summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-09-14 08:09:02 +0200
committerGitHub <noreply@github.com>2024-09-14 08:09:02 +0200
commit4e7240a8b5c437f3ded54c474ee3e77c4df5749b (patch)
tree40419022f946a53b0fe0201a85171f429e5c436f
parent3cfe0e25bb0e14380d4be296c68cfc6c059d22dc (diff)
parent8435b83795ae4a14395dfa9d4892b96d85b6041a (diff)
downloadvyos-documentation-4e7240a8b5c437f3ded54c474ee3e77c4df5749b.tar.gz
vyos-documentation-4e7240a8b5c437f3ded54c474ee3e77c4df5749b.zip
Merge pull request #1547 from vyos/mergify/bp/sagitta/pr-1546
add mac sec over wan (backport #1546)
-rw-r--r--docs/configuration/interfaces/macsec.rst48
1 files changed, 47 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 0c0c052b..1ab7f361 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -236,4 +236,50 @@ the unencrypted but authenticated content.
set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
- set interfaces macsec macsec1 source-interface 'eth1' \ No newline at end of file
+ set interfaces macsec macsec1 source-interface 'eth1'
+
+***************
+MACsec over wan
+***************
+
+MACsec is an interesting alternative to existing tunneling solutions that
+protects layer 2 by performing integrity, origin authentication, and optionally
+encryption. The typical use case is to use MACsec between hosts and access
+switches, between two hosts, or between two switches. in this example below,
+we use VXLAN and MACsec to secure the tunnel.
+
+**R1 MACsec01**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.1/24'
+ set interfaces macsec macsec1 address '2001:db8::1/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02'
+ set interfaces macsec macsec1 source-interface 'vxlan1'
+ set interfaces vxlan vxlan1 mac '00:11:22:33:44:01'
+ set interfaces vxlan vxlan1 remote '10.1.3.3'
+ set interfaces vxlan vxlan1 source-address '172.16.100.1'
+ set interfaces vxlan vxlan1 vni '10'
+ set protocols static route 10.1.3.3/32 next-hop 172.16.100.2
+
+**R2 MACsec02**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.2/24'
+ set interfaces macsec macsec1 address '2001:db8::2/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01'
+ set interfaces macsec macsec1 source-interface 'vxlan1'
+ set interfaces vxlan vxlan1 mac '00:11:22:33:44:02'
+ set interfaces vxlan vxlan1 remote '10.1.2.2'
+ set interfaces vxlan vxlan1 source-address '172.16.100.2'
+ set interfaces vxlan vxlan1 vni '10'
+ set protocols static route 10.1.2.2/32 next-hop 172.16.100.1