Wednesday, January 4, 2017

MACsec L2 Hop by Hop encryption

Protect packets on switch-to-switch links at layer 2 using MACsec. Traffic crossing the link (CDP, IP packets, etc.) is encrypted, which provides both data integrity and confidentiality.

Cisco TrustSec (CTS) is Cisco's method of implementing the open-standard MACsec.


On the interfaces, issue the command "cts manual", which configures MACsec on them manually.
When configured manually, you need to specify the Security Association Protocol Pairwise Master Key (SAP PMK), which is the key used to encrypt the traffic.

An eavesdropper without the proper key won't be able to decrypt the protected traffic.


Example of encrypting traffic between SW2 and SW4. CDP traffic is blocked until MACsec is configured on both sides.

Peer identity shows as unknown because MACsec is not yet set up on the other side.
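As an added example (not the author's own configuration), here is a minimal "cts manual" setup for the link between the two switches; the interface name and the hex PMK are constructed placeholders, and the same PMK has to be entered on both ends for the link to come up.

```cisco
! SW2 -- one end of the MACsec link (constructed example, interface name assumed)
interface GigabitEthernet1/0/1
 description MACsec link to SW4
 cts manual
  ! SAP pairwise master key: constructed sample value, not a real key.
  ! gcm-encrypt gives encryption plus integrity; gmac would give integrity only.
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
!
! SW4 -- other end of the link; the PMK must match SW2 exactly
interface GigabitEthernet1/0/1
 description MACsec link to SW2
 cts manual
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
!
! Verify on either switch; until both ends are configured the peer identity
! is reported as unknown and CDP from the neighbour is not seen.
show cts interface GigabitEthernet1/0/1
```

Because the PMK is a pre-shared secret stored in the running configuration, treat it like any other static key: keep it out of configuration backups that are shared broadly, and rotate it if the configuration is exposed.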




