MACsec, VACLs, PACLs:
- VLAN Access Control Lists (VLAN MAP)
- Port based Access Control Lists
- MACsec L2 Hop by Hop encryption
### VLAN Access Control Lists (VLAN MAP)
! IP ACL naming the TCP/456 and UDP/678 traffic from 10.1.2.0/24 that the VACL will drop
SW2(config)#ip access-list extended UNWANTED-IP-PORT
SW2(config-ext-nacl)#permit tcp 10.1.2.0 0.0.0.255 any eq 456
SW2(config-ext-nacl)#permit udp 10.1.2.0 0.0.0.255 any eq 678
SW2(config-ext-nacl)#exit
! MAC ACL naming a single source MAC to drop ("permit" here only selects the frames;
! the drop/forward decision comes from the access-map action)
SW2(config)#mac access-list extended UNWANTED-MAC
SW2(config-ext-macl)#permit host 0000.1234.5678 any
SW2(config-ext-macl)#exit
! Catch-all used by the final forward entry
SW2(config)#ip access-list extended ALLOWED-TRAFFIC
SW2(config-ext-nacl)#permit ip any any
SW2(config-ext-nacl)#exit
! Access-map entries are evaluated in sequence order (10, 20, 30); first match wins
SW2(config)#vlan access-map VACL 10
SW2(config-access-map)#match ip address UNWANTED-IP-PORT
SW2(config-access-map)#action drop
SW2(config-access-map)#exit
SW2(config)#vlan access-map VACL 20
! NOTE(review): UNWANTED-MAC is a MAC ACL (created with "mac access-list" above), so this
! line should read
!   match mac address UNWANTED-MAC
! As written, the MAC-based drop is unlikely to take effect; verify with "show vlan access-map VACL".
SW2(config-access-map)#match ip address UNWANTED-MAC
SW2(config-access-map)#action drop
SW2(config-access-map)#exit
! Everything not matched above is explicitly forwarded (without this entry, traffic that
! matches no sequence is dropped - confirm on your platform)
SW2(config)#vlan access-map VACL 30
SW2(config-access-map)#match ip address ALLOWED-TRAFFIC
SW2(config-access-map)#action forward
SW2(config-access-map)#exit
! Bind the map to VLAN 55; it applies to traffic in that VLAN regardless of ingress port,
! unlike the port ACL in the next section
SW2(config)#vlan filter VACL vlan 55
### Port based Access Control Lists
! Create access list: block all ICMP to 10.123.0.11, permit everything else
! NOTE(review): "deny icmp" matches every ICMP type, not only echo; to block just ping while
! keeping other ICMP (e.g. unreachables used for path-MTU discovery) use
!   deny icmp any host 10.123.0.11 echo
SW2(config)#ip access-list extended NO-PING-TO-11
SW2(config-ext-nacl)#deny icmp any host 10.123.0.11
! Trailing permit keeps all other traffic flowing (a named ACL otherwise ends in an implicit deny)
SW2(config-ext-nacl)#permit ip any any
! Check Ping
root@kali:~# ping 10.123.0.11
it works!
! Apply this access control list on the interface; "in" is inbound from the switch's point of
! view (frames entering fas 0/7), so only hosts behind that port are affected
SW2(config)#in fas 0/7
SW2(config-if)#ip access-group NO-PING-TO-11 in
! Check Ping again
root@kali:~# ping 10.123.0.11
it doesn't work!
### MACsec (Encryption)
! Trunk link to SW1 (see the description below); MACsec protects only this hop
SW2(config)#in fastEthernet 0/24
SW2(config-if)#cts manual
! NOTE(security): the short PMK "ABCD" is padded with leading zeros (see the show run output
! below) and is stored in clear text in the running config, readable by anyone with
! "show run" access. Use a full-length random PMK outside the lab and restrict config read access.
SW2(config-if-cts-manual)#sap pmk ABCD
! Verify what was actually stored
SW2(config-if-cts-manual)#do show run in fas0/24
interface FastEthernet0/24
description LINK_TO_SW1
switchport trunk encapsulation dot1q
switchport mode trunk
cts manual
sap pmk 00000000000000000000000000000000000000000000000000000000ABCD
end
* The other end of the link must be configured the same way
* Note: For more info, use
SW2#show cts interface
* Note: MACsec is an open standard
* Note: CTS = Cisco TrustSec
* Note: SAP = Security Association Protocol
* Note: PMK = Pairwise Master Key