Wired Intelligent Edge


[2930m/5406] macsec

  • 1.  [2930m/5406] macsec

    MVP
    Posted Sep 09, 2020 07:37 AM

    Hey everyone,

    We have a L2 P2P link between 2 sites that we would like to be secured with encryption since it passes over infrastructure that is not in our control.

     

    At the ends of the link we have a 2930M and a 5406v3-J9990A both running AOS-SW 16.10.0009.

     

    I tried enabling MACSEC on the ports connecting the two switches as documented on these pages:

    https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/v32677644.html

    https://community.arubanetworks.com/t5/Video/MacSec-on-ArubaOS-switches/ta-p/293675

     

    But to no avail: the moment I enable the macsec policy the port becomes "disabled by MACSEC" and this is all I get in the logs:

    I 09/08/20 22:37:13 00435 ports: port X is Blocked by MACSEC

     

    I found a topic about this in the security forum without any resolution:

    https://community.arubanetworks.com/t5/Security/MacSec-Configuration/m-p/647475/highlight/false#M48969

     

    And was hoping that the lack of resolution is just due to people spending more time here than there.

     

    Setup of 5406 switch:

    aaa port-access mka key-server-priority 18 S/Xy
    aaa port-access mka transmit-interval 4 S/Xy
    
    macsec policy "p2p-policy"
       mode pre-shared-key ckn "[hexstring]" encrypted-cak "[encryptedstring]"
       exit
    macsec apply policy S/Xy

    Setup of 2930m switch:

    aaa port-access mka key-server-priority 14 X
    aaa port-access mka transmit-interval 4 X
    
    macsec policy "p2p-policy"
       mode pre-shared-key ckn "[hexstring]" encrypted-cak "[encryptedstring]"
       exit
    macsec apply policy X

     



  • 2.  RE: [2930m/5406] macsec

    MVP
    Posted Sep 14, 2020 07:43 PM

    After lots of troubleshooting it seems that the above config is actually perfectly fine and the issue may lie in the infrastructure of the ISP providing the p2p link blocking unknown protocols (using a direct cable between the 5406R and a test switch it worked).

     

    Since we in the meantime figured out that macsec actually does not fulfill the need we have, we're abandoning this.

     

    I'll just ask the forum - is anyone aware of some way to create an encrypted "tunnel" (similar to an SSH tunnel) between the 2 switches that is transparent to the rest of the devices on the LAN that reside on either side of the tunnel?

    At the moment the SSL tunnel between the firewalls at the 2 locations is totally killing performance.
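The failure mode in this thread (MKA is configured correctly on both ends, yet the port stays "Blocked by MACSEC" and only works over a direct cable) is what you see when the provider's L2 service never delivers the MKA key-agreement frames. MKA rides on EAPOL (EtherType 0x888E, packet type 5) addressed to the PAE group MAC 01:80:C2:00:00:03, which sits in the 802.1D reserved range that carrier Ethernet equipment commonly discards or consumes, and the MACsec data frames themselves use EtherType 0x88E5, which some gear treats as "unknown". The script below is an added example, not part of the original thread or any HPE/Aruba tool: it classifies raw Ethernet frames (e.g. from a port mirror on each end, read with any pcap library) as EAPOL-MKA, MACsec, or other, and compares what one switch put on the wire with what the far end actually received. The frame bytes in the block are constructed for illustration; the MKPDU body is a placeholder and is not decoded.

```python
"""Classify Ethernet frames as EAPOL-MKA / MACsec / other and diff two captures.

Added example for the thread above; not code from HPE Aruba or the original
poster. Frames are raw Ethernet (no FCS), as a pcap reader returns them.
"""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E           # IEEE 802.1X; carries MKA (MKPDUs)
ETHERTYPE_MACSEC = 0x88E5          # IEEE 802.1AE SecTAG
EAPOL_TYPE_MKA = 5                 # 802.1X-2010 packet type for MKA
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # EAPOL destination MAC


def classify_frame(raw: bytes) -> dict:
    """Return a dict describing the frame; 'kind' is eapol, macsec, other or short."""
    if len(raw) < 14:
        return {"kind": "short"}
    dst, src = raw[:6], raw[6:12]
    etype = struct.unpack("!H", raw[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype}
    if etype == ETHERTYPE_EAPOL and len(raw) >= 18:
        version, ptype, _body_len = struct.unpack("!BBH", raw[14:18])
        info.update(kind="eapol", eapol_version=version, eapol_type=ptype,
                    mka=(ptype == EAPOL_TYPE_MKA),
                    pae_group=(dst == PAE_GROUP_ADDR))
    elif etype == ETHERTYPE_MACSEC and len(raw) >= 20:
        # SecTAG: TCI/AN (1), SL (1), PN (4), optional SCI (8) when the SC bit is set.
        tci_an, _sl = raw[14], raw[15]
        pn = struct.unpack("!I", raw[16:20])[0]
        sc_present = bool(tci_an & 0x20)   # SC bit
        encrypted = bool(tci_an & 0x08)    # E bit (confidentiality on)
        sci = raw[20:28].hex() if sc_present and len(raw) >= 28 else None
        info.update(kind="macsec", an=tci_an & 0x03, pn=pn,
                    encrypted=encrypted, sci=sci)
    else:
        info["kind"] = "other"
    return info


def frame_kind(raw: bytes) -> str:
    info = classify_frame(raw)
    if info["kind"] == "eapol":
        return "eapol-mka" if info["mka"] else "eapol-other"
    return info["kind"]


def link_report(sent, received) -> dict:
    """Per frame kind: how many one end sent vs. how many the far end captured."""
    s, r = Counter(map(frame_kind, sent)), Counter(map(frame_kind, received))
    return {k: {"sent": s[k], "received": r[k], "dropped": s[k] - r[k]} for k in s}


def mka_blocked(report: dict) -> bool:
    """True when MKPDUs left the near end but none arrived at the far end."""
    mka = report.get("eapol-mka")
    return bool(mka) and mka["sent"] > 0 and mka["received"] == 0


# --- Constructed sample frames (illustrative, not captured from real gear) ---
SRC_A = bytes.fromhex("001122334455")
SRC_B = bytes.fromhex("00bbccddeeff")
_mkpdu_body = bytes.fromhex("01120000")  # placeholder; real MKPDUs carry parameter sets
MKA_FRAME = (PAE_GROUP_ADDR + SRC_A + struct.pack("!H", ETHERTYPE_EAPOL)
             + struct.pack("!BBH", 3, EAPOL_TYPE_MKA, len(_mkpdu_body)) + _mkpdu_body)
# TCI/AN 0x2C: SC=1, E=1, C=1, AN=0; PN=16; SCI = source MAC + port 0x0001
MACSEC_FRAME = (SRC_A + SRC_B + struct.pack("!H", ETHERTYPE_MACSEC)
                + bytes([0x2C, 0x00]) + struct.pack("!I", 16) + SRC_B + b"\x00\x01"
                + bytes(range(32)) + bytes(16))   # fake ciphertext + ICV
IPV4_FRAME = SRC_A + SRC_B + struct.pack("!H", 0x0800) + bytes(46)

# What the 5406 side transmitted vs. what a mirror on the 2930M port saw:
SENT_CAPTURE = [MKA_FRAME, MKA_FRAME, IPV4_FRAME]
RECEIVED_CAPTURE = [IPV4_FRAME]   # MKPDUs never arrive: port stays blocked

if __name__ == "__main__":
    for f in (MKA_FRAME, MACSEC_FRAME, IPV4_FRAME):
        print(classify_frame(f))
    rep = link_report(SENT_CAPTURE, RECEIVED_CAPTURE)
    print(rep, "MKA blocked by the transport:", mka_blocked(rep))
```

To use it on a real link, mirror the MACsec-enabled port on each switch to a capture host, save both captures, feed the raw frames from each pcap into `link_report`, and look at the `eapol-mka` row: if the near end sends MKPDUs and the far end sees none, the carrier is dropping either EtherType 0x888E or the reserved destination MAC, and no amount of switch-side MKA tuning will help; you need the provider to pass those frames (for instance via L2 protocol tunnelling) or, as the poster concluded, an encryption method that runs over ordinary unicast traffic.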