killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

802.1AE MACsec Progress or Examples ?

Sat Aug 01, 2020 9:12 am

Hi, just wondering if there is any formal documentation for Mikrotik's 802.1AE (AKA MACsec) in RoS v7.
Given it's been in RoS v7 at least since its early beta release, I was hoping to see some doco on it by now.
As of yet I have not got it working between devices (I get as far as it 'negotiating', and can see specific 802.1AE traffic via torch).
Is there a particular hardware requirement for it to work, or is it going to be a kernel feature no matter the HW ?

macsec1.png
/interface macsec
add cak=228ef255aa23ff6729ee664acb66e91f ckn=49df411fcb9800773e2b0e39233e069c3955c799d08abe2898c81053e4bc4897 \
    disabled=no interface=ether5 name=macsec1 profile=default
[admin@under desk] /interface/macsec> print
Flags: I - inactive, X - disabled, R - running 
 0   name="macsec1" interface=ether5 status="negotiating" cak=228ef255aa23ff6729ee664acb66e91f 
     ckn=49df411fcb9800773e2b0e39233e069c3955c799d08abe2898c81053e4bc4897 profile=default 
[admin@under desk] /interface/macsec> 


Cheers

https://developers.redhat.com/blog/2016 ... k-traffic/

https://en.wikipedia.org/wiki/IEEE_802.1AE
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sun Feb 28, 2021 8:29 am

Bump..
Any news on this front, Mikrotik? I have tried with 7.1beta4 and still cannot get MACSEC up???
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
mcbrown90
just joined
Posts: 3
Joined: Fri May 07, 2021 12:34 pm

Re: 802.1AE MACsec Progress or Examples ?

Fri May 07, 2021 12:39 pm

another bump.
Really interested in MACSEC options.

Would this eventually also be available on SwOS?
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Oct 25, 2021 12:26 pm

same here ... status hangs on "negotiating"
rOSv71.rc4 on both end devices

Device 1 = CRS109-8G-1S-2HnD
Device 2 = RB951Ui-2HnD

config on BOTH devices is identical
/interface macsec profile
add name=macsec-01 server-priority=5
/interface macsec
add ckn=766469656b336a356b733832336b3575 disabled=no interface=ether3-PtP_2_CRS name=S2S-L2-MACsec01 profile=macsec-01
this is what i see on BOTH devices (which are directly connected on ether3 each with a single ethernet cable)
 [spippan@MikroTik951Ui-RRZ-01] /interface/macsec> print int 1
Flags: I - inactive, X - disabled, R - running 
 0   name="S2S-L2-MACsec01" interface=ether3-PtP_2_CRS status="negotiating" cak=4ab8ab80a1730f9fcca040eabfbfe6ed 
     ckn=766469656b336a356b733832336b3575 profile=macsec-01 
-- [Q quit|D dump|C-z pause] 
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
 
0x6d61726b
just joined
Posts: 1
Joined: Thu Oct 28, 2021 7:01 pm

Re: 802.1AE MACsec Progress or Examples ?

Thu Oct 28, 2021 7:23 pm

I have the same issues with 7.1rc5 when trying to establish a MACsec link between two CRS326-24G-2S+ devices.

The process hangs on:
[admin@MikroTik] /interface/macsec> print
Flags: I - inactive, X - disabled, R - running 
 0   name="macsec-test" interface=ether9 status="negotiating" cak=09db3ef1000000000000000000000000 ckn=e9ac profile=default

Is there any documentation or information available on how to setup/test MACsec?
Are there any log filters or outputs available to further track down those issues?
Has this feature been tested at MikroTik's site and should it work in general?
Last edited by 0x6d61726b on Thu Oct 28, 2021 7:25 pm, edited 1 time in total.
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sun Nov 28, 2021 11:14 am

Please Mikrotik, can you add some comments on where MACSEC is currently at..
Now trying with 7.1rc7 using x86... All I see is ether-type traffic 888e on the interface I configured it on between 2x VM's.
I can add an IP against the 'macsec1' interface using the command line (not winbox) too.

mikrotik macsec rc7.jpg
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
sybreeder
just joined
Posts: 1
Joined: Thu Apr 07, 2022 2:08 pm

Re: 802.1AE MACsec Progress or Examples ?

Thu Apr 07, 2022 2:12 pm

bump...
I've Tried to configure it on latest routeros 7.2 but it is negotiating only. Any documentation how to configure macsec on router v7.2 ?
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sun Apr 10, 2022 6:06 am

I have not seen Mikrotik do anything in this area.!!!

The MACSEC option has been there in the console since the very first v7 RC public release back in 2019. It's 2022 and NOTHING, yet > interface/macsec is there hidden in plain sight of the console terminal...


bump...
I've Tried to configure it on latest routeros 7.2 but it is negotiating only. Any documentation how to configure macsec on router v7.2 ?
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
Network5
just joined
Posts: 8
Joined: Sat Mar 22, 2014 11:42 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Jun 28, 2022 6:23 pm

I've tried today to setup the MACsec between a 2004 and 1016, both with 7.3.1 that we have in LAB. We need to encrypt an internal gigabit link for a client.
When the MACsec is coming up, the 1016 is rebooting, till the interface is disabled.

With WireGuard the throughput is something less than 1G for UDP and 500M for TCP in both directions.
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Wed Jul 06, 2022 6:03 am

Noted, will take a look soon.

If you need wirespeed macsec, I suggest getting yourselves a couple of second hand Cisco 3850's with an appropriate NIM module each (config e.g. https://community.cisco.com/t5/network- ... -p/3368918 )
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
buraglio
Frequent Visitor
Posts: 66
Joined: Mon Aug 10, 2015 5:59 pm
Location: +1 (217)

Re: 802.1AE MACsec Progress or Examples ?

Tue Aug 02, 2022 4:26 pm

This appears to be just not done or I am missing something (which is perfectly feasible). 7.4 has the same behavior, stuck in "negotiating".

nb

I've tried today to setup the MACsec between a 2004 and 1016, both with 7.3.1 that we have in LAB. We need to encrypt an internal gigabit link for a client.
When the MACsec is coming up, the 1016 is rebooting, till the interface is disabled.

With WireGuard the throughput is something less than 1G for UDP and 500M for TCP in both directions.
ForwardingPlane, LLC
https://www.forwardingplane.net
 
Njumaen
Frequent Visitor
Posts: 51
Joined: Wed Feb 24, 2016 8:41 pm

Re: 802.1AE MACsec Progress or Examples ?

Thu Aug 25, 2022 8:30 am

As I assume I will see a working macsec shortly before I die, I used wireguard (eth --- eth) and VXLAN (bridge -- wg --- wg --- bridge) now to get my external port towards my hAPac in the garden quite secure.

But I still hope for macsec! 😜
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Wed Sep 07, 2022 12:12 am

this is something which frustrates me ....
still have to work this around with a wireguard interconnect and vxlan bridged to PHY port to get a decent throughput
but MACsec would kill this overhead finally

please MT, do smth about this finally
this could be a killer feature against some way overpriced cisco hardware!
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
 
IPANetEngineer
Trainer
Posts: 1643
Joined: Fri Aug 10, 2012 6:46 am
Location: Denver, CO USA

Re: 802.1AE MACsec Progress or Examples ?

Wed Sep 07, 2022 7:53 am

Agreed, I'd love to see hardware MACSEC available. Especially for the broadcast video world where it is often required.
Global - MikroTik Support & Consulting - English | Español +1 855-645-7684
https://iparchitechs.com/ecosystem/mikr ... consulting mikrotiksupport@iparchitechs.com
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Sat Sep 24, 2022 9:21 pm

Agreed, I'd love to see hardware MACSEC available. Especially for the broadcast video world where it is often required.
so far we have it in 7.6beta8 working ;)


viewtopic.php?p=958682&hilit=macsec#p958682
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
 
IPANetEngineer
Trainer
Posts: 1643
Joined: Fri Aug 10, 2012 6:46 am
Location: Denver, CO USA

Re: 802.1AE MACsec Progress or Examples ?

Sat Sep 24, 2022 9:52 pm

I just saw that!

I know that some of the Marvell Prestera chips support MACSEC in hardware - would love to hear from MikroTik if there are plans to put MACSEC into the chip.

I need to add MACSEC in my v7 lab and play with it some.
Global - MikroTik Support & Consulting - English | Español +1 855-645-7684
https://iparchitechs.com/ecosystem/mikr ... consulting mikrotiksupport@iparchitechs.com
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sat Oct 01, 2022 2:15 am

Happy to report MACSEC on v7.6 beta 10 on CHR is now working and passing IP....
Excellent work...

Just make sure you use the same CAK / CKN on both ends and happy times ahead..
Now for VLAN's over MACSEC.... hmmm
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
Njumaen
Frequent Visitor
Posts: 51
Joined: Wed Feb 24, 2016 8:41 pm

Re: 802.1AE MACsec Progress or Examples ?

Sat Oct 01, 2022 6:56 pm

Here with outside wAPac connected to hAPac MACSEC on v7.6 beta 10 works flawlessly. Even with PoE turned off and on again.

I’m so happy!
 
psannz
Member Candidate
Posts: 109
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: 802.1AE MACsec Progress or Examples ?

Mon Oct 10, 2022 5:36 pm

Here with outside wAPac connected to hAPac MACSEC on v7.6 beta 10 works flawlessly. Even with PoE turned off and on again.
Could you give us some information regarding performance & CPU load?
 
Network5
just joined
Posts: 8
Joined: Sat Mar 22, 2014 11:42 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Oct 10, 2022 11:37 pm

Today I've tested MACsec between two CCR2004 in LAB. The interface is working without any problem.

These are the results on a 25G link between two sfp28 interfaces. The CCRs were reset to defaults with no other settings set but the ip addresses and the macsec interface.

ping-min-avg-max: 88us / 101us / 263us
jitter-min-avg-max: 0s / 7us / 147us
loss: 0% (0/200)
tcp-download: 334Mbps local-cpu-load:52%
tcp-upload: 336Mbps local-cpu-load:52% remote-cpu-load:52%
udp-download: 477Mbps local-cpu-load:50% remote-cpu-load:65%
udp-upload: 483Mbps local-cpu-load:65% remote-cpu-load:50%
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Fri Oct 14, 2022 12:10 am

Thanks Network5

That's quite handy information. Especially on CPU load.

I wonder if one/two of the cores was dedicated to that task thus the ~50%'ish cpu-load !! ?
Not bad I guess for a unit that's only got a CPU and no dedicated switch chip. At least there is head room for other activities on the router such as firewall/actual routing/queues etc etc..

As for Mikrotik's future switch range (CRS series), hopefully they will obtain switch chips that have macsec hardware offload options !!

Cheers
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
Guscht
Member Candidate
Posts: 166
Joined: Thu Jul 01, 2010 5:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Oct 18, 2022 7:08 pm

Any examples how this works with VLAN-Interfaces and Bonding-Interfaces?
Let's say we have a Bonding eth1+eth2 as LAG0 and 100 VLANs.

Is all we have to do create 2 MACsec Interfaces (eth1 and eth2) and that's it?
Or do we have to do it the cascading way: create MACsec-Interfaces -> create the Bond with the MACsec-Interfaces

EDIT: Awesome "Internal Error"...
Screenshot 2022-10-18 182959.jpg

That's a real-world Example: Bonding, VLANs and MACsec.
LAG0 consists of eth1, LAG0 is a Port of Bridge BR0. MACsec enabled on eth1.

There is no option to add macsec1 as Interface to the Bonding.
Home: CCR2004, CRS317, CRS328, CRS309, CRS326, hexS, cAPac
Work: from mAPlite to the CCR1072 everything
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Wed Oct 19, 2022 2:37 am

I think ( and probably wrong !! will need to test ). Based on some playing of other things a few nights ago
If you adjust the MTU of the ETH ( or adjust down the bridge ) by ~ +/- 64 bytes, and try again, the error may go, as I don't think MTU gets corrected when you add it to bridges/vlans and may be the issue with the bonding.
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
psannz
Member Candidate
Posts: 109
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: 802.1AE MACsec Progress or Examples ?

Wed Oct 19, 2022 11:06 am

I think ( and probably wrong !! will need to test ). Based on some playing of other things a few nights ago
If you adjust the MTU of the ETH ( or adjust down the bridge ) by ~ +/- 64 bytes, and try again, the error may go, as I don't think MTU gets corrected when you add it to bridges/vlans and may be the issue with the bonding.
Actually, default MACSEC Header is 32 Byte. Depending on cyphers used, it may go up to 160Byte in case of AES512.
Still, 64 Byte leaves you quite a bit of headroom :)
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Sun Nov 13, 2022 3:51 pm


There is no option to add macsec1 as Interface to the Bonding.
cause macsec is applied to HARDWARE interfaces
macsec@eth1
macsec@eth2
eth1+2@bond0

watch out for MTU accordingly (1600 would surely suffice on L2)

add the bond0 to the bridge and (pvid "xyz" for untagged traffic and /interface/bridge/vlans settings on bond0 for tagged vlans)

but do not expect a lot of Performance right now.
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
 
golf0r
just joined
Posts: 5
Joined: Tue Jul 07, 2015 7:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Nov 21, 2022 6:05 pm

Hello,

I tried to get the MACsec connection working, but I always get "Internal Error" and Status "invalid" on both sides.
[admin@MikroTik] > interface/macsec/ print 
Flags: I - inactive, X - disabled, R - running 
 0 I ;;; Internal error
     name="macsecPH" mtu=1468 interface=ether6-slave-local status="invalid" cak=32fe28994a90b276f5b2aa7500000000 ckn=6464937365522a8b222c999e97f25b78c456d8e0 profile=default
the MAC address is always 00:00:00:00:00:00 in Webfig (XX:XX:XX:XX:XX:XX in WinBox)
Is this normal?

Thanks, Daniel
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Nov 22, 2022 4:56 am

paste the whole interfaces and bridge config.
there are many factors which could make it invalid!
Last edited by BartoszP on Wed Nov 30, 2022 8:30 am, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
 
golf0r
just joined
Posts: 5
Joined: Tue Jul 07, 2015 7:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Fri Nov 25, 2022 3:56 pm

Hello,
thanks for your answer, here is the whole config:
[admin@MikroTik-mAP2n] /interface> print detail 
Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 
 0  RS  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:88:CD:49 ifname="eth0" ifindex=9 id=1 last-link-down-time=nov/21/2022 18:51:45 last-link-up-time=nov/21/2022 18:51:46 link-downs=1 

 1      name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:88:CD:4A ifname="eth1" ifindex=10 id=2 link-downs=0 

 2  RS  name="wlan1" default-name="wlan1" type="wlan" mtu=1500 actual-mtu=1500 l2mtu=1600 max-l2mtu=2290 mac-address=D4:CA:6D:88:CD:4B ifname="ath0" ifindex=7 id=3 last-link-up-time=nov/21/2022 18:51:51 link-downs=0 

 3  R   name="bridge2" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:88:CD:49 ifname="br0" ifindex=6 id=5 last-link-up-time=nov/21/2022 18:51:38 link-downs=0 

 4      name="macsec1" type="macsec" mtu=1468 mac-address=(invalid) id=6 link-downs=0 

[admin@MikroTik-mAP2n] /interface/ethernet> print detail 
Flags: X - disabled, R - running; S - slave 
 0 RS name="ether1" default-name="ether1" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:88:CD:49 orig-mac-address=D4:CA:6D:88:CD:49 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m auto-negotiation=yes 
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps bandwidth=unlimited/unlimited switch=switch1 

 1    name="ether2" default-name="ether2" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:88:CD:4A orig-mac-address=D4:CA:6D:88:CD:4A arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m auto-negotiation=yes 
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps bandwidth=unlimited/unlimited switch=switch1 poe-out=off poe-controller="gpio" poe-priority=10 power-cycle-ping-enabled=no power-cycle-interval=none 

[admin@MikroTik-mAP2n] /interface/macsec> print detail 
Flags: I - inactive, X - disabled, R - running 
 0 I name="macsec1" mtu=1468 interface=ether2 status="invalid" cak=32fe28994a90b276f5b2aa7500000000 ckn=6464937365522a8b222c999e97f25b78c456d8e0 profile=default 

[admin@MikroTik-mAP2n] /interface/bridge> print detail 
Flags: X - disabled, R - running 
 0 R name="bridge2" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=D4:CA:6D:88:CD:49 protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 

[admin@MikroTik-mAP2n] /interface/bridge/port> print 
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE  BRIDGE   HW  PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0 ether1     bridge2  no     1  0x80             10                  10  none   
1 wlan1      bridge2         1  0x80             10                  10  none   
 
killersoft
Member Candidate
Topic Author
Posts: 221
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: 802.1AE MACsec Progress or Examples ?

Sat Nov 26, 2022 4:41 am

Hi golf0r.
Use 'export' rather than 'print' to show configs, e.g. /export file=MyFile.rsc and from the winbox / files you will see the MyFile.rsc which you can drag onto the windows desktop and open with a text editor
or use /export file=[filename] hide-sensitive command to not add in things like passwords etc.


That said, you should make sure the Ethernet interface is NOT directly connected to a bridge, as MACSEC does not work like that. It requires the physical interface to itself, and then you would later bond the new UP'ed MACSEC1 interface to things like bridges/vlans etc.
I note you're using a mAP2n, that does not have a lot of CPU so any macsec interface will be slow.

[macsec1(ETH2)]------------------[(ETH3)macsec1]
MTCNA
Grad Dip CYBER, MIT, BIT,CERT IV Electronics.
ITIL
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Mon Nov 28, 2022 9:59 am

Hello,
thanks for your answer, here is the whole config:
[admin@MikroTik-mAP2n] /interface> print detail 
...
 1      name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:88:CD:4A ifname="eth1" ifindex=10 id=2 link-downs=0 
...
 4      name="macsec1" type="macsec" mtu=1468 mac-address=(invalid) id=6 link-downs=0 

...

[admin@MikroTik-mAP2n] /interface/macsec> print detail 
Flags: I - inactive, X - disabled, R - running 
 0 I name="macsec1" mtu=1468 interface=ether2 status="invalid" cak=32fe28994a90b276f5b2aa7500000000 ckn=6464937365522a8b222c999e97f25b78c456d8e0 profile=default 

...

[admin@MikroTik-mAP2n] /interface/bridge/port> print 
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE  BRIDGE   HW  PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0 ether1     bridge2  no     1  0x80             10                  10  none   
1 wlan1      bridge2         1  0x80             10                  10  none   
1. so the "invalid" state is due to the fact, that your ETHER2 (which is the parent to macsec1!) interface is not running (down)
2. you need to add the "macsec1" as a port to your bridge, which you would like to use to connect

what is the INTENDED goal here?
something like that would bridge 2 networks via L2 over a macsec link
mikrotik-forum-macsec-topic164427.png
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
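
The checks discussed in the posts above (same CAK/CKN on both ends, parent Ethernet interface running, parent not itself a bridge port) can be run over saved `print` output from both devices. This is an added example, not code from any poster or from MikroTik; `check_link`, the device dictionaries and all sample names and keys are constructed for illustration.

```python
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
HEAD = re.compile(r'^\s*\d+\s+([A-Z ]*)')    # record index, then optional flag letters

def parse_print_detail(text):
    """Parse RouterOS `print detail` output into one dict per numbered record."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("Flags:", "[")):
            continue                          # skip blanks, flag legend, prompt lines
        head = HEAD.match(line)
        if head:                              # new record; other lines continue the last
            records.append({"flags": set(head.group(1).replace(" ", ""))})
        if records:
            for key, value in KV.findall(line):
                records[-1][key] = value.strip('"')
    return records

def bridge_ports(text):
    """Interface names from the columnar `/interface/bridge/port print` table."""
    return {m.group(1) for m in
            re.finditer(r'^[ \t]*\d+[ \t]+(\S+)[ \t]+\S+', text, re.M)}

def check_link(a, b):
    """Check both ends of one MACsec link; each argument holds a device's print output."""
    findings, keys = [], []
    for label, dev in (("A", a), ("B", b)):
        ms = parse_print_detail(dev["macsec"])[0]
        flags = {r.get("name"): r["flags"] for r in parse_print_detail(dev["interface"])}
        parent = ms["interface"]
        if "R" not in flags.get(parent, set()):
            findings.append(f"{label}: parent {parent} is not running")
        if parent in bridge_ports(dev["bridge_port"]):
            findings.append(f"{label}: parent {parent} is a bridge port")
        keys.append((ms.get("cak"), ms.get("ckn")))
    # Report mismatches without echoing the values: the CAK is a shared secret.
    if keys[0][0] != keys[1][0]:
        findings.append("CAK differs between the two ends")
    if keys[0][1] != keys[1][1]:
        findings.append("CKN differs between the two ends")
    return findings

# Constructed sample data (names and keys invented), shaped like the listings above.
ROUTER = {
    "macsec": ' 0   name="macsec1" mtu=1468 interface=ether3 status="negotiating"\n'
              '     cak=00112233445566778899aabbccddeeff ckn=0a0b0c0d profile=default',
    "interface": ' 0  R   name="ether3" type="ether" mtu=1500\n'
                 ' 1  R   name="bridge1" type="bridge" mtu=auto',
    "bridge_port": '# INTERFACE  BRIDGE\n0 ether4     bridge1',
}
AP_BROKEN = {
    "macsec": ' 0 I name="macsec1" mtu=1468 interface=ether2 status="invalid"\n'
              '     cak=00112233445566778899aabbccddeeff ckn=0a0b0c0e profile=default',
    "interface": ' 0  RS  name="ether1" type="ether" mtu=1500\n'
                 ' 1      name="ether2" type="ether" mtu=1500',
    "bridge_port": '# INTERFACE  BRIDGE\n0 ether1     bridge2\n1 ether2     bridge2',
}
AP_FIXED = {
    "macsec": ' 0   name="macsec1" mtu=1468 interface=ether2 status="negotiating"\n'
              '     cak=00112233445566778899aabbccddeeff ckn=0a0b0c0d profile=default',
    "interface": ' 0  RS  name="ether1" type="ether" mtu=1500\n'
                 ' 1  R   name="ether2" type="ether" mtu=1500',
    "bridge_port": '# INTERFACE  BRIDGE\n0 ether1     bridge2\n1 macsec1    bridge2',
}

if __name__ == "__main__":
    for name, ap in (("broken", AP_BROKEN), ("fixed", AP_FIXED)):
        print(name, check_link(ROUTER, ap))
```

Since `print` shows the CAK in clear text, keep the saved output as protected as the key itself.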
 
golf0r
just joined
Posts: 5
Joined: Tue Jul 07, 2015 7:32 pm

Re: 802.1AE MACsec Progress or Examples ?

Tue Nov 29, 2022 7:17 pm

@killersoft:
the Ethernet interface used for MACsec is not connected to the bridge, I removed ether2 as port of the bridge.

@spippan:
when I am back home I will add macsec1 to the bridge and then try again.

My goal is to create a secure ethernet connection between my Router (CRS109-8G-1S-2HnD-IN) and a Wifi Accesspoint (mAP2nD), because the ethernet cable goes outside of my house.

So on the Router side I would bridge the macsec interface with the internal ethernet ports and wifi and on the Accesspoint side I would bridge macsec interface only with wifi (now ether1 is also bridged until config runs)
 
spippan
Member Candidate
Posts: 134
Joined: Wed Nov 12, 2014 1:00 pm

Re: 802.1AE MACsec Progress or Examples ?

Wed Nov 30, 2022 8:18 am

So on the Router side I would bridge the macsec interface with the internal ethernet ports and wifi and on the Accesspoint side I would bridge macsec interface only with wifi (now ether1 is also bridged until config runs)
should do the trick
but do not expect any kind of good throughput. a mAP is equipped far in the lower specs area
---
127.0.0.1 is where the heart is
MTCNA // MTCWE // MTCTCE - Austria
