MACsec?


Userlevel 3
Hello,

are there any plans to implement IEEE 802.1AE on Enterasys / Extreme switches and APs in future?
I think especially for inter switch links it would be a great security benefit.

Kind regards
Christoph

11 replies

Userlevel 6
Hello Christoph

As of right now 802.1AE is not supported on any of the equipment. The S series switches are capable of supporting 802.1AE but it has not been added to the SW as of yet. I believe the other half of MACsec (802.1X-2010) is still under development.

If that changes we will let you know.

Thanks
P
Userlevel 4
Paul Russo wrote:

Hello Christoph

As of right now 802.1AE is not supported on any of the equipment. The S series switches are capable of supporting 802.1AE but it has not been added to the SW as of yet. I believe the other half of MACsec (802.1X-2010) is still under development

If that changes we will let you know

Thanks
P

Paul, are there any changes about 802.1AE on Extreme devices?
Userlevel 2
I will go ahead and change this to an idea so we can track with product management. Thank you Christoph!
Hi there,

Seems like MACsec is now implemented in S- and 71- Series, since FW Version 8.41.

Does anyone have some experience already?

Thanks,
Martin
Userlevel 5
Hello Martin,

nothing by way of operational network experience to offer but I'll kick in some trivia to give the thread a fresh timestamp. I expect this will be a popular topic before long. As new features go, this one is pretty cool.

* hardware required: 7100-Series or S-Series s180-class
* MACsec implementation is standards based - 802.1AE-2006 and 802.1X-2010
* limited testing verifies interop with Juniper MACsec
* MACsec licenses are applied per module.
  eval license available here:
  https://extranet.extremenetworks.com/mysupport/licensing/Pages/default.aspx
  extranet account required - immediate request/license turnaround
* MACsec can be supported on every port in an S-Series chassis.
* current implementation is switch to switch.
* easily implemented - the example minimum config below can be mirrored on both sides
  1) set macsec port mka enable tg.1.1
  2) set macsec pre-shared-key port tg.1.1 ckn foo cak passphrase bar
* MACsec is supported on 1Gb/s and 10Gb/s ports and will run on fiber, copper, DAC etc.
* 40Gb/s when run in 10G/s mode only. No virtual port support, physical ports only

Regards,
Mike
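
Added example, not part of Mike's post and not Extreme tooling: a Python check that the two-command minimum config above really is mirrored on both ends of a link (MKA enabled, same CKN and CAK) and that the placeholder-style passphrase has been replaced. The sample configs and the 16-character minimum are assumptions made for this illustration, and the parser only knows the two command forms quoted above, applied to the commands as typed rather than to device output.

```python
import re

# Constructed sample configs built only from the two commands quoted in the post.
SWITCH_A = """\
set macsec port mka enable tg.1.1
set macsec pre-shared-key port tg.1.1 ckn foo cak passphrase bar
set macsec port mka enable tg.1.2
"""
SWITCH_B = """\
set macsec port mka enable tg.1.1
set macsec pre-shared-key port tg.1.1 ckn foo cak passphrase baz
"""

MKA_RE = re.compile(r"^set macsec port mka enable (\S+)$")
PSK_RE = re.compile(
    r"^set macsec pre-shared-key port (\S+) ckn (\S+) cak passphrase (\S+)$")

def parse(config):
    """Return {port: {"mka": bool, "ckn": str or None, "cak": str or None}}."""
    ports = {}
    for line in config.splitlines():
        line = line.strip()
        if m := MKA_RE.match(line):
            ports.setdefault(m[1], {"mka": False, "ckn": None, "cak": None})["mka"] = True
        elif m := PSK_RE.match(line):
            entry = ports.setdefault(m[1], {"mka": False, "ckn": None, "cak": None})
            entry["ckn"], entry["cak"] = m[2], m[3]
    return ports

def audit_link(cfg_a, port_a, cfg_b, port_b, min_len=16):
    """List reasons the two ends of a link are not a mirrored, usable MACsec pair."""
    a = parse(cfg_a).get(port_a, {})
    b = parse(cfg_b).get(port_b, {})
    findings = []
    for name, side in (("A", a), ("B", b)):
        if not side.get("mka"):
            findings.append(f"{name}: MKA not enabled")
        if not side.get("ckn"):
            findings.append(f"{name}: no pre-shared key")
        elif len(side["cak"]) < min_len:  # min_len is an assumed local policy
            findings.append(f"{name}: passphrase shorter than {min_len} chars")
    if a.get("ckn") and b.get("ckn"):
        # Both ends must present the same key name and key, or MKA will not pair them.
        if a["ckn"] != b["ckn"]:
            findings.append("CKN mismatch")
        if a["cak"] != b["cak"]:
            findings.append("CAK passphrase mismatch")
    return findings
```
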



Hi Michael,

thanks for your reply!

We've now tested MACsec with two new SSA-180... Works really well so far!

Unfortunately it's not working if we change the 10G SFPs with 1G SFPs.
Can you confirm this?

Would have been great for some cases where we just have a 1G-EtherConnect between two sites.

Regards,
Martin
Userlevel 7

Hi,

Can you please detail what's happening when changing to a 1G SFP instead of a 10G SFP. Afaik, 1G is supported.

Hi Stephane,

We first set up the 10G MACsec with the commands from above.
After this we:
- disabled the port (in our case tg.1.2 on both SSAs)
- replaced 10G-SFP+ with 1G-SFP
- enabled ports tg.1.2

The port is administratively "up" but remains operationally "down" 😞

After this we:
- disabled MACSec on Ports tg.1.2
-> Ports got operationally "up"
- enabled MACSec
-> Ports got operationally "down"

That's all!

Did we do anything wrong?... or at least something right!?

Regards,
Martin

Hi Stephane,

Any ideas yet?

We've tested it successfully between a 71G and a 71K via 1G-copper.
Both a single connection and a 2-port LACP are working fine and encrypted 😃

Regards,
Martin

Hi Michael,

I want to test MACsec with an eval license, but when I follow the link you provided there is no option for a MACsec eval license. How can I get one?

Regards,

Uwe
Hi there,

According to a GTAC Service Request I initiated, there is no support for 1G SFPs on 10G ports running MACsec on an S180 SSA (SSA-G8018-0652).

Nevertheless we successfully configured MACsec on two SSA-180 between the ports tg.1.2 with a 1G SFP!!!! 😃
Now with the latest firmware 8.42.

Regards,
Martin
