[go: up one dir, main page]
action.skip
Megaport Documentation
MACsec
Copy for LLM ▼
Copy Page Content Open in ChatGPT Open in Claude Open in VS Code View Markdown
PDF

Using MACsec with Megaport

MACsecMedia Access Control security (MACsec) is a security protocol that encrypts data traffic between Ethernet-connected devices. The MACsec protocol is defined by IEEE standard 802.1ae. When MACsec is enabled, a bi-directional secure link is established after an exchange and verification of security keys between the two connected devices. A combination of data integrity checks and encryption is used to safeguard the transmitted data.
 encrypts traffic at the Ethernet layer between devices connected by a layer 2 path, and is often implemented in hardware. The use of dedicated hardware means that MACsec can maintain wire-speed performance while providing strong security. This makes it suitable for environments that require high throughput, such as data centers and high-performance computing networks.

Using tagged or untagged VXCs

MACsec-encrypted traffic can be carried transparently over untagged VXCs, or over tagged VXCs when the VLAN is not encrypted.
Some equipment does not support unencrypted VLANs. Check whether the equipment you use supports unencrypted VLANs, also known as 802.1QIEEE 802.1Q is the networking standard that supports virtual LANs (VLANs) on an Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. Also informally known as dot1q.
 clear tag mode, before using MACsec-encrypted traffic over tagged VXCs.

Note

Most Cloud Service Providers (CSP) support MACsec from 10 Gbps or above (10 Gbps or 100 Gbps). Check with your Cloud Service Provider. Megaport supports both 10 Gbps and 100 Gbps options.

You can use a MACsec connection between two of your own devices using Megaport services.

Prerequisites

To create a MACsec-encrypted link between two of your own devices, you need:

  • MACsec capable customer equipment, for example, a switch or router, at each end.
  • Two Megaport Ports.
    • One in a location where you can create a physical cross connect to your first MACsec capable device.
    • One in a location where you can create a physical cross connect to your second MACsec capable device.

To create a customer-to-customer encrypted connection

  1. From your first MACsec capable device, create a physical link to the first Port.
  2. From your second MACsec capable device, create a physical link to the second Port
  3. Create a tagged or untagged VXC to connect your first Port to your second Port. For more information, see Using tagged or untagged VXCs.
  4. Configure MACsec on your devices, on the interfaces connected to Megaport.

The connection will be MACsec-encrypted between your devices.

MACsec customer to customer diagram. This image shows the structure of a MACsec encryption connection from the customer with a MACsec capable switch through a physical connection to a Megaport Port. This is connected to another Megaport Port via a Virtual Cross Connect (VXC). The second Megaport Port is connected via a physical connection to the customer's second MACsec capable switch.

You can use a MACsec connection between your device and a CSP using Megaport services.

Prerequisites

To create a MACsec-encrypted link from customer to cloud, you need:

  • MACsec capable customer equipment, for example, a switch or router.
  • Two Megaport Ports.
    • One in a location where you can create a physical cross connect to your MACsec capable router.
    • One in a location where you can create a physical cross connect to the cloud onramp.
  • A dedicated connection service from your cloud provider. For example, AWS Dedicated Direct Connect, or ExpressRoute Direct.

To create a customer-to-cloud encrypted connection

  1. From your MACsec capable device, create a physical cross connect to the first Megaport Port.
  2. Create a physical link from the second Port to the CSP onramp, which is ExpressRoute in this case. You will need to contact your Megaport account team for this step.
  3. Create a tagged or untagged VXC to connect your first Port to your second Port. For more information, see Using tagged or untagged VXCs.
  4. Configure MACsec on the CSP service and on your device.

The connection will be MACsec-encrypted from the MACsec capable router through to the ExpressRoute Direct Circuit.

MACsec customer to customer diagram. This image shows the structure of a MACsec encryption connection from the customer with a MACsec capable switch through a physical connection to a Megaport Port. This is connected to another Megaport Port via a Virtual Cross Connect (VXC). The second Megaport Port is connected via a physical connection to an ExpressRoute Direct connection.

You can use a MACsec connection between cloud providers using Megaport services.

Prerequisites

Before creating a MACsec-encrypted link from cloud to cloud, you need:

  • Dedicated connection services from your cloud providers. For example, AWS Direct Connect or ExpressRoute Direct.
  • Two Megaport Ports.
    • One in a location where you can create a physical cross connect to your first cloud connection.
    • One in a location where you can create a physical cross connect to your second cloud connection.

To create a cloud-to-cloud encrypted connection

This example describes a MACsec connection from AWS Direct Connect to Azure ExpressRoute.

  1. Create a physical connection from your dedicated AWS Direct Connect to your first Megaport Port. You will need to contact your Megaport account team for this step.

  2. Create a physical connection from your second Megaport Port to your Azure ExpressRoute Direct. You will need to contact your Megaport account team for this step.

  3. Create a tagged or untagged VXC to connect your Ports.
    For more information, see Using tagged or untagged VXCs.

The MACsec-encrypted connection will persist from the dedicated Direct Connect through to the ExpressRoute Direct Circuit.

MACsec cloud to cloud diagram. This image shows the structure of a MACsec encryption connection from a dedicated AWS Direct Connect through a physical connection to a Megaport Port. This is connected to another Megaport Port via a Virtual Cross Connect (VXC). The second Megaport Port is connected via a physical connection to an ExpressRoute Direct connection.

Helpful references