{"id":914,"date":"2025-12-05T07:48:49","date_gmt":"2025-12-05T06:48:49","guid":{"rendered":"https:\/\/whoami.lausitz-event.info\/?p=914"},"modified":"2025-12-05T08:18:55","modified_gmt":"2025-12-05T07:18:55","slug":"verschluesselung-auf-osi-schicht-2-macsec-mit-cisco-nexus","status":"publish","type":"post","link":"https:\/\/whoami.lausitz-event.info\/?p=914","title":{"rendered":"Encryption at OSI Layer 2 &#8211; MACsec with Cisco Nexus"},"content":{"rendered":"\n<p>MACsec is used in critical-infrastructure environments to encrypt data at Layer 2 between Ethernet links. Even if an attacker captures traffic via a SPAN port, they cannot read it. MACsec also ensures that data cannot be altered in transit without detection.<\/p>\n\n<p>How exactly does this work?<\/p>\n\n<ol class=\"wp-block-list\">\n<li><strong>Key exchange:<\/strong> MACsec always uses a symmetric key to encrypt the traffic. This key is exchanged between the devices via the MKA protocol (MACsec Key Agreement). MKA is responsible for the secure exchange and management of the keys.<\/li>\n<li><strong>Encryption:<\/strong> When two devices communicate with each other, all frames sent between them are encrypted.<\/li>\n<li><strong>Authentication:<\/strong> MACsec ensures that the traffic really comes from the device it claims to be. Authentication is performed for this purpose.<\/li>\n<li><strong>Security:<\/strong> MACsec protects against attacks such as \"man in the middle\", because an attacker cannot decrypt or manipulate the traffic without possessing the key.<\/li>\n<\/ol>\n\n<p>Configuration Switch 1 (Key Server):<\/p>\n\n<pre class=\"wp-block-code\"><code>conf t\n\nfeature macsec\n\n! Pre-shared CAK; must be identical on both switches (placeholder, replace with 64 hex digits)\nkey chain MACSEC-KC macsec\n  key 1000\n    key-octet-string REPLACE_WITH_64_HEX_DIGITS cryptographic-algorithm AES_256_CMAC\n\nmacsec policy MyMACsecPolicy\n  ! GCM-AES-256 is an AEAD cipher suite: it provides encryption and integrity together\n  cipher-suite GCM-AES-256\n  ! lowest value wins the key-server election, so Switch 1 becomes the key server\n  key-server-priority 0\n  ! replay-protection window (in frames)\n  window-size 10000\n\ninterface Ethernet1\/1\n  macsec keychain MACSEC-KC policy MyMACsecPolicy\n  no shutdown<\/code><\/pre>\n\n<p>Configuration Switch 2 (Key Client):<\/p>\n\n<pre class=\"wp-block-code\"><code>conf t\n\nfeature macsec\n\n! same CAK and key ID as on Switch 1 (placeholder, replace with 64 hex digits)\nkey chain MACSEC-KC macsec\n  key 1000\n    key-octet-string REPLACE_WITH_64_HEX_DIGITS cryptographic-algorithm AES_256_CMAC\n\nmacsec policy MyMACsecPolicy\n  cipher-suite GCM-AES-256\n  ! key-server-priority is left at its default (16), so Switch 1 (priority 0) wins the election\n  ! replay-protection window (in frames)\n  window-size 10000\n\ninterface Ethernet1\/1\n  macsec keychain MACSEC-KC policy MyMACsecPolicy\n  no shutdown<\/code><\/pre>\n\n<p>Now to the drawbacks, or rather limitations, of MACsec.<\/p>\n\n<ol class=\"wp-block-list\">\n<li><strong>Limited reach:<\/strong> MACsec protects only the traffic between two directly connected devices. It does not protect traffic across Layer 3 or over the Internet.<\/li>\n<li><strong>Overhead and performance impact:<\/strong> Encrypting frames introduces a certain performance overhead, meaning higher CPU and memory load. This can affect network performance.<\/li>\n<li><strong>Licensing costs:<\/strong> Enabling the MACsec feature requires a separate license and the associated additional costs.<\/li>\n<li><strong>Compatibility problems:<\/strong> MACsec requires that all devices along the MACsec path also support MACsec. Incompatibilities can lead to connection drops or other errors.<\/li>\n<li><strong>Multicast traffic:<\/strong> MACsec supports multicast traffic only to a limited extent. This can cause problems if you have many multicast applications or a lot of broadcast traffic in your network.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>MACsec is used in critical-infrastructure environments to encrypt data at Layer 2 between Ethernet links. Even if an attacker captures traffic via a SPAN port, they cannot read it. MACsec also ensures that data cannot be altered in transit without detection. How exactly does this work? Configuration Switch 1 (Key Server): [&hellip;]<\/p>","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[15,3,23,11],"tags":[],"class_list":["post-914","post","type-post","status-publish","format-standard","hentry","category-cisco","category-it","category-netzwerk","category-security"],"_links":{"self":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts\/914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=914"}],"version-history":[{"count":5,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts\/914\/revisions"}],"predecessor-version":[{"id":921,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts\/914\/revisions\/921"}],"wp:attachment":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}