MikroTik community discussions: MikroTik App
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

802.1AE MACsec Progress or Examples ?

Sat Aug 01, 2020 9:12 am

Hi, just wondering if there is any formal documentation for MikroTik's 802.1AE (AKA MACsec) in RoS v7.
Given it's been in RoS v7 at least since its early beta release, I was hoping to see some documentation on it by now.
As yet I have not got it working between devices (it gets as far as 'negotiating', and I can see specific 802.1AE traffic via torch).
Is there a particular hardware requirement for it to work, or is it going to be a kernel feature no matter the HW?

macsec1.png
/interface macsec
add cak=228ef255aa23ff6729ee664acb66e91f ckn=49df411fcb9800773e2b0e39233e069c3955c799d08abe2898c81053e4bc4897 \
    disabled=no interface=ether5 name=macsec1 profile=default
[admin@under desk] /interface/macsec> print
Flags: I - inactive, X - disabled, R - running 
 0   name="macsec1" interface=ether5 status="negotiating" cak=228ef255aa23ff6729ee664acb66e91f 
     ckn=49df411fcb9800773e2b0e39233e069c3955c799d08abe2898c81053e4bc4897 profile=default 
[admin@under desk] /interface/macsec> 


Cheers

https://developers.redhat.com/blog/2016 ... k-traffic/

https://en.wikipedia.org/wiki/IEEE_802.1AE
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sun Feb 28, 2021 8:29 am

Bump..
Any news on this front, MikroTik? I have tried with 7.1beta4 and still cannot get MACsec up.
 
mcbrown90
just joined
Posts: 5
Joined: Fri May 07, 2021 12:34 pm

Re: 802.1AE MACsec Progress or Examples ?

Fri May 07, 2021 12:39 pm

Another bump.
Really interested in MACsec options.

Would this eventually also be available on SwOS?
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Mon Oct 25, 2021 12:26 pm

Same here... status hangs on "negotiating".
RouterOS v7.1rc4 on both end devices.

Device 1 = CRS109-8G-1S-2HnD
Device 2 = RB951Ui-2HnD

The config on BOTH devices is identical:
/interface macsec profile
add name=macsec-01 server-priority=5
/interface macsec
add ckn=766469656b336a356b733832336b3575 disabled=no interface=ether3-PtP_2_CRS name=S2S-L2-MACsec01 profile=macsec-01
This is what I see on BOTH devices (which are directly connected, ether3 to ether3, with a single Ethernet cable):
 [spippan@MikroTik951Ui-RRZ-01] /interface/macsec> print int 1
Flags: I - inactive, X - disabled, R - running 
 0   name="S2S-L2-MACsec01" interface=ether3-PtP_2_CRS status="negotiating" cak=4ab8ab80a1730f9fcca040eabfbfe6ed 
     ckn=766469656b336a356b733832336b3575 profile=macsec-01 
 
0x6d61726b
just joined
Posts: 2
Joined: Thu Oct 28, 2021 7:01 pm

Re: 802.1AE MACsec Progress or Examples ?

Thu Oct 28, 2021 7:23 pm

I have the same issues with 7.1rc5 when trying to establish a MACsec link between two CRS326-24G-2S+ devices.

The process hangs on:
[admin@MikroTik] /interface/macsec> print
Flags: I - inactive, X - disabled, R - running 
 0   name="macsec-test" interface=ether9 status="negotiating" cak=09db3ef1000000000000000000000000 ckn=e9ac profile=default

Is there any documentation or information available on how to set up/test MACsec?
Are there any log filters or outputs available to further track down these issues?
Has this feature been tested at MikroTik's site, and should it work in general?
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sun Nov 28, 2021 11:14 am

Please, MikroTik, can you add some comments on where MACsec is currently at?
Now trying with 7.1rc7 using x86... All I see is EtherType 0x888e traffic on the interface I configured it on, between two VMs.
I can add an IP against the 'macsec1' interface using the command line (not WinBox) too.

mikrotik macsec rc7.jpg
 
sybreeder
just joined
Posts: 1
Joined: Thu Apr 07, 2022 2:08 pm

Re: 802.1AE MACsec Progress or Examples ?

Thu Apr 07, 2022 2:12 pm

bump...
I've tried to configure it on the latest RouterOS 7.2, but it is only negotiating. Any documentation on how to configure MACsec on RouterOS v7.2?
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sun Apr 10, 2022 6:06 am

I have not seen MikroTik do anything in this area!

The MACsec option has been there in the console since the very first v7 RC public release back in 2019. It's 2022 and NOTHING, yet /interface/macsec is there, hidden in plain sight in the console terminal...


> bump...
> I've tried to configure it on the latest RouterOS 7.2, but it is only negotiating. Any documentation on how to configure MACsec on RouterOS v7.2?
 
Network5
newbie
Posts: 27
Joined: Sat Mar 22, 2014 11:42 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Jun 28, 2022 6:23 pm

I've tried today to set up MACsec between a 2004 and a 1016, both with 7.3.1, that we have in the LAB. We need to encrypt an internal gigabit link for a client.
When MACsec is coming up, the 1016 keeps rebooting until the interface is disabled.

With WireGuard the throughput is somewhat less than 1G for UDP and 500M for TCP in both directions.
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Wed Jul 06, 2022 6:03 am

Noted, will take a look soon.

If you need wire-speed MACsec, I suggest getting yourselves a couple of second-hand Cisco 3850s with an appropriate NIM module each (config e.g. https://community.cisco.com/t5/network- ... -p/3368918 ).
 
buraglio
Frequent Visitor
Posts: 70
Joined: Mon Aug 10, 2015 5:59 pm
Location: +1 (217)

Re: 802.1AE MACsec Progress or Examples ?

Tue Aug 02, 2022 4:26 pm

This appears to be just not done, or I am missing something (which is perfectly feasible). 7.4 has the same behavior, stuck in "negotiating".

nb

> I've tried today to set up MACsec between a 2004 and a 1016, both with 7.3.1, that we have in the LAB. We need to encrypt an internal gigabit link for a client.
> When MACsec is coming up, the 1016 keeps rebooting until the interface is disabled.
>
> With WireGuard the throughput is somewhat less than 1G for UDP and 500M for TCP in both directions.
 
Njumaen
Frequent Visitor
Posts: 77
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: 802.1AE MACsec Progress or Examples ?

Thu Aug 25, 2022 8:30 am

As I assume I will see working MACsec shortly before I die, I have used WireGuard (eth --- eth) and VXLAN (bridge -- wg --- wg --- bridge) for now to make my external port towards the hAP ac in the garden reasonably secure.

But I still hope for MACsec! 😜
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Wed Sep 07, 2022 12:12 am

This is something which frustrates me....
I still have to work around this with a WireGuard interconnect and VXLAN bridged to the PHY port to get decent throughput,
but MACsec would finally kill this overhead.

Please, MT, do something about this finally.
This could be a killer feature against some way overpriced Cisco hardware!
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: 802.1AE MACsec Progress or Examples ?

Wed Sep 07, 2022 7:53 am

Agreed, I'd love to see hardware MACSEC available. Especially for the broadcast video world where it is often required.
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Sat Sep 24, 2022 9:21 pm

> Agreed, I'd love to see hardware MACSEC available. Especially for the broadcast video world where it is often required.

So far we have it working in 7.6beta8 ;)


viewtopic.php?p=958682&hilit=macsec#p958682
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: 802.1AE MACsec Progress or Examples ?

Sat Sep 24, 2022 9:52 pm

I just saw that!

I know that some of the Marvell Prestera chips support MACSEC in hardware - would love to hear from MikroTik if there are plans to put MACSEC into the chip.

I need to add MACSEC in my v7 lab and play with it some.
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sat Oct 01, 2022 2:15 am

Happy to report MACsec on v7.6 beta 10 on CHR is now working and passing IP....
Excellent work...

Just make sure you use the same CAK / CKN on both ends and happy times ahead..
Now for VLANs over MACsec.... hmmm
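A minimal point-to-point setup that follows the advice in this post, written out as an added example (it is not configuration taken from the thread or from MikroTik's documentation): the same CAK/CKN on both ends, a profile per side so one router is the preferred MKA key server, the interface MTU raised from the 1468 default so the encrypted link carries full 1500-byte IP frames, and the checks to confirm the link has left "negotiating". Interface names, addresses and the key values are placeholders; generate a real 16-byte CAK and a CKN from a proper random source (for example `openssl rand -hex 16` on a workstation) and never reuse the values shown here.

```routeros
# Router A. All values are placeholders chosen for this example.
# server-priority follows the IEEE 802.1X MKA election: the lowest value wins,
# so A becomes the key server that distributes the SAK.
/interface/macsec/profile
add name=mka-siteA server-priority=1
# mtu=1500 lifts the 1468 default; the parent port needs l2mtu >= 1532 for the
# 32 bytes of SecTAG + ICV (the ports in this thread report l2mtu=1598).
/interface/macsec
add name=macsec1 interface=ether5 profile=mka-siteA mtu=1500 \
    cak=00112233445566778899aabbccddeeff \
    ckn=0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20
/ip/address
add address=10.255.0.1/30 interface=macsec1

# Router B: identical CAK and CKN, a higher priority value so it takes the
# client role in the election.
/interface/macsec/profile
add name=mka-siteB server-priority=20
/interface/macsec
add name=macsec1 interface=ether5 profile=mka-siteB mtu=1500 \
    cak=00112233445566778899aabbccddeeff \
    ckn=0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20
/ip/address
add address=10.255.0.2/30 interface=macsec1

# Verify on either side. status="open-encrypted" is the working state;
# "invalid" means the parent Ethernet port has no link; "negotiating" means MKA
# never completed (mismatched CAK/CKN, or a parent port that is itself a bridge
# member, which the thread reports as not working).
/interface/macsec/print
/ping 10.255.0.2 count=5
```

The parent port (ether5 here) must carry nothing else: no bridge membership, no VLAN sub-interfaces, no IP address. Everything that should ride the encrypted link is attached to macsec1 instead, which is also where a bridge port or VLAN interface goes in the bridged variants discussed later in the thread.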
 
Njumaen
Frequent Visitor
Posts: 77
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: 802.1AE MACsec Progress or Examples ?

Sat Oct 01, 2022 6:56 pm

Here with outside wAPac connected to hAPac MACSEC on v7.6 beta 10 works flawlessly. Even with PoE turned off and on again.

I’m so happy!
 
psannz
Member Candidate
Posts: 127
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: 802.1AE MACsec Progress or Examples ?

Mon Oct 10, 2022 5:36 pm

> Here with outside wAPac connected to hAPac MACSEC on v7.6 beta 10 works flawlessly. Even with PoE turned off and on again.
Could you give us some information regarding performance & CPU load?
 
Network5
newbie
Posts: 27
Joined: Sat Mar 22, 2014 11:42 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Oct 10, 2022 11:37 pm

Today I've tested MACsec between two CCR2004 in LAB. The interface is working without any problem.

These are the results on a 25G link between two sfp28 interfaces. The CCRs were reset to defaults with no other settings set but the ip addresses and the macsec interface.

ping-min-avg-max: 88us / 101us / 263us
jitter-min-avg-max: 0s / 7us / 147us
loss: 0% (0/200)
tcp-download: 334Mbps local-cpu-load:52%
tcp-upload: 336Mbps local-cpu-load:52% remote-cpu-load:52%
udp-download: 477Mbps local-cpu-load:50% remote-cpu-load:65%
udp-upload: 483Mbps local-cpu-load:65% remote-cpu-load:50%
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Fri Oct 14, 2022 12:10 am

Thanks Network5

Thats quite handy information. Especially on CPU load.

I wonder if one or two of the cores were dedicated to that task, hence the ~50%-ish CPU load?
Not bad, I guess, for a unit that's only got a CPU and no dedicated switch chip. At least there is headroom for other activities on the router such as firewall / actual routing / queues etc.

As for MikroTik's future switch range (CRS series), hopefully they will obtain switch chips that have MACsec hardware-offload options!

Cheers
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Oct 18, 2022 7:08 pm

Any examples of how this works with VLAN interfaces and bonding interfaces?
Let's say we have a bonding of eth1+eth2 as LAG0 and 100 VLANs.

Is all we have to do to create 2 MACsec interfaces (eth1 and eth2), and that's it?
Or do we do it the cascading way: create the MACsec interfaces -> create the bond with the MACsec interfaces?

EDIT: Awesome "Internal Error"...
Screenshot 2022-10-18 182959.jpg

That's a real-world example: bonding, VLANs and MACsec.
LAG0 consists of eth1; LAG0 is a port of bridge BR0. MACsec enabled on eth1.

There is no option to add macsec1 as an interface to the bonding.
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Wed Oct 19, 2022 2:37 am

I think (and am probably wrong! will need to test), based on some playing with other things a few nights ago:
if you adjust the MTU of the ETH (or adjust the bridge down) by ~ +/- 64 bytes and try again, the error may go away, as I don't think the MTU gets corrected when you add it to bridges/VLANs, and that may be the issue with the bonding.
 
psannz
Member Candidate
Posts: 127
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: 802.1AE MACsec Progress or Examples ?

Wed Oct 19, 2022 11:06 am

> I think (and am probably wrong! will need to test), based on some playing with other things a few nights ago:
> if you adjust the MTU of the ETH (or adjust the bridge down) by ~ +/- 64 bytes and try again, the error may go away, as I don't think the MTU gets corrected when you add it to bridges/VLANs, and that may be the issue with the bonding.

Actually, the default MACsec header is 32 bytes. Depending on the ciphers used, it may go up to 160 bytes in the case of AES512.
Still, 64 bytes leaves you quite a bit of headroom :)
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Sun Nov 13, 2022 3:51 pm


> There is no option to add macsec1 as an interface to the bonding.

Because MACsec is applied to HARDWARE interfaces:
macsec@eth1
macsec@eth2
eth1+2@bond0

Watch out for the MTU accordingly (1600 would surely suffice on L2).

Add bond0 to the bridge (PVID "xyz" for untagged traffic, and /interface/bridge/vlans settings on bond0 for tagged VLANs).

But do not expect a lot of performance right now.
 
golf0r
just joined
Posts: 5
Joined: Tue Jul 07, 2015 7:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Nov 21, 2022 6:05 pm

Hello,

I tried to get the MACsec connection working, but I always get "Internal Error" and status "invalid" on both sides.
[admin@MikroTik] > interface/macsec/ print 
Flags: I - inactive, X - disabled, R - running 
 0 I ;;; Internal error
     name="macsecPH" mtu=1468 interface=ether6-slave-local status="invalid" cak=32fe28994a90b276f5b2aa7500000000 ckn=6464937365522a8b222c999e97f25b78c456d8e0 profile=default
The MAC address is always 00:00:00:00:00:00 in WebFig (XX:XX:XX:XX:XX:XX in WinBox).
Is this normal?

Thanks, Daniel
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Tue Nov 22, 2022 4:56 am

Paste the whole interface and bridge config.
There are many factors which could make it invalid!
 
golf0r
just joined
Posts: 5
Joined: Tue Jul 07, 2015 7:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Fri Nov 25, 2022 3:56 pm

Hello,
thanks for your answer, here is the whole config:
[admin@MikroTik-mAP2n] /interface> print detail 
Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 
 0  RS  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:88:CD:49 ifname="eth0" ifindex=9 id=1 last-link-down-time=nov/21/2022 18:51:45 last-link-up-time=nov/21/2022 18:51:46 link-downs=1 

 1      name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:88:CD:4A ifname="eth1" ifindex=10 id=2 link-downs=0 

 2  RS  name="wlan1" default-name="wlan1" type="wlan" mtu=1500 actual-mtu=1500 l2mtu=1600 max-l2mtu=2290 mac-address=D4:CA:6D:88:CD:4B ifname="ath0" ifindex=7 id=3 last-link-up-time=nov/21/2022 18:51:51 link-downs=0 

 3  R   name="bridge2" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:88:CD:49 ifname="br0" ifindex=6 id=5 last-link-up-time=nov/21/2022 18:51:38 link-downs=0 

 4      name="macsec1" type="macsec" mtu=1468 mac-address=(invalid) id=6 link-downs=0 

[admin@MikroTik-mAP2n] /interface/ethernet> print detail 
Flags: X - disabled, R - running; S - slave 
 0 RS name="ether1" default-name="ether1" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:88:CD:49 orig-mac-address=D4:CA:6D:88:CD:49 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m auto-negotiation=yes 
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps bandwidth=unlimited/unlimited switch=switch1 

 1    name="ether2" default-name="ether2" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:88:CD:4A orig-mac-address=D4:CA:6D:88:CD:4A arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m auto-negotiation=yes 
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps bandwidth=unlimited/unlimited switch=switch1 poe-out=off poe-controller="gpio" poe-priority=10 power-cycle-ping-enabled=no power-cycle-interval=none 

[admin@MikroTik-mAP2n] /interface/macsec> print detail 
Flags: I - inactive, X - disabled, R - running 
 0 I name="macsec1" mtu=1468 interface=ether2 status="invalid" cak=32fe28994a90b276f5b2aa7500000000 ckn=6464937365522a8b222c999e97f25b78c456d8e0 profile=default 

[admin@MikroTik-mAP2n] /interface/bridge> print detail 
Flags: X - disabled, R - running 
 0 R name="bridge2" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=D4:CA:6D:88:CD:49 protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 

[admin@MikroTik-mAP2n] /interface/bridge/port> print 
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE  BRIDGE   HW  PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0 ether1     bridge2  no     1  0x80             10                  10  none   
1 wlan1      bridge2         1  0x80             10                  10  none   
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sat Nov 26, 2022 4:41 am

Hi golf0r.
Use 'export' rather than 'print' to show configs, e.g. /export file=MyFile.rsc; in WinBox / Files you will see MyFile.rsc, which you can drag onto the Windows desktop and open with a text editor.
Or use /export file=[filename] hide-sensitive so that things like passwords etc. are not included.


That said, you should make sure the Ethernet interface is NOT directly connected to a bridge, as MACsec does not work like that. It requires the physical interface to itself, and then you would later bind the newly up'ed macsec1 interface to things like bridges/VLANs etc.
I note you're using a mAP2n, which does not have a lot of CPU, so any MACsec interface will be slow.

[macsec1(ETH2)]------------------[(ETH3)macsec1]
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Mon Nov 28, 2022 9:59 am

> [admin@MikroTik-mAP2n] /interface> print detail 
> ...
>  1      name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:88:CD:4A ifname="eth1" ifindex=10 id=2 link-downs=0 
> ...
>  4      name="macsec1" type="macsec" mtu=1468 mac-address=(invalid) id=6 link-downs=0 
> ...
> [admin@MikroTik-mAP2n] /interface/macsec> print detail 
> Flags: I - inactive, X - disabled, R - running 
>  0 I name="macsec1" mtu=1468 interface=ether2 status="invalid" cak=32fe28994a90b276f5b2aa7500000000 ckn=6464937365522a8b222c999e97f25b78c456d8e0 profile=default 
> ...
> [admin@MikroTik-mAP2n] /interface/bridge/port> print 
> Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
> # INTERFACE  BRIDGE   HW  PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
> 0 ether1     bridge2  no     1  0x80             10                  10  none   
> 1 wlan1      bridge2         1  0x80             10                  10  none   

1. So the "invalid" state is due to the fact that your ether2 interface (which is the parent of macsec1!) is not running (down).
2. You need to add macsec1 as a port to the bridge you would like to use to connect.

What is the INTENDED goal here?
Something like this would bridge 2 networks via L2 over a MACsec link:
mikrotik-forum-macsec-topic164427.png
 
golf0r
just joined
Posts: 5
Joined: Tue Jul 07, 2015 7:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Nov 29, 2022 7:17 pm

@killersoft:
The Ethernet interface used for MACsec is not connected to the bridge; I removed ether2 as a port of the bridge.

@spippan:
When I am back home I will add macsec1 to the bridge and then try again.

My goal is to create a secure Ethernet connection between my router (CRS109-8G-1S-2HnD-IN) and a Wi-Fi access point (mAP2nD), because the Ethernet cable runs outside of my house.

So on the router side I would bridge the macsec interface with the internal Ethernet ports and Wi-Fi, and on the access point side I would bridge the macsec interface only with Wi-Fi (for now ether1 is also bridged until the config runs).
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Wed Nov 30, 2022 8:18 am

> So on the router side I would bridge the macsec interface with the internal Ethernet ports and Wi-Fi, and on the access point side I would bridge the macsec interface only with Wi-Fi (for now ether1 is also bridged until the config runs).

Should do the trick.
But do not expect any kind of good throughput; a mAP is equipped far down in the lower-spec area.
 
netresponder
just joined
Posts: 2
Joined: Wed Dec 07, 2022 9:53 am

Re: 802.1AE MACsec Progress or Examples ?

Wed Dec 07, 2022 10:16 am

Hello,

sorry, my English is not the best.
I used MACsec on two CCR1072s and it works. I get the status "invalid" if I have no link, "negotiating" if the link is up but MACsec doesn't work, and "open-encrypted" if all looks fine.
Now my question...

How can I see what kind of MACsec I have configured: MACsec with the 802.1Q tag encrypted, or with the 802.1Q tag in the clear? I think the first one is also called WAN MACsec and the other LAN MACsec.

My status is open-encrypted, so I think I actually use WAN MACsec. What must I do if I want to use LAN MACsec?

Thanks and best regards

Marco
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Sun Dec 11, 2022 1:04 pm

> I used MACsec on two CCR1072s and it works. I get the status "invalid" if I have no link, "negotiating" if the link is up but MACsec doesn't work, and "open-encrypted" if all looks fine.
>
> How can I see what kind of MACsec I have configured: MACsec with the 802.1Q tag encrypted, or with the 802.1Q tag in the clear? I think the first one is also called WAN MACsec and the other LAN MACsec.
>
> My status is open-encrypted, so I think I actually use WAN MACsec. What must I do if I want to use LAN MACsec?

It is very difficult to understand your problem here exactly.
Could you paste your config here and maybe a schematic drawing of what you WOULD like to achieve?

PS: are you a native German speaker?
 
netresponder
just joined
Posts: 2
Joined: Wed Dec 07, 2022 9:53 am

Re: 802.1AE MACsec Progress or Examples ?

Tue Dec 13, 2022 4:18 pm

> It is very difficult to understand your problem here exactly.
> Could you paste your config here and maybe a schematic drawing of what you WOULD like to achieve?
>
> PS: are you a native German speaker?

Hello, yes, I speak German better than English... but this has to work too, and one has to leave one's comfort zone now and then...

Attached is the configuration of my two MikroTik routers, which speak MACsec with each other.
I work for a provider, and customers increasingly ask to carry MACsec across our network and ask for transparency for this protocol. We as the provider supply the customers with "normal" L2 switches, and the customers connect their CPEs to the customer port, which then carry MACsec from point A to point B.
To simulate this, we configured two MikroTik routers and enabled MACsec. This works and a connection is established. The status shows "open-encrypted". I have attached a PNG file in which a distinction is made between WAN MACsec and LAN MACsec. Our customers want to carry LAN MACsec across our network, i.e. the VLAN is encrypted.
Since my status on the MikroTik routers shows "open-encrypted", I assume that my configuration is LAN MACsec compliant. I wanted to have this confirmed and at the same time ask what I would have to configure to get WAN mode.

Thanks and regards
Marco
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Wed Dec 14, 2022 11:31 am



> Since my status on the MikroTik routers shows "open-encrypted", I assume that my configuration is LAN MACsec compliant. I wanted to have this confirmed and at the same time ask what I would have to configure to get WAN mode.

Okay, so also a native German speaker, but I will stick to English from here on.
Thanks for clearing up what your setup is made of.

As to your question regarding "WAN mode", I guess it could be possible via switch configuration beforehand, i.e. setting the PVID via the bridge menu for the MACsec interface:
set up a MACsec interface (e.g. parent interface ether1), add the macsec(!) interface to a bridge and then set the PVID in bridge > ports to the desired untagged VLAN.
The bridge therefore has to be VLAN-aware (vlan-filtering enabled).

Hope this helps.
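The layering that the posts above settle on (MACsec on the bare Ethernet port, the macsec interface as the bridge port, a VLAN-aware bridge with a PVID for the untagged VLAN) written out end to end, for the VLAN question raised earlier, golf0r's bridged-AP goal and the PVID suggestion just above. This is an added example, not a configuration from the thread or from MikroTik's documentation. Port names, VLAN IDs, the management address and the key values are placeholders; the same block goes on both ends with those adjusted, and the CAK/CKN must be identical on both sides.

```routeros
# Applied on each end of the link; only port names and the management address
# differ per side. All values are placeholders for this example.

# 1. MACsec on the bare Ethernet port. ether2 itself is NOT a bridge port.
#    mtu=1500 lifts the 1468 default so the bridge MTU (auto = lowest port MTU)
#    is not dragged down, which is the DHCP failure described later in the thread.
/interface/macsec
add name=macsec1 interface=ether2 mtu=1500 profile=default \
    cak=00112233445566778899aabbccddeeff ckn=0a0b0c0d0e0f10111213

# 2. The macsec interface joins the bridge. pvid=10 makes VLAN 10 the untagged
#    VLAN on the encrypted link; ether3 is an access port in 10, ether4 in 20.
/interface/bridge
add name=bridge1
/interface/bridge/port
add bridge=bridge1 interface=macsec1 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=20

# 3. VLAN table: 10 untagged across the link, 20 tagged across it, 30 tagged
#    across it and up to the bridge itself for management.
/interface/bridge/vlan
add bridge=bridge1 vlan-ids=10 untagged=macsec1,ether3
add bridge=bridge1 vlan-ids=20 tagged=macsec1 untagged=ether4
add bridge=bridge1 vlan-ids=30 tagged=macsec1,bridge1
/interface/vlan
add name=vlan30-mgmt interface=bridge1 vlan-id=30
/ip/address
add address=192.168.30.1/24 interface=vlan30-mgmt

# 4. Turn filtering on last, once the table above exists, so a mistake in the
#    table does not lock you out of management.
/interface/bridge
set bridge1 vlan-filtering=yes

# Checks: macsec1 should show status="open-encrypted" and appear in the VLAN
# table; ether2 must NOT appear in the bridge port list.
/interface/macsec/print
/interface/bridge/vlan/print
/interface/bridge/port/print
```

On the far end use the same CAK/CKN, the far side's own port names and 192.168.30.2 for management. Whether RouterOS places the 802.1Q tag inside or outside the MACsec-protected payload (the WAN/LAN distinction asked about above) is not settled anywhere in this thread, so if it matters for a carrier handoff, confirm it with a packet capture on the bare port rather than inferring it from the status field.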
 
nickcarr
just joined
Posts: 12
Joined: Tue Jul 13, 2021 6:43 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Feb 20, 2023 8:39 pm

Hi all.
Same results, but ~28/33% CPU on 25 Gbps, with a CCR2216 (BW tool, UDP, RouterOS 7.7).
~450 Mbps vs ~25 Gbps. I can't figure out how to use MACsec in a production environment.

> Today I've tested MACsec between two CCR2004 in LAB. The interface is working without any problem.
>
> These are the results on a 25G link between two sfp28 interfaces. The CCRs were reset to defaults with no other settings set but the ip addresses and the macsec interface.
>
> ping-min-avg-max: 88us / 101us / 263us
> jitter-min-avg-max: 0s / 7us / 147us
> loss: 0% (0/200)
> tcp-download: 334Mbps local-cpu-load:52%
> tcp-upload: 336Mbps local-cpu-load:52% remote-cpu-load:52%
> udp-download: 477Mbps local-cpu-load:50% remote-cpu-load:65%
> udp-upload: 483Mbps local-cpu-load:65% remote-cpu-load:50%
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: 802.1AE MACsec Progress or Examples ?

Tue Feb 21, 2023 2:51 pm

Please consider that the tests for this are done with 2 clients, one on each end, and NOT with the bandwidth test running inside the 2 MACsec peers.

MACsec is VERY CPU-intensive compared to normal forwarding,
and as long as there are no hw-offload options enabled in RouterOS 7 with supported (Marvell) switch chips, this will always be done in CPU (unlike Cisco, which does it with dedicated ASICs).
MTform_macsec-iperf-tests.png
 
emunt6
Frequent Visitor
Posts: 87
Joined: Fri Feb 02, 2018 7:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Sun Mar 19, 2023 10:21 pm



> As to your question regarding "WAN mode", I guess it could be possible via switch configuration beforehand, i.e. setting the PVID via the bridge menu for the MACsec interface:
> set up a MACsec interface (e.g. parent interface ether1), add the macsec(!) interface to a bridge and then set the PVID in bridge > ports to the desired untagged VLAN.
> The bridge therefore has to be VLAN-aware (vlan-filtering enabled).

These are 2 different beasts.
LAN MACsec is a point-to-point topology.
WAN MACsec is a point-to-multipoint (multi-hop) topology; it needs more components to work:
> hub topology management (peer-to-peer, star),
> CIA triad (confidentiality, integrity and availability) components,
> just like an IPsec infrastructure has: replay protection, session key exchange, etc. (example: strongSwan is an infrastructure, not just a simple IPsec tunnel).

(The whole process is very similar to switch 802.1X on a LAN port, where the PC has to authenticate to get access to the network; the access request arrives at the NAC server, from which the switch receives all the parameters for what to do with the LAN port: VLAN, IP address, ...)

Linux has some basic stuff for that: macsec + wpa_supplicant, but the rest of the list is missing for WAN MACsec.
 
Njumaen
Frequent Visitor
Posts: 77
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: 802.1AE MACsec Progress or Examples ?

Sat Mar 25, 2023 10:37 pm

Anyone got a DHCP client up and running on a MACsec-secured LAN interface?
I always get DHCP offers on the "remote" bridge (I see them in the logs), but it never gets the address.

EDIT: It's all my fault! I missed setting the MTU of both MACsec interfaces to 1500. Shame on me! ;-)

And: still no MACsec documentation at help.mikrotik.com :(

Ralf.
 
Network5
newbie
Posts: 27
Joined: Sat Mar 22, 2014 11:42 pm

Re: 802.1AE MACsec Progress or Examples ?

Fri May 05, 2023 5:19 pm

We tested MACsec with 7.9 on a CCR2004 and it seems that the performance has drastically increased. We are at around 1 Gbps when forwarding packets (not generating the traffic from the router itself). Good job!
