MACsec cannot be established between two S5720 when there are L2 switches between them

Created Jun 26, 2018 13:46:27 | Latest reply Dec 24, 2018 09:26:48
Issue Description:

Version Information: S5720SI-V200R010C00SPC600

Fault symptom: In order to better explain the issue I will provide a topology that can show this scenario:


Let's suppose that between our two S5720 switches there are only L2 switches which allow all packets. Even so, MACsec cannot be established. When the two end switches are directly connected, the MACsec connection is successful.

Root Cause:

MACsec (Media Access Control Security) is a LAN security communication method based on the 802.1AE and 802.1X protocols.

The EAP protocol packet in the MACsec session negotiation process is a BPDU packet.

IEEE Std 802.1X-2010 Clause 11 describes the MAC format of the EAP protocol packets, as shown in the following figure:


From the packet captures, the STP BPDU packet's destination MAC was different from 0180-c200-0003, which is required for the negotiation of MACsec.


From the capture we can only see the packets sent by switch1. The dumb switch didn't forward them; the packet was lost in the dumb switch.
Our switch sends the packet every 2 s by default. If the dumb switch forwarded the packet, there should be another packet between 1 and 4.


Solution

MACsec negotiation needs the BPDU packets in this process, and we suspected that the dumb switch dropped the BPDU packets as its default behavior when there is no configuration.
That's why it is required to configure l2protocol-tunnel to transport the packets.

For BPDUs, the destination MAC is 0180-c200-0003


First solution and recommended one:


In system-view apply this command on both switches:

l2protocol-tunnel user-defined-protocol test1 protocol-mac 0180-c200-0003 group-mac 0100-0008-0008

In interface view apply these commands:

interface GigabitEthernet0/0/34
port link-type access
port default vlan 10
l2protocol-tunnel user-defined-protocol test1 enable

Second solution, if l2protocol-tunnel cannot be configured on the switches directly connected to the end switches:

After connecting G0/0/3 to the dumb switch and applying the l2tp configuration on G0/0/2, which is connected to G0/0/1 (L3 interface), the MACsec connection could be established, but this scenario is not recommended and needs to be tested with precautions.
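To make the root cause and the fix concrete, here is an added example (not code from the post or from Huawei) that models what the captures above show: MKA hellos are EAPOL frames (EtherType 0x888E) sent to the reserved PAE group address 0180-c200-0003, which a bridge with no configuration does not forward, so a capture shows only one side's hellos; l2protocol-tunnel rewrites that destination to the configured group-mac 0100-0008-0008 so the dumb switch floods the frame like ordinary multicast, and the far edge restores it. The switch MAC addresses and the minimal EAPOL-MKA header are constructed values.

```python
import struct
from collections import Counter

EAPOL_ETHERTYPE = 0x888E
# Reserved PAE group address (802.1X): a standard bridge never forwards frames sent to it.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
# group-mac from the post's l2protocol-tunnel command; any non-reserved multicast works.
L2PT_GROUP_MAC = bytes.fromhex("010000080008")

def build_frame(dst, src, ethertype=EAPOL_ETHERTYPE, payload=b"\x03\x05\x00\x00"):
    """Ethernet II frame. Default payload is a constructed minimal EAPOL header:
    version 3, type 5 (EAPOL-MKA), body length 0."""
    return dst + src + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[0:6], frame[6:12], ethertype, frame[14:]

def is_mka(frame):
    """True for an EAPOL-MKA hello addressed to the reserved PAE group MAC."""
    dst, _, ethertype, payload = parse_frame(frame)
    return dst == PAE_GROUP_MAC and ethertype == EAPOL_ETHERTYPE and len(payload) >= 2 and payload[1] == 5

def mka_senders(capture):
    """Count MKA hellos per source MAC; a healthy link shows both peers."""
    return Counter(parse_frame(f)[1] for f in capture if is_mka(f))

def l2pt_encapsulate(frame, protocol_mac=PAE_GROUP_MAC, group_mac=L2PT_GROUP_MAC):
    """Ingress edge of l2protocol-tunnel: swap the reserved dst for the tunnel group MAC."""
    dst, src, ethertype, payload = parse_frame(frame)
    return build_frame(group_mac, src, ethertype, payload) if dst == protocol_mac else frame

def l2pt_decapsulate(frame, protocol_mac=PAE_GROUP_MAC, group_mac=L2PT_GROUP_MAC):
    """Egress edge: restore the reserved dst so the local MKA entity accepts the hello."""
    dst, src, ethertype, payload = parse_frame(frame)
    return build_frame(protocol_mac, src, ethertype, payload) if dst == group_mac else frame

SW1 = bytes.fromhex("4c1fcc000001")  # constructed MAC of the first S5720
SW2 = bytes.fromhex("4c1fcc000002")  # constructed MAC of the second S5720

# Constructed capture on the switch1 side: three of its own hellos (2 s apart), no reply.
BROKEN_CAPTURE = [build_frame(PAE_GROUP_MAC, SW1) for _ in range(3)]

def diagnose(capture, peer_a=SW1, peer_b=SW2):
    """Summarise a capture: hellos seen from each peer and whether MKA is bidirectional."""
    senders = mka_senders(capture)
    return {"sw1": senders[peer_a], "sw2": senders[peer_b],
            "bidirectional": peer_a in senders and peer_b in senders}
```

Run `diagnose` over a real capture's EAPOL frames to confirm the one-sided symptom before touching the intermediate switches.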


xiaomumu (Novice), Dec 24, 2018 09:26:48:


Very helpful