MACSec on 6860E 8.5.R01

[Roronoa]

Hy all,

I am new to the forum and sorry for my english.

I job with Alcatel OS6860E U28 and P24 and I meet a problem with the MACSec (802.1ae).
AOS: 8.5.164.R01.

In the datasheet, they tell that MACSec was implement but only in SA Static Mode.
I configure my equipement with CLI indicate in the doc:
security key 1 algorithm aes-gcm-128 encrypt-key ............
security key 2 algorithm aes-gcm-128 encrypt-key ............
security key 3 algorithm aes-gcm-128 encrypt-key ............
security key 4 algorithm aes-gcm-128 encrypt-key ............
security key-chain 2 name KeyMACSec
security key-chain 2 key 1
security key-chain 2 key 2
security key-chain 2 key 3
security key-chain 2 key 4
interfaces port 1/1/25 (for P24 and 1/1/29 for U28) macsec admin-state enable mode static sci-tx 0x01 key-chain 2 encryption sci-rx 0x01 key-chain 2 encryption

I generate traffic
I sniff the packet with wireshark, and I don't see 802.1AE Security tag.

I need help please.

[silvio]

At an mirror port you can't see the encrypted packet because the macsec is in the hardware (after the mirroring). You can only see this with a TAP within the cable. With your option encryption at the interface command encrytpion is enabled.
in the following show commands you see the encrypted RX and TX packets.

Code: Select all

> show interfaces macsec 1/1/26 statistics
Chassis/Slot/Port 1/1/26
  Byte Transmitted   : 28892749,   Untagged TX Pkts   :         0
  Too Long TX Pkts   :        1,   Byte Received      :  26466285
  Untagged RX Pkts   :        0,   No Tagged RX Pkts  :        27
  Bad Tagged RX Pkts :        0,   Unknown SCI RX Pkts:         0
  No SCI RX Pkts     :        0,   Overrun RX Pkts    :         0
  SCI-TX: 0x0000000000001001
    TX Protected Pkts  :      0,   TX Encrypted Pkts  :     18336
    TX Octets Protected:      0,   TX Octets Encrypted:         0
      SA: 0
        TX Protected Pkts:    0,   TX Encrypted Pkts:       18336
      SA: 1
        TX Protected Pkts:    0,   TX Encrypted Pkts:           0
  SCI-RX: 0x0000000000001002
  SCI-RX: 0x0000000000001002
    RX Unused SA Pkts  :      0,    RX No Using SA Pkts:        0
    RX Late Pkts       :      0,    RX Not Valid Pkts  :        0
    RX Invalid Pkts    :      0,    RX Delayed Pkts    :        0
    RX Unchecked Pkts  :      0,    RX OK Pkts         :    18111
    RX Octets Validated:      0,    RX Octets Decrypted: 26249135
      SA: 0
        RX Unused SA Pkts:     0,    RX No Using SA Pkts:       0
        RX Not Valid Pkts:     0,    RX Invalid Pkts    :       0
        RX OK Pkts       : 18111
      SA: 1
        RX Unused SA Pkts:     0,    RX No Using SA Pkts:       0
        RX Not Valid Pkts:     0,    RX Invalid Pkts    :       0
        RX OK Pkts       :     0

Without the encryption option you will only see protected packets.
With 8.5R2 there is now the possibilty to use the dynamic mode - I prefere this (instead the static mode).

best regards
Silvio

[Roronoa]

I Silvio,

Thank for your answer.
I send a mail to my revendor to give me AOS 8.5R02 to implement the dynamic mode.
Can you give CLI for implement this.

Thank so much.
Roronoa

[silvio]

here an example:

Code: Select all

security key 1 algorithm aes-cmac-128 hex-key 0x111 keyed-name 0x222
security key-chain 1 name MACsec1
security key-chain 1 key 1
interfaces port 1/1/25 macsec mode dynamic key-chain 1 server-priority 20 encryption
interfaces port 1/1/25 macsec admin-state enable

regards
Silvio

[Roronoa]

Thank you very much for your help.

I just tested, it's OK.

Best regards
Roronoa

[Robetto]

Thanks for all the help.