summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorfett0 <fernando.gmaidana@gmail.com>2024-09-13 18:38:29 -0300
committerfett0 <fernando.gmaidana@gmail.com>2024-09-13 18:38:29 -0300
commitb7ad59279d4b253d0aaa4783acca9bd294c3c4f4 (patch)
tree0ece4301e60f5b26739add9fa9bda3150f306ae5
parent1151f2021be39dec17c6db6d2d2bdcfeb0a8d7eb (diff)
downloadvyos-documentation-b7ad59279d4b253d0aaa4783acca9bd294c3c4f4.tar.gz
vyos-documentation-b7ad59279d4b253d0aaa4783acca9bd294c3c4f4.zip
add mac sec over wan
-rw-r--r--docs/configuration/interfaces/macsec.rst48
1 files changed, 47 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 0c0c052b..1ab7f361 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -236,4 +236,50 @@ the unencrypted but authenticated content.
set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
- set interfaces macsec macsec1 source-interface 'eth1' \ No newline at end of file
+ set interfaces macsec macsec1 source-interface 'eth1'
+
+***************
+MACsec over wan
+***************
+
+MACsec is an interesting alternative to existing tunneling solutions that
+protects layer 2 by performing integrity, origin authentication, and optionally
+encryption. The typical use case is to use MACsec between hosts and access
+switches, between two hosts, or between two switches. in this example below,
+we use VXLAN and MACsec to secure the tunnel.
+
+**R1 MACsec01**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.1/24'
+ set interfaces macsec macsec1 address '2001:db8::1/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02'
+ set interfaces macsec macsec1 source-interface 'vxlan1'
+ set interfaces vxlan vxlan1 mac '00:11:22:33:44:01'
+ set interfaces vxlan vxlan1 remote '10.1.3.3'
+ set interfaces vxlan vxlan1 source-address '172.16.100.1'
+ set interfaces vxlan vxlan1 vni '10'
+ set protocols static route 10.1.3.3/32 next-hop 172.16.100.2
+
+**R2 MACsec02**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.2/24'
+ set interfaces macsec macsec1 address '2001:db8::2/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01'
+ set interfaces macsec macsec1 source-interface 'vxlan1'
+ set interfaces vxlan vxlan1 mac '00:11:22:33:44:02'
+ set interfaces vxlan vxlan1 remote '10.1.2.2'
+ set interfaces vxlan vxlan1 source-address '172.16.100.2'
+ set interfaces vxlan vxlan1 vni '10'
+ set protocols static route 10.1.2.2/32 next-hop 172.16.100.1