{"id":18678174,"url":"https://github.com/srl-labs/sros-anysec-lab","last_synced_at":"2026-03-07T06:02:27.335Z","repository":{"id":183935225,"uuid":"670716299","full_name":"srl-labs/sros-anysec-lab","owner":"srl-labs","description":"This lab provides a simple Anysec Demo based on CLAB and Nokia SROS FP5 vSIMs.","archived":false,"fork":false,"pushed_at":"2024-04-07T21:42:57.000Z","size":4382,"stargazers_count":14,"open_issues_count":3,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-12-30T06:59:33.615Z","etag":null,"topics":["clab-topo"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/srl-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-25T17:07:22.000Z","updated_at":"2025-09-15T23:12:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"8ac80128-66db-45f7-8c03-e0dcd74a0bdf","html_url":"https://github.com/srl-labs/sros-anysec-lab","commit_stats":null,"previous_names":["tiago-amado/sros_clab_fp5_anysec","srl-labs/sros-anysec-lab"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/srl-labs/sros-anysec-lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2F
sros-anysec-lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/srl-labs","download_url":"https://codeload.github.com/srl-labs/sros-anysec-lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30208801,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T05:23:27.321Z","status":"ssl_error","status_checked_at":"2026-03-07T05:00:17.256Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clab-topo"],"created_at":"2024-11-07T09:36:16.381Z","updated_at":"2026-03-07T06:02:27.265Z","avatar_url":"https://github.com/srl-labs.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"\r\n# CLAB SROS FP5 AnySec Demo\r\n\r\nANYSec is a Nokia technology that provides low-latency and line-rate native encryption for any transport (IP, MPLS, segment routing, Ethernet or VLAN), on any service, at any time and for any load conditions without impacting performance.\r\n\r\nThis lab provides an Anysec demo based on Nokia SROS FP5 (https://www.nokia.com/networks/technologies/fp5/) vSIMs running at CLAB (https://containerlab.dev/).\r\n\r\n\r\n\r\n\r\n## Anysec Overview\r\nAnysec is a Nokia network encryption solution available with the new FP5 models in SROS 23.10R1. 
\r\nIt is low-latency line-rate encryption, scalable, flexible and ensures a quantum-safe network encryption solution for the industry.\r\nIt is a simple concept, based on MacSec standards as the foundation and introduces the flexibility to offset the authentication and encryption to allow L2, L2.5 and L3 encryption.\r\n\r\n\r\n\r\n## Clone the git lab to your server\r\n\r\nTo deploy these labs, you must clone these labs to your server with \"git clone\".\r\n\r\n```bash\r\n# change to your working directory\r\ncd /home/user/\r\n# Clone the lab to your server\r\ngit clone https://github.com/srl-labs/sros-anysec-lab.git\r\n```\r\n\r\n\r\n## SROS Image and License file\r\n\r\n### SROS Image\r\n\r\nThe SROS vSIMs image file used is 23.10R1, and is available under Nokia's internal registry. \r\nIf you don't have access to it, then you must get the SROS image and manually import it to CLAB following the instructions here: https://containerlab.dev/manual/vrnetlab/#vrnetlab\r\n\r\nThe steps are:\r\n```bash\r\n# Clone vrnetlab\r\ngit clone https://github.com/hellt/vrnetlab \u0026\u0026 cd vrnetlab\r\n\r\n# Download qcow2 vSIM image from Nokia support portal (https://customer.nokia.com/support/s) or get one from your Nokia contact. \r\n\r\n# Change name to “sros-vm-\u003cVERSION\u003e.qcow2”\r\n\r\n# Upload it to ‘vrnetlab/sros’ directory (e.g. /home/vrnetlab/sros)\r\n\r\n# Run ‘make docker-image’ to start the build process\r\n\r\n# Verify existing docker images\r\n\r\ndocker images | grep -E \"srlinux|vr-sros\"\r\n```\r\n\r\nNote: After importing the image, edit the yml file with the correct location.\r\n```bash\r\n# replace this \r\n      image: registry.srlinux.dev/pub/vr-sros:23.10.R1\r\n# with this:\r\n      image: vrnetlab/vr-sros:23.10.R1\r\n```\r\n\r\n### License file\r\n\r\nSROS vSIMs require a valid license. 
