diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-09-14 08:09:02 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-14 08:09:02 +0200 |
| commit | 4e7240a8b5c437f3ded54c474ee3e77c4df5749b (patch) | |
| tree | 40419022f946a53b0fe0201a85171f429e5c436f | |
| parent | 3cfe0e25bb0e14380d4be296c68cfc6c059d22dc (diff) | |
| parent | 8435b83795ae4a14395dfa9d4892b96d85b6041a (diff) | |
| download | vyos-documentation-sagitta.tar.gz vyos-documentation-sagitta.zip | |
Merge pull request #1547 from vyos/mergify/bp/sagitta/pr-1546sagitta
add mac sec over wan (backport #1546)
| -rw-r--r-- | docs/configuration/interfaces/macsec.rst | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 0c0c052b..1ab7f361 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -236,4 +236,50 @@ the unencrypted but authenticated content. set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file + set interfaces macsec macsec1 source-interface 'eth1' + +*************** +MACsec over wan +*************** + +MACsec is an interesting alternative to existing tunneling solutions that +protects layer 2 by performing integrity, origin authentication, and optionally +encryption. The typical use case is to use MACsec between hosts and access +switches, between two hosts, or between two switches. in this example below, +we use VXLAN and MACsec to secure the tunnel. + +**R1 MACsec01** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.1/24' + set interfaces macsec macsec1 address '2001:db8::1/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:01' + set interfaces vxlan vxlan1 remote '10.1.3.3' + set interfaces vxlan vxlan1 source-address '172.16.100.1' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.3.3/32 next-hop 172.16.100.2 + +**R2 MACsec02** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.2/24' + set interfaces macsec macsec1 address '2001:db8::2/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:02' + set interfaces vxlan vxlan1 remote '10.1.2.2' + set interfaces vxlan vxlan1 source-address '172.16.100.2' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.2.2/32 next-hop 172.16.100.1 |