The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the BPDU Transparency with MACsec feature which enables you to create tunnel between a source customer edges (CE) device and a destination CE device and use this tunnel to carry traffic between these two CEs.
The punt decision in Layer 2 Control Plane Tunneling depends on the interface that is configured with MACsec. If the main interface is configured with MACsec policy, all the MACsec packets are punted so that MACsec sessions are established between customer edge (CE) device and the provider edge (PE) device. If the main interface is not configured with MACsec, all MACsec packets are tunnelled to the remote CE.
MACsec is an IEEE 802.1AE standards based Layer 2 hop-by-hop encryption that provides data confidentiality and integrity for media access independent protocols.
MACsec, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. Only host facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.
The 802.1AE encryption with MACsec Key Agreement (MKA) is supported on downlink ports for encryption between the host devices.
MACsec encrypts the entire data except for the Source and Destination MAC addresses of an Ethernet packet.
To provide MACsec services over the WAN or Metro Ethernet, service providers offer Layer 2 transparent services such as E-Line or E-LAN using various transport layer protocols such as Ethernet over Multiprotocol Label Switching (EoMPLS) and L2TPv3.
The packet body in an EAP-over-LAN (EAPOL) Protocol Data Unit (PDU) is referred to as a MACSec Key Agreement PDU (MKPDU). When no MKPDU is received from participants after 3 heartbeats (each heartbeat is of 2 seconds), peers are deleted from the live peer list. For example, if a client disconnects, the participant on the switch continues to operate MKA until 3 heartbeats have elapsed after the last MKPDU is received from the client.
The MKA feature support provides tunneling information such as VLAN tag (802.1Q tag) in the clear so that the service provider can provide service multiplexing such that multiple point to point services can co-exist on a single physical interface and differentiated based on the now visible VLAN ID.
In addition to service multiplexing, VLAN tag in the clear also enables service providers to provide quality of service (QoS) to the encrypted Ethernet packet across the SP network based on the 802.1P (CoS) field that is now visible as part of the 802.1Q tag.
The Layer 2 control plane is divided into many customer and provider control planes. As defined in the IEEE Standard 802.1Q-2011, an L2CP frame is a frame that contains a destination MAC address that is one among the 32 addresses which are reserved for control protocols. You can transport traffic using VPWS or VPLS service.
The decision to punt depends on the interface that is configured with MACsec. If the interface is configured with MACsec policy, all MACsec packets are punted so that MACsec sessions are established between two customer edge (CE) devices. If the interface is not configured with MACSec, all MACsec packets are tunneled to the remote CE. MACsec cannot be configured on a sub-interface.
When CEs are configured with MACsec and PEs are configured with L2VPN VPWS, all MACsec packets are tunneled through VPWS.
When MACsec is configured on PE on any CE connected interface, all MACsec packets on this interface are punted. These packets are not forwarded to remote CEs. When MACsec is configured on the PE’s interface, MACsec session is not established between PE and CE devices.
The following sections describes the procedure for configuring BPDU Transparency with MACsec feature.
Configure an MPLS core
Configure L2VPN Xconnect
Configure MACsec on CE device
Configuring L2VPN Xconnect
Configure IPv4 address on an interface connecting to the core.
Router# configure
Router(config)# interface tengige 0/1/0/8/2.1
Router(config-subif)# no shut
Router(config-subif)# ipv4 address 192.0.2.1/24
Configure an IPv4 loopback interface.
Router# configure
Router(config)# interface loopback 0
Router(config)# ipv4 address 10.0.0.1/32
Configure OSPF as IGP.
Router# configure
Router(config)# router ospf 100 area 0
Router(config-ospf-ar)# interface Tengige 0/1/0/8/3
Router(config-ospf-ar-if)# exit
Router(config-ospf-ar)# interface loopback 1
Configure MPLS LDP for the physical core interface.