You need to get a valid license from Nokia and place it in the \"/r23_license.key\" file.\r\n```bash\r\n# Copy/paste the license to the \"r23_license.key\" file\r\ncd sros-anysec-lab/\r\nvi r23_license.key\r\n# press \"i\" key for insert mode =\u003e paste the license =\u003e press Esc, then type :wq to save and exit \r\n```\r\n\r\n\r\n\r\n## Anysec setup\r\n\r\nThe setup contains four SROS FP5 routers with 23.10R1, however only two of them have Anysec configured:\r\n\r\n•\tSR-1 =\u003e Anysec enabled\r\n\r\n•\tSR-1Se =\u003e Anysec enabled\r\n\r\n•\tSR-7s (FP5 only)\r\n\r\n•\tSR-14s (FP5 only)\r\n\r\n\r\n\r\n\r\n\r\nThe physical setup is the following (for the tests you may shut the interface as illustrated):\r\n\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"900\" height=\"500\" src=\"https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/physical-setup.jpg?raw=true\"\u003e\r\n\u003c/p\u003e\r\n\r\nThe setup has:\r\n\r\n•\tAnysec between R1 and R2 (not supported in SR-2s and SR-7s/14s in this release)\r\n\r\n•\tISIS 0 with SR-ISIS\r\n\r\n•\tiBGP\r\n\r\n•\tServices: VLL 1001 and VPRN 1003\r\n\r\n\r\n\r\n\r\n\r\nThe logical setup for the VPRN 1003 is the following (Tests with ICMP between PEs):\r\n\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"900\" height=\"500\" src=\"https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/vprn.jpg?raw=true\"\u003e\r\n\u003c/p\u003e\r\n\r\n\r\nThe logical setup for the VLL 1001 is the following (Tests with ICMP or iPerf between clients):\r\n\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"900\" height=\"500\" src=\"https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/vll.jpg?raw=true\"\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n\r\n## Deploy the lab setup\r\n\r\nUse the command below to deploy the lab:\r\n\r\nNote: If you imported the SROS image to docker then first edit the yml file with the correct image location as explained above.\r\n\r\n```bash\r\n# deploy 
a lab\r\ncd sros-anysec-lab/\r\nclab deploy --topo anysec.yml\r\n```\r\n\r\n\r\n\r\n## Accessing the network elements\r\n\r\nOnce the lab has been deployed, the different SROS nodes can be accessed via SSH through their management IP address, given in the summary displayed after the execution of the deploy command. \r\nIt is also possible to reach those nodes directly via their hostname, defined in the topology file. \r\n\r\n```bash\r\n# List the containers\r\nclab inspect -a\r\n# reach a SROS node via SSH\r\nssh admin@clab-anysec-SR-1x-92S\r\n# reach Linux clients via docker\r\ndocker exec -it client1 bash\r\n```\r\n\r\n\r\n## Wireshark\r\n\r\nFor details about Packet capture \u0026 Wireshark at containerlab refer to:\r\nhttps://containerlab.dev/manual/wireshark/#capturing-with-tcpdumpwireshark\r\n\r\n\r\nYou may find a pcap file with Anysec packets in the files above in this project. \r\nYou may perform your own capture as explained below.\r\n\r\nThe following example shows how to list the interfaces (links) of a given container and perform a packet capture:\r\n```bash\r\n# list the containers running in the server\r\nclab inspect -a \r\n# list the interfaces (links) of a given container\r\nip netns exec r1 ip link\r\n# Start a capture and display packets in the session\r\nip netns exec r1 tcpdump -nni eth1\r\n# Start a capture and store the packets in the file\r\nip netns exec r1 tcpdump -nni eth1 -w capture_file.pcap\r\n```\r\n\r\n\r\nBesides displaying the packets in the session or storing them in a file, it's possible to open them remotely using SSH.\r\n\r\nWindows users should use WSL and invoke the command similar to the following:\r\n```bash\r\nssh $containerlab_host_address \"ip netns exec $lab_node_name tcpdump -U -nni $if_name -w -\" | /mnt/c/Program\\ Files/Wireshark/wireshark.exe -k -i -\r\n# Example:\r\nssh root@10.82.182.179 \"ip netns exec r1 tcpdump -U -nni eth1 -w -\" | /mnt/c/Program\\ Files/Wireshark/wireshark.exe -k -i -\r\n```\r\n\r\n### Install WSL 
