個密碼:
| MACsec密碼 |
說明 |
| gcm-aes-128 |
使用128位金鑰的進階加密標準(AES)的伽羅瓦/計數器模式(GCM) |
| gcm-aes-256 |
使用256位金鑰的AES的伽羅瓦/計數器模式(GCM)(更高的加密強度) |
| gcm-aes-xpn-128 |
使用128位金鑰和擴充封包編號(XPN)的AES的伽羅華/計數器模式(GCM) |
| gcm-aes-xpn-256 |
使用256位金鑰和XPN(更高加密強度)的AES的伽羅瓦/計數器模式(GCM) |
附註:XPN通過支援更長的資料包編號來增強GCM-AES密碼,這提高了長時間會話或高吞吐量環境的安全性。使用高速鏈路(例如40 Gb/s或100 Gb/s)可能導致非常短的金鑰滾動時間,因為MACsec幀內的資料包編號(PN)(通常基於傳送的資料包數量)可能在這些速度下很快耗盡。XPN可擴充封包編號順序,並消除在高容量連結中經常發生的安全關聯金鑰(SAK)重新金鑰的需要。
在本示例中,為MKA策略選擇的密碼是gcm-aes-xpn-256,其他元素將具有預設值:
| CE 8500-1 |
CE 8500-2 |
8500-1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
8500-1(config)#mka policy subint100
8500-1(config-mka-policy)#macsec-cipher-suite gcm-aes-xpn-256
8500-1(config-mka-policy)#end
|
8500-2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
8500-2(config)#mka policy subint100
8500-2(config-mka-policy)#macsec-cipher-suite gcm-aes-xpn-256
8500-2(config-mka-policy)#end
|
步驟 4:在介面和子介面級別配置MACsec
在此案例中,即使沒有使用IP地址配置物理介面,也必須在此級別應用一些macsec命令才能使解決方案正常工作。MACsec策略和金鑰鏈在子介面級別應用(請參閱配置示例):
| CE 8500-1 |
CE 8500-2 |
8500-1#configure terminal
8500-1(config)#interface FortyGigabitEthernet0/2/4
8500-1(config-if)#mtu 9216
8500-1(config-if)#cdp enable
8500-1(config-if)#macsec dot1q-in-clear 1
8500-1(config-if)#macsec access-control should-secure
8500-1(config-if)#exit
8500-1(config)#interface FortyGigabitEthernet0/2/4.100
8500-1(config-if)#eapol destination-address broadcast-address
8500-1(config-if)#eapol eth-type 876F
8500-1(config-if)#mka policy subint100
8500-1(config-if)#mka pre-shared-key key-chain keychain_vlan100
8500-1(config-if)#macsec
8500-2(config-if)#end
|
8500-2#configure terminal
8500-2(config)#interface FortyGigabitEthernet0/2/0
8500-2(config-if)#mtu 9216
8500-2(config-if)#cdp enable
8500-2(config-if)#macsec dot1q-in-clear 1
8500-2(config-if)#macsec access-control should-secure
8500-2(config-if)#exit
8500-1(config)#interface FortyGigabitEthernet0/2/0.100
8500-2(config-if)#eapol destination-address broadcast-address
8500-2(config-if)#eapol eth-type 876F
8500-2(config-if)#mka policy subint100
8500-2(config-if)#mka pre-shared-key key-chain keychain_vlan100
8500-2(config-if)#macsec
8500-2(config-if)#end
|
在物理介面級別應用的命令
a.MTU設定為9216,因為拓撲中使用的服務提供商允許巨型幀,但這不是要求
b.macsec dot1q-in-clear命令允許選項將VLAN(dot1q)標籤設定為clear(未加密)
c.命令macsec access-control should-secure允許傳送或接收來自物理介面或子介面的未加密資料包(如果某些子介面需要加密,而另一些子介面不需要,則需要此命令,這是因為預設的MACsec行為不允許從啟用MACsec的同一物理介面傳送或接收任何未加密資料包)
在子介面級別應用的命令
a.現在,需要使用eapol destination-address broadcast-address命令將EAPoL幀(預設情況下是組播MAC地址01:80:C2:00:00:03)的目標MAC地址更改為廣播MAC地址,以確保服務提供商泛洪這些幀,並且不丟棄或使用它們。
b.還使用命令eapol eth-type 876F更改EAPoL幀的預設乙太網型別(預設值為0x888E),並將其更改為0x876F。為了防止服務提供商丟棄或使用這些幀,也需要這樣做。
c.命令mka policy <policy name>和mka pre-shared-key key-chain <key chain name>用於將自定義策略和金鑰鏈應用到子介面。
d.最後但同樣重要的是,macsec命令在子介面級別啟用MACsec。
在當前設定中,如果不更改以前的EAPoL,服務提供商端的9500交換機不會轉發EAPoL幀。
附註:子介面會繼承諸如dot1q-in-clear和should-secure之類的MACsec命令。此外,可以在物理介面級別設定EAPoL命令,在這種情況下,這些命令也會由子介面繼承。但是,子介面上的EAPoL命令的顯式配置會覆蓋該子介面的繼承值或策略。
驗證
應用配置後,下一個輸出將顯示每台客戶邊緣(CE)C8500路由器的相關運行配置(省略了某些配置):
| CE 8500-1 |
CE 8500-2 |
8500-1#show running-config
Building configuration...
