FastConnect cross-connects, or dedicated connections, can be configured to use MACsec (IEEE standard 802.1AE) to protect network-to-network connections on Layer 2. Additionally, Equinix Fabric EPL can be used to extend a MACsec-enabled FastConnect dedicated connection between any Equinix Fabric metros.
Prerequisites
These prerequisites are not meant to be exhaustive, but instead just highlight some basic requirements to deploy FastConnect with MACsec via Equinix Fabric. Please consult the respective Equinix and Oracle Cloud Infrastructure documentation for complete requirements.
Oracle Cloud Infrastructure
There is an available account limit room for ordering OCI cross-connects. You must ask Oracle to increase your account limits for cross-connects if you never have done so previously for a given account. By default, these limits are initially set to 0, and a request to create a cross-connect will fail.
For more information, see the FastConnect Requirements documentation:
Equinix Fabric
An active and valid Equinix Customer Billing Account in the country where you will order the Equinix Fabric Remote EPL port to connect to the MACsec-enabled FastConnect cross-connect is required.
Customer Equipment
MACsec-capable Ethernet hardware supporting FastConnect MACsec parameters as specified by Oracle’s FastConnect documentation:
Setup, Configuration and Validation
The following steps outline the procedure used to order, provision, and deploy FastConnect and Equinix Fabric EPL.
Step 1: OCI Vault
If a Vault does not exist already (or for operational reasons a FastConnect-specific Vault should hold the MACsec encryption keys) create a Vault in OCI.
For more information, see the OCI documentation.
Step 2: OCI Vault Master Encryption Key
Create a Master Encryption Key for the Vault.
For more information, see the OCI documentation.
Step 3: CAK and CKN Creation
Create two secrets to represent the Connectivity Association Key (CAK) and Connectivity association Key Name (CKN) in your Vault.
Note: The CAK and CKN must be hexadecimal strings with a length of 32 or 64 characters. The AES128-GCM and AES256-GCM Cipher Suites require a 32 and 64-character CAK, respectively. 64-character is always used for the CKN. The CAK and CKN must match on both peers.
For more information, see the OCI documentation.
Step 4: Order the MACsec-capable FastConnect Cross-Connect
In the Oracle Cloud Infrastructure console:
-
Order a new FastConnect Direct (cross-connect) at 10 Gbps in the desired Metro using the FastConnect: Colocation with Oracle connectivity model.
For more information, see the OCI documentation. -
Download the provided Letter of Authorization (LOA)
Step 5: Order Equinix Fabric EPL Ports
-
Order an Equinix Fabric Remote EPL Port
In the port ordering workflow, in the Port Details section, select A third party with a cage in an Equinix IBX option. Use the Oracle-generated LOA document to order an Equinix Fabric Remote EPL Port in the same metro where the dedicated MACsec-capable FastConnect cross-connect was ordered in Step 4.Tip: In the port ordering workflow, in the Port Details section, select A third party with a cage in an Equinix IBX option.
-
Order an Equinix Fabric Local EPL Port
Order an Equinix Fabric EPL port for termination into your local cage/cabinet patch panel where you want to deliver the MACsec-encrypted FastConnect connection.Tip: In the port ordering workflow, in the Port Details section, select My cage in an Equinix IBX option.
For more information, see Order an Equinix Fabric Port.
Step 6: Validation of Physical Connectivity and FastConnect Activation
-
Once the Equinix Fabric EPL ports have both been physically terminated and turned up by Equinix, ensure the interface state for the FastConnect connection is in an Up state in the OCI Console (as in the image below).
-
Confirm link and interface state on your edge device
-
Once you have confirmed the interface and link level states are good should you then activate the FastConnect cross-connect circuit.
For more information, see the OCI documentation.
Step 7: Remote VC between the Local and Remote Equinix Fabric EPL Ports
Build an Equinix Fabric VC at the desired speed between the local and remote Equinix Fabric EPL ports using the Connect My Assets Using E-Line connection workflow.
For more information, see Connect My Assets Using E-Line.
Important: The speed selected when provisioning Equinix Fabric VCs between EPL ports does not have to match the FastConnect physical port speed, nor does it have to match the FastConnect virtual circuit speed you plan on using. You may set and adjust the speed of the Equinix Fabric VC based on your own technical and financial requirements.
Step 8: MACsec Encryption Configuration on your Edge Device
Configure MACsec encryption on the physical interface of your edge device. Ensure your configuration matches all the required MACsec parameters imposed by Oracle (see the prerequisites section) as well as your keys match what you specified in Step 3.
The image below is an example MACsec configuration pulled from a Juniper MX240 running Junos 20.4R3.8 with an MPC3E-3D-NG MPC and MIC-MACSEC-20GE MIC installed and configured in 10 Gbps mode.
Note: MACsec must-secure is the default on the MX240:
When MACsec encryption is in a healthy state between your device and OCI, the MACsec Encryption Status will change to Up in the OCI Console as shown below.
Verify on your edge device that MACsec-specific connection statistics and indicators show a good state. The image below is an example pulled from the Juniper MX240.
Step 9: FastConnect Virtual Circuit
Build a FastConnect Virtual Circuit within the OCI Console based on your requirements. Ensure the VLAN you select for the Virtual Circuit matches and corresponds with the same VLAN you configure on your edge device in your cage/cabinet.
Note: Once MACsec traffic is decrypted the traffic from Oracle will be presented to your edge device using the same 802.1Q tag(s) configured within the OCI Console.
See the OCI Documentation.
The steps involved in creating, configuring, routing, and associating the VCN, VM and DRG to the FastConnect Virtual Circuit are outside of the scope of this document.
Detailed documentation can be found from Oracle on the FastConnect specific considerations.