set macsec port mka

Use this command to enable or disable the MACsec Key Agreement (MKA) protocol for this port access entity.

Syntax

set macsec port mka {enable | disable} [port-string]

Parameters

enable | disable    Enables or disables the MKA protocol for all ports or the specified ports. MKA is globally disabled by default.
port-string         (Optional) Specifies the port(s) to reinitialize or reauthenticate.

Defaults

If a port or ports are not specified, the command applies to all ports.

Mode

All command modes.

Usage

The MACsec Key Agreement Protocol (MKA) is used to discover remote peers attached to the same LAN, to confirm mutual possession of a CAK (as configured via PSK), and to securely distribute the secret keys (SAKs) used by MACsec for symmetric key cryptography.

When MKA is enabled, port access is immediately enforced per the MACsec Access Control configuration (that is, set macsec nid unauthAllowed). By default, the port is down and all traffic is dropped. Once MKA successfully authenticates the remote peer (using PSK credentials), elects a Key Server, and distributes a SAK, the port state transitions to up and all traffic is encrypted.

When MKA is disabled, the port access control is removed and unencrypted traffic resumes.

Example

This example shows how to enable the MKA protocol on all ports:

System(rw)->set macsec port mka enable

This example shows how to enable the MKA protocol on port "ge.1.10":

System(rw)->set macsec port mka enable ge.1.