Router(config-ospf-ar)# mpls ldp
Router(config-ldp)# interface TenGigE 0/1/8/3
Configure IPv4 address on an interface that connects to the core.
Router# configure
Router(config)# router bgp 100
Router(config-bgp)# bgp router-id 10.10.10.1
Router(config-bgp)# address-family ipv4 unicast
Router(config-bgp-af)# exit
Router(config-bgp)# address-family l2vpn vpls-vpws
Router(config-bgp-af)# exit
Router(config-bgp)# neighbor 172.16.0.1
Router(config-bgp-nbr)# remote-as 2002
Router(config-bgp-nbr)# update-source loopback 2
Router(config-bgp-nbr)# address-family l2vpn vpls-vpws
Router(config-bgp-nbr-af)# next-hop-self
Configure the AC as Layer 2 transport to forward packets to the remote pseudowire.
Router# configure
Router(config)# interface TenGigE 0/1/0/8/2.1 l2tranport
Router(config-if)# encap dot1q 1
Configure L2VPN Xconnect with a neighbour which is a pseudowire.
Router# configure
Router(config)# l2vpn
Router(config-l2vpn)# xconnect group g1
Router(config-l2vpn-xc)# p2p g1
Router(config-l2vpn-xc-p2p)# interface TenGigE 0/1/0/2.1
Router(config-l2vpn-xc-p2p)# neighbor 172.16.0.1 pw-id 1
Router(config-l2vpn-xc-p2p-pw)#
Configure MACsec on CE device
Router# configure
Router(config)# key chain KC1 macsec
Router(config-kc1-MacSec)# key 5010
Router(config-kc1-MacSec-5010)# key-string password 04795B232C766A6C513A5C4E37582F220F0871781167033124465525017A0C7101 cryptographic-algorithm aes-128-cmac
Router(config-kc1-MacSec-5010)# lifetime 11:08:00 Aug 08 2017 infinite
Router(config-kc1-MacSec-5010)# commit
!
Router# configure
Router(config)# interface HundredGigE 0/0/0/3
Router(config-if)# macsec psk-keychain KC1
Router(config-if)# commit
This section shows BPDU Transparency with MACsec running configuration.
/* Configuring MPLS core.*/
/* Configure an IPv4 address on an interface that connects to the MPLS core. */
interface tengige 0/1/0/8/3
no shut
ipv4 address 192.0.2.0/24
!
/* Configure an IPv4 loopback interface. */
interface loop 0
ipv4 address 10.0.0.1/32
/* Configure OSPF as IGP. */
router ospf 100 area 0
interface TenGige 0/1/0/8/3
interface loop 0
!
/* Configure MPLS LDP for the physical core interface. */
mpls ldp
interface TenGige 0/1/0/8/3
!
!
/* Configuring L2VPN Xconnect. */
/* Configure an IPv4 address on an interface that connects to the MPLS core. */
router bgp 100
bgp router-id 192.1.2.22
address-family ipv4 unicast
exit
address-family l2vpn vpls-vpws
neighbor 172.16.0.1
remote-as 100
update-source Loopback2
address-family l2vpn vpls-vpws
next-hop-self
/* Configure L2VPN Xconnect with a neighbour which is a pseudowire. */
l2vpn
xconnect group g1
p2p g1
interface tengige 0/1/0/8/2.1
neighbor 172.16.0.1 pw-id 1
/* Configure MACSec on CE device */
configure
key chain KC1 macsec
key 5010
key-string password 04795B232C766A6C513A5C4E37582F220F0871781167033124465525017A0C7101 cryptographic-algorithm aes-128-cmac
lifetime 11:08:00 Aug 08 2017 infinite
commit
!
configure
interface HundredGigE0/0/0/3
macsec psk-keychain KC1
commit
endThe show outputs given in the following section display the details of the configuration of the BPDU transparency with MACsec feature, and the status of their configuration.
