Example: SGT over MACsec VLAN encapsulation
r1
! r1: enforcement point of the lab. It filters inbound traffic on eth1.123 by
! security group tag (SGT) and reaches everything else through r2 (1.1.1.2 / 1234::2).
hostname r1
vrf def v1
rd 1:1
exit
! Crypto profile "ips"; "macsec ips" on eth1 below refers to it by name.
! NOTE(review): des, md5, group 02 (presumably the 1024-bit DH group - confirm) and
! the literal key "tester" are lab fixture values. DES and MD5 are deprecated and the
! key is a guessable string repeated on r2, so when this profile is copied outside a
! test topology, replace the cipher, hash and group with current ones and use a
! secret key that is unique to the link.
crypto ipsec ips
group 02
cipher des
hash md5
key tester
exit
! Filter: seq 10 drops packets carrying SGT 123; seq 20 ("act trans", presumably
! transit/permit - confirm) passes everything that did not match.
! The tag matched here is the one r3 assigns in its own policy-map p1, so this drop
! is only as trustworthy as every hop that can set or rewrite the tag before r1.
policy-map p1
seq 10 act drop
match sgt 123
seq 20 act trans
exit
! MACsec is enabled on the physical port with profile "ips"; the tagged
! sub-interface below rides on top of it (per the page title - confirm ordering).
int eth1
macsec ips
exit
! Sub-interface toward r2: SGT handling on, placed in vrf v1, policy p1 applied to
! inbound traffic.
int eth1.123
sgt ena
vrf for v1
ipv4 addr 1.1.1.1 255.255.255.0
ipv6 addr 1234::1 ffff::
service-policy-in p1
exit
! Default routes for both address families point at r2.
ipv4 route v1 0.0.0.0 0.0.0.0 1.1.1.2
ipv6 route v1 :: :: 1234::2
r2
! r2: transit router between r1 (eth1.123, MACsec underneath) and r3 (eth2).
! No policy-map is configured here; both interfaces only have SGT handling enabled.
hostname r2
vrf def v1
rd 1:1
exit
! Crypto profile "ips", identical to the one on r1; "macsec ips" on eth1 refers to it.
! NOTE(review): des, md5, group 02 (presumably the 1024-bit DH group - confirm) and
! the shared literal key "tester" are lab fixture values; replace them with current
! algorithms and a secret per-link key before reuse outside a test topology.
crypto ipsec ips
group 02
cipher des
hash md5
key tester
exit
! MACsec on the physical port facing r1.
int eth1
macsec ips
exit
! Tagged sub-interface toward r1, SGT enabled, in vrf v1.
int eth1.123
sgt ena
vrf for v1
ipv4 addr 1.1.1.2 255.255.255.0
ipv6 addr 1234::2 ffff::
exit
! Port toward r3: SGT enabled but no macsec statement on this interface.
! NOTE(review): tags arriving on this segment are therefore not protected by the
! MACsec profile; r1's SGT-based drop relies on them being carried unmodified.
int eth2
sgt ena
vrf for v1
ipv4 addr 2.2.2.1 255.255.255.0
ipv6 addr 4321::1 ffff::
exit
r3
! r3: tagging end of the lab. It assigns an SGT to outbound traffic on eth1 and
! reaches everything else through r2 (2.2.2.1 / 4321::1).
hostname r3
vrf def v1
rd 1:1
exit
! Classifier: packets with length 300-500 get SGT 123, everything else gets SGT 122.
! Both entries use "act trans", so nothing is dropped here; the drop for SGT 123 is
! configured on r1. Of the ping sizes used further down the page (200, 400, 600),
! only 400 falls inside the 300-500 range.
policy-map p1
seq 10 act trans
match length 300-500
set sgt 123
seq 20 act trans
set sgt 122
exit
! Port toward r2: SGT enabled, policy p1 applied to outbound traffic.
! NOTE(review): this interface has no macsec statement and r3 has no crypto profile,
! so the tag set here crosses the r3-r2 segment without MACsec protection.
int eth1
sgt ena
vrf for v1
ipv4 addr 2.2.2.2 255.255.255.0
ipv6 addr 4321::2 ffff::
service-policy-out p1
exit
! Default routes for both address families point at r2.
ipv4 route v1 0.0.0.0 0.0.0.0 2.2.2.1
ipv6 route v1 :: :: 4321::1
r1 tping 100 30 2.2.2.2 vrf v1 siz 200
r3 tping 100 30 1.1.1.1 vrf v1 siz 200
r1 tping 100 30 4321::2 vrf v1 siz 200
r3 tping 100 30 1234::1 vrf v1 siz 200
r1 tping 0 30 2.2.2.2 vrf v1 siz 400
r3 tping 0 30 1.1.1.1 vrf v1 siz 400
r1 tping 0 30 4321::2 vrf v1 siz 400
r3 tping 0 30 1234::1 vrf v1 siz 400
r1 tping 100 30 2.2.2.2 vrf v1 siz 600
r3 tping 100 30 1.1.1.1 vrf v1 siz 600
r1 tping 100 30 4321::2 vrf v1 siz 600
r3 tping 100 30 1234::1 vrf v1 siz 600
- Install ContainerLab as described here
- Fetch the crypt-sgt17.yml topology file
- Launch ContainerLab
crypt-sgt17.yml
topology:
containerlab deploy --topo crypt-sgt17.yml
crypt-sgt17.yml
topology:
containerlab destroy --topo crypt-sgt17.yml