Making Sense of The Infinite


Securing VXLAN with MACsec on MikroTik RouterOS

In today’s interconnected world, securing traffic is more critical than ever. Virtual Extensible LAN (VXLAN) extends Layer 2 networks over Layer 3 infrastructure, enabling flexible network virtualization. However, without encryption, VXLAN traffic remains vulnerable to interception. Media Access Control Security (MACsec), a Layer 2 encryption protocol, offers a robust solution to protect this traffic. By combining MACsec with VXLAN on MikroTik RouterOS, you can create a secure, scalable network. This article guides you through implementing MACsec over VXLAN on RouterOS, ensuring your data remains confidential and intact.

Understanding MACsec and VXLAN

Before diving into the configuration, let’s clarify what MACsec and VXLAN bring to the table. MACsec, defined by IEEE 802.1AE, encrypts Ethernet frames at the data link layer. It uses GCM-AES-128 encryption to secure all traffic on the link, including DHCP, ARP, and higher-layer protocols. Unlike IPsec, which operates at Layer 3, MACsec protects Layer 2 traffic, making it ideal for LAN environments or virtualized overlays like VXLAN.

VXLAN, on the other hand, creates virtual Layer 2 networks over a Layer 3 underlay. It encapsulates Ethernet frames in UDP packets, allowing devices in different locations to communicate as if they were on the same LAN. MikroTik introduced VXLAN support in RouterOS version 7, making it a powerful tool for network virtualization.

Combining these technologies secures VXLAN traffic, ensuring data integrity and confidentiality across potentially untrusted networks. MikroTik’s RouterOS, starting with version 7, supports both MACsec and VXLAN, though with some limitations we’ll explore later.

Why Use MACsec with VXLAN?

You might wonder why this combination is necessary. After all, VXLAN already provides network segmentation. However, segmentation doesn’t equal security. VXLAN traffic traversing a public or shared network is unencrypted by default, exposing it to eavesdropping or tampering. MACsec addresses this by encrypting the Ethernet frames that carry the VXLAN packets on each link, so the encapsulated traffic crosses the wire as ciphertext.

Additionally, MACsec operates at line rate with minimal latency when implemented in hardware, unlike IPsec, which can introduce overhead due to its Layer 3 processing. For organizations requiring compliance with standards like HIPAA or financial regulations, MACsec over VXLAN ensures robust protection without sacrificing performance.

Prerequisites for Implementation

To follow this guide, you’ll need:

  • MikroTik devices running RouterOS version 7 or higher, supporting both MACsec and VXLAN.
  • Basic networking knowledge, including IP addressing, VLANs, and OSPF for Layer 3 connectivity.
  • A physical or virtual setup with at least two MikroTik routers connected via a Layer 3 network.
  • Administrative access to the routers via WinBox, WebFig, or the CLI.

Ensure your devices are updated to the latest stable RouterOS version to avoid compatibility issues. Note that MikroTik’s MACsec implementation lacks dynamic key management (802.1X-based key distribution) and hardware acceleration, relying on CPU-based encryption, which may limit throughput on low-end devices.

Step-by-Step Configuration

Let’s configure MACsec over VXLAN between two MikroTik routers, Host1 and Host2, connected through a switch. The goal is to create a secure Layer 2 connection over a Layer 3 network.

Step 1: Set Up the Layer 3 Underlay

VXLAN requires a routable Layer 3 network to carry its UDP-encapsulated traffic. For this, we’ll configure IP addresses and OSPF for reachability.

On Host1:

  1. Assign an IP address to the Ethernet interface (e.g., ether1):

     /ip address add address=192.168.1.2/30 interface=ether1

  2. Configure OSPF to advertise the network (RouterOS 7 syntax; the interface template is bound to the network rather than to ether1, so it keeps working after the address moves to macsec1 in Step 3):

     /routing ospf instance add name=default
     /routing ospf area add name=backbone instance=default
     /routing ospf interface-template add area=backbone networks=192.168.1.0/30 type=broadcast

On Host2:

  1. Assign an IP address to ether1:

     /ip address add address=192.168.1.1/30 interface=ether1

  2. Set up OSPF similarly:

     /routing ospf instance add name=default
     /routing ospf area add name=backbone instance=default
     /routing ospf interface-template add area=backbone networks=192.168.1.0/30 type=broadcast

Verify connectivity by pinging Host2 from Host1:

/ping 192.168.1.1

Step 2: Configure VXLAN Interfaces

Next, create VXLAN interfaces to establish the virtual Layer 2 network.

On Host1:

  1. Add a VXLAN interface with a unique VNI (VXLAN Network Identifier) and register Host2 as its remote VTEP (RouterOS 7 syntax; port 8472 is used here, the RouterOS default is 4789):

     /interface vxlan add name=vxlan1 vni=100 port=8472 local-address=192.168.1.2
     /interface vxlan vteps add interface=vxlan1 remote-ip=192.168.1.1

  2. Assign the VXLAN interface to a bridge for Layer 2 connectivity:

     /interface bridge add name=bridge1
     /interface bridge port add bridge=bridge1 interface=vxlan1

On Host2:

  1. Configure the VXLAN interface, with Host1 as the remote VTEP:

     /interface vxlan add name=vxlan1 vni=100 port=8472 local-address=192.168.1.1
     /interface vxlan vteps add interface=vxlan1 remote-ip=192.168.1.2

  2. Add it to a bridge:

     /interface bridge add name=bridge1
     /interface bridge port add bridge=bridge1 interface=vxlan1

Test the VXLAN setup by adding a client interface (e.g., ether2) to the bridge on both routers and assigning IP addresses in the same subnet (e.g., 10.0.0.1/24 on Host1 and 10.0.0.2/24 on Host2). Ping between them to confirm Layer 2 connectivity.

Step 3: Enable MACsec on Ethernet Interfaces

Now, secure the physical interfaces carrying VXLAN traffic with MACsec.

On Host1:

  1. Create a MACsec profile with a pre-shared key (CAK and CKN are 32 hex digits, i.e. a 128-bit key; the value below is a placeholder and must be replaced by a randomly generated key):

     /interface macsec profile add name=macsec-profile cak=12345678901234567890123456789012 ckn=12345678901234567890123456789012

  2. Add a MACsec interface over ether1:

     /interface macsec add name=macsec1 interface=ether1 profile=macsec-profile

  3. Replace ether1 with macsec1 in the IP configuration:

     /ip address remove [find interface=ether1]
     /ip address add address=192.168.1.2/30 interface=macsec1

On Host2:

  1. Create an identical MACsec profile (the CAK and CKN must match Host1 exactly):

     /interface macsec profile add name=macsec-profile cak=12345678901234567890123456789012 ckn=12345678901234567890123456789012

  2. Add a MACsec interface:

     /interface macsec add name=macsec1 interface=ether1 profile=macsec-profile

  3. Update the IP configuration:

     /ip address remove [find interface=ether1]
     /ip address add address=192.168.1.1/30 interface=macsec1

Step 4: Verify MACsec and VXLAN Operation

Check the MACsec status to ensure the session is established:

/interface macsec print

Look for “open-encrypted” status, indicating successful key exchange and encryption.

Test the VXLAN connection again by pinging between the client IPs (10.0.0.1 and 10.0.0.2). Use a packet sniffer like Wireshark on a non-MACsec-enabled device in the path to confirm that the traffic is encrypted.
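As an added example (not part of the original article), the following Python script shows what a sniffer in the path sees on either side of the MACsec boundary: it parses Ethernet frames and reports whether the VXLAN payload (VNI, tenant MAC addresses) is readable or hidden behind an 802.1AE SecTAG. The frame builders, MAC addresses and the sample frames are constructed for the demonstration; UDP port 8472 follows the configuration above.

```python
import struct

ETH_MACSEC, ETH_IPV4 = 0x88E5, 0x0800
VXLAN_PORT = 8472  # port used in this guide; RouterOS defaults to 4789

def classify(frame: bytes) -> dict:
    """Report what a passive observer learns from one untagged Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_MACSEC:
        # 802.1AE SecTAG: TCI/AN (1 byte), SL (1), PN (4), optional SCI (8); E bit 0x08 = encrypted
        tci = frame[14]
        return {"kind": "macsec", "encrypted": bool(tci & 0x08),
                "an": tci & 0x03, "pn": struct.unpack("!I", frame[16:20])[0]}
    if ethertype == ETH_IPV4:
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] == 17:  # IPv4 protocol field: UDP
            udp = frame[14 + ihl:]
            if struct.unpack("!H", udp[2:4])[0] == VXLAN_PORT:
                # VXLAN header: flags, 3 reserved, VNI (3 bytes), 1 reserved; then the tenant frame in clear
                inner = udp[16:]
                return {"kind": "vxlan-clear", "vni": int.from_bytes(udp[12:15], "big"),
                        "inner_dst": inner[:6].hex(":"), "inner_src": inner[6:12].hex(":")}
        return {"kind": "ipv4-other"}
    return {"kind": "other"}

def vxlan_frame(src_ip: str, dst_ip: str, vni: int, inner: bytes) -> bytes:
    """Constructed sample: a cleartext VXLAN-in-UDP frame (checksums left at 0)."""
    vx = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\0" + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx), 0) + vx
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip

def macsec_frame(pn: int, ciphertext: bytes) -> bytes:
    """Constructed sample: the same link once MACsec is up (TCI: SC, E and C bits set, AN 0)."""
    sectag = bytes([0x2C, 0]) + struct.pack("!I", pn) + b"\x04" * 6 + b"\x00\x01"  # SCI = MAC + port 1
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_MACSEC) + sectag + ciphertext + b"\0" * 16

def audit(frames) -> dict:
    """Count frames exposing VXLAN payload in the clear versus MACsec-protected ones."""
    kinds = [classify(f)["kind"] for f in frames]
    return {"cleartext_vxlan": kinds.count("vxlan-clear"), "macsec": kinds.count("macsec")}

if __name__ == "__main__":
    tenant = b"\x0a" * 6 + b"\x0b" * 6 + b"\x08\x00" + b"\x45" + b"\0" * 39  # constructed tenant frame
    before = vxlan_frame("192.168.1.2", "192.168.1.1", 100, tenant)  # sniffer view without MACsec
    after = macsec_frame(1, b"\0" * 60)                                # sniffer view with macsec1 up
    print(classify(before))  # VNI 100 and tenant MACs are readable
    print(classify(after))   # only SecTAG metadata is visible
    print(audit([before, after]))
```

Feed it real frames from a capture taken on the switch's mirror port and `audit` should report zero cleartext VXLAN frames once both macsec1 interfaces show open-encrypted.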

Challenges and Limitations

While this setup is powerful, it’s not without challenges. MikroTik’s MACsec implementation lacks dynamic key management, requiring manual key configuration, which can be cumbersome in large deployments. Additionally, without hardware acceleration, encryption relies on the CPU, potentially bottlenecking performance on low-end devices. For high-throughput networks, consider devices with robust processors or alternative solutions like IPsec.

Moreover, MACsec only secures the physical link between devices. If your VXLAN traffic traverses multiple hops, each segment must be MACsec-protected, which may require additional configuration on intermediate switches. The switch between Host1 and Host2 in this example must also pass both the MACsec frames (EtherType 0x88E5) and the MKA key-agreement frames, which travel as EAPOL frames to a reserved link-local multicast address that many managed switches consume rather than forward; if they are dropped, the session never reaches the open-encrypted state.

Best Practices for Deployment

To ensure a smooth implementation, follow these tips:

  • Monitor CPU Usage: MACsec encryption is CPU-intensive. Use /system resource monitor to check utilization and upgrade hardware if needed.
  • Secure Key Management: Store MACsec keys securely and rotate them periodically to maintain security.
  • Test Thoroughly: Before deploying in production, test the setup in a lab to identify performance bottlenecks or configuration errors.
  • Document Configurations: Keep detailed records of your MACsec and VXLAN settings for troubleshooting and scalability.

Real-World Applications

This setup shines in scenarios like:

  • Data Center Interconnects: Securely extend Layer 2 networks between data centers over untrusted links.
  • Enterprise Networks: Protect sensitive traffic in branch offices connected via VXLAN.
  • Cloud Environments: Encrypt communication between virtual machines in a private cloud.

For instance, a financial institution could use this to secure trading data transmitted between offices, ensuring compliance with regulatory requirements.

Troubleshooting Common Issues

If you encounter issues, check these areas:

  • MACsec Not Encrypting: Verify that the CAK and CKN match on both devices. A mismatch prevents session establishment.
  • VXLAN Connectivity Fails: Ensure the Layer 3 underlay is routable and that firewall rules allow UDP port 8472.
  • Performance Issues: Monitor CPU load and consider reducing encryption overhead by optimizing traffic or upgrading hardware.

To Sum Up

Implementing MACsec over VXLAN on MikroTik RouterOS offers a powerful way to secure virtualized Layer 2 networks. By encrypting Ethernet frames, MACsec ensures that your VXLAN traffic remains confidential and tamper-proof. Though MikroTik’s implementation has limitations, careful planning and robust hardware can overcome these hurdles. As cyber threats grow, securing your network with solutions like this is not just an option—it’s a necessity. The time to act is now.