/* Verify if IGP on the core is up. */
Router# show ospf neighbor
Group Wed Aug 16 20:32:33.665 UTC
Indicates MADJ interface
# Indicates Neighbor awaiting BFD session up
Neighbors for OSPF 100
Neighbor ID Pri State Dead Time Address Interface
172.16.0.1 1 FULL/DR 00:00:30 10.1.1.2 TenGigE0/1/0/8/0
Neighbor is up for 06:05:27Total neighbor count: 1
/* Verify if the MPLS core is up. */
Router# show mpls ldp neighbor
Wed Aug 16 20:32:38.851 UTC
Peer LDP Identifier: 172.16.0.1:0
TCP connection: 172.16.0.1:64932 - 172.31.255.254:646
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 487/523; Downstream-Unsolicited
Up time: 06:05:24
LDP Discovery Sources:
IPv4: (2)
TenGigE0/1/0/8/0
Targeted Hello (172.31.255.254 -> 172.16.0.1, active)
IPv6: (0)
Addresses bound to this peer:
IPv4: (8)
10.0.0.1 10.0.0.2 10.0.0.200 172.16.0.1
192.168.0.1 172.31.255.255 172.16.0.2 10.255.255.254
IPv6: (0)
/* Verify if the BGP neighbor is up. */
Router# show bgp neighbor 10.10.10.1
Wed Aug 16 20:32:52.578 UTC
BGP neighbor is 10.10.10.1
Remote AS 15169, local AS 15169, internal link
Remote router ID 172.31.255.255
BGP state = Established, up for 06:03:40
NSR State: None
Last read 00:00:34, Last read before reset 00:00:00
Hold time is 180, keepalive interval is 60 seconds
Configured hold time: 180, keepalive: 60, min acceptable hold time: 3
Last write 00:00:34, attempted 19, written 19
Second last write 00:01:34, attempted 19, written 19
Last write before reset 00:00:00, attempted 0, written 0
*****************
Connections established 1; dropped 0
/* Verify if the BGP neighbor’s next-hop information is valid. */
Router# show cef 10.10.10.1
Wed Aug 16 20:33:18.949 UTC
10.10.10.1/32, version 16, internal 0x1000001 0x0 (ptr 0x8e0ef628) [1], 0x0 (0x8e287bc0),
0xa20 (0x8e9253e0)
Updated Aug 16 14:27:15.149
local adjacency 172.16.0.1
Prefix Len 32, traffic index 0, precedence n/a, priority 3
via 172.16.0.1/32, TenGigE0/1/0/8/0, 5 dependencies, weight 0, class 0 [flags 0x0]
path-idx 0 NHID 0x0 [0x8eb60568 0x8eb60e70]
next hop 172.16.0.1/32
local adjacency
local label 64001 labels imposed {ImplNull}
/* Verify if L2VPN Xconnect is up. */
Router# show l2vpn xconnect
Wed Aug 16 20:47:01.053 UTC
Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
SB = Standby, SR = Standby Ready, (PP) = Partially Programmed
XConnect Segment 1 Segment 2
Group Name ST Description ST Description ST
------------------------ ----------------------------- -----------------------------
b1 b1 UP BE100 UP 10.10.10.1 1 UP
----------------------------------------------------------------------------------------
/* Note: If L2VPN is down even though the MPLS LDP neighbor is up, check if the AC is down.
To do this, use the show l2vpn xconnect detail command. */
/* Verify if L2VPN Xconnect is up */
Router# show l2vpn xconnect detail
!
!
AC: Bundle-Ether100, state is up <<<< This indicates that the AC is up.
Type Ethernet
MTU 1500; XC ID 0xa0000002; interworking none
Statistics:
packets: received 761470, sent 0
bytes: received 94326034, sent 0
PW: neighbor 10.10.10.1, PW ID 1, state is up ( established )
PW class not set, XC ID 0xc0000001
Encapsulation MPLS, protocol LDP
Source address 172.16.0.2
PW type Ethernet, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
!
!
Feedback