Current configuration : 8792 bytes
!
!
version 17.14
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
!
hostname 8500-1
!
boot-start-marker
boot system flash bootflash:c8000aep-universalk9.17.14.01a.SPA.bin
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
key chain keychain_vlan100 macsec
key 01
cryptographic-algorithm aes-256-cmac
key-string a5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e1
lifetime 00:00:00 Jun 1 2024 duration 864000
key 02
cryptographic-algorithm aes-256-cmac
key-string b5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e2
lifetime 23:00:00 Jun 1 2024 infinite
!
!
!
!
!
!
license boot level network-premier addon dna-premier
!
!
spanning-tree extend system-id
!
mka policy subint100
macsec-cipher-suite gcm-aes-xpn-256
!
!
!
!
!
!
cdp run
!
!
!
!
interface Loopback100
ip address 192.168.100.10 255.255.255.0
!
interface Loopback200
ip address 192.168.200.10 255.255.255.0
!
!
interface FortyGigabitEthernet0/2/4
mtu 9216
no ip address
no negotiation auto
cdp enable
macsec dot1q-in-clear 1
macsec access-control should-secure
!
interface FortyGigabitEthernet0/2/4.100
encapsulation dot1Q 100
ip address 172.16.1.1 255.255.255.0
ip mtu 9184
eapol destination-address broadcast-address
eapol eth-type 876F
mka policy subint100
mka pre-shared-key key-chain keychain_vlan100
macsec
!
interface FortyGigabitEthernet0/2/4.200
encapsulation dot1Q 200
ip address 172.16.2.1 255.255.255.0
!
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.0.0 0.0.255.255
!
ip forward-protocol nd
!
!
!
control-plane
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
login
transport input ssh
!
!
!
!
!
!
end
8500-1#
|
8500-2#show running-config
Building configuration...
Current configuration : 8525 bytes
!
!
version 17.14
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
!
hostname 8500-2
!
boot-start-marker
boot system flash bootflash:c8000aep-universalk9.17.14.01a.SPA.bin
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
key chain keychain_vlan100 macsec
key 01
cryptographic-algorithm aes-256-cmac
key-string a5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e1
lifetime 00:00:00 Jun 1 2024 duration 864000
key 02
cryptographic-algorithm aes-256-cmac
key-string b5b2df4657bd8c02fcdaaf1212fe27ccc54626ad12d7c3b64c7a93e0113011e2
lifetime 23:00:00 Jun 1 2024 infinite
!
!
!
!
!
!
license boot level network-premier addon dna-premier
!
!
spanning-tree extend system-id
!
mka policy subint100
macsec-cipher-suite gcm-aes-xpn-256
!
!
!
!
!
!
cdp run
!
!
!
!
interface Loopback101
ip address 192.168.101.10 255.255.255.0
!
interface Loopback201
ip address 192.168.201.10 255.255.255.0
!
!
interface FortyGigabitEthernet0/2/0
mtu 9216
no ip address
no negotiation auto
cdp enable
macsec dot1q-in-clear 1
macsec access-control should-secure
!
interface FortyGigabitEthernet0/2/0.100
encapsulation dot1Q 100
ip address 172.16.1.2 255.255.255.0
ip mtu 9184
eapol destination-address broadcast-address
eapol eth-type 876F
mka policy subint100
mka pre-shared-key key-chain keychain_vlan100
macsec
!
interface FortyGigabitEthernet0/2/0.200
encapsulation dot1Q 200
ip address 172.16.2.2 255.255.255.0
!
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.0.0 0.0.255.255
!
ip forward-protocol nd
!
!
