create macsec connectivity-association

create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]

Description

Creates a named connectivity-association (CA) object that holds MAC Security (MACsec) key authentication data.

Syntax Description

connectivity-association Secures connectivity provided between MACsec stations.
ca_name Defines CA object name.
pre-shared-key Selects static MACsec key consisting of both a CKN and CAK:
ckn

Selects CA key name.

This public (non-secret) key name allows each of the MKA participants to select which connectivity association key (CAK) to use to process a received MACsec Key Agreement (MKA) protocol packet (MKPDU).

ckn

Sets the CA key name. Length allowed is 1–32 characters, entered as ASCII or an octet string preceded with 0x.

cak

Sets the connectivity association key (CAK). 16 octets.

This is a long-lived secret key used to derive short-lived lower-layer keys (ICK, KEK, and SAK) which are used for key distribution and data encryption.

encrypted Designates that secret key value is in encrypted format.
encrypted_cak Sets the value for the secret key. Needs to be in the format of an encrypted string or octet string of length 16 preceded with "0x".
cak Sets the non-encrypted CAK value. May be entered as an octet string (for example: "0x859e72f0…") or as an encrypted key.

Default

N/A.

Example

The following example creates the CA object "testca" with a CKN of "the blue sky" and CAK of "0x01020304050607080910111213141516":
Note

The CAK shown here is an example. Use your own random number for maximum security.
# create macsec connectivity-association testca pre-shared-key ckn "the blue key" cak "0x01020304050607080910111213141516"
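
The note above asks for a random CAK. The following Python sketch is an added example, not ExtremeXOS tooling: it draws a 16-octet CAK from the operating system CSPRNG, checks the CKN and CAK against the lengths given in the Syntax Description, and refuses the sample CAK printed on this page. All function names are hypothetical; counting the 1–32 CKN limit in octets for the 0x form and the low-diversity heuristic are assumptions.

```python
import secrets
import string

# The sample CAK printed in the example above; it is public, so never deploy it.
DOCUMENTED_SAMPLE_CAK = bytes.fromhex("01020304050607080910111213141516")

def parse_octets(value: str) -> bytes:
    """Decode an octet string preceded with 0x, as the command accepts it."""
    if not value.lower().startswith("0x"):
        raise ValueError("octet string must start with 0x")
    digits = value[2:]
    if not digits or len(digits) % 2 or any(c not in string.hexdigits for c in digits):
        raise ValueError("octet string must be an even number of hex digits")
    return bytes.fromhex(digits)

def check_ckn(ckn: str) -> str:
    """CKN: 1-32 characters as ASCII, or an octet string preceded with 0x."""
    if ckn.lower().startswith("0x"):
        # Assumption: the 1-32 limit counts octets when the 0x form is used.
        size = len(parse_octets(ckn))
    else:
        # A double quote would break the quoting of the generated command.
        if not ckn.isascii() or not ckn.isprintable() or '"' in ckn:
            raise ValueError("CKN must be printable ASCII without double quotes")
        size = len(ckn)
    if not 1 <= size <= 32:
        raise ValueError("CKN length must be 1-32")
    return ckn

def check_cak(cak: str) -> str:
    """CAK: exactly 16 octets, and not a published or patterned value."""
    raw = parse_octets(cak)
    if len(raw) != 16:
        raise ValueError("CAK must be exactly 16 octets")
    # Heuristic (assumption): fewer than 8 distinct octets suggests a typed pattern.
    if raw == DOCUMENTED_SAMPLE_CAK or len(set(raw)) < 8:
        raise ValueError("CAK is a known sample or low-diversity value")
    return cak

def new_cak() -> str:
    """Draw a 16-octet CAK from the operating system CSPRNG."""
    return "0x" + secrets.token_hex(16)

def build_command(ca_name: str, ckn: str, cak: str) -> str:
    """Return the CLI line only if both key fields pass validation."""
    return (f"create macsec connectivity-association {ca_name} "
            f'pre-shared-key ckn "{check_ckn(ckn)}" cak "{check_cak(cak)}"')
```

Both ends of a link must be configured with the same CKN and CAK, so generate the value once and enter it on each switch rather than running `new_cak()` per device.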

History

This command was first available in ExtremeXOS 30.1.

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.

| Platform | Ports | LRM/MACsec Adapter Required? |
|---|---|---|
| Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
| Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | All other SFP/SFP+ ports * | Yes |
| Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X620, and X690 series switches | SFP/SFP+ ports * | Yes |

Note: * For Summit X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.