\r\nOpen PowerShell or Windows Command Prompt in administrator mode by right-clicking and selecting \"Run as administrator\", enter the wsl --install command, then restart your machine.\r\n\r\nSee details here: https://learn.microsoft.com/en-us/windows/wsl/install\r\n\r\n\r\n\r\n## SROS Streaming Telemetry and Automation\r\n\r\nThis lab was enhanced with Streaming Telemetry by adding gNMIc, Prometheus and Grafana.\r\n\r\nFor details please refer to: \r\nhttps://github.com/srl-labs/srl-sros-telemetry-lab\r\n\r\nIt includes automation for the tests using gNMIc scripts invoked through PHP under the Web Server. There are 2 tests:\r\n\r\n1 - disable/enable the top link to see ANYSec packets flowing through the bottom nodes.\r\n\r\n2 - disable/enable ANYSec to see packets being sent in clear or encrypted on demand\r\n\r\nTo execute these tests there are 8 scripts (4 PHP and 4 gnmic). Each of the 4 buttons executes one PHP script, which in turn invokes one gnmic script.\r\n\r\n\r\n### Telemetry and automation stack\r\n\r\nThe following stack of software solutions has been chosen for this lab:\r\n\r\n| Role                | Software                               | Port               | Link                               | Credentials        |\r\n| ------------------- | -------------------------------------- |------------------- | ---------------------------------- |------------------- |\r\n| Telemetry collector | [gnmic](https://gnmic.openconfig.net)  | 57400              |                                    |                    |\r\n| Time-Series DB      | [prometheus](https://prometheus.io)    | 9090               | http://localhost:9090/graph        |                    |\r\n| Visualization       | [grafana](https://grafana.com)         | 3000               | http://localhost:3000              | admin/admin        |\r\n| Web Server/gnmic    | [xampp](https://www.apachefriends.org/)| 9080               | http://localhost:9080/             |                    
|\r\n\r\n\r\n\r\nThe following picture illustrates the Telemetry and Automation stack:\r\n\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"900\" height=\"500\" src=\"https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/telemetry_automation.jpg?raw=true\"\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n\r\n\r\n### Access details\r\n\r\nIf you are accessing from a remote host, then replace localhost with the CLAB Server IP address\r\n* Grafana: \u003chttp://localhost:3000\u003e. Built-in user credentials: `admin/admin`\r\n* Prometheus: \u003chttp://localhost:9090/graph\u003e\r\n* xampp Demo Page: \u003chttp://localhost:9080/\u003e (alternative option to the Grafana buttons)\r\n\r\nNote: Xampp server contains PHP scripts that execute gnmic scripts to deploy the node configs. The grafana control panel dashboard buttons invoke these scripts but will not work when accessing remotely. The requests are generated by the end user browser directly to the URL in the button.\r\nYou may update the button URL to match your CLAB server's IP@:port (\u003cServer-IP\u003e:9080) or use the xampp Demo Page instead. \r\nAnother option is to establish an SSH session to the CLAB Server with tunneling from localhost:9080 towards the Web Server 172.10.10.24:80. 
\r\n\r\n\r\n## Verify the setup\r\n\r\nVerify that you're able to access all nodes (PEs and clients) and the platforms (Grafana, Prometheus and Demo Page).\r\nStart a Tcpdump/wireshark capture and start ICMP traffic between client1 and 2 (uses VLL 1001) using the traffic.sh script.\r\n\r\n```bash\r\n### Ping from Client 1 to Client 2\r\ndjango@orchestra:~/sros-anysec-lab$ ./traffic.sh start-icmp 1-2\r\nstarting traffic between clients 1 and 2\r\nPING 2002::172:17:0:2(2002::172:17:0:2) 1450 data bytes\r\n1458 bytes from 2002::172:17:0:2: icmp_seq=1 ttl=64 time=4.41 ms\r\n1458 bytes from 2002::172:17:0:2: icmp_seq=2 ttl=64 time=2.31 ms\r\n1458 bytes from 2002::172:17:0:2: icmp_seq=3 ttl=64 time=2.26 ms\r\n1458 bytes from 2002::172:17:0:2: icmp_seq=4 ttl=64 time=3.61 ms\r\n^C\r\n```\r\n\r\n\r\nNote: Under normal operation, ping will use SR-ISIS directly from R1 to R2.\r\nYou may shut the link between these nodes to force the use of SR-ISIS that goes through R4 and R3.\r\nYou may also disable Anysec to view packets in clear.\r\n\r\n\r\n\r\n### Wireshark ANYSec Decoding\r\n\r\n\r\n\r\nWireshark does not have native support for decoding ANYSec MACsec (802.1AE) headers. \r\nNokia has an internal version with a protocol dissector for ANYSec MACsec / 802.1AE headers.\r\nThis is the output comparison between the public Wireshark and Nokia's version:\r\n\r\n\r\n![pic1](https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/Anysec_Wireshark.jpg)\r\n\r\n\r\nWith the public Wireshark, the ANYSec header is shown as part of the payload.\r\n\r\n\r\n\r\n\r\n### Anysec Stack\r\n\r\n\r\nANYSec introduces the MACSec Header and the Encryption SID (ES) label between the SR-ISIS transport and VPRN service labels. 