!
control-plane
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
login
transport input ssh
!
!
!
!
!
!
end
8500-2#
|
附註:請注意,啟用MACsec後,通過應用macsec命令,該介面的MTU會自動調整並減少32位元組,以解決MACsec開銷。
接下來,您可以找到一系列基本命令,可用來檢查和對等體之間的MACsec狀態。這些命令為您提供有關當前MACsec會話、金鑰鏈、策略和統計資訊的詳細資訊:
- show mka sessions - 此命令顯示當前MKA會話狀態。
- show mka sessions detail — 此命令提供每個MKA會話的詳細資訊。
- show mka keychains - 此命令顯示用於MACsec的金鑰鏈和分配的介面。
- show mka policy — 此命令顯示應用的策略、使用的介面和密碼套件。
- show mka summary — 此命令提供MKA會話和統計資訊的摘要。
- show macsec statistics interface <interface name> — 此命令顯示指定介面的MACsec統計資訊,並有助於識別是否正在傳送和接收加密流量。
| CE 8500-1 |
CE 8500-2 |
8500-1#show mka sessions
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
Fo0/2/4.100 78bc.1aac.1521/001a subint100 NO NO
26 78bc.1aac.1420/001a 1 Secured 02
8500-1#show mka sessions detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
TX-SSCI.................. 2
Local Tx-SCI............. 78bc.1aac.1521/001a
Interface MAC Address.... 78bc.1aac.1521
MKA Port Identifier...... 26
Interface Name........... FortyGigabitEthernet0/2/4.100
Audit Session ID.........
CAK Name (CKN)........... 02
Member Identifier (MI)... 8387013B6C4D6106D4443285
Message Number (MN)...... 439243
EAP Role................. NA
Key Server............... NO
MKA Cipher Suite......... AES-256-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... F5720CC2E83183F1E673DACD00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
SAK Rekey Time........... 0s (SAK Rekey interval not applicable)
MKA Policy Name.......... subint100
Key Server Priority...... 0
Delay Protection......... NO
Delay Protection Timer.......... 0s (Not enabled)
Confidentiality Offset... 0
Algorithm Agility........ 80C201
SAK Rekey On Live Peer Loss........ NO
Send Secure Announcement.. DISABLED
SCI Based SSCI Computation.... NO
SAK Cipher Suite......... 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 0
Live Peers List:
MI MN Rx-SCI (Peer) KS RxSA SSCI
Priority Installed
---------------------------------------------------------------------------------------
F5720CC2E83183F1E673DACD 439222 78bc.1aac.1420/001a 0 YES 1
Potential Peers List:
MI MN Rx-SCI (Peer) KS RxSA SSCI
Priority Installed
---------------------------------------------------------------------------------------
8500-1#show mka keychains
MKA PSK Keychain(s) Summary...
Keychain Latest CKN Interface(s)
Name Latest CAK Applied
===============================================================================================
keychain_vlan100 02 Fo0/2/4.100
8500-1#show mka policy
MKA Policy defaults :
Send-Secure-Announcements: DISABLED
MKA Policy Summary...
Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,
SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,
DP - Delay Protect, KS Prio - Key Server Priority
Policy KS DP CO SAKR ICVIND Cipher Interfaces
Name Prio OLPL Suite(s) Applied
===============================================================================
*DEFAULT POLICY* 0 FALSE 0 FALSE TRUE GCM-AES-128
GCM-AES-256
subint100 0 FALSE 0 FALSE TRUE GCM-AES-XPN-256 Fo0/2/4.100
8500-1#show mka summary
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
Fo0/2/4.100 78bc.1aac.1521/001a subint100 NO NO
26 78bc.1aac.1420/001a 1 Secured 02
MKA Global Statistics
=====================
MKA Session Totals
Secured.................... 14
Fallback Secured........... 0
Reauthentication Attempts.. 0
Deleted (Secured).......... 13
Keepalive Timeouts......... 0
CA Statistics
Pairwise CAKs Derived...... 0
Pairwise CAK Rekeys........ 0
Group CAKs Generated....... 0
Group CAKs Received........ 0
SA Statistics
SAKs Generated.............. 0
SAKs Rekeyed................ 2
SAKs Received............... 18
SAK Responses Received...... 0
SAK Rekeyed as KN Mismatch.. 0
MKPDU Statistics
MKPDUs Validated & Rx...... 737255
"Distributed SAK"..... 18
"Distributed CAK"..... 0
MKPDUs Transmitted......... 738485
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKA Error Counter Totals
