Fast and easy MACSec in a SDA Fabric

With the current version of the DNA Center ( 2.2.3.5) there is no built in feature to globally enable MACSec within the fabric.

The good news are: there are great tools like the Template Editor available!

Let's dive right into it:

First i will cover the usual global configuration:

To use a pre-shared key we need a key chain in advance. Surprise!

The unique key identifier requires a 32 bit HEX value and the key string need a 32 bit or a 64 bit HEX value. I used a generator for this.

key chain <name> macsec
  key <hexkey32>
    cryptographic-algorithm aes-256-cmac
    key-string <hexkey64>
    
mka policy <name>
  macsec-cipher-suite gcm-aes-256  

The next configuration step is the interface configuration. But how can we do that in an automated manner? We need a way to find out what the uplink interfaces are, regardless what interfaces are used and how they named.

I use the fact, that SDA Lan Automation set a certain interface description on every Border Node interface facing a Edge Node and vice versa.

Let's check the system variables we have access to in the template editor:

By the way:

Be aware of the "show more" button :-)

Exactly what i was looking for!

In the script we will loop through all interfaces and search for the description given by the DNA automation. For all interfaces that matches this condition the MACSec configuration will be applied.

#foreach ( $INT in $__interface )
  #if($INT.description=="Fabric Physical Link")
 
  interface $INT.portName
    macsec access-control should-secure
    mka policy mkapol
    mka pre-shared-key key-chain <keyname>
    macsec network-link
    
  #end
#end

At least in my lab this solution worked without shut/no shut.

But be aware that the best practise is to first shutdown the interface and, after the MACSec configuration is applied, no shut it again.If the Edge Nodes are single homed, this will break the connection and you have to take a walk with a laptop and a console cable in your hand .

interface $INT.portName
    shutdown
    macsec access-control should-secure
    mka policy mkapol
    mka pre-shared-key key-chain <keyname>
    macsec network-link
    no shutdown

We can adopt a subtly different setup for the border nodes. This is because if both sides are configured with should-secure, the traffic will indeed be encrypted. However, this configuration does not safeguard against potential inline intrusions or similar threats.

To address this, we omit the macsec access-control should-secure setting on the border nodes. Hence follow the must-secure approach. However, we retain this setting on the edge nodes to ensure that the link is re-established after the template has been applied across all edge nodes.

Once all interfaces are back online, we can proceed to deploy the border template, thereby ensuring that all links are securely encrypted.

interface $INT.portName
    shutdown
    mka policy mkapol
    mka pre-shared-key key-chain <keyname>
    macsec network-link
    no shutdown

I want to thank Tim Glen for helping out how i can configure should-secure on the Cat9k!

https://community.cisco.com/t5/user/viewprofilepage/user-id/319624

Another thing you should be aware of is that the dna center configures the uplinks with bfd 100 ms and a three times multiplier. But in the security configuration guide of the Catalyst 9300, following recommendations are stated:

Another thing you should be aware of:

hope I could help you and gave some inspiration for you own challenges. Let me know in the comments below, if you have further questions or want me to cover another topic.