Hi all,
I am new to the forum, and sorry for my English.
I work with Alcatel OS6860E U28 and P24 and I have a problem with MACSec (802.1ae).
AOS: 8.5.164.R01.
In the datasheet, they say that MACSec is implemented, but only in SA Static Mode.
I configured my equipment with the CLI indicated in the doc:
security key 1 algorithm aes-gcm-128 encrypt-key ............
security key 2 algorithm aes-gcm-128 encrypt-key ............
security key 3 algorithm aes-gcm-128 encrypt-key ............
security key 4 algorithm aes-gcm-128 encrypt-key ............
security key-chain 2 name KeyMACSec
security key-chain 2 key 1
security key-chain 2 key 2
security key-chain 2 key 3
security key-chain 2 key 4
interfaces port 1/1/25 (for P24 and 1/1/29 for U28) macsec admin-state enable mode static sci-tx 0x01 key-chain 2 encryption sci-rx 0x01 key-chain 2 encryption
I generate traffic.
I sniff the packets with Wireshark, and I don't see the 802.1AE Security tag.
I need help please.
MACSec on 6860E 8.5.R01
Re: MACSec on 6860E 8.5.R01
At a mirror port you can't see the encrypted packet because the MACsec is in the hardware (after the mirroring). You can only see this with a TAP within the cable. With your option encryption at the interface command, encryption is enabled.
Without the encryption option you will only see protected packets.
In the following show commands you see the encrypted RX and TX packets.
```
> show interfaces macsec 1/1/26 statistics
Chassis/Slot/Port 1/1/26
Byte Transmitted : 28892749, Untagged TX Pkts : 0
Too Long TX Pkts : 1, Byte Received : 26466285
Untagged RX Pkts : 0, No Tagged RX Pkts : 27
Bad Tagged RX Pkts : 0, Unknown SCI RX Pkts: 0
No SCI RX Pkts : 0, Overrun RX Pkts : 0
SCI-TX: 0x0000000000001001
TX Protected Pkts : 0, TX Encrypted Pkts : 18336
TX Octets Protected: 0, TX Octets Encrypted: 0
SA: 0
TX Protected Pkts: 0, TX Encrypted Pkts: 18336
SA: 1
TX Protected Pkts: 0, TX Encrypted Pkts: 0
SCI-RX: 0x0000000000001002
SCI-RX: 0x0000000000001002
RX Unused SA Pkts : 0, RX No Using SA Pkts: 0
RX Late Pkts : 0, RX Not Valid Pkts : 0
RX Invalid Pkts : 0, RX Delayed Pkts : 0
RX Unchecked Pkts : 0, RX OK Pkts : 18111
RX Octets Validated: 0, RX Octets Decrypted: 26249135
SA: 0
RX Unused SA Pkts: 0, RX No Using SA Pkts: 0
RX Not Valid Pkts: 0, RX Invalid Pkts : 0
RX OK Pkts : 18111
SA: 1
RX Unused SA Pkts: 0, RX No Using SA Pkts: 0
RX Not Valid Pkts: 0, RX Invalid Pkts : 0
RX OK Pkts : 0
```
With 8.5R2 there is now the possibility to use the dynamic mode - I prefer this (instead of the static mode).
best regards
Silvio
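
Added example, not part of the original posts and not vendor code: a small Python check for frames captured on an inline TAP, which looks for the 802.1AE SecTAG (EtherType 0x88E5) and reads its E and C bits to tell encrypted frames from integrity-only ("protected") ones. It assumes no VLAN tag precedes the SecTAG; the sample frames are constructed, with made-up MAC addresses and only the SCI value 0x1001 borrowed from the statistics output above.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5  # EtherType that introduces the 802.1AE SecTAG

def classify_frame(frame: bytes) -> dict:
    """Classify one untagged Ethernet frame taken from an inline TAP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        return {"macsec": False, "mode": "clear"}
    if len(frame) < 20:
        raise ValueError("truncated SecTAG")
    # SecTAG after the EtherType: TCI/AN (1 octet), SL (1), PN (4), optional SCI (8)
    tci_an, short_len, pn = struct.unpack_from("!BBI", frame, 14)
    if tci_an & 0x80:
        raise ValueError("version bit set: not an 802.1AE version 0 SecTAG")
    e_bit, c_bit = bool(tci_an & 0x08), bool(tci_an & 0x04)
    sci = None
    if tci_an & 0x20:  # SC bit: an explicit 8-octet SCI follows the PN
        if len(frame) < 28:
            raise ValueError("SC bit set but SCI truncated")
        sci = int.from_bytes(frame[20:28], "big")
    if e_bit and c_bit:
        mode = "encrypted"        # confidentiality and integrity
    elif not e_bit and not c_bit:
        mode = "integrity-only"   # payload readable, ICV appended
    else:
        mode = "other"            # E and C differ: neither plain case
    return {"macsec": True, "mode": mode, "an": tci_an & 0x03, "pn": pn, "sci": sci}

# Constructed sample frames (made-up MACs, zero-filled payload and ICV).
_MACS = bytes.fromhex("020000000002020000000001")

def sample_frame(tci_an: int) -> bytes:
    sectag = struct.pack("!BBIQ", tci_an, 0, 1, 0x1001)
    return _MACS + struct.pack("!H", MACSEC_ETHERTYPE) + sectag + bytes(48)

ENCRYPTED = sample_frame(0x2C)   # SC=1, E=1, C=1, AN=0
PROTECTED = sample_frame(0x20)   # SC=1, E=0, C=0, AN=0
CLEAR = _MACS + b"\x08\x00" + bytes(46)  # ordinary IPv4 EtherType

if __name__ == "__main__":
    for name, frame in (("encrypted", ENCRYPTED), ("protected", PROTECTED), ("clear", CLEAR)):
        print(name, classify_frame(frame))
```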
Re: MACSec on 6860E 8.5.R01
Hi Silvio,
Thanks for your answer.
I sent a mail to my reseller to give me AOS 8.5R02 to implement the dynamic mode.
Can you give the CLI to implement this?
Thanks so much.
Roronoa
Re: MACSec on 6860E 8.5.R01
Here is an example:
```
security key 1 algorithm aes-cmac-128 hex-key 0x111 keyed-name 0x222
security key-chain 1 name MACsec1
security key-chain 1 key 1
interfaces port 1/1/25 macsec mode dynamic key-chain 1 server-priority 20 encryption
interfaces port 1/1/25 macsec admin-state enable
```
regards
Silvio
Re: MACSec on 6860E 8.5.R01
Thank you very much for your help.
I just tested, it's OK.
Best regards
Roronoa
Re: MACSec on 6860E 8.5.R01
Thanks for all the help.