Skip to content
Indus LeveL
macsec centos7 networking security vmware

How to Configure MACSEC On Three Nodes CentOS VMs Network

Step-by-step guide to configuring point-to-point security using Media Access Control security (MACsec) on CentOS 7 VMs.

2 min read
Cover image for MACsec configuration guide

On Ethernet networks, point-to-point security is provided by Media Access Control security (MACsec). MACsec is defined by IEEE standard 802.1AE. End-to-end network security can be achieved by combining MACsec with other security protocols like IP Security (IPsec) and Secure Sockets Layer (SSL). We will go through configuring the setup.

Generate Keys

Execute the following command on any host to create keys.

Create a 16-byte hexadecimal CAK:

CAK=$(dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"')
echo $CAK

Output:

0123456789abcdef0123456789abcdef

Create a 32-byte hexadecimal CKN:

CKN=$(dd if=/dev/urandom count=32 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"')
echo $CKN

Output:

0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Configure Hosts

Execute the following single command on all hosts you want to connect over a MACsec network (replace the keys with your generated ones if different):

nmcli connection add type macsec con-name macsec0 ifname macsec0 connection.autoconnect yes macsec.parent enp192 macsec.mode psk macsec.mka-cak 0123456789abcdef0123456789abcdef macsec.mka-ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Configure Host 1

Configure the IPv4 settings on host 1:

nmcli connection modify macsec0 ipv4.method manual ipv4.addresses '192.168.7.44/24' ipv4.gateway '192.168.7.1' ipv4.dns '8.8.8.8'
nmcli connection up macsec0

Configure Host 2

Configure the IPv4 settings on host 2:

nmcli connection modify macsec0 ipv4.method manual ipv4.addresses '192.168.7.45/24' ipv4.gateway '192.168.7.1' ipv4.dns '8.8.8.8'
nmcli connection up macsec0

Configure Host 3

Configure the IPv4 settings on host 3:

nmcli connection modify macsec0 ipv4.method manual ipv4.addresses '192.168.7.46/24' ipv4.gateway '192.168.7.1' ipv4.dns '8.8.8.8'
nmcli connection up macsec0

View Status

To view the status of the MACsec connection:

ip macsec show

Traffic Encryption Test

To test the traffic encryption, I captured the traffic on the hypervisor level.

Listed the vswitch port on which macsec is enabled and non-macsec devices are configured:

net-stats -l

Output:

PortNum Type SubType SwitchName MACAddress ClientName
100663448 5 9 vSwitch1 00:0c:29:17:e7:89 haproxy-server01-wazeem
100663458 5 9 vSwitch1 00:0c:29:b2:e4:1b macsec2
100663459 5 9 vSwitch1 00:0c:29:19:fa:59 macsec3
100663460 5 9 vSwitch1 00:0c:29:26:a3:fc macsec1

Captured tcpdump from a machine without macsec enabled:

pktcap-uw --switchport 100663448 -o /vmfs/volumes/OSDATA-612963ab-b693a7b2-799b-0010e0cd0f5a/unsecure.pcap

Captured tcpdump from a machine with macsec enabled:

pktcap-uw --switchport 100663460 -o /vmfs/volumes/OSDATA-612963ab-b693a7b2-799b-0010e0cd0f5a/secure.pcap

Data Without MACsec

Data is visible on hypervisor level without macsec:

Data visible without MACsec

Data With MACsec

Whereas data is not readable on hypervisor level with macsec enabled:

Data encrypted with MACsec

Back to Blog
Share:

Follow along

Stay in the loop — new articles, thoughts, and updates.