Question

Encrypt a point-to-point connection?

  • 28 September 2020
  • 6 replies
  • 42 views

Userlevel 2

We have a point-to-point connection running between two X460 switches running 16.2.5.4-patch1-12. We are going through a FISMA readiness audit and are being told that we need to encrypt that P2P connection between those devices. Is that possible natively, or do we need to purchase different equipment and/or a newer version of XOS, or do we need a 3rd-party solution to make that happen?


6 replies

Userlevel 6
Badge +1

Stephen,

MACsec is an option.

Have a look here:

https://gtacknowledge.extremenetworks.com/articles/Q_A/Is-MACSec-802-1AE-feature-supported-in-EXOS

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-LRM-MACsec-adapter-on-a-capable-EXOS-switch-for-basic-secure-operation

To be checked:

  • OS version to be upgraded to 30.1 or higher
  • MACsec feature pack license is required
  • HW version to be checked

Mig

Userlevel 2

We also have an MPLS network connecting those two locations and two other sites. Could the same method be used to secure communications between all 4 sites? If so, would we then create two connectivity associations with two different CAKs, or do we need to use the same CAK for all associations?

Userlevel 6
Badge +1

Stephen,

Drawing a topology map would help to understand.

To be checked: the maximum number of MACsec interfaces you can have on your specific switches.

From my understanding, one CAK per P2P link is needed.

Mig
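As an added illustration of the "one CAK per P2P link" advice above (this is example code written for this page, not something posted in the thread, not Extreme tooling, and not EXOS CLI syntax), the script below plans MACsec pre-shared keys for a small multi-site topology: it generates a distinct CKN/CAK pair per link, enforces the 802.1X-2010 MKA size limits (CAK of 128 or 256 bits, CKN of 1 to 32 octets), refuses to reuse a CAK across links, and builds a per-switch table so each switch receives exactly the keys for the links it terminates. The switch and link names are constructed for the example.

```python
"""Per-link MACsec pre-shared key planner (illustrative, not vendor tooling)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Size constraints from IEEE 802.1X-2010 MKA pre-shared keys:
# the CAK is 128 or 256 bits, the CKN that names it is 1..32 octets.
CAK_LENGTHS = {16, 32}
CKN_MAX_LEN = 32


@dataclass(frozen=True)
class Link:
    name: str   # human label for the link, becomes the CKN
    a: str      # switch at one end
    b: str      # switch at the other end


@dataclass(frozen=True)
class PreSharedKey:
    ckn: str    # hex string
    cak: str    # hex string, secret


def validate_psk(ckn_hex: str, cak_hex: str) -> None:
    """Raise ValueError if the CKN/CAK pair violates the MKA size limits."""
    ckn = bytes.fromhex(ckn_hex)
    cak = bytes.fromhex(cak_hex)
    if not 1 <= len(ckn) <= CKN_MAX_LEN:
        raise ValueError(f"CKN must be 1..{CKN_MAX_LEN} octets, got {len(ckn)}")
    if len(cak) not in CAK_LENGTHS:
        raise ValueError(f"CAK must be 16 or 32 octets, got {len(cak)}")


def plan_keys(
    links: List[Link],
    cak_bits: int = 256,
    rand: Callable[[int], bytes] = secrets.token_bytes,
) -> Tuple[Dict[str, PreSharedKey], Dict[str, List[Tuple[str, PreSharedKey]]]]:
    """Return (key per link, key table per switch), one distinct CAK per link.

    `rand` is injectable so the planner can be tested deterministically;
    in real use leave it as secrets.token_bytes.
    """
    per_link: Dict[str, PreSharedKey] = {}
    per_switch: Dict[str, List[Tuple[str, PreSharedKey]]] = {}
    seen_caks = set()
    for link in links:
        # CKN derived from the link name so both ends agree on which CAK applies.
        ckn = link.name.encode("ascii")[:CKN_MAX_LEN].hex()
        if any(k.ckn == ckn for k in per_link.values()):
            raise ValueError(f"CKN collision for link {link.name!r}")
        cak = rand(cak_bits // 8).hex()
        if cak in seen_caks:
            raise ValueError(f"CAK reuse detected for link {link.name!r}")
        seen_caks.add(cak)
        psk = PreSharedKey(ckn=ckn, cak=cak)
        validate_psk(psk.ckn, psk.cak)
        per_link[link.name] = psk
        # Each switch gets only the keys for links it terminates.
        per_switch.setdefault(link.a, []).append((link.name, psk))
        per_switch.setdefault(link.b, []).append((link.name, psk))
    return per_link, per_switch


# Constructed sample topology: two X460s on a dedicated P2P link, plus two
# more sites hanging off site A (hypothetical names, not from the thread).
SAMPLE_LINKS = [
    Link("siteA-siteB-p2p", "x460-siteA", "x460-siteB"),
    Link("siteA-siteC", "x460-siteA", "sw-siteC"),
    Link("siteA-siteD", "x460-siteA", "sw-siteD"),
]


if __name__ == "__main__":
    keys, tables = plan_keys(SAMPLE_LINKS)
    for switch, entries in sorted(tables.items()):
        print(switch)
        for link_name, psk in entries:
            print(f"  {link_name}: CKN={psk.ckn} CAK={psk.cak[:8]}...")
```

Run it and each switch prints only the links it terminates; the X460 at site A ends up holding three CAKs, one per link, while site B holds one. Whether a given EXOS release and hardware can actually terminate that many MACsec interfaces is exactly the check the reply above asks for and is outside what this script can tell you.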

Userlevel 2

Simplified topology map is below.


Userlevel 6
Badge +1

Stephen,


The P2P link between the X460s is OK for me, but the MPLS link is not a P2P link.

For this kind of topology I recommend to request assistance of Extreme Professional Services.

I don’t know if you can encrypt the traffic between the nodes and still exchange the needed information with your ISP switches for the MPLS forwarding.

I’m not an expert on this matter. Not yet :grin:


Mig

Userlevel 4

I don’t know if you can encrypt the traffic between the nodes and still exchange the needed information with your ISP switches for the MPLS forwarding.

AFAIK, you can only use MACsec in this setup if the MPLS provider supports and configures MACsec on the MPLS router and on all devices used inside the MPLS network.
