The following sections describe the procedure for configuring the BPDU Transparency with MACsec feature.
Configuring L2VPN Xconnect
Configure an IPv4 address on an interface connecting to the core.
Router# configure
Router(config)# interface tengige 0/1/0/8/2.1
Router(config-subif)# no shut
Router(config-subif)# ipv4 address 192.0.2.1/24
Configure an IPv4 loopback interface.
Router# configure
Router(config)# interface loopback 0
Router(config-if)# ipv4 address 10.0.0.1/32
Configure OSPF as IGP.
Router# configure
Router(config)# router ospf 100 area 0
Router(config-ospf-ar)# interface Tengige 0/1/0/8/3
Router(config-ospf-ar-if)# exit
Router(config-ospf-ar)# interface loopback 1
Configure MPLS LDP for the physical core interface.
Router(config-ospf-ar)# mpls ldp
Router(config-ldp)# interface TenGigE 0/1/8/3
Configure IPv4 address on an interface that connects to the core.
Router# configure
Router(config)# router bgp 100
Router(config-bgp)# bgp router-id 10.10.10.1
Router(config-bgp)# address-family ipv4 unicast
Router(config-bgp-af)# exit
Router(config-bgp)# address-family l2vpn vpls-vpws
Router(config-bgp-af)# exit
Router(config-bgp)# neighbor 172.16.0.1
Router(config-bgp-nbr)# remote-as 2002
Router(config-bgp-nbr)# update-source loopback 2
Router(config-bgp-nbr)# address-family l2vpn vpls-vpws
Router(config-bgp-nbr-af)# next-hop-self
Configure the AC as Layer 2 transport to forward packets to the remote pseudowire.
Router# configure
Router(config)# interface TenGigE 0/1/0/8/2.1 l2transport
Router(config-if)# encap dot1q 1
Configure L2VPN Xconnect with a neighbour which is a pseudowire.
Router# configure
Router(config)# l2vpn
Router(config-l2vpn)# xconnect group g1
Router(config-l2vpn-xc)# p2p g1
Router(config-l2vpn-xc-p2p)# interface TenGigE 0/1/0/2.1
Router(config-l2vpn-xc-p2p)# neighbor 172.16.0.1 pw-id 1
Router(config-l2vpn-xc-p2p-pw)#
Configure MACsec on CE device
Router# configure
Router(config)# key chain KC1 macsec
Router(config-kc1-MacSec)# key 5010
Router(config-kc1-MacSec-5010)# key-string password 04795B232C766A6C513A5C4E37582F220F0871781167033124465525017A0C7101 cryptographic-algorithm aes-128-cmac
Router(config-kc1-MacSec-5010)# lifetime 11:08:00 Aug 08 2017 infinite
Router(config-kc1-MacSec-5010)# commit
!
Router# configure
Router(config)# interface HundredGigE 0/0/0/3
Router(config-if)# macsec psk-keychain KC1
Router(config-if)# commit
Verification
The show outputs in the following section display the configuration details of the BPDU Transparency with MACsec feature and the status of that configuration.
/* Verify if IGP on the core is up. */
Router# show ospf neighbor
Group Wed Aug 16 20:32:33.665 UTC
* Indicates MADJ interface
# Indicates Neighbor awaiting BFD session up
Neighbors for OSPF 100
Neighbor ID Pri State Dead Time Address Interface
172.16.0.1 1 FULL/DR 00:00:30 10.1.1.2 TenGigE0/1/0/8/0
    Neighbor is up for 06:05:27
Total neighbor count: 1
/* Verify if the MPLS core is up. */
Router# show mpls ldp neighbor
Wed Aug 16 20:32:38.851 UTC
Peer LDP Identifier: 172.16.0.1:0
TCP connection: 172.16.0.1:64932 - 172.31.255.254:646
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 487/523; Downstream-Unsolicited
Up time: 06:05:24
LDP Discovery Sources:
IPv4: (2)
TenGigE0/1/0/8/0
Targeted Hello (172.31.255.254 -> 172.16.0.1, active)
IPv6: (0)
Addresses bound to this peer:
IPv4: (8)
10.0.0.1 10.0.0.2 10.0.0.200 172.16.0.1
192.168.0.1 172.31.255.255 172.16.0.2 10.255.255.254
IPv6: (0)
/* Verify if the BGP neighbor is up. */
Router# show bgp neighbor 10.10.10.1
Wed Aug 16 20:32:52.578 UTC
BGP neighbor is 10.10.10.1
Remote AS 15169, local AS 15169, internal link
Remote router ID 172.31.255.255
BGP state = Established, up for 06:03:40
NSR State: None
Last read 00:00:34, Last read before reset 00:00:00
Hold time is 180, keepalive interval is 60 seconds
Configured hold time: 180, keepalive: 60, min acceptable hold time: 3
Last write 00:00:34, attempted 19, written 19
Second last write 00:01:34, attempted 19, written 19
Last write before reset 00:00:00, attempted 0, written 0
*****************
Connections established 1; dropped 0
/* Verify if the BGP neighbor’s next-hop information is valid. */
Router# show cef 10.10.10.1
Wed Aug 16 20:33:18.949 UTC
10.10.10.1/32, version 16, internal 0x1000001 0x0 (ptr 0x8e0ef628) [1], 0x0 (0x8e287bc0),
0xa20 (0x8e9253e0)
Updated Aug 16 14:27:15.149
local adjacency 172.16.0.1
Prefix Len 32, traffic index 0, precedence n/a, priority 3
via 172.16.0.1/32, TenGigE0/1/0/8/0, 5 dependencies, weight 0, class 0 [flags 0x0]
path-idx 0 NHID 0x0 [0x8eb60568 0x8eb60e70]
next hop 172.16.0.1/32
local adjacency
local label 64001 labels imposed {ImplNull}
/* Verify if L2VPN Xconnect is up. */
Router# show l2vpn xconnect
Wed Aug 16 20:47:01.053 UTC
Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
SB = Standby, SR = Standby Ready, (PP) = Partially Programmed
XConnect                   Segment 1                       Segment 2
Group      Name       ST   Description            ST       Description            ST
------------------------   -----------------------------   -----------------------------
b1         b1         UP   BE100                  UP       10.10.10.1      1      UP
----------------------------------------------------------------------------------------
/* Note: If L2VPN is down even though the MPLS LDP neighbor is up, check if the AC is down.
To do this, use the show l2vpn xconnect detail command. */
/* Verify if L2VPN Xconnect is up */
Router# show l2vpn xconnect detail
!
!
AC: Bundle-Ether100, state is up <<<< This indicates that the AC is up.
Type Ethernet
MTU 1500; XC ID 0xa0000002; interworking none
Statistics:
packets: received 761470, sent 0
bytes: received 94326034, sent 0
PW: neighbor 10.10.10.1, PW ID 1, state is up ( established )
PW class not set, XC ID 0xc0000001
Encapsulation MPLS, protocol LDP
Source address 172.16.0.2
PW type Ethernet, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
!
!
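The verification steps above can be automated. The following Python sketch is an added example, not part of the original Cisco procedure: it parses the `show l2vpn xconnect` summary row and the AC/PW lines of `show l2vpn xconnect detail`, and applies the note above (a down xconnect with a healthy core points at the AC). The second summary row (b2, Te0/1/0/8/2.1) is constructed sample input, and the function names are assumptions.

```python
import re

ST = r"(UP|DN|AD|UR|SB|SR)"  # state codes from the command's legend
# Row of 'show l2vpn xconnect': group, name, ST, segment 1, ST, segment 2, ST.
ROW = re.compile(rf"^(\S+)\s+(\S+)\s+{ST}\s+(\S+)\s+{ST}\s+(\S+\s+\d+)\s+{ST}\s*$")
# Lines of 'show l2vpn xconnect detail' that carry the AC and PW state.
AC = re.compile(r"^\s*AC: (\S+), state is (\w+)")
PW = re.compile(r"^\s*PW: neighbor (\S+), PW ID (\d+), state is (\w+)")

def parse_summary(text):
    """Return one dict per xconnect row found in the summary table."""
    keys = ("group", "name", "xc", "ac", "ac_st", "pw", "pw_st")
    return [dict(zip(keys, m.groups()))
            for m in map(ROW.match, text.splitlines()) if m]

def parse_detail(text):
    """Return (AC states by interface, PW states by (neighbor, pw-id))."""
    acs, pws = {}, {}
    for line in text.splitlines():
        if m := AC.match(line):
            acs[m.group(1)] = m.group(2)
        elif m := PW.match(line):
            pws[(m.group(1), int(m.group(2)))] = m.group(3)
    return acs, pws

def triage(row):
    """Name the segment to inspect when an xconnect is not UP."""
    if row["xc"] == "UP":
        return "ok"
    if row["ac_st"] != "UP":
        return f"check AC {row['ac']} ({row['ac_st']})"
    if row["pw_st"] != "UP":
        return f"check pseudowire {' '.join(row['pw'].split())} ({row['pw_st']})"
    return "segments up, xconnect not UP: run 'show l2vpn xconnect detail'"

# Constructed sample: the page's row plus a hypothetical xconnect with a down AC.
SUMMARY = """\
b1         b1         UP   BE100                  UP       10.10.10.1      1      UP
b2         b2         DN   Te0/1/0/8/2.1          DN       10.10.10.1      2      UP
"""
DETAIL = """\
  AC: Bundle-Ether100, state is up
  PW: neighbor 10.10.10.1, PW ID 1, state is up ( established )
"""

if __name__ == "__main__":
    for r in parse_summary(SUMMARY):
        print(r["group"], r["name"], triage(r))
    print(parse_detail(DETAIL))
```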