The VPRN service label is encrypted.\r\nThe picture below provides an example of the ANYSec label stack between R1 and R2.\r\n\r\n\r\n![pic1](https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/Anysec_Stack.jpg?raw=true)\r\n\r\n\r\n\r\n\r\n### Capture multiple interfaces \r\n\r\n\r\nTCPDUMP on a single interface shows the label stack correctly (Ethernet+VLAN+MPLS+ANYSec)\r\nTCPDUMP on multiple interfaces shows a distinct stack: Linux cooked capture v2 + additional MPLS Label (instead of Ethernet + VLAN)\r\n\r\n\r\n![pic1](https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/Anysec_Tcpdump.jpg?raw=true)\r\n\r\n\r\n\r\n\r\n\r\n## Outputs\r\n\r\nUse the following commands under R1 or R2 to retrieve outputs from Anysec operation:\r\n\r\n\r\n```bash\r\nshow macsec connectivity-association \"CA_Test_MACSec\" detail \r\nshow anysec tunnel-encryption detail \r\nshow router 1003 route-table 2.2.2.2/32 extensive \r\nshow router tunnel-table detail \r\nshow router mpls-labels summary \r\nshow router \"1003\" route-table \r\nshow router bgp routes 2.2.2.2/32 vpn-ipv4 hunt   \r\n```\r\n\r\n\r\n\r\n## Tests\r\n\r\nThe tests below can be executed in multiple ways: grafana, demo page, gnmic scripts or node CLI.\r\n\r\n\r\n### Test 1 - Shut/No shut the link between R1 and R2 \r\n\r\nUpon shut/no shut, verify Anysec is still working but using a new SR-ISIS tunnel\r\n```bash\r\nshow router \"1003\" route-table\r\nshow router 1003 route-table 2.2.2.2/32 extensive\r\nshow router bgp routes 2.2.2.2/32 vpn-ipv4 hunt   \r\n```\r\n\r\n\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"900\" height=\"500\" src=\"https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/LINK-DOWN.jpg?raw=true\"\u003e\r\n\u003c/p\u003e\r\n\r\n### Test 2 - Disable Anysec at R1 and R2 \r\n\r\nAfter disabling Anysec, verify ping is still working but unencrypted\r\nRe-enable Anysec and verify traffic is encrypted 
again\r\n\r\n\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"900\" height=\"500\" src=\"https://github.com/tiago-amado/SROS_CLAB_FP5_Anysec/blob/main/pics/ANYSEC-DISABLE.jpg?raw=true\"\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n\r\n\r\n\r\n## Demo Video\r\n\r\nThe Demo Video shows the Grafana Dashboard, Wireshark and the CLI with ICMP. Two tests are performed: disable/enable the top link and disable/enable ANYSec.\r\n\r\n\r\n[![Watch the video](http://img.youtube.com/vi/Ka6-zXaPYGI/maxresdefault.jpg)](https://youtu.be/Ka6-zXaPYGI)\r\n\r\n\r\n\r\n\r\n\r\n\r\n## Conclusion\r\n\r\nDoes Anysec work with CLAB vSIMs?\r\n\r\nYes for functional tests, but obviously not for performance/latency.\r\nCLAB and vSIMs can be used to test and validate the configurations. \r\nThe setup is fully functional: Anysec stats increase and packets are encrypted, as seen in the TCPDUMP capture.\r\nAnysec is still a limited feature with no support yet for modular Chassis. \r\nMore to come in the upcoming releases!\r\n\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrl-labs%2Fsros-anysec-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsrl-labs%2Fsros-anysec-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrl-labs%2Fsros-anysec-lab/lists"}