Wired Intelligent Edge (Campus Switching and Routing)

Contributor II

[2930m/5406] macsec

Hey everyone,

We have a L2 P2P link between 2 sites that we would like to be secured with encryption since it passes over infrastructure that is not in our control.

At the ends of the link we have a 2930M and a 5406v3-J9990A both running AOS-SW 16.10.0009.

I tried enabling MACSEC on the ports connecting the two switches as documented on these pages:

https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/v32677644.html

https://community.arubanetworks.com/t5/Video/MacSec-on-ArubaOS-switches/ta-p/293675

But to no avail: the moment I enable the macsec policy, the port becomes "disabled by MACSEC" and this is all I get in the logs:

I 09/08/20 22:37:13 00435 ports: port X is Blocked by MACSEC

I found a topic about this in the security forum without any resolution:

https://community.arubanetworks.com/t5/Security/MacSec-Configuration/m-p/647475/highlight/false#M48969

And was hoping that the lack of resolution is just due to people spending more time here than there.

Setup of 5406 switch:

aaa port-access mka key-server-priority 18 S/Xy
aaa port-access mka transmit-interval 4 S/Xy

macsec policy "p2p-policy"
   mode pre-shared-key ckn "[hexstring]" encrypted-cak "[encryptedstring]"
   exit
macsec apply policy S/Xy

Setup of 2930m switch:

aaa port-access mka key-server-priority 14 X
aaa port-access mka transmit-interval 4 X

macsec policy "p2p-policy"
   mode pre-shared-key ckn "[hexstring]" encrypted-cak "[encryptedstring]"
   exit
macsec apply policy X

Contributor II

Re: [2930m/5406] macsec

After lots of troubleshooting it seems that the above config is actually perfectly fine and the issue may lie in the infrastructure of the ISP providing the p2p link blocking unknown protocols (using a direct cable between the 5406R and a test switch it worked).

Since we in the meantime figured out that macsec actually does not fulfill the need we have, we're abandoning this.

I'll just ask the forum - is anyone aware of some way to create an encrypted "tunnel" (similar to an SSH tunnel) between the 2 switches that is transparent to the rest of the devices on the LAN that reside on either side of the tunnel?

At the moment the SSL tunnel between the firewalls at the 2 locations is totally killing performance.
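One way to test the "ISP filters unknown protocols" hypothesis from a capture taken on the far side of the link is to classify frames by EtherType: MKA key agreement rides EAPOL (EtherType 0x888E, packet type 5) and MACsec data frames use EtherType 0x88E5 with a SecTAG, so if neither arrives the port will stay "Blocked by MACSEC". The following is an added Python example, not code from this thread or from Aruba; the sample frames, MAC addresses and SCI are constructed placeholders.

```python
import struct

ETH_VLAN = 0x8100    # 802.1Q tag, may sit in front of the real EtherType
ETH_EAPOL = 0x888E   # EAPOL; MKA (MKPDUs) are EAPOL packet type 5
ETH_MACSEC = 0x88E5  # MACsec; the SecTAG follows this EtherType
EAPOL_TYPE_MKA = 5

def classify_frame(frame: bytes) -> dict:
    """Identify a raw Ethernet frame as MKA, MACsec (with SecTAG fields) or other."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETH_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": vlan, "ethertype": ethertype, "kind": "other"}
    if ethertype == ETH_EAPOL:
        version, pkt_type, _body_len = struct.unpack("!BBH", frame[offset:offset + 4])
        info["kind"] = "MKA" if pkt_type == EAPOL_TYPE_MKA else "EAPOL-%d" % pkt_type
        info["eapol_version"] = version
    elif ethertype == ETH_MACSEC:
        # SecTAG: TCI/AN (1 byte), SL (1 byte), PN (4 bytes), optional SCI (8 bytes)
        tci_an, sl, pn = struct.unpack("!BBI", frame[offset:offset + 6])
        sci_present = bool(tci_an & 0x20)       # SC bit: explicit SCI follows
        sci = frame[offset + 6:offset + 14].hex() if sci_present else None
        info.update(kind="MACsec", version=tci_an >> 7, encrypted=bool(tci_an & 0x08),
                    changed=bool(tci_an & 0x04), an=tci_an & 0x03,
                    short_length=sl & 0x3F, pn=pn, sci=sci)
    return info

def link_carries_macsec(frames) -> dict:
    """Count frame kinds seen on a port; zero MKA frames means key agreement never ran."""
    counts = {"MKA": 0, "MACsec": 0, "other": 0}
    for frame in frames:
        kind = classify_frame(frame)["kind"]
        counts[kind if kind in counts else "other"] += 1
    return counts

# Constructed sample frames (placeholder MACs/SCI), not a capture from the thread's switches.
PAE_GROUP = bytes.fromhex("0180c2000003")          # MKA destination address
SAMPLE_MKA = PAE_GROUP + bytes.fromhex("001122334455") + struct.pack("!HBBH", ETH_EAPOL, 3, 5, 4) + b"\x00" * 4
SAMPLE_MACSEC = (bytes.fromhex("665544332211001122334455") + struct.pack("!HBBI", ETH_MACSEC, 0x2C, 0, 1)
                 + bytes.fromhex("0011223344550001") + b"\x00" * 16)
SAMPLE_ARP = bytes.fromhex("ffffffffffff001122334455") + struct.pack("!HHH", ETH_VLAN, 100, 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    print(link_carries_macsec([SAMPLE_MKA, SAMPLE_MACSEC, SAMPLE_ARP]))
```

Feed it frames read from a pcap taken on the receiving switch's mirror port: a count of zero for MKA while "other" traffic flows is consistent with the carrier dropping these EtherTypes.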
