Configuring MACsec

Overview

Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer.

Basic concepts

Connectivity association (CA) is a group of participants that use the same key and key algorithm.
MACsec applications

MACsec supports the following application modes:

• Client-oriented mode—Secures data transmission between the client and the access device. In this mode, the authentication server generates and distributes the CAK to the client and the access device, and MACsec must operate with 802.1X authentication.

Figure 1 Client-oriented mode

NOTE: In client-oriented mode, an MKA-enabled port on the access device must perform port-based...
Figure 3 MACsec interactive process in client-oriented mode

The following shows the MACsec process:
1. After the client passes 802.1X authentication, the RADIUS server distributes the generated CAK to the client and the access device.
2. After receiving the CAK, the client and the access device exchange EAPOL-MKA packets. The client and the access device exchange the MACsec capability and required parameters for session establishment.
• The interfaces on LSWM2XGT2PM(JH156A) and LSWM2SP2PM(JH157A) interface modules installed on switch models except HPE 5510 24G SFP 4SFP+ HI 1-slot Switch (JH149A). The interface modules do not support hot swapping if MKA is enabled on such interfaces.

MACsec configuration task list

In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3 Ethernet ports.
Tasks at a glance | Remarks
(Optional.) Enabling MACsec desire |
(Optional.) Configuring a preshared key | This task is required in device-oriented mode.
(Optional.) Configuring the MKA key server priority |
(Optional.) Use one of the following methods to configure MACsec protection parameters: •... |
Step | Command | Remarks
Enter system view. | system-view |
Enter interface view. | interface interface-type interface-number |
Enable MACsec desire. | macsec desire | By default, the port does not expect MACsec protection for outbound frames.

Configuring a preshared key

In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation. To successfully establish an MKA session between two devices, make sure the connected MACsec ports are configured with the same preshared key.
ports. The port with the lowest SCI value (a combination of MAC address and port ID) becomes the key server. A port with priority 255 cannot become the key server. For a successful key server selection, make sure at least one participant's key server priority is not 255.

To configure the MKA key server priority:

Step Command...
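The election rule above (lowest key server priority wins, a tie is broken by the lowest SCI, and priority 255 is never eligible) worked through in Python, including the failure case where every participant is at 255 and no key server can be elected. This is an added example, not HPE code; the participant names, MAC addresses, port IDs and priorities are constructed.

```python
"""MKA key server election as described above (added example, not HPE code).

Rule: the participant with the lowest key server priority wins; on a tie the
participant with the lowest SCI (MAC address followed by port ID) wins; a
participant whose priority is 255 can never become the key server.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Participant:
    name: str       # label used only for reporting (constructed)
    mac: str        # 48-bit MAC address, e.g. "00e0-0100-000a" or "00:e0:01:00:00:0a"
    port_id: int    # 16-bit port identifier that completes the SCI
    priority: int   # MKA key server priority, 0-255

    def sci(self) -> int:
        """Return the 64-bit SCI: the MAC address followed by the port ID."""
        mac_hex = self.mac.replace(":", "").replace("-", "").replace(".", "")
        if len(mac_hex) != 12:
            raise ValueError(f"{self.name}: malformed MAC address {self.mac!r}")
        if not 0 <= self.port_id <= 0xFFFF:
            raise ValueError(f"{self.name}: port ID {self.port_id} is not 16-bit")
        return (int(mac_hex, 16) << 16) | self.port_id

    def sci_hex(self) -> str:
        """SCI in the 16-hex-digit form shown by 'display macsec ... verbose'."""
        return f"{self.sci():016X}"


def elect_key_server(participants: Iterable[Participant]) -> Optional[Participant]:
    """Return the elected key server, or None when no participant is eligible.

    None is the 'no key server' failure mode: every participant has priority
    255, so the MKA session cannot be established.
    """
    eligible: List[Participant] = []
    for p in participants:
        if not 0 <= p.priority <= 255:
            raise ValueError(f"{p.name}: priority {p.priority} is out of range")
        if p.priority != 255:
            eligible.append(p)
    if not eligible:
        return None
    # Tuple comparison gives priority precedence over SCI, both ascending.
    return min(eligible, key=lambda p: (p.priority, p.sci()))


# Constructed sample: two devices on one link with equal priority, so the SCI decides.
DEVICE_A = Participant("DeviceA", "00e0-0100-000a", 0x0006, priority=12)
DEVICE_B = Participant("DeviceB", "00e0-0200-0000", 0x0106, priority=12)

if __name__ == "__main__":
    winner = elect_key_server([DEVICE_A, DEVICE_B])
    print("key server:", winner.name if winner else "none (all priorities are 255)")
    print("SCIs:", DEVICE_A.sci_hex(), DEVICE_B.sci_hex())
```

With both sides at priority 12, Device A wins because its SCI 00E00100000A0006 is numerically lower than 00E0020000000106; giving either side a lower priority overrides the SCI tie-break, and setting both to 255 yields no key server, which is the first thing to check when an MKA session will not come up.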
Step | Command | Remarks
Enter system view. | system-view |
Enter interface view. | interface interface-type interface-number |
Enable MACsec replay protection. | macsec replay-protection enable | By default, MACsec replay protection is enabled on the port.
Set the MACsec replay protection window size. | macsec replay-protection | The default setting is 0, and frames are accepted only in the
Step | Command | Remarks
| | You can create multiple MKA policies.
(Optional.) Set the MACsec confidentiality offset. | macsec confidentiality-offset offset-value | The default setting is 0. MACsec uses the confidentiality offset propagated by the key server.
Enable MACsec replay protection. | replay-protection enable | By default, MACsec replay protection is enabled.
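How the replay protection window governs which frames a port accepts, as an added Python model that is not HPE code. It follows the IEEE 802.1AE receive-side rule: a frame is accepted if its packet number (PN) is not below lowestPN, and lowestPN trails the highest accepted PN by the window size, so the default window of 0 accepts frames only in strictly increasing PN order, while a window of 100 tolerates reordering within 100 frames. The packet-number sequences fed in are constructed.

```python
"""Receive-side replay protection window, modelled on IEEE 802.1AE (added example).

Each received frame carries a packet number (PN) that increases for every
frame protected under a secure association (SA). With replay protection on,
a frame is dropped when its PN falls below lowestPN, and lowestPN trails the
highest PN accepted so far by the configured window size. Window 0 (the
default) therefore accepts frames only in strictly increasing PN order.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ReceiveSA:
    window_size: int             # value given with macsec replay-protection window-size
    replay_protect: bool = True  # False models replay protection disabled on the port
    next_pn: int = 1             # PN expected next on a fresh SA
    lowest_pn: int = 1           # oldest PN still accepted
    accepted: int = 0
    dropped: int = 0             # frames rejected as replayed or too late

    def __post_init__(self) -> None:
        if not 0 <= self.window_size <= 0xFFFFFFFF:
            raise ValueError("window size must fit in 32 bits")

    def accept(self, pn: int) -> bool:
        """Return True if a frame with packet number pn passes the replay check."""
        if pn < 1:
            raise ValueError("PN 0 is never transmitted under an SA")
        if self.replay_protect and pn < self.lowest_pn:
            self.dropped += 1
            return False
        if pn >= self.next_pn:
            # Advance the window; lowestPN never drops below 1.
            self.next_pn = pn + 1
            self.lowest_pn = max(1, self.next_pn - self.window_size)
        self.accepted += 1
        return True


def check_sequence(window_size: int, pns: List[int]) -> List[bool]:
    """Run a constructed PN arrival order through one SA; return per-frame verdicts."""
    sa = ReceiveSA(window_size)
    return [sa.accept(pn) for pn in pns]


if __name__ == "__main__":
    # Constructed arrival orders: a duplicate and a late frame, then a 50-frame reorder.
    in_order = [1, 2, 3, 3, 5, 4]
    reordered = [500, 450, 400]
    print("window 0  :", check_sequence(0, in_order))      # only strictly increasing PNs pass
    print("window 100:", check_sequence(100, reordered))   # 450 is inside the window, 400 is not
```

The `dropped` counter is the quantity to watch operationally: a steadily rising count on a link with a window of 0 usually means legitimate reordering (for example across a LAG or a queueing device), which is fixed by raising the window, whereas a burst of drops with no reordering on the path is worth treating as a potential replay attempt.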
To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
• Set the MACsec confidentiality offset to 30 bytes.
• Enable MACsec replay protection, and set the replay protection window size to 100.
•...
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceB-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceB-GigabitEthernet1/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceB-GigabitEthernet1/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceB-GigabitEthernet1/0/1] macsec validation mode strict
# Enable MKA on GigabitEthernet 1/0/1.
Current SAK AN
Current SAK KI (KN) : 85E004AF49934720AC5131D300000003 (3)
Previous SAK status : N/A
Previous SAK AN : N/A
Previous SAK KI (KN) : N/A
Live peer list:
Priority Capability Rx-SCI
12A1677D59DD211AE86A0128 00E0020000000106

# Display MACsec information on GigabitEthernet 1/0/1 of Device B.
[DeviceB] display macsec interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
Protect frames...
Live peer list:
Priority Capability Rx-SCI
85E004AF49934720AC5131D3 1216 00E00100000A0006

Troubleshooting MACsec

Cannot establish MKA sessions between MACsec devices

Symptom

The devices cannot establish MKA sessions when the following conditions exist:
• The link connecting the devices is up.
• The ports at the ends of the link are MACsec capable.

Analysis

The symptom might occur for the following reasons:
•...
Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

Command conventions

Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
Convention | Description
TIP: | An alert that provides helpful information.

Network topology icons

The icons themselves are not reproduced here; their meanings are:
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources

Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect
•...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.