Let's dive into a practical example of configuring MACsec (Media Access Control Security) on Cisco devices. MACsec, as you guys probably know, is an IEEE standard for providing security for wired Ethernet communications. It operates at the data link layer (Layer 2) and provides encryption for all traffic on a link. In this article, we will walk through a basic configuration scenario, explaining each step along the way to ensure you get a solid understanding of how to implement MACsec in your network.

    Understanding the Basics of MACsec

    Before we jump into the configuration, it's essential to understand the fundamental components of MACsec. MACsec uses a key agreement protocol to establish a secure channel between two devices. The key agreement protocol used by Cisco is called MACsec Key Agreement (MKA). MKA handles the authentication, key exchange, and key management processes. Here's a quick rundown of the key components:

    • Connectivity Association (CA): A logical association between two MACsec-enabled devices. It defines the security policies and parameters for the secure communication.
    • Cipher Suite: The encryption algorithm and key length used to secure the data. Common cipher suites include GCM-AES-128 and GCM-AES-256.
    • Key Server: One of the devices in the CA is elected as the key server. The key server is responsible for generating and distributing the session keys.
    • Session Keys: The actual keys used to encrypt and decrypt the data. These keys are rotated periodically to maintain security.

    MACsec ensures that all traffic between two points is encrypted, preventing eavesdropping, man-in-the-middle attacks, and other security threats. By implementing MACsec, you can significantly enhance the security posture of your network.

    Prerequisites

    Before starting the configuration, make sure you have the following:

    1. Cisco Devices: Two Cisco devices that support MACsec. This could be switches or routers.
    2. IOS Version: Ensure your devices are running a Cisco IOS version that supports MACsec. Check the Cisco Feature Navigator for compatibility.
    3. Physical Connectivity: The devices must be physically connected via Ethernet cables.
    4. Basic Network Configuration: Ensure basic network configurations such as IP addresses and routing are set up.

    Configuration Steps

    Now, let's walk through the configuration steps. We'll use a simple scenario where two Cisco switches are connected, and we want to secure the link between them using MACsec. In this example, we will configure the key server manually for simplicity.

    Step 1: Enable MACsec Globally

    First, you need to enable MACsec globally on both switches. This is done using the macsec global configuration command. Log in to the privileged EXEC mode on each switch and enter the following commands:

    Switch(config)# macsec
    Switch(config)# end
    

    This command enables the MACsec feature on the switch. Without this command, you won't be able to configure MACsec on any interfaces.

    Step 2: Configure the Interface

    Next, configure the interface on each switch that will be part of the MACsec-protected link. Enter the interface configuration mode for the desired interface. For example:

    Switch(config)# interface GigabitEthernet1/0/1
    Switch(config-if)#
    

    Step 3: Enable MACsec on the Interface

    Enable MACsec on the interface using the macsec port-enable command:

    Switch(config-if)# macsec port-enable
    

    This command activates MACsec on the interface, preparing it for secure communication.

    Step 4: Configure MKA Policy

    The MKA policy defines the parameters for the MACsec Key Agreement protocol. You need to create an MKA policy and apply it to the interface. Here's how to create an MKA policy:

    Switch(config)# mka policy MY_MKA_POLICY
    Switch(config-mka-policy)# key-server priority 10
    Switch(config-mka-policy)# cipher-suite gcm-aes-128
    Switch(config-mka-policy)# exit

    • mka policy MY_MKA_POLICY: Creates an MKA policy named MY_MKA_POLICY.
    • key-server priority 10: Sets the key server priority. The switch with the higher priority becomes the key server. Adjust the priority accordingly on each switch.
    • cipher-suite gcm-aes-128: Specifies the cipher suite to be used for encryption. In this example, we are using GCM-AES-128.

    Now, re-enter the interface configuration mode and apply the MKA policy to the interface:

    Switch(config-if)# macsec mka policy MY_MKA_POLICY
    

    Step 5: Configure Static Key (Optional but Recommended for Initial Setup)

    For initial setup and testing, configuring a static key is often easier. In a production environment, you would typically use dynamic key exchange. Here's how to configure a static key:

    Switch(config)# macsec static-key MY_STATIC_KEY
    Switch(config-static-key)# key 0 ENCRYPTED_KEY
    Switch(config-static-key)# exit
    

    Replace MY_STATIC_KEY with a name for your static key configuration and ENCRYPTED_KEY with the actual encrypted key. To encrypt the key, use the following command:

    Switch# show macsec pre-shared-key ENCRYPT_ME
    

    Replace ENCRYPT_ME with the actual key you want to encrypt. The output will provide the encrypted key, which you can then use in the key 0 ENCRYPTED_KEY command. Then re-enter the MKA policy and bind the static key to it:

    Switch(config-mka-policy)# pre-shared-key static MY_STATIC_KEY
    Switch(config-mka-policy)# exit
    

    Step 6: Verify the Configuration

    After configuring MACsec, it's important to verify that it is working correctly. Use the following commands to check the status:

    • show macsec interface GigabitEthernet1/0/1: This command shows the MACsec status for the specified interface.
    • show mka session interface GigabitEthernet1/0/1: This command displays the MKA session details for the interface.

    Example output:

    Switch# show macsec interface GigabitEthernet1/0/1
    GigabitEthernet1/0/1 is up, line protocol is up
      MACsec is enabled
      Operational status: Secure
      Encryption: Enabled
      Confidentiality Offset: 0 bytes
      Replay Protection: Enabled
      Replay Window Size: 64
      Current Cipher Suite: GCM-AES-128
      Key Server: Yes
      ... (rest of the output)
    
    Switch# show mka session interface GigabitEthernet1/0/1
    Interface: GigabitEthernet1/0/1
      Session ID: 0000000000000001
      Key Server: Yes
      Key Server Priority: 10
      Status: Active
      ... (rest of the output)
    

    If the Operational status is Secure and the Status is Active, MACsec is successfully configured and running on the interface. Run the same show mka session command on the peer as well: exactly one of the two switches should report Key Server: Yes.
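    Checking those fields by eye works for one link, but an audit over many links is easier to script. The following is an added example, not code from the tutorial or from Cisco: it parses the show output format shown above (the sample text is constructed to match the tutorial's example output, not captured from a device) and flags the conditions a practitioner cares about: a link that is not Secure, encryption or replay protection switched off, an unexpected cipher suite, an MKA session that is not Active, and a key-server election that did not settle on exactly one side.

```python
import re

# Constructed sample output modelled on the tutorial's example "show" commands;
# not captured from a real device.
SHOW_MACSEC_SW1 = """\
GigabitEthernet1/0/1 is up, line protocol is up
  MACsec is enabled
  Operational status: Secure
  Encryption: Enabled
  Confidentiality Offset: 0 bytes
  Replay Protection: Enabled
  Replay Window Size: 64
  Current Cipher Suite: GCM-AES-128
  Key Server: Yes
"""

SHOW_MKA_SW1 = """\
Interface: GigabitEthernet1/0/1
  Session ID: 0000000000000001
  Key Server: Yes
  Key Server Priority: 10
  Status: Active
"""

# The peer end of the same link: not the key server, otherwise identical (constructed).
SHOW_MKA_SW2 = (SHOW_MKA_SW1.replace("Key Server: Yes", "Key Server: No")
                            .replace("Key Server Priority: 10", "Key Server Priority: 5"))


def parse_fields(output):
    """Turn the 'Name: value' lines of a show command into a dict.

    Lines without a colon (the 'is up, line protocol is up' banner) are skipped.
    """
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_link(macsec_output, mka_output, expected_cipher="GCM-AES-128"):
    """Return a list of findings for one interface; an empty list means it passes."""
    macsec = parse_fields(macsec_output)
    mka = parse_fields(mka_output)
    findings = []
    if macsec.get("Operational status") != "Secure":
        findings.append("operational status is not Secure")
    if macsec.get("Encryption") != "Enabled":
        findings.append("encryption is not enabled (link would be integrity-only)")
    if macsec.get("Replay Protection") != "Enabled":
        findings.append("replay protection is disabled")
    cipher = macsec.get("Current Cipher Suite")
    if cipher != expected_cipher:
        findings.append(f"cipher suite is {cipher!r}, expected {expected_cipher!r}")
    if mka.get("Status") != "Active":
        findings.append("MKA session is not Active")
    return findings


def one_key_server(mka_outputs):
    """True when exactly one end of the link reports 'Key Server: Yes'."""
    return sum(parse_fields(o).get("Key Server") == "Yes" for o in mka_outputs) == 1


if __name__ == "__main__":
    print(check_link(SHOW_MACSEC_SW1, SHOW_MKA_SW1) or "switch1 link OK")
    print("exactly one key server:", one_key_server([SHOW_MKA_SW1, SHOW_MKA_SW2]))
```

    In practice you would feed check_link the text returned by your device-access library of choice for each end of the link and pass both MKA outputs to one_key_server; a non-empty findings list is what should page someone, since a link that silently fell back to Not Secure carries traffic in the clear.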

    Complete Configuration Example

    Here's a complete configuration example for both switches. This example assumes that GigabitEthernet1/0/1 on both switches is connected.

    Switch 1 Configuration:

    enable
    configure terminal
    macsec
    interface GigabitEthernet1/0/1
     macsec port-enable
     macsec mka policy MY_MKA_POLICY
    exit
    mka policy MY_MKA_POLICY
     key-server priority 10
     cipher-suite gcm-aes-128
     pre-shared-key static MY_STATIC_KEY
    exit
    macsec static-key MY_STATIC_KEY
     key 0 ENCRYPTED_KEY
    exit
    end
    write memory
    

    Switch 2 Configuration:

    enable
    configure terminal
    macsec
    interface GigabitEthernet1/0/1
     macsec port-enable
     macsec mka policy MY_MKA_POLICY
    exit
    mka policy MY_MKA_POLICY
     key-server priority 5
     cipher-suite gcm-aes-128
     pre-shared-key static MY_STATIC_KEY
    exit
    macsec static-key MY_STATIC_KEY
     key 0 ENCRYPTED_KEY
    exit
    end
    write memory
    

    Important Considerations:

    • Make sure the ENCRYPTED_KEY is the same on both switches.
    • Adjust the key-server priority so that only one switch is the key server. The switch with the higher priority will be the key server.
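    Both of these considerations are mismatches between the two ends of one link, and they are easy to catch before pushing the configuration. The following is an added example, not code from the tutorial or from Cisco: it parses configuration text in the exact command syntax the tutorial uses (the two sample configurations are constructed copies of the Switch 1 and Switch 2 examples above) and checks that MACsec is enabled globally, that the interface carries macsec port-enable and references a defined MKA policy, that the policy references a defined static key, that both ends use the same key material and cipher suite, and that the two key-server priorities are distinct. It checks intent only; device state is a separate check against the show commands.

```python
import re

# Constructed copies of the tutorial's two switch configurations (the text
# 'show running-config' would contain), not pulled from a real device.
SWITCH1_CONFIG = """\
macsec
interface GigabitEthernet1/0/1
 macsec port-enable
 macsec mka policy MY_MKA_POLICY
exit
mka policy MY_MKA_POLICY
 key-server priority 10
 cipher-suite gcm-aes-128
 pre-shared-key static MY_STATIC_KEY
exit
macsec static-key MY_STATIC_KEY
 key 0 ENCRYPTED_KEY
exit
"""
SWITCH2_CONFIG = SWITCH1_CONFIG.replace("key-server priority 10", "key-server priority 5")

# Top-level blocks whose indented lines we collect: (pattern, bucket name).
BLOCKS = [(r"mka policy (\S+)", "policies"),
          (r"macsec static-key (\S+)", "static_keys"),
          (r"interface (\S+)", "interfaces")]


def parse_config(text):
    """Collect MKA policies, static keys and interfaces from indented config text."""
    cfg = {"policies": {}, "static_keys": {}, "interfaces": {}, "macsec_global": False}
    block = None  # dict that the current block's indented lines are written into
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("exit", "end"):
            continue
        if not raw.startswith(" "):  # a new top-level command ends the previous block
            block = None
            if words == ["macsec"]:
                cfg["macsec_global"] = True
            for pattern, bucket in BLOCKS:
                m = re.fullmatch(pattern, raw.rstrip())
                if m:
                    block = cfg[bucket].setdefault(m.group(1), {})
            continue
        if block is None:
            continue
        if words[:2] == ["key-server", "priority"]:
            block["priority"] = int(words[2])
        elif words[0] == "cipher-suite":
            block["cipher"] = words[1]
        elif words[:2] == ["pre-shared-key", "static"]:
            block["static_key"] = words[2]
        elif words[0] == "key":  # 'key 0 ENCRYPTED_KEY' under the static key
            block["key"] = words[2]
        elif words[:3] == ["macsec", "mka", "policy"]:
            block["policy"] = words[3]
        elif words == ["macsec", "port-enable"]:
            block["enabled"] = True
    return cfg


def check_pair(config_a, config_b, interface="GigabitEthernet1/0/1"):
    """Return findings for the two ends of one MACsec link; an empty list means consistent."""
    findings, ends = [], {}
    for name, cfg in (("switch1", parse_config(config_a)), ("switch2", parse_config(config_b))):
        if not cfg["macsec_global"]:
            findings.append(f"{name}: MACsec is not enabled globally")
        intf = cfg["interfaces"].get(interface, {})
        if not intf.get("enabled"):
            findings.append(f"{name}: {interface} lacks 'macsec port-enable'")
        pol = cfg["policies"].get(intf.get("policy"))
        if pol is None:
            findings.append(f"{name}: {interface} references undefined MKA policy {intf.get('policy')!r}")
            continue
        sk = cfg["static_keys"].get(pol.get("static_key"))
        if sk is None or "key" not in sk:
            findings.append(f"{name}: policy references undefined static key {pol.get('static_key')!r}")
            continue
        ends[name] = {"priority": pol.get("priority"), "cipher": pol.get("cipher"), "key": sk["key"]}
    if len(ends) == 2:
        a, b = ends["switch1"], ends["switch2"]
        if a["key"] != b["key"]:
            findings.append("static key material differs between the switches")
        if a["cipher"] != b["cipher"]:
            findings.append(f"cipher suites differ: {a['cipher']} vs {b['cipher']}")
        if a["priority"] == b["priority"]:
            findings.append("both switches use the same key-server priority; give them distinct values")
    return findings


if __name__ == "__main__":
    print(check_pair(SWITCH1_CONFIG, SWITCH2_CONFIG) or "both ends consistent")
```

    The key comparison is deliberately by value, so a pair of configurations where one side was pasted from an older key will be caught even though the static-key name matches on both.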

    Troubleshooting

    If MACsec is not working as expected, here are some troubleshooting tips:

    1. Check Connectivity: Ensure that the physical connectivity between the switches is good.
    2. Verify Configuration: Double-check the configuration on both switches to ensure that all parameters are correctly configured.
    3. Check Logs: Look at the system logs for any error messages related to MACsec or MKA.
    4. Debug Commands: Use debug commands such as debug mka all to get more detailed information about the MKA process.

    Advanced Configuration Options

    • Dynamic Key Exchange: In a production environment, you should use dynamic key exchange instead of static keys. This provides better security and key management.
    • Multiple Cipher Suites: You can configure multiple cipher suites in the MKA policy. The switches will negotiate the best cipher suite to use.
    • Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK): The CAK is the pre-shared secret that MKA derives its session keys from, and the CKN is the identifier both peers use to agree on which CAK is in play. Choosing a strong CAK and managing these two values carefully further enhances the security of the MKA process.

    Conclusion

    Alright guys, that’s a comprehensive overview and a practical example of configuring MACsec on Cisco devices. By following these steps, you can secure your Ethernet links and protect your network from various security threats. Remember to always verify your configuration and monitor your network for any issues. Implementing MACsec is a great way to enhance your network's security posture. Keep practicing and exploring advanced configurations to master this important security feature. Using MACsec and understanding its components like the Connectivity Association (CA), Cipher Suite, Key Server, and Session Keys will significantly improve your network infrastructure's security. Happy networking!