IE3x00 MACsec and MACsec Key Agreement Protocol

Product Information

Specifications

  • Standard: IEEE 802.1AE
  • Supported Ports: 1 gigabit ethernet downlink ports
  • Encryption: 802.1AE encryption with MACsec Key Agreement
    (MKA)

Product Usage Instructions

Enabling MACsec and MKA

To enable MACsec and MKA on an interface, follow these
steps:

  1. Apply a defined MKA policy to the interface.
  2. Configure the desired MKA options.

MKA Policies

MKA policies define the behavior of MACsec and MKA on an
interface. You can configure the following options:

  • Single-Host Mode: This mode secures a single EAP-authenticated
    session using MACsec and MKA.

MKA Statistics

You can obtain information about the status of MKA sessions and
view MKA statistics. Some of the important counters and information
include:

  • Total MKA Sessions: The total number of active MKA
    sessions.
  • Secured Sessions: The number of currently secured MKA
    sessions.
  • Pending Sessions: The number of pending MKA sessions.

Example Command Output:

Switch# show mka sessions

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0

Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
Gi1/0/1        204c.9e85.ede4/002b p2               NO                YES
43             c800.8459.e764/002a 1                Secured           0100000000000000000000000000000000000000000000000000000000000000

Detailed MKA Status

You can obtain detailed status information for a specific MKA
session. The information includes:

  • Status: The current status of the MKA session (for example,
    SECURED).
  • Local Tx-SCI: The local transmit Secure Channel
    Identifier.
  • Interface MAC Address: The MAC address of the interface.
  • MKA Port Identifier: The MKA port identifier.
  • Audit Session ID: The audit session ID.
  • CAK Name (CKN): The Connectivity Association Key Name
    (CKN).
  • Member Identifier (MI): The member identifier.
  • Message Number (MN): The message number.
  • EAP Role: The EAP role.
  • Key Server: Indicates whether the device is the key server (YES
    or NO).
  • MKA Cipher Suite: The cipher suite used by MKA.
  • Latest SAK Status: The status of the latest Secure Association
    Key (SAK) for receive and transmit.
  • Latest SAK AN: The Association Number of the latest SAK.
  • Latest SAK KI (KN): The Key Identifier (KN) of the latest SAK.
  • Old SAK Status: The status of the old SAK.
  • Old SAK AN: The Association Number of the old SAK.
  • Old SAK KI (KN): The Key Identifier (KN) of the old SAK.

Example Command Output:

Switch#show mka sessions interface G1/0/1 de
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

FAQ (Frequently Asked Questions)

Q: Which ports support MACsec on the ESS-3300?

A: MACsec is supported on 1 gigabit ethernet downlink ports
only.

Q: What does MKA stand for?

A: MKA stands for MACsec Key Agreement.

Q: How do I enable MACsec and MKA on an interface?

A: To enable MACsec and MKA on an interface, apply a defined MKA
policy to the interface and configure the desired options for
MKA.

Q: What is the purpose of an MKA policy?

A: An MKA policy defines the behavior of MACsec and MKA on an
interface.

Q: How can I view MKA statistics?

A: You can use the "show mka statistics" command to view MKA
statistics, including the total number of MKA sessions, secured
sessions, and pending sessions.

MACsec and MACsec Key Agreement (MKA) Protocol
This chapter contains the following sections:
· MACsec and MACsec Key Agreement (MKA) Protocol
· Certificate Based MACsec
· MKA Policies
· Single-Host Mode
· MKA Statistics
· How to Configure MACsec Encryption
MACsec and MACsec Key Agreement (MKA) Protocol
MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. The device supports 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The MKA protocol provides the required session keys and manages the required encryption keys.
Important: On the ESS-3300, MACsec is supported on 1 gigabit ethernet downlink ports only.
MACsec and MACsec Key Agreement (MKA) are implemented after successful authentication using the certificate-based MACsec or Pre Shared Key (PSK) framework. You can control the behavior of unencrypted packets on an interface when MACsec is enabled by using the macsec access-control {must-secure | should-secure} command. When MACsec is enabled on an interface, all interface traffic is secured by default (that is, must-secure is the default setting). The macsec access-control must-secure setting does not allow any unencrypted packets to be transmitted or received from the same physical interface. Traffic is dropped until the MKA session is secured. However, to enable MACsec on selected interfaces, you can choose to allow unencrypted packets to be transmitted or received from the same physical interface by setting macsec access-control to should-secure. This option allows unencrypted traffic to flow until the MKA session is secured. After the MKA session is secured, only encrypted traffic can flow. For configuration details, see Configuring MACsec MKA on an Interface using PSK, on page 15.
Certificate Based MACsec
The Certificate-based MACsec Encryption feature uses 802.1X port-based authentication with Extensible Authentication Protocol Transport Layer Security (EAP-TLS) to carry certificates for ports where MACsec encryption is required. The EAP-TLS mechanism is used for authentication and to obtain the Master Session Key (MSK), from which the Connectivity Association Key (CAK) is derived for the MACsec Key Agreement (MKA) protocol. This feature allows keys to be managed at a centralized server (CA) over PSK (Pre-Shared Key) based MACsec. Switch-to-switch MACsec is supported. See Configuring Certificate Based MACsec, on page 16 for more information.
Limitations and Restrictions
Certificate-based MACsec has these limitations and restrictions:
· Ports must be in access mode or trunk mode.
· MKA is not supported on port-channels.
· High availability for MKA is not supported.
· Ports without switchport are not supported.
· ESS3300 uplink ports do not have a PHY and therefore do not support MACsec.
MKA Policies
To enable MKA on an interface, a defined MKA policy should be applied to the interface. You can configure these options:
· Policy name, not to exceed 16 ASCII characters.
· Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
Single-Host Mode
The figure shows how a single EAP-authenticated session is secured by MACsec by using MKA.
Figure 1: MACsec in Single-Host Mode with a Secured Data Session

MKA Statistics

Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions.
This is an example of the show mka statistics command output:
Switch# show mka sessions

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0

====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
Gi1/0/1        204c.9e85.ede4/002b p2               NO                YES
43             c800.8459.e764/002a 1                Secured           0100000000000000000000000000000000000000000000000000000000000000

Switch#show mka sessions interface G1/0/1

Summary of All Currently Active MKA Sessions on Interface GigabitEthernet1/0/1...

====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
Gi1/0/1        204c.9e85.ede4/002b p2               NO                YES
43             c800.8459.e764/002a 1                Secured           0100000000000000000000000000000000000000000000000000000000000000

Switch#show mka sessions interface G1/0/1 de

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89567
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)


MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89555       c800.8459.e764/002a  10

Potential Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------

Dormant Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------

Switch#show mka sessions de
Switch#show mka sessions details

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89572
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201


SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89560       c800.8459.e764/002a  10

Potential Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------

Dormant Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------

Switch#sh mka pol

MKA Policy Summary...

Policy            KS       Delay   Replay  Window Conf   Cipher          Interfaces
Name              Priority Protect Protect Size   Offset Suite(s)        Applied
======================================================================================================
*DEFAULT POLICY*  0        FALSE   TRUE    0      0      GCM-AES-128
p1                1        FALSE   TRUE    0      0      GCM-AES-128
p2                2        FALSE   TRUE    0      0      GCM-AES-128     Gi1/0/1

Switch#sh mka poli
Switch#sh mka policy p2
Switch#sh mka policy p2 ?
  detail    Detailed configuration/information for MKA Policy
  sessions  Summary of all active MKA Sessions with policy applied
  |         Output modifiers

Switch#sh mka policy p2 de

MKA Policy Configuration ("p2")
========================
MKA Policy Name........ p2
Key Server Priority.... 2
Confidentiality Offset. 0
Send Secure Announcement..DISABLED
Cipher Suite(s)........ GCM-AES-128

Applied Interfaces...
  GigabitEthernet1/0/1

Switch#sh mka policy p2

MKA Policy Summary...

Policy            KS       Delay   Replay  Window Conf   Cipher          Interfaces
Name              Priority Protect Protect Size   Offset Suite(s)        Applied
======================================================================================================
p2                2        FALSE   TRUE    0      0      GCM-AES-128     Gi1/0/1


Switch#sh mka se?
sessions

Switch#sh mka ?
  default-policy  MKA Default Policy details
  keychains       MKA Pre-Shared-Key Key-Chains
  policy          MKA Policy configuration information
  presharedkeys   MKA Preshared Keys
  sessions        MKA Sessions summary
  statistics      Global MKA statistics
  summary         MKA Sessions summary & global statistics

Switch#sh mka statis
Switch#sh mka statistics ?
  interface  Statistics for a MKA Session on an interface
  local-sci  Statistics for a MKA Session identified by its Local Tx-SCI
  |          Output modifiers

Switch#sh mka statistics inter
Switch#show mka statistics interface G1/0/1

MKA Statistics for Session
==========================
Reauthentication Attempts.. 0

CA Statistics
   Pairwise CAKs Derived... 0
   Pairwise CAK Rekeys..... 0
   Group CAKs Generated.... 0
   Group CAKs Received..... 0

SA Statistics
   SAKs Generated.......... 1
   SAKs Rekeyed............ 0
   SAKs Received........... 0
   SAK Responses Received.. 1

MKPDU Statistics
   MKPDUs Validated & Rx... 89585
      "Distributed SAK".. 0
      "Distributed CAK".. 0
   MKPDUs Transmitted...... 89596
      "Distributed SAK".. 1
      "Distributed CAK".. 0

Switch#show mka ?
  default-policy  MKA Default Policy details
  keychains       MKA Pre-Shared-Key Key-Chains
  policy          MKA Policy configuration information
  presharedkeys   MKA Preshared Keys
  sessions        MKA Sessions summary
  statistics      Global MKA statistics
  summary         MKA Sessions summary & global statistics

Switch#show mka summ
Switch#show mka summary

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0


====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
Gi1/0/1        204c.9e85.ede4/002b p2               NO                YES
43             c800.8459.e764/002a 1                Secured           0100000000000000000000000000000000000000000000000000000000000000

MKA Global Statistics
=====================
MKA Session Totals
   Secured.................... 1
   Reauthentication Attempts.. 0
   Deleted (Secured).......... 0
   Keepalive Timeouts......... 0
CA Statistics
   Pairwise CAKs Derived...... 0
   Pairwise CAK Rekeys........ 0
   Group CAKs Generated....... 0
   Group CAKs Received........ 0
SA Statistics
   SAKs Generated............. 1
   SAKs Rekeyed............... 0
   SAKs Received.............. 0
   SAK Responses Received..... 1
MKPDU Statistics
   MKPDUs Validated & Rx...... 89589
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
   MKPDUs Transmitted......... 89600
      "Distributed SAK"..... 1
      "Distributed CAK"..... 0
MKA Error Counter Totals
========================
Session Failures
   Bring-up Failures................ 0
   Reauthentication Failures........ 0
   Duplicate Auth-Mgr Handle........ 0
SAK Failures
   SAK Generation................... 0
   Hash Key Generation.............. 0
   SAK Encryption/Wrap.............. 0
   SAK Decryption/Unwrap............ 0
   SAK Cipher Mismatch.............. 0
CA Failures
   Group CAK Generation............. 0
   Group CAK Encryption/Wrap........ 0
   Group CAK Decryption/Unwrap...... 0
   Pairwise CAK Derivation.......... 0
   CKN Derivation................... 0
   ICK Derivation................... 0
   KEK Derivation................... 0
   Invalid Peer MACsec Capability... 0
MACsec Failures
   Rx SC Creation................... 0


   Tx SC Creation................... 0
   Rx SA Installation............... 0
   Tx SA Installation............... 0
MKPDU Failures
   MKPDU Tx......................... 0
   MKPDU Rx Validation.............. 0
   MKPDU Rx Bad Peer MN............. 0
   MKPDU Rx Non-recent Peerlist MN.. 0
Switch#
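The session totals and error counters shown above lend themselves to an automated health check. The following is an added example, not part of the original guide: it parses text in the layout of the show mka summary output and reports pending or unsecured sessions and any non-zero failure counter. The sample output is constructed for the example, and the function names are hypothetical.

```python
import re

# "Label....... 12": IOS pads counter labels with a run of dots.
FIELD = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(\d+)\s*$")
ERROR_HEADER = "MKA Error Counter Totals"
SUMMARY_LABELS = ("Total MKA Sessions", "Secured Sessions", "Pending Sessions")

# Constructed sample in the layout of "show mka summary" (values are made up).
SAMPLE_OUTPUT = """\
Total MKA Sessions....... 2
      Secured Sessions... 1
      Pending Sessions... 1

MKA Global Statistics
=====================
MKA Session Totals
   Secured.................... 1
   Reauthentication Attempts.. 0

MKA Error Counter Totals
========================
Session Failures
   Bring-up Failures................ 0
   Reauthentication Failures........ 0
SAK Failures
   SAK Generation................... 0
   SAK Cipher Mismatch.............. 3
MKPDU Failures
   MKPDU Rx Validation.............. 0
   MKPDU Rx Bad Peer MN............. 0
Switch#
"""


def parse_summary(output):
    """Return the three session totals printed at the head of the output."""
    found = {}
    for line in output.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) in SUMMARY_LABELS:
            found.setdefault(m.group(1), int(m.group(2)))
    return found


def parse_error_counters(output):
    """Return {(section, label): count} for the error-counter part only."""
    counters, section, in_errors = {}, None, False
    for line in output.splitlines():
        text = line.strip()
        if text == ERROR_HEADER:
            in_errors = True
            continue
        if not in_errors or not text or set(text) == {"="}:
            continue
        m = FIELD.match(line)
        if m:
            counters[(section, m.group(1))] = int(m.group(2))
        else:
            section = text  # an undotted line names the next group of counters
    return counters


def findings(output):
    """List the conditions an operator should look at, in a stable order."""
    result = []
    summary = parse_summary(output)
    total = summary.get("Total MKA Sessions", 0)
    secured = summary.get("Secured Sessions", 0)
    pending = summary.get("Pending Sessions", 0)
    if pending:
        result.append(f"{pending} MKA session(s) pending")
    if secured < total:
        # With should-secure, traffic on such a port flows unencrypted.
        result.append(f"{total - secured} of {total} MKA session(s) not secured")
    for (section, label), count in parse_error_counters(output).items():
        if count:
            result.append(f"{section}: {label} = {count}")
    return result


if __name__ == "__main__":
    for item in findings(SAMPLE_OUTPUT):
        print(item)
```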
How to Configure MACsec Encryption
Prerequisites for MACsec Encryption
Prerequisites for MACsec Encryption:
· Ensure that 802.1x authentication and AAA are configured on your device.
Configuring MKA and MACsec
Default MACsec MKA Configuration
MACsec is disabled. No MKA policies are configured.
MKA-PSK: CKN Behavior Change
To interoperate with Cisco switches running Classic Cisco IOS, the CKN configuration must be zero-padded. From Cisco IOS XE Everest Release 16.6.1 onwards, for MKA-PSK sessions, instead of fixed 32 bytes, the Connectivity Association Key name (CKN) uses exactly the same string as the CKN, which is configured as the hex-string for the key. Example configuration:
configure terminal
key chain KEYCHAINONE macsec
key 1234
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
For the above example, the following is the output of the show mka session command:


Note that the CKN key-string is exactly the same as the one configured for the key as hex-string. For interoperability between a platform running IOS XE and a platform running classic IOS, one having the CKN behavior change and the other without it, the hex-string for the key must be a 64-character hex-string padded with zeros to work on a device that has an image with the CKN behavior change. See the example below:
Configuration without CKN key-string behavior change:
config t
key chain KEYCHAINONE macsec
key 1234
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
Output:
Configuration with CKN key-string behavior change:
config t
key chain KEYCHAINONE macsec
key 1234000000000000000000000000000000000000000000000000000000000000
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
Output:
Configuring an MKA Policy

SUMMARY STEPS

1. configure terminal
2. mka policy policy-name
3. send-secure-announcements
4. key-server priority
5. include-icv-indicator
6. macsec-cipher-suite gcm-aes-128
7. confidentiality-offset Offset value
8. end
9. show mka policy

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command or Action: mka policy policy-name
Purpose: Identify an MKA policy, and enter MKA policy configuration mode. The maximum policy name length is 16 characters.
Note: The default MACsec cipher suite in the MKA policy will always be "GCM-AES-128". If the device supports both "GCM-AES-128" and "GCM-AES-256" ciphers, it is highly recommended to define and use a user-defined MKA policy to include both 128 and 256 bits ciphers or only 256 bits cipher, as may be required.

Step 3
Command or Action: send-secure-announcements
Purpose: Enables secure announcements.
Note: By default, secure announcements are disabled.

Step 4
Command or Action: key-server priority
Purpose: Configure MKA key server options and set priority (between 0-255).
Note: When the value of key server priority is set to 255, the peer cannot become the key server. The key server priority value is valid only for MKA PSK, and not for MKA EAPTLS.

Step 5
Command or Action: include-icv-indicator
Purpose: Enables the ICV indicator in MKPDU. Use the no form of this command to disable the ICV indicator: no include-icv-indicator.

Step 6
Command or Action: macsec-cipher-suite gcm-aes-128
Purpose: Configures a cipher suite for deriving SAK with 128-bit encryption.

Step 7
Command or Action: confidentiality-offset Offset value
Purpose: Set the Confidentiality (encryption) offset for each physical interface.
Note: Offset Value can be 0, 30 or 50. If you are using Anyconnect on the client, it is recommended to use Offset 0.

Step 8
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Step 9
Command or Action: show mka policy
Purpose: Verify your entries.

Example
This example configures the MKA policy:
Switch(config)# mka policy mka_policy
Switch(config-mka-policy)# key-server priority 200
Switch(config-mka-policy)# macsec-cipher-suite gcm-aes-128
Switch(config-mka-policy)# confidentiality-offset 30
Switch(config-mka-policy)# end

Configuring MACsec on an Interface
Follow these steps to configure MACsec on an interface with one MACsec session for voice and one for data:

SUMMARY STEPS

1. enable
2. configure terminal
3. interface interface-id
4. switchport access vlan vlan-id
5. switchport mode access
6. macsec
7. authentication event linksec fail action authorize vlan vlan-id
8. authentication host-mode multi-domain
9. authentication linksec policy must-secure
10. authentication port-control auto
11. authentication periodic
12. authentication timer reauthenticate
13. authentication violation protect
14. mka policy policy-name
15. dot1x pae authenticator
16. spanning-tree portfast
17. end
18. show authentication session interface interface-id
19. show authentication session interface interface-id details
20. show macsec interface interface-id
21. show mka sessions
22. copy running-config startup-config

DETAILED STEPS

Step 1
Command or Action: enable
Example:
Switch> enable
Purpose: Enables privileged EXEC mode. Enter the password if prompted.

Step 2
Command or Action: configure terminal
Example:
Switch> configure terminal
Purpose: Enter global configuration mode.

Step 3
Command or Action: interface interface-id
Purpose: Identify the MACsec interface, and enter interface configuration mode. The interface must be a physical interface.

Step 4
Command or Action: switchport access vlan vlan-id
Purpose: Configure the access VLAN for the port.

Step 5
Command or Action: switchport mode access
Purpose: Configure the interface as an access port.

Step 6
Command or Action: macsec
Purpose: Enable 802.1ae MACsec on the interface. The macsec command enables MKA MACsec on switch-to-host links (downlink ports) only.

Step 7
Command or Action: authentication event linksec fail action authorize vlan vlan-id
Purpose: (Optional) Specify that the switch processes authentication link-security failures resulting from unrecognized user credentials by authorizing a restricted VLAN on the port after a failed authentication attempt.

Step 8
Command or Action: authentication host-mode multi-domain
Purpose: Configure authentication manager mode on the port to allow both a host and a voice device to be authenticated on the 802.1x-authorized port. If not configured, the default host mode is single.

Step 9
Command or Action: authentication linksec policy must-secure
Purpose: Set the LinkSec security policy to secure the session with MACsec if the peer is available. If not set, the default is should secure.

Step 10
Command or Action: authentication port-control auto
Purpose: Enable 802.1x authentication on the port. The port changes to the authorized or unauthorized state based on the authentication exchange between the switch and the client.

Step 11
Command or Action: authentication periodic
Purpose: Enable or disable reauthentication for this port.

Step 12
Command or Action: authentication timer reauthenticate
Purpose: Enter a value between 1 and 65535 (in seconds). Obtains the re-authentication timeout value from the server. The default re-authentication time is 3600 seconds.

Step 13
Command or Action: authentication violation protect
Purpose: Configure the port to drop unexpected incoming MAC addresses when a new device connects to a port or when a device connects to a port after the maximum number of devices are connected to that port. If not configured, the default is to shut down the port.

Step 14
Command or Action: mka policy policy-name
Purpose: Apply an existing MKA protocol policy to the interface, and enable MKA on the interface. If no MKA policy was configured (by entering the mka policy global configuration command).

Step 15
Command or Action: dot1x pae authenticator
Purpose: Configure the port as an 802.1x port access entity (PAE) authenticator.

Step 16
Command or Action: spanning-tree portfast
Purpose: Enable spanning tree Port Fast on the interface in all its associated VLANs. When the Port Fast feature is enabled, the interface changes directly from a blocking state to a forwarding state without making the intermediate spanning-tree state changes.

Step 17
Command or Action: end
Example:
Switch(config)#end
Purpose: Returns to privileged EXEC mode.

Step 18
Command or Action: show authentication session interface interface-id
Purpose: Verify the authorized session security status.

Step 19
Command or Action: show authentication session interface interface-id details
Purpose: Verify the details of the security status of the authorized session.

Step 20
Command or Action: show macsec interface interface-id
Purpose: Verify MacSec status on the interface.

Step 21
Command or Action: show mka sessions
Purpose: Verify the established mka sessions.

Step 22
Command or Action: copy running-config startup-config
Example:
Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Configuring MACsec MKA using Pre Shared Key (PSK)

SUMMARY STEPS

1. configure terminal
2. key chain key-chain-name macsec
3. key hex-string
4. cryptographic-algorithm {gcm-aes-128 | gcm-aes-256}
5. key-string { [0|6|7] pwd-string | pwd-string}
6. lifetime local [start timestamp {hh::mm::ss | day | month | year}] [duration seconds | end timestamp {hh::mm::ss | day | month | year}]
7. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command or Action: key chain key-chain-name macsec
Purpose: Configures a key chain and enters the key chain configuration mode.

Step 3
Command or Action: key hex-string
Purpose: Configures a unique identifier for each key in the keychain and enters the keychain's key configuration mode.
Note: For 128-bit encryption, use a 32 hex digit key-string. For 256-bit encryption, use a 64 hex digit key-string.

Step 4
Command or Action: cryptographic-algorithm {gcm-aes-128 | gcm-aes-256}
Purpose: Set the cryptographic authentication algorithm with 128-bit or 256-bit encryption.

Step 5
Command or Action: key-string { [0|6|7] pwd-string | pwd-string}
Purpose: Sets the password for a key string. Only hex characters must be entered.

Step 6
Command or Action: lifetime local [start timestamp {hh::mm::ss | day | month | year}] [duration seconds | end timestamp {hh::mm::ss | day | month | year}]
Purpose: Sets the lifetime of the pre shared key.

Step 7
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Example
The following is an indicative example:
Switch(config)# Key chain keychain1 macsec
Switch(config-key-chain)# key 1000
Switch(config-keychain-key)# cryptographic-algorithm gcm-aes-128
Switch(config-keychain-key)# key-string 12345678901234567890123456789012
Switch(config-keychain-key)# lifetime local 12:12:00 July 28 2016 12:19:00 July 28 2016
Switch(config-keychain-key)# end
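The key-string length rule in the note above and the zero-padding rule from the MKA-PSK CKN behavior change section can both be checked before a key chain is pushed to a device. The following is an added example, not part of the original guide: it parses a key chain block, validates each key-string against its algorithm, and predicts whether two peers will advertise the same CKN. The function names and the second key in the sample are constructed for the example.

```python
import re

# Key-string length per algorithm: 32 hex digits for 128-bit, 64 for 256-bit.
KEY_HEX_DIGITS = {"aes-128-cmac": 32, "gcm-aes-128": 32,
                  "aes-256-cmac": 64, "gcm-aes-256": 64}
CKN_HEX_DIGITS = 64  # the fixed 32-byte CKN used before the behavior change

# Constructed sample: key 1234 is taken from the guide, key 5678 is a
# deliberate mistake (32 hex digits configured for a 256-bit algorithm).
SAMPLE_CONFIG = """
key chain KEYCHAINONE macsec
 key 1234
  cryptographic-algorithm aes-128-cmac
  key-string 123456789ABCDEF0123456789ABCDEF0
  lifetime local 12:21:00 Sep 9 2015 infinite
 key 5678
  cryptographic-algorithm aes-256-cmac
  key-string 123456789ABCDEF0123456789ABCDEF0
"""


def parse_keychains(config):
    """Return one dict per key found in 'key chain NAME macsec' blocks."""
    keys, chain, cur = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+) macsec", line, re.I):
            chain, cur = m.group(1), None
        elif chain and (m := re.fullmatch(r"key (\S+)", line)):
            cur = {"chain": chain, "key_id": m.group(1), "algorithm": None,
                   "key_type": "0", "key_string": None}
            keys.append(cur)
        elif cur and (m := re.fullmatch(r"cryptographic-algorithm (\S+)", line)):
            cur["algorithm"] = m.group(1).lower()
        elif cur and (m := re.fullmatch(r"key-string (?:([067]) )?(\S+)", line)):
            cur["key_type"] = m.group(1) or "0"
            cur["key_string"] = m.group(2)
    return keys


def lint_key(key):
    """Return a list of problems for one parsed key (empty list = clean)."""
    problems = []
    kid, ks = key["key_id"], key["key_string"]
    if not re.fullmatch(r"[0-9A-Fa-f]{1,64}", kid):
        problems.append(f"key ID {kid!r} is not a hex string of at most 64 digits")
    want = KEY_HEX_DIGITS.get(key["algorithm"])
    if want is None:
        problems.append(f"unsupported or missing cryptographic-algorithm: {key['algorithm']}")
    elif ks is None:
        problems.append("key-string is missing")
    elif key["key_type"] != "0":
        pass  # types 6 and 7 are not stored as plain hex, so length is not checked
    elif not re.fullmatch(r"[0-9A-Fa-f]+", ks):
        problems.append("key-string contains non-hex characters")
    elif len(ks) != want:
        problems.append(f"key-string has {len(ks)} hex digits, {key['algorithm']} needs {want}")
    return problems


def ckn_advertised(key_id, zero_padded):
    """CKN a device advertises for a configured key ID.

    zero_padded=True models the fixed 32-byte CKN (Classic IOS);
    zero_padded=False models IOS XE 16.6.1 and later, which use the key ID
    exactly as configured.
    """
    kid = key_id.upper()
    return kid.ljust(CKN_HEX_DIGITS, "0") if zero_padded else kid


def ckn_match(local_id, local_padded, peer_id, peer_padded):
    """True when both ends advertise the same CKN and MKA can find the CAK."""
    return ckn_advertised(local_id, local_padded) == ckn_advertised(peer_id, peer_padded)


if __name__ == "__main__":
    for key in parse_keychains(SAMPLE_CONFIG):
        print(key["chain"], key["key_id"], lint_key(key) or "ok")
    print("1234 vs 1234 (XE vs Classic):", ckn_match("1234", False, "1234", True))
```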

Ho lokisa MACsec MKA ho Sehokelo se sebelisang PSK

Tlhokomeliso Ho qoba ho theoha ha sephethephethe ho pholletsa le linako, taelo ea leano la mka e tlameha ho hlophisoa pele ho taelo ea pele-shared-key-key-chain.

SUMMARY STEPS

1. configure terminal
2. interface interface-id
3. macsec access-control {must-secure | should-secure}
4. macsec
5. mka policy policy-name
6. mka pre-shared-key key-chain key-chain name
7. macsec replay-protection window-size frame number
8. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface interface-id
Purpose: Enters interface configuration mode.

Step 3
Command or Action: macsec access-control {must-secure | should-secure}
Purpose: (Optional) Controls the behavior of unencrypted packets.
· should-secure: Allows unencrypted traffic to flow until the MKA session is secured. After the MKA session is secured, only encrypted traffic can flow.
· must-secure: Imposes that only MACsec encrypted traffic can flow. Hence, until the MKA session is secured, traffic is dropped.

Step 4
Command or Action: macsec
Purpose: Enables MACsec on the interface.

Step 5
Command or Action: mka policy policy-name
Purpose: Configures an MKA policy.

Step 6
Command or Action: mka pre-shared-key key-chain key-chain name
Purpose: Configures an MKA pre-shared-key key-chain name.

Step 7
Command or Action: macsec replay-protection window-size frame number
Purpose: Sets the MACsec window size for replay protection.

Step 8
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Example
The following example configures the MKA policy and the MKA pre-shared-key key-chain name, and sets the MACsec window size for replay protection:

Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# mka policy mka_policy
Switch(config-if)# mka pre-shared-key key-chain key-name
Switch(config-if)# macsec replay-protection window-size 10
Switch(config-if)# end
Note: It is not recommended to change the MKA policy on an interface with MKA PSK configured while the session is running. However, if a change is required, you must reconfigure the policy as follows:
1. Disable the existing session by removing the macsec configuration on each of the participating nodes using the no macsec command.
2. Configure the MKA policy on the interface on each of the participating nodes using the mka policy policy-name command.
3. Enable the new session on each of the participating nodes by using the macsec command.

The following examples show how to configure the interface to use should-secure instead of the default must-secure, and how to change it back to the default must-secure.

Note: Modifying access-control is not allowed while the session is up and running. You first need to remove the MACsec configuration using the no macsec command, and then configure access-control.

Example 1: To change from must-secure to should-secure:
Switch(config-if)#no macsec
Switch(config-if)#macsec access-control should-secure
Switch(config-if)#macsec // this changes the access control from must-secure to should-secure and restarts the macsec session with the new behavior.

Example 2: To change from should-secure to must-secure:
Switch(config-if)#no macsec
Switch(config-if)#no macsec access-control
Switch(config-if)#macsec
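
Two rules from the PSK procedure (key-string length per algorithm, and mka policy before mka pre-shared-key on an interface) can be checked offline against a saved configuration. The Python lint below is an added example, not part of the Cisco documentation; the function names, the constructed sample configuration, the aes-256-cmac table entry and the undefined-key-chain check are assumptions made for illustration.

```python
import re

# Hex digits required in key-string per cryptographic-algorithm keyword:
# 32 for 128-bit and 64 for 256-bit encryption (the note in this guide).
# aes-256-cmac is assumed by analogy with aes-128-cmac used in the examples.
KEY_HEX_LEN = {"gcm-aes-128": 32, "aes-128-cmac": 32,
               "gcm-aes-256": 64, "aes-256-cmac": 64}


def _check_key(where, algo, enc_type, value):
    """Validate one key-string against the algorithm set for the same key."""
    if enc_type in ("6", "7"):
        return []  # type 6/7 strings are stored encrypted; length is not checkable
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return [f"{where}: key-string is not hex-only"]
    need = KEY_HEX_LEN.get(algo)
    if need is None:
        return [f"{where}: no known cryptographic-algorithm before key-string"]
    if len(value) != need:
        return [f"{where}: key-string has {len(value)} hex digits, {algo} needs {need}"]
    return []


def lint_mka_psk(config):
    """Return findings for an IOS-style MKA pre-shared-key configuration."""
    findings, chains, referenced = [], set(), []
    chain = key = algo = iface = None
    psk_seen = False

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "end":
            chain = iface = None
            continue
        m = re.fullmatch(r"key chain (\S+) macsec", line)
        if m:
            chain, key, algo, iface = m.group(1), None, None, None
            chains.add(chain)
            continue
        m = re.fullmatch(r"interface (.+)", line)
        if m:
            iface, chain, psk_seen = m.group(1), None, False
            continue

        if chain:
            m = re.fullmatch(r"key (\S+)", line)
            if m:
                key, algo = m.group(1), None
                continue
            m = re.fullmatch(r"cryptographic-algorithm (\S+)", line)
            if m:
                algo = m.group(1)
                continue
            m = re.fullmatch(r"key-string (?:([067]) )?(\S+)", line)
            if m:
                findings.extend(_check_key(f"{chain}/{key}", algo, *m.groups()))
        elif iface:
            m = re.fullmatch(r"mka pre-shared-key key-chain (\S+)", line)
            if m:
                psk_seen = True
                referenced.append((iface, m.group(1)))
            elif re.fullmatch(r"mka policy \S+", line) and psk_seen:
                # The guide's caution: policy must be configured before the PSK.
                findings.append(f"{iface}: mka policy configured after mka pre-shared-key")

    for port, name in referenced:
        if name not in chains:
            findings.append(f"{port}: key chain {name} is not defined")
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
key chain KC_GOOD macsec
 key 1000
  cryptographic-algorithm gcm-aes-128
  key-string 0123456789ABCDEF0123456789ABCDEF
key chain KC_SHORT macsec
 key 2000
  cryptographic-algorithm gcm-aes-256
  key-string 0123456789ABCDEF0123456789ABCDEF
key chain KC_TEXT macsec
 key 3000
  cryptographic-algorithm aes-128-cmac
  key-string not-a-hex-secret-value-123456789
!
interface GigabitEthernet1/1
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC_GOOD
interface GigabitEthernet1/2
 macsec
 mka pre-shared-key key-chain KC_GOOD
 mka policy POLICY
interface GigabitEthernet1/3
 mka policy POLICY
 mka pre-shared-key key-chain KC_MISSING
"""

if __name__ == "__main__":
    for finding in lint_mka_psk(SAMPLE):
        print(finding)
```
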
Configuring Certificate Based MACsec
To configure MACsec with MKA on point-to-point links, perform these tasks:
· Generating Key Pairs
· Configuring Enrollment using SCEP
· Configuring Enrollment Manually
· Configuring Switch-to-Switch MACsec Encryption


Prerequisites for Certificate Based MACsec
· Ensure that you have a Certificate Authority (CA) server configured for your network.
· Generate a CA certificate.
· Ensure that you have configured Cisco Identity Services Engine (ISE).
· Ensure that 802.1x authentication and AAA are configured on your device.

Generating Key Pairs

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto key generate rsa label label-name general-keys modulus size
4. end
5. show authentication session interface interface-id

DETAILED STEPS

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: crypto key generate rsa label label-name general-keys modulus size
Example:
Device(config)# crypto key generate rsa label general-keys modulus 2048
Purpose: Generates RSA key pairs for signing and encryption.
You can also assign a label to each key pair using the label keyword. The label is referenced by the trustpoint that uses the key pair. If you do not assign a label, the key pair is labeled automatically.
If you do not use additional keywords, this command generates one general-purpose RSA key pair. If the modulus is not specified, the default key modulus of 1024 is used. You can specify other modulus sizes with the modulus keyword.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 5
Command or Action: show authentication session interface interface-id
Example:
Device# show authentication session interface gigabitethernet 0/1/1
Purpose: Verifies the authorized session security status.

Configuring Enrollment using SCEP
Simple Certificate Enrollment Protocol (SCEP) is a Cisco-developed enrollment protocol that uses HTTP to communicate with the certificate authority (CA) or registration authority (RA). SCEP is the most commonly used method for sending and receiving requests and certificates.

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: crypto pki trustpoint server name
Example:
Device(config)# crypto pki trustpoint ka
Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.

Step 4
Command or Action: enrollment url url name pem
Example:
Device(ca-trustpoint)# enrollment url http://url:80
Purpose: Specifies the URL of the CA to which your device should send certificate requests.
An IPv6 address can be added to the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80.
The pem keyword adds privacy-enhanced mail (PEM) boundaries to the certificate request.

Step 5
Command or Action: rsakeypair label
Example:
Device(ca-trustpoint)# rsakeypair exampleCAkeys
Purpose: Specifies which key pair to associate with the certificate.
Note: The rsakeypair name must match the trust-point name.

Step 6
Command or Action: serial-number none
Example:
Device(ca-trustpoint)# serial-number none
Purpose: The none keyword specifies that a serial number will not be included in the certificate request.

Step 7
Command or Action: ip-address none
Example:
Device(ca-trustpoint)# ip-address none
Purpose: The none keyword specifies that no IP address should be included in the certificate request.

Step 8
Command or Action: revocation-check crl
Example:
Device(ca-trustpoint)# revocation-check crl
Purpose: Specifies CRL as the method to ensure that the certificate of a peer has not been revoked.

Step 9
Command or Action: auto-enroll percent regenerate
Example:
Device(ca-trustpoint)# auto-enroll 90 regenerate
Purpose: Enables auto-enrollment, allowing the client to request a rollover certificate from the CA.
If auto-enrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
By default, only the Domain Name System (DNS) name of the device is included in the certificate.
Use the percent argument to specify that a new certificate will be requested after the given percentage of the lifetime of the current certificate is reached.
Use the regenerate keyword to generate a new key for the certificate even if a named key already exists.
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable: "! RSA key pair associated with trustpoint is exportable."
It is recommended that a new key pair be generated for security reasons.

Step 10
Command or Action: exit
Example:
Device(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 11
Command or Action: crypto pki authenticate name
Example:
Device(config)# crypto pki authenticate myca
Purpose: Retrieves the CA certificate and authenticates it.

Step 12
Command or Action: end
Example:
Device(config)# end
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 13
Command or Action: show crypto pki certificate trustpoint name
Example:
Device# show crypto pki certificate ka
Purpose: Displays information about the certificate for the trust point.

Configuring Enrollment Manually
If your CA does not support SCEP, or if a network connection between the router and the CA is not possible, perform the following task to set up manual certificate enrollment:


Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: crypto pki trustpoint server name
Example:
Device(config)# crypto pki trustpoint ka
Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.

Step 4
Command or Action: enrollment url url-name
Example:
Device(ca-trustpoint)# enrollment url http://url:80
Purpose: Specifies the URL of the CA to which your device should send certificate requests.
An IPv6 address can be added to the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80.
The pem keyword adds privacy-enhanced mail (PEM) boundaries to the certificate request.

Step 5
Command or Action: rsakeypair label
Example:
Device(ca-trustpoint)# rsakeypair exampleCAkeys
Purpose: Specifies which key pair to associate with the certificate.

Step 6
Command or Action: serial-number none
Example:
Device(ca-trustpoint)# serial-number none
Purpose: Specifies that serial numbers will not be included in the certificate request.

Step 7
Command or Action: ip-address none
Example:
Device(ca-trustpoint)# ip-address none
Purpose: The none keyword specifies that no IP address should be included in the certificate request.

Step 8
Command or Action: revocation-check crl
Example:
Device(ca-trustpoint)# revocation-check crl
Purpose: Specifies CRL as the method to ensure that the certificate of a peer has not been revoked.

Step 9
Command or Action: exit
Example:
Device(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 10
Command or Action: crypto pki authenticate name
Example:
Device(config)# crypto pki authenticate myca
Purpose: Retrieves the CA certificate and authenticates it.

Step 11
Command or Action: crypto pki enroll name
Example:
Device(config)# crypto pki enroll myca
Purpose: Generates a certificate request and displays the request for copying and pasting into the certificate server.
Enter enrollment information when you are prompted. For example, specify whether to include the device FQDN and IP address in the certificate request.
You are also given the choice of displaying the certificate request on the console terminal.
The base-64 encoded certificate, with or without PEM headers as requested, is displayed.

Step 12
Command or Action: crypto pki import name certificate
Example:
Device(config)# crypto pki import myca certificate
Purpose: Imports a certificate via TFTP at the console terminal, which retrieves the granted certificate.
The device attempts to retrieve the granted certificate via TFTP using the same filename used to send the request, except that the extension is changed from ".req" to ".crt". For usage key certificates, the extensions "-sign.crt" and "-encr.crt" are used.
The device parses the received files, verifies the certificates, and inserts the certificates into the internal certificate database on the switch.
Note: Some CAs ignore the usage key information in the certificate request and issue general-purpose usage certificates. If your CA ignores the usage key information in the certificate request, import only the general-purpose certificate. The router will not use one of the two key pairs generated.

Step 13
Command or Action: end
Example:
Device(config)# end
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 14
Command or Action: show crypto pki certificate trustpoint name
Example:
Device# show crypto pki certificate ka
Purpose: Displays information about the certificate for the trust point.

Enabling 802.1x Authentication and AAA Configuration

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. dot1x system-auth-control
5. radius server name
6. address ip-address auth-port port-number acct-port port-number
7. automate-tester username
8. key string
9. radius-server deadtime minutes
10. exit
11. aaa group server radius group-name
12. server name
13. exit
14. aaa authentication dot1x default group group-name
15. aaa authorization network default group group-name

DETAILED STEPS

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: aaa new-model
Example:
Device(config)# aaa new-model
Purpose: Enables AAA.

Step 4
Command or Action: dot1x system-auth-control
Example:
Device(config)# dot1x system-auth-control
Purpose: Enables 802.1X on your device.

Step 5
Command or Action: radius server name
Example:
Device(config)# radius server ISE
Purpose: Specifies the name of the RADIUS server configuration for Protected Access Credential (PAC) provisioning and enters RADIUS server configuration mode.

Step 6
Command or Action: address ip-address auth-port port-number acct-port port-number
Example:
Device(config-radius-server)# address ipv4 auth-port 4 acct-port 1645
Purpose: Configures the IPv4 address for the RADIUS server accounting and authentication parameters.

Step 7
Command or Action: automate-tester username
Example:
Device(config-radius-server)# automate-tester username dummy
Purpose: Enables the automated testing feature for the RADIUS server.
With this practice, the device sends periodic test authentication messages to the RADIUS server. It looks for a RADIUS response from the server. A success message is not necessary - a failed authentication suffices, because it shows that the server is alive.

Step 8
Command or Action: key string
Example:
Device(config-radius-server)# key dummy123
Purpose: Configures the authentication and encryption key for all RADIUS communications between the device and the RADIUS server.

Step 9
Command or Action: radius-server deadtime minutes
Example:
Device(config-radius-server)# radius-server deadtime 2
Purpose: Improves RADIUS response time when some servers might be unavailable, and skips unavailable servers immediately.

Step 10
Command or Action: exit
Example:
Device(config-radius-server)# exit
Purpose: Returns to global configuration mode.

Step 11
Command or Action: aaa group server radius group-name
Example:
Device(config)# aaa group server radius ISEGRP
Purpose: Groups different RADIUS server hosts into distinct lists and distinct methods, and enters server group configuration mode.

Step 12
Command or Action: server name
Example:
Device(config-sg)# server name ISE
Purpose: Assigns the RADIUS server name.

Step 13
Command or Action: exit
Example:
Device(config-sg)# exit
Purpose: Returns to global configuration mode.

Step 14
Command or Action: aaa authentication dot1x default group group-name
Example:
Device(config)# aaa authentication dot1x default group ISEGRP
Purpose: Sets the default authentication server group for IEEE 802.1x.

Step 15
Command or Action: aaa authorization network default group group-name
Example:
Device(config)# aaa authorization network default group ISEGRP
Purpose: Sets the default group for network authorization.

Configuring Switch-to-Switch MACsec Encryption
To apply MACsec MKA using certificate-based MACsec encryption to interfaces, perform the following task:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface interface-id
Example:
Device(config)# interface gigabitethernet 2/9
Purpose: Identifies the MACsec interface and enters interface configuration mode. The interface must be a physical interface.

Step 4
Command or Action: macsec network-link
Example:
Device(config-if)# macsec network-link
Purpose: Enables MACsec on the interface.

Step 5
Command or Action: authentication periodic
Example:
Device(config-if)# authentication periodic
Purpose: (Optional) Enables reauthentication for this port.

Step 6
Command or Action: authentication timer reauthenticate interval
Example:
Device(config-if)# authentication timer reauthenticate interval
Purpose: (Optional) Sets the reauthentication interval.

Step 7
Command or Action: access-session host-mode multi-host
Example:
Device(config-if)# access-session host-mode multi-host
Purpose: Allows hosts to gain access to the interface.

Step 8
Command or Action: access-session closed
Example:
Device(config-if)# access-session closed
Purpose: Prevents preauthentication access on the interface.

Step 9
Command or Action: access-session port-control auto
Example:
Device(config-if)# access-session port-control auto
Purpose: Sets the authorization state of the port.

Step 10
Command or Action: dot1x pae both
Example:
Device(config-if)# dot1x pae both
Purpose: Configures the port as both an 802.1X port access entity (PAE) supplicant and authenticator.

Step 11
Command or Action: dot1x credentials profile
Example:
Device(config-if)# dot1x credentials profile
Purpose: Assigns an 802.1x credentials profile to the interface.

Step 12
Command or Action: end
Example:
Device(config-if)# end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.

Step 13
Command or Action: show macsec interface interface-id
Example:
Device# show macsec interface GigabitEthernet 2/9
Purpose: Displays MACsec details for the interface.

Step 14
Command or Action: show access-session interface interface-id details
Example:
Device# show access-session interface GigabitEthernet 2/9 details
Purpose: Verifies successful dot1x authentication and authorization. This is the first thing you should check. If dot1x authentication fails, MKA will never start.

Step 15
Command or Action: show mka session interface interface-id details
Example:
Device# show mka session interface GigabitEthernet 2/9 details
Purpose: Displays the detailed MKA session status.

Example: Switch-to-Switch Certificate Based MACsec
A sample configuration of switch-to-switch certificate based MACsec is shown below.

configure terminal
aaa new-model
aaa local authentication default authorization default
!
!
aaa authentication dot1x default group radius local
aaa authorization exec default local
aaa authorization network default group radius local
aaa authorization auth-proxy default group radius
aaa authorization credential-download default local
aaa accounting identity default start-stop group radius
!
!
aaa attribute list MUSTS
 attribute type linksec-policy must-secure
!
aaa attribute list macsec-dot1-credentials
 attribute type linksec-policy must-secure
!
aaa attribute list MUSTS_CA
 attribute type linksec-policy must-secure
!
aaa attribute list SHOULDS_CA
 attribute type linksec-policy should-secure
!
aaa attribute list mkadt_CA
 attribute type linksec-policy must-secure
!
aaa session-id common
username MUSTS aaa attribute list MUSTS_CA
username MUSTS.mkadt.cisco.com
!
crypto pki trustpoint demo
 enrollment terminal
 serial-number
 fqdn MUSTS.mkadt.cisco.com
 subject-name cn=MUSTS.mkadt.cisco.com,OU=CSG Security,O=Cisco Systems,L=Bengaluru,ST=KA,C=IN
 subject-alt-name MUSTS.mkadt.cisco.com
 revocation-check none
 rsakeypair demo 2048
 hash sha256
!
eap profile EAP_P
 method tls
 pki-trustpoint demo
!
dot1x system-auth-control
dot1x credentials MUSTS-CA
 username MUSTS
 password 0 MUST_CA
!
dot1x credentials MUSTS
 username MUSTS.mkadt.cisco.com
!
crypto pki authenticate demo
crypto pki enroll demo
crypto pki import demo certificate
!
policy-map type control subscriber MUSTS_1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x both
 event authentication-failure match-all
  10 class always do-until-failure
   10 terminate dot1x
   20 authentication-restart 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
!
interface GigabitEthernet2/9
 switchport mode access
 macsec
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
 dot1x pae both
 dot1x authenticator eap profile EAP_P
 dot1x credentials MUSTS
 dot1x supplicant eap profile EAP_P
 service-policy type control subscriber MUSTS_1

Configuring MKA/MACsec for Port Channel

Configuring MKA/MACsec for Port Channel Using PSK

SUMMARY STEPS

1. configure terminal
2. interface interface-id
3. macsec
4. mka policy policy-name
5. mka pre-shared-key key-chain key-chain-name
6. channel-group channel-group-number mode {active | passive } | {on }
7. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface interface-id
Purpose: Enters interface configuration mode.

Step 3
Command or Action: macsec
Purpose: Enables MACsec on the interface. Supports layer 2 and layer 3 port channels.

Step 4
Command or Action: mka policy policy-name
Purpose: Configures an MKA policy.

Step 5
Command or Action: mka pre-shared-key key-chain key-chain-name
Purpose: Configures an MKA pre-shared-key key-chain name.
Note: The MKA pre-shared key can be configured on either the physical interface or sub-interfaces, and not on both.

Step 6
Command or Action: channel-group channel-group-number mode {active | passive } | {on }
Purpose: Configures the port in a channel group and sets the mode. The channel-number range is from 1 to 4096. The port channel associated with this channel group is automatically created if the port channel does not already exist. For mode, select one of the following keywords:
· on - Forces the port to channel without PAgP or LACP. In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
· active - Enables LACP only if a LACP device is detected. It places the port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.
· passive - Enables LACP on the port and places it into a passive negotiating state in which the port responds to LACP packets that it receives, but does not start LACP packet negotiation.

Step 7
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Configuring Port Channel Logical Interfaces for Layer 2 EtherChannels
To create a port channel interface for a Layer 2 EtherChannel, perform this task:


SUMMARY STEPS

1. configure terminal
2. [no] interface port-channel channel-group-number
3. switchport
4. switchport mode {access | trunk }
5. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: [no] interface port-channel channel-group-number
Purpose: Creates the port channel interface.
Note: Use the no form of this command to delete the port channel interface.

Step 3
Command or Action: switchport
Purpose: Switches an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.

Step 4
Command or Action: switchport mode {access | trunk }
Purpose: Assigns all ports as static-access ports in the same VLAN, or configures them as trunks.

Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels
To create a port channel interface for a Layer 3 EtherChannel, perform this task:

SUMMARY STEPS

1. configure terminal
2. interface port-channel interface-id
3. no switchport
4. ip address ip-address subnet_mask
5. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface port-channel interface-id
Purpose: Enters interface configuration mode.

Step 3
Command or Action: no switchport
Purpose: Switches an interface that is in Layer 2 mode into Layer 3 mode for Layer 3 configuration.

Step 4
Command or Action: ip address ip-address subnet_mask
Purpose: Assigns an IP address and subnet mask to the EtherChannel.

Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.


Example: Configuring MACsec MKA for Port Channel using PSK

Etherchannel Mode - Static/On
The following is a sample configuration on Device 1 and Device 2 with EtherChannel Mode on.

key chain KC macsec
 key 1000
  cryptographic-algorithm aes-128-cmac
  key-string FC8F5B10557C192F03F60198413D7D45
end

mka policy POLICY
 key-server priority 0
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
end

interface Te1/0/1
 channel-group 2 mode on
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
end

interface Te1/0/2
 channel-group 2 mode on
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
end

Layer 2 EtherChannel Configuration

Device 1

interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
end

Device 2

interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
end
The following shows a sample output from the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)          -        Te1/0/1(P) Te1/0/2(P)

Layer 3 EtherChannel Configuration

Device 1

interface port-channel 2
 no switchport
 ip address 10.25.25.3 255.255.255.0
 no shutdown
end
Device 2

interface port-channel 2
 no switchport
 ip address 10.25.25.4 255.255.255.0
 no shutdown
end

The following shows a sample output from the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)          -        Te1/0/1(P) Te1/0/2(P)

EtherChannel Mode - LACP

The following is a sample configuration on Device 1 and Device 2 with EtherChannel Mode as LACP.

key chain KC macsec
 key 1000
  cryptographic-algorithm aes-128-cmac
  key-string FC8F5B10557C192F03F60198413D7D45
  end

mka policy POLICY
 key-server priority 0
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 end

interface Te1/0/1
 channel-group 2 mode active
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
 end

interface Te1/0/2
 channel-group 2 mode active
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
 end
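
A consistency check for the port-channel configuration above, as an added Python example that is not part of the Cisco guide: it flags channel-group members that lack macsec or an MKA pre-shared key chain, or whose MKA policy or key chain differs from the other members of the group. The sample text is constructed (Te1/0/3 and the policy name OTHER are invented), the function names are hypothetical, and treating mismatched members as a finding is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the configuration above; Te1/0/3 and the
# policy name OTHER are invented to show a non-compliant member.
SAMPLE_CONFIG = """\
interface Te1/0/1
 channel-group 2 mode active
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
interface Te1/0/2
 channel-group 2 mode active
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
interface Te1/0/3
 channel-group 2 mode active
 mka policy OTHER
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    found = re.findall(r"^interface +(\S+) *\n((?: .*\n?)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in found}

def arg_after(cmds, prefix):
    """Return the word following `prefix` in the first command that has it."""
    return next((c[len(prefix):].split()[0] for c in cmds if c.startswith(prefix)), None)

def audit_port_channel_macsec(config):
    """Flag channel-group members with missing or inconsistent MACsec/MKA settings."""
    findings, groups = [], defaultdict(set)
    for name, cmds in parse_interfaces(config).items():
        group = arg_after(cmds, "channel-group ")
        if group is None:
            continue  # not a port-channel member
        if not any(c in ("macsec", "macsec network-link") for c in cmds):
            findings.append(f"{name}: macsec not enabled")
        chain = arg_after(cmds, "mka pre-shared-key key-chain ")
        if chain is None:
            findings.append(f"{name}: no MKA pre-shared key chain")
        groups[group].add((arg_after(cmds, "mka policy "), chain))
    findings += [f"channel-group {g}: members differ in MKA policy or key chain"
                 for g, seen in groups.items() if len(seen) > 1]
    return sorted(findings)
```
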
Layer 2 EtherChannel Configuration

Device 1

interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
 end

Device 2

interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
 end

The following shows a sample output from the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)       LACP        Te1/1/1(P) Te1/1/2(P)

Layer 3 EtherChannel Configuration

Device 1

interface port-channel 2
 no switchport
 ip address 10.25.25.3 255.255.255.0
 no shutdown
 end

Device 2

interface port-channel 2
 no switchport
 ip address 10.25.25.4 255.255.255.0
 no shutdown

The following shows a sample output from the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)       LACP        Te1/1/1(P) Te1/1/2(P)

Displaying Active MKA Sessions

The following shows all the active MKA sessions.

# show mka sessions interface Te1/0/1

====================================================================================
Interface   Local-TxSCI          Policy-Name   Inherited   Key-Server
Port-ID     Peer-RxSCI           MACsec-Peers  Status      CKN
====================================================================================
Te1/0/1     00a3.d144.3364/0025  POLICY        NO          NO
37          701f.539b.b0c6/0032  1             Secured     1000

Configuring MACsec Cipher Announcement

Configuring an MKA Policy for Secure Announcement

SUMMARY STEPS

1. configure terminal
2. mka policy policy-name
3. key-server priority
4. [no] send-secure-announcements
5. macsec-cipher-suite {gcm-aes-128 | gcm-aes-256}
6. end
7. show mka policy

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mka policy policy-name
Purpose: Identifies an MKA policy and enters MKA policy configuration mode. The maximum policy name length is 16 characters.
Note: The default MACsec cipher suite in the MKA policy will always be "GCM-AES-128". If the device supports both "GCM-AES-128" and "GCM-AES-256" ciphers, it is highly recommended to define and use a user-defined MKA policy that includes both the 128-bit and 256-bit ciphers, or only the 256-bit cipher, as may be required.

Step 3
Command or Action: key-server priority
Purpose: Configures MKA key server options and sets the priority (between 0-255).
Note: When the key server priority value is set to 255, the peer cannot become the key server. The key server priority value is valid only for MKA PSK, and not for MKA EAPTLS.

Step 4
Command or Action: [no] send-secure-announcements
Purpose: Enables sending of secure announcements. Use the no form of the command to disable sending of secure announcements. By default, secure announcements are disabled.

Step 5
Command or Action: macsec-cipher-suite {gcm-aes-128 | gcm-aes-256}
Purpose: Configures the cipher suite for deriving the SAK with 128-bit or 256-bit encryption.

Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Step 7
Command or Action: show mka policy
Purpose: Verifies your entries.

Configuring Secure Announcement Globally (Across all the MKA Policies)

SUMMARY STEPS

1. configure terminal
2. [no] mka defaults policy send-secure-announcements
3. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: [no] mka defaults policy send-secure-announcements
Purpose: Enables sending of secure announcements in MKPDUs across MKA policies. By default, secure announcements are disabled.

Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Configuring EAPoL Announcements on an interface

SUMMARY STEPS

1. configure terminal
2. interface interface-id
3. [no] eapol announcement
4. end

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface interface-id
Purpose: Identifies the MACsec interface and enters interface configuration mode. The interface must be a physical interface.

Step 3
Command or Action: [no] eapol announcement
Purpose: Enables EAPoL announcements. Use the no form of the command to disable EAPoL announcements. By default, EAPoL announcements are disabled.

Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Examples: Configuring MACsec Cipher Announcement

This example shows how to configure an MKA policy for Secure Announcement:

# configure terminal
(config)# mka policy mka_policy
(config-mka-policy)# key-server priority 2
(config-mka-policy)# send-secure-announcements
(config-mka-policy)# macsec-cipher-suite gcm-aes-128
(config-mka-policy)# confidentiality-offset 0
(config-mka-policy)# end

This example shows how to configure Secure Announcement globally:

# configure terminal
(config)# mka defaults policy send-secure-announcements
(config)# end

This example shows how to configure EAPoL Announcements on an interface:

# configure terminal
(config)# interface GigabitEthernet 1/0/1
(config-if)# eapol announcement
(config-if)# end

The following is a sample output for the show running-config interface interface-name command with EAPoL announcement enabled.

# show running-config interface GigabitEthernet 1/0/1
switchport mode access
macsec
access-session host-mode multi-host
access-session closed
access-session port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x timeout supp-timeout 10
dot1x supplicant eap profile peap
eapol announcement
spanning-tree portfast
service-policy type control subscriber Dot1X
The following is a sample output of the show mka sessions interface interface-name detail command with secure announcement disabled.

# show mka sessions interface GigabitEthernet 1/0/1 detail

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89567
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN      Rx-SCI (Peer)        KS Priority
  -------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89555   c800.8459.e764/002a  10

Potential Peers List:
  MI                        MN      Rx-SCI (Peer)        KS Priority
  -------------------------------------------------------------------

Dormant Peers List:
  MI                        MN      Rx-SCI (Peer)        KS Priority
  -------------------------------------------------------------------

The following is a sample output of the show mka sessions details command with secure announcement disabled.

# show mka sessions details

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89572
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN      Rx-SCI (Peer)        KS Priority
  -------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89560   c800.8459.e764/002a  10

Potential Peers List:
  MI                        MN      Rx-SCI (Peer)        KS Priority
  -------------------------------------------------------------------

Dormant Peers List:
  MI                        MN      Rx-SCI (Peer)        KS Priority
  -------------------------------------------------------------------

The following is a sample output of the show mka policy policy-name detail command with secure announcement disabled.

# show mka policy p2 detail

MKA Policy Configuration ("p2")
========================
MKA Policy Name........ p2
Key Server Priority.... 2
Confidentiality Offset. 0
Send Secure Announcement..DISABLED
Cipher Suite(s)........ GCM-AES-128

Applied Interfaces...
  GigabitEthernet1/0/1
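
To check the fields of the show mka sessions detail output shown earlier without reading it by eye, the following added Python example (not part of the Cisco guide) parses the dot-leader lines and lists deviations from a baseline. The baseline, including the required GCM-AES-256 cipher suite, and the function names are assumptions of this example; the sample text is constructed from the values printed above.

```python
import re

# Constructed excerpt in the layout of the detail output above (dot leaders,
# field names and values as printed there).
SAMPLE_DETAIL = """\
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Key Server............... YES
Delay Protection......... NO
Replay Protection........ YES
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
"""

# Field name, then a dot leader (two or more dots) or a colon, then the value.
# Values may contain single dots, as in an SCI such as 204c.9e85.ede4/002b.
FIELD = re.compile(r"^([^.:]+?)\s*(?:\.{2,}|:)\s*(.*)$")

def parse_mka_detail(text):
    """Turn 'Name....... value' lines into a {name: value} dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def posture_findings(fields, required_cipher="GCM-AES-256"):
    """List deviations from a baseline; required_cipher is a local policy choice."""
    findings = []
    if not fields.get("Status", "").startswith("SECURED"):
        findings.append("session is not SECURED")
    if fields.get("Replay Protection") != "YES":
        findings.append("replay protection is off")
    if required_cipher not in fields.get("SAK Cipher Suite", ""):
        findings.append(f"SAK cipher suite is not {required_cipher}")
    if fields.get("Send Secure Announcement") == "DISABLED":
        findings.append("secure announcements are disabled")
    if int(fields.get("# of MACsec Capable Live Peers") or 0) < 1:
        findings.append("no MACsec-capable live peer")
    return findings
```
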


Documents / Resources

Cisco IE3x00 MACsec and MACsec Key Agreement Protocol [pdf] User Guide