06-14-2021 12:01 PM
Team,
About MACSec over a wireless bridge. The setup looks like this, and we will be using Aruba 2930F on both ends. On top of this, it will also be a Point-Multipoint Wireless Bridge setup.
We could not find a reference for Aruba switches regarding the config, and there are also no documents saying that this setup is even possible.
Here is the setup
| MacSec SW1 |---{Wireless Bridge}>>>>><<<<<<{Wireless Bridge}---| MacSec SW2 |
Is this possible for Aruba? Can you please share the config on how we can engage this requirement?
06-14-2021 09:15 PM
Re: MACSec over Wireless Bridge
Hi,
You can refer to the link below for the Access Security Guide:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us
Thanks!
06-15-2021 12:45 AM - edited 06-15-2021 12:46 AM
Solution
Hi @Dennis_Aruba!
It's kind of an unusual request, as MACsec is used for Ethernet traffic security and 802.11 protocols have their own security mechanisms - WPA, WPA2, WPA3 etc. So first, MACsec over WDS is redundant and second, it can be hit and miss depending on the actual AP hardware and software. I couldn't find any document describing this corner case with Aruba APs, but for switches you need to use the guide @akg7 provided; the "Infrastructure MACsec" section is what you need. Switches themselves don't need to know anything about the WDS bridge, so from their perspective that bridge is just a direct link and no additional configuration is required. But without a test I can't guarantee the WDS bridge between APs will allow MACsec traffic. From my side I foresee possible issues with the EAPOL-MKA exchange, as many WDS implementations do not bridge EAPOL packets. And without a successful EAPOL-MKA exchange the switches won't be able to establish an MKA session.
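A check for the test suggested above, as an added example that is not part of the original post or of any Aruba tooling: it classifies frames captured on the far side of the bridge to show whether EAPOL-MKA (EtherType 0x888E, EAPOL packet type 5) and MACsec (EtherType 0x88E5) frames got through. The sample frames and MAC addresses are constructed, and how the frames are captured is left open.

```python
import struct

ETH_EAPOL = 0x888E       # IEEE 802.1X EAPOL, the carrier for MKA
ETH_MACSEC = 0x88E5      # IEEE 802.1AE MACsec (SecTAG follows)
VLAN_TAGS = {0x8100, 0x88A8}
EAPOL_TYPE_MKA = 5       # EAPOL packet type used by MKA
PAE_GROUP = bytes.fromhex("0180c2000003")  # usual EAPOL destination

def classify(frame: bytes) -> str:
    """Return 'mka', 'eapol-other', 'macsec', 'other' or 'truncated'."""
    if len(frame) < 14:
        return "truncated"
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TAGS:            # step over 802.1Q/802.1ad tags
        offset += 4
        if len(frame) < offset + 2:
            return "truncated"
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    payload = frame[offset + 2:]
    if ethertype == ETH_MACSEC:
        return "macsec"
    if ethertype != ETH_EAPOL:
        return "other"
    if len(payload) < 4:                     # version, type, 2-byte length
        return "truncated"
    return "mka" if payload[1] == EAPOL_TYPE_MKA else "eapol-other"

def reserved_dst(frame: bytes) -> bool:
    """True for 01:80:C2:00:00:00-0F, which 802.1D bridges do not forward."""
    return len(frame) >= 6 and frame[:5] == PAE_GROUP[:5] and frame[5] <= 0x0F

def bridge_verdict(far_side_frames) -> str:
    """Summarise what a capture taken behind the bridge shows."""
    seen = {classify(f) for f in far_side_frames}
    if "mka" not in seen:
        return "mka-blocked"       # no MKA session can form
    return "mka-and-macsec" if "macsec" in seen else "mka-only"

def _frame(dst: bytes, ethertype: int, payload: bytes) -> bytes:
    src = bytes.fromhex("020000000001")      # constructed source MAC
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample frames (not captures from real equipment).
SAMPLE_MKA = _frame(PAE_GROUP, ETH_EAPOL, bytes([3, 5, 0, 0]))
SAMPLE_EAPOL_START = _frame(PAE_GROUP, ETH_EAPOL, bytes([3, 1, 0, 0]))
SAMPLE_MACSEC = _frame(bytes.fromhex("020000000002"), ETH_MACSEC, bytes(16))
SAMPLE_ARP = _frame(b"\xff" * 6, 0x0806, bytes(28))
```

A `mka-blocked` verdict on a capture where the near side shows MKA frames leaving the switch points at the bridge filtering the reserved group address rather than at the switch configuration.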
06-15-2021 06:41 AM
Re: MACSec over Wireless Bridge
Thank you for the response.
You are correct. It seems the only way to find out is to try this setup. We have been looking on the internet but we couldn't find any reference. We have a few setups already with MacSec, but they are all wired and so far we have no issues in that area.
We intended MacSec over the wireless bridge as an added layer of security, because the 3rd-party networks that will ride on our corporate network are quite isolated and we do not have much of a way of monitoring them.
06-16-2021 07:19 AM
Re: MACSec over Wireless Bridge
Thank you. We'll check the link and see what more we can do.
06-16-2021 08:36 AM
Re: MACSec over Wireless Bridge
Hello,
Discarding the wireless part, are there ways for Aruba switches (particularly the 2930) to support MacSec Point-to-Multipoint? I was reviewing the HP MACsec guide; it provides a solution only for static trunking, and it is probably good only for a P2P setup.
06-16-2021 09:49 AM
Re: MACSec over Wireless Bridge
Typically infrastructure MACsec is used on P2P links where you have only two participants, since we speak about switches here, not hubs. Unfortunately you are right, and the documentation for these switches doesn't state clearly whether group CAKs are supported and whether you can use 3 or more switches with one shared CAK on one link. I think it may have issues with replay protection... For example, the ArubaOS-CX guides clearly say "Provides Layer 2 hop-by-hop encryption on point-to-point Ethernet links.", and I doubt the 2930 has more extended features than those. And also, typically when a vendor supports group CAK there is a configuration abstraction for multiple key storage, like a keychain. There is no such thing in the 2930...
But as with WDS - only a test can reveal the truth as this is really a corner case.