========================
Session Failures
Bring-up Failures................ 0
Reauthentication Failures........ 0
Duplicate Auth-Mgr Handle........ 0
SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0
SAK Cipher Mismatch.............. 0
CA Failures
Group CAK Generation............. 0
Group CAK Encryption/Wrap........ 0
Group CAK Decryption/Unwrap...... 0
Pairwise CAK Derivation.......... 0
CKN Derivation................... 0
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0
MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 0
Tx SA Installation............... 0
MKPDU Failures
MKPDU Tx............................... 0
MKPDU Rx ICV Verification.............. 0
MKPDU Rx Fallback ICV Verification..... 0
MKPDU Rx Validation.................... 0
MKPDU Rx Bad Peer MN................... 0
MKPDU Rx Non-recent Peerlist MN........ 0
SAK USE Failures
SAK USE Latest KN Mismatch............. 0
SAK USE Latest AN not in USE........... 0
8500-1#show macsec statistics interface Fo0/2/4.100
MACsec Statistics for FortyGigabitEthernet0/2/4.100
SecY Counters
Ingress Untag Pkts: 0
Ingress No Tag Pkts: 0
Ingress Bad Tag Pkts: 0
Ingress Unknown SCI Pkts: 0
Ingress No SCI Pkts: 0
Ingress Overrun Pkts: 0
Ingress Validated Octets: 0
Ingress Decrypted Octets: 11853398
Egress Untag Pkts: 0
Egress Too Long Pkts: 0
Egress Protected Octets: 0
Egress Encrypted Octets: 11782598
Controlled Port Counters
IF In Octets: 14146226
IF In Packets: 191065
IF In Discard: 0
IF In Errors: 0
IF Out Octets: 14063174
IF Out Packets: 190042
IF Out Errors: 0
Transmit SC Counters (SCI: 78BC1AAC1521001A)
Out Pkts Protected: 0
Out Pkts Encrypted: 190048
Transmit SA Counters (AN 0)
Out Pkts Protected: 0
Out Pkts Encrypted: 190048
Receive SA Counters (SCI: 78BC1AAC1420001A AN 0)
In Pkts Unchecked: 0
In Pkts Delayed: 0
In Pkts OK: 191069
In Pkts Invalid: 0
In Pkts Not Valid: 0
In Pkts Not using SA: 0
In Pkts Unused SA: 0
In Pkts Late: 0
|
8500-2#show mka sessions
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
Fo0/2/0.100 78bc.1aac.1420/001a subint100 NO YES
26 78bc.1aac.1521/001a 1 Secured 02
8500-2#show mka sessions detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
TX-SSCI.................. 1
Local Tx-SCI............. 78bc.1aac.1420/001a
Interface MAC Address.... 78bc.1aac.1420
MKA Port Identifier...... 26
Interface Name........... FortyGigabitEthernet0/2/0.100
Audit Session ID.........
CAK Name (CKN)........... 02
Member Identifier (MI)... F5720CC2E83183F1E673DACD
Message Number (MN)...... 438678
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-256-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... F5720CC2E83183F1E673DACD00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
SAK Rekey Time........... 0s (SAK Rekey interval not applicable)
MKA Policy Name.......... subint100
Key Server Priority...... 0
Delay Protection......... NO
Delay Protection Timer.......... 0s (Not enabled)
Confidentiality Offset... 0
Algorithm Agility........ 80C201
SAK Rekey On Live Peer Loss........ NO
Send Secure Announcement.. DISABLED
SCI Based SSCI Computation.... NO
SAK Cipher Suite......... 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
Live Peers List:
MI MN Rx-SCI (Peer) KS RxSA SSCI
Priority Installed
---------------------------------------------------------------------------------------
8387013B6C4D6106D4443285 438697 78bc.1aac.1521/001a 0 YES 2
Potential Peers List:
MI MN Rx-SCI (Peer) KS RxSA SSCI
Priority Installed
---------------------------------------------------------------------------------------
8500-2#show mka keychains
MKA PSK Keychain(s) Summary...
Keychain Latest CKN Interface(s)
Name Latest CAK Applied
===============================================================================================
keychain_vlan100 02 Fo0/2/0.100
8500-2#show mka policy
MKA Policy defaults :
Send-Secure-Announcements: DISABLED
MKA Policy Summary...
Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,
SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,
DP - Delay Protect, KS Prio - Key Server Priority
Policy KS DP CO SAKR ICVIND Cipher Interfaces
Name Prio OLPL Suite(s) Applied
===============================================================================
*DEFAULT POLICY* 0 FALSE 0 FALSE TRUE GCM-AES-128
GCM-AES-256
subint100 0 FALSE 0 FALSE TRUE GCM-AES-XPN-256 Fo0/2/0.100
8500-2#show mka summary
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
Fo0/2/0.100 78bc.1aac.1420/001a subint100 NO YES
26 78bc.1aac.1521/001a 1 Secured 02
MKA Global Statistics
=====================
MKA Session Totals
Secured.................... 8
Fallback Secured........... 0
Reauthentication Attempts.. 0
Deleted (Secured).......... 7
Keepalive Timeouts......... 0
CA Statistics
Pairwise CAKs Derived...... 0
Pairwise CAK Rekeys........ 0
Group CAKs Generated....... 0
Group CAKs Received........ 0
SA Statistics
SAKs Generated.............. 13
SAKs Rekeyed................ 4
SAKs Received............... 0
SAK Responses Received...... 12
SAK Rekeyed as KN Mismatch.. 0
MKPDU Statistics
MKPDUs Validated & Rx...... 524753
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKPDUs Transmitted......... 524796
"Distributed SAK"..... 12
"Distributed CAK"..... 0
MKA Error Counter Totals
========================
Session Failures
Bring-up Failures................ 0
Reauthentication Failures........ 0
Duplicate Auth-Mgr Handle........ 0
SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0
SAK Cipher Mismatch.............. 0
CA Failures
Group CAK Generation............. 0
Group CAK Encryption/Wrap........ 0
Group CAK Decryption/Unwrap...... 0
Pairwise CAK Derivation.......... 0
CKN Derivation................... 0
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0
MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 1
Tx SA Installation............... 0
MKPDU Failures
MKPDU Tx............................... 0
MKPDU Rx ICV Verification.............. 0
MKPDU Rx Fallback ICV Verification..... 0
MKPDU Rx Validation.................... 0
MKPDU Rx Bad Peer MN................... 0
MKPDU Rx Non-recent Peerlist MN........ 0
SAK USE Failures
SAK USE Latest KN Mismatch............. 0
SAK USE Latest AN not in USE........... 0
8500-2#show macsec statistics interface Fo0/2/0.100
MACsec Statistics for FortyGigabitEthernet0/2/0.100
SecY Counters
Ingress Untag Pkts: 0
Ingress No Tag Pkts: 0
Ingress Bad Tag Pkts: 0
Ingress Unknown SCI Pkts: 0
Ingress No SCI Pkts: 0
Ingress Overrun Pkts: 0
Ingress Validated Octets: 0
Ingress Decrypted Octets: 11767966
Egress Untag Pkts: 0
Egress Too Long Pkts: 0
Egress Protected Octets: 0
Egress Encrypted Octets: 11838828
Controlled Port Counters
IF In Octets: 14045710
IF In Packets: 189805
IF In Discard: 0
IF In Errors: 0
IF Out Octets: 14128836
IF Out Packets: 190832
IF Out Errors: 0
Transmit SC Counters (SCI: 78BC1AAC1420001A)
Out Pkts Protected: 0
Out Pkts Encrypted: 190834
Transmit SA Counters (AN 0)
Out Pkts Protected: 0
Out Pkts Encrypted: 190834
Receive SA Counters (SCI: 78BC1AAC1521001A AN 0)
In Pkts Unchecked: 0
In Pkts Delayed: 0
In Pkts OK: 189812
In Pkts Invalid: 0
In Pkts Not Valid: 0
In Pkts Not using SA: 0
In Pkts Unused SA: 0
In Pkts Late: 0
|
來自不同子介面的可達性以及192.168.0.0/16子網之間的可達性均成功。下一個ping測試演示了成功的連線:
8500-1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
8500-1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
8500-1#ping 192.168.101.10 source 192.168.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
8500-1#
從提供商邊緣(PE)裝置上的ICMP測試捕獲資料包後,您可以比較加密幀和未加密幀。請注意,兩個幀上的乙太網外部MAC報頭相同,且dot1q標籤可見。但是,加密幀顯示的是0x88E5(MACsec)的EtherType,而未加密幀顯示的是0x0800(IPv4)的EtherType以及ICMP協定資訊:
| 加密訊框VLAN 100 |
未加密的訊框VLAN 200 |
F241.03.03-9500-1#show monitor capture cap buffer detail | begin Frame 80
Frame 80: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) on interface /tmp/epc_ws/wif_to_ts_pipe, id 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Interface name: /tmp/epc_ws/wif_to_ts_pipe
