Category: Security – layer 2

Configuring MACsec Encryption

This article describes the simplest way to enable MACSec using preconfigured static key-string. The example was tried on Catalyst 3850 and should work on other switches too.

There is another article that I wrote years ago which describes a more complex implementation with dot1x etc.

MACSec

Media Access Control Security is the way to secure point-to-point Ethernet links by implementing data integrity check and encryption of Ethernet frame.

When you configure MACsec on a switch interface (and of course, on the other switch connected to that interface), all traffic going through the link is secured using data integrity checks and encryption.

Data integrity is done by appending 8-byte header and a 16-byte trailer to the Ethernet packet which is generated before a data is sent and checked upon receiving on the other switch to prove that the data inside the frame was not modified on the way. If the check fails, the packet gets dropped.

MACSec – Media Access Control Security

UPDATE on 11 Jul 2019:
I wrote a fresh article describing how to implement MACSec on Cisco devices in the simplest way possible. I think that one is maybe what most of you are searching for.. get it here

Media Access Control Security or MACSec is the Layer 2 hop to hop network traffic protection.

Just like IPsec protects network layer, and SSL protects application data, MACSec protects traffic at data link layer (Layer 2).

MACSec is standardized IEEE 802.1AE hop-by-hop encryption that enables confidentiality and integrity of data at layer 2.

It encrypts entire Ethernet packet except Source and Destination MAC addresses on any device-to-device, switch-to-switch, router-to-switch, host-to-switch directly connected wired L2 connection.

MacSec

If we compare MACSec with, for example, IPsec, MACsec provides same security but on layer 2 for each hop separately. On each hop, packets are received and decrypted enabling other features like QoS and load balancing to function. Same data is again encrypted before being sent out to next device on the way towards the destination. MACsec works on host-to-switch connection and on switch-to-switch connection enabling line-rate up to 10 GigabitEthernet fast encryption.

It uses, especially for that occasion developed and optimised Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128) which makes line-rate encryption/decryption possible.

There is some difference in MACSec on the connection between host and switch, and MACSec on the connection from switch to switch

MACsec uses MACsec Key Agreement (MKA) which is standardized protocol to provide the required session keys and manages the required encryption keys on a MACSec connection between hosts (PC, server, etc.) and switch.

PVLAN – Private VLANs

Isolating Traffic inside a VLAN Using Private VLANs

In the article VACL – VLAN Access Lists we mention one way how to provide security on switch device like Cisco Catalyst switch. In this article we will see the other way of providing security with use of private VLANs – PVLAN.

private VLAN - PVLANThe whole idea is to make possible to group VLANs inside the VLANs. You see from the picture here on the right that this will give you the opportunity to make group od computers or servers inside main (primary) VLAN. It will be possible to have two servers in the VLAN 10 and both of them on the same subnet. Here it becomes little bit strange, then they can be separated into two Secondary VLANs, VLAN 4 and VLAN 5.

If you are interested in the PVLAN configuration: PVLAN configuration article 

SPAN – Switched Port Analyzer technology and configuration

In simple words SPAN technology enables port mirroring on selected switch.

In some cases you will need that some kind of server, PC or other network device receives a copy of network traffic that is destinated for some other device in the network. Why would you want that? Maybe you need some kind of control of the traffic or you want to implement IDS – Intrusion Detection System or something else. In that case you can configure every Cisco switch to send a copy of the traffic to one of the ports that is connected to sensor device.