The purpose of this blog is to provide a simple guide on how to configure MACsec in OCI. You can configure FastConnect to use MACsec (IEEE standard 802.1AE) to protect network-to-network connections on Layer 2.
To enable MACsec, you will need to use an advanced encryption standard (AES) encryption algorithm. The two connected networks exchange and verify security keys, and then establish a secure bidirectional link.
The Oracle Cloud Infrastructure Vault service securely stores the encrypted keys used by a FastConnect circuit that has the MACsec security feature enabled.
MACsec Requirements in OCI
To use MACsec, the following requirements must be met:
MACsec Parameters
When configuring MACsec on your CPE, refer to the table for various required parameters.
MACsec Configuration
FastConnect with MACsec integrates with the Vault service. Here’s an overview of the steps to fully configure FastConnect with MACsec.
Creating the Vault
Navigate to the OCI menu and select Identity & Security -> Vault.
Select Create Vault, provide a name, and click on Create Vault.
Once the Vault has been created, we will need to select it and create the Master Encryption Key and the Secrets (the CAK and CKN) used for the MACsec encryption.
Below is the Master Key creation.
Below are the CAK and CKN key creations.
Once the Vault and Keys have been created, we can associate them with a new FastConnect circuit or an existing FastConnect circuit.
If you decide to add MACsec encryption to an existing FastConnect cross-connect, remember that changing the encryption settings requires restarting the BGP session, which briefly suspends BGP traffic.
Create a FastConnect circuit
Navigate to the OCI menu and select Networking -> FastConnect.
Create the new FastConnect circuit, select FastConnect Direct, and click Next.
We will need to provide the appropriate configuration settings for the following fields:
Once the FastConnect is configured appropriately and the FastConnect provider has completed the appropriate patching, we can start configuring the CPE.
In this blog, we will use a Cisco device to show an example of the configuration on the CPE side. We will need to perform the following:
Create Key Chain
Create MACsec Policy
Associate MACsec Policy with the FastConnect interface on the CPE side
Once the CPE side is configured, we can check the Cisco device for the MACsec peer using the show macsec mka session command, or navigate to the OCI console and view the FastConnect circuit to ensure MACsec has been applied and the circuit is up and operational.
Additional Considerations
Since the FastConnect circuit terminates at the edge of both OCI and the customer data center, we need to ensure that spanning-tree BPDUs are not sent across the circuit. Otherwise, the circuit will start to flap, and we will not achieve a stable circuit. To ensure this does not occur, we need to enable BPDU guard on the CPE equipment for the interface on which the FastConnect circuit terminates.
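As an added example (not configuration from the original post or from Oracle), the three CPE steps above (key chain, MACsec policy, interface association) and the BPDU guard recommendation in one Cisco NX-OS snippet; NX-OS syntax is assumed because show macsec mka session is an NX-OS command, and the interface name, key chain and policy names, cipher suite, confidentiality offset and the CKN/CAK placeholders are assumptions to be replaced with the values from the OCI MACsec parameter table and your Vault secrets.

```cisco
! Added example, not from the original post. NX-OS syntax assumed.
! Replace every <...> placeholder with values from OCI Vault / the
! OCI MACsec parameter table. Never paste the real CAK into a ticket
! or chat; it is the long-lived secret that both ends derive SAKs from.
feature macsec
!
! Step 1: key chain. The key identifier is the CKN (hex), the
! key-octet-string is the CAK (hex). Both come from the Vault secrets
! created earlier. Algorithm and key length are assumptions here.
key chain FC-MACSEC-KC macsec
  key <CKN-HEX-FROM-OCI-VAULT>
    key-octet-string <CAK-HEX-FROM-OCI-VAULT> cryptographic-algorithm AES_256_CMAC
!
! Step 2: MACsec policy. Cipher suite and offset are assumptions;
! they must match what OCI expects or MKA will never reach "Secured".
! must-secure drops traffic until the MKA session is established, so a
! key mismatch fails closed instead of silently passing cleartext.
macsec policy FC-MACSEC-POLICY
  cipher-suite GCM-AES-XPN-256
  conf-offset CONF-OFFSET-0
  security-policy must-secure
!
! Step 3: bind key chain + policy to the FastConnect-facing interface.
! BPDU guard keeps spanning-tree BPDUs off the circuit, avoiding the
! flapping described under Additional Considerations.
interface Ethernet1/1
  description OCI FastConnect Direct (MACsec)
  macsec keychain FC-MACSEC-KC policy FC-MACSEC-POLICY
  spanning-tree bpduguard enable
  no shutdown
!
! Verify (from the post): show macsec mka session
! The peer entry should show the session as secured before BGP is
! expected to come up over the circuit.
```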
Additional Resources