Encapsulation type: Ethernet (1)
Arrival Time: Jul 29, 2024 23:50:16.528191000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1722297016.528191000 seconds
[Time delta from previous captured frame: 0.224363000 seconds]
[Time delta from previous displayed frame: 0.224363000 seconds]
[Time since reference or first frame: 21.989269000 seconds]
Frame Number: 80
Frame Length: 150 bytes (1200 bits)
Capture Length: 150 bytes (1200 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:vlan:ethertype:macsec:data]
Ethernet II, Src: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21), Dst: 78:bc:1a:ac:14:20 (78:bc:1a:ac:14:20)
Destination: 78:bc:1a:ac:14:20 (78:bc:1a:ac:14:20)
Address: 78:bc:1a:ac:14:20 (78:bc:1a:ac:14:20)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21)
Address: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 0110 0100 = ID: 100
Type: 802.1AE (MACsec) (0x88e5)
802.1AE Security tag
0010 11.. = TCI: 0x0b, VER: 0x0, SC, E, C
0... .... = VER: 0x0
.0.. .... = ES: Not set
..1. .... = SC: Set
...0 .... = SCB: Not set
.... 1... = E: Set
.... .1.. = C: Set
.... ..00 = AN: 0x0
Short length: 0
Packet number: 147
System Identifier: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21)
Port Identifier: 26
ICV: 2b80cff435c7ef5a8d21b473b998cfb4
Data (102 bytes)
0000 99 53 71 3e f6 c7 9b bb 00 21 68 48 d6 ca 26 af .Sq>.....!hH..&.
0010 80 a5 76 40 19 c9 45 97 b3 5a 48 d3 2d 30 72 a6 ..v@..E..ZH.-0r.
0020 96 47 6e a7 4c 30 90 e5 70 10 80 e8 68 00 5f ad .Gn.L0..p...h._.
0030 7f dd 4a 70 a8 46 00 ef 7d 56 fe e2 66 ba 6c 1b ..Jp.F..}V..f.l.
0040 3a 07 44 4e 5e e7 04 cb cb f4 03 71 8d 40 da 55 :.DN^......q.@.U
0050 9f 1b ef a6 3a 1e 42 c7 05 e6 9e d0 39 6e b7 3f ....:.B.....9n.?
0060 f2 82 cf 66 f2 5b ...f.[
Data: 9953713ef6c79bbb00216848d6ca26af80a5764019c94597b^@&
[Length: 102]
|
F241.03.03-9500-1#show monitor capture cap buff detail | begin Frame 126
Frame 126: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface /tmp/epc_ws/wif_to_ts_pipe, id 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Interface name: /tmp/epc_ws/wif_to_ts_pipe
Encapsulation type: Ethernet (1)
Arrival Time: Jul 29, 2024 23:50:26.198492000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1722297026.198492000 seconds
[Time delta from previous captured frame: 0.280042000 seconds]
[Time delta from previous displayed frame: 0.280042000 seconds]
[Time since reference or first frame: 31.659570000 seconds]
Frame Number: 126
Frame Length: 118 bytes (944 bits)
Capture Length: 118 bytes (944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:vlan:ethertype:ip:icmp:data]
Ethernet II, Src: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21), Dst: 78:bc:1a:ac:14:20 (78:bc:1a:ac:14:20)
Destination: 78:bc:1a:ac:14:20 (78:bc:1a:ac:14:20)
Address: 78:bc:1a:ac:14:20 (78:bc:1a:ac:14:20)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21)
Address: 78:bc:1a:ac:15:21 (78:bc:1a:ac:15:21)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 1100 1000 = ID: 200
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.2.1, Dst: 172.16.2.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 100
Identification: 0x0055 (85)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: ICMP (1)
Header checksum: 0x5f20 [validation disabled]
[Header checksum status: Unverified]
Source: 172.16.2.1
Destination: 172.16.2.2
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x6a4e [correct]
[Checksum Status: Good]
Identifier (BE): 17 (0x0011)
Identifier (LE): 4352 (0x1100)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (72 bytes)
0000 00 00 00 00 00 25 13 c6 ab cd ab cd ab cd ab cd .....%..........
0010 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0020 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0030 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0040 ab cd ab cd ab cd ab cd ........
Data: 00000000002513c6abcdabcdabcdabcdabcdabcdabcdabcdb^@&
[Length: 72]
|
相關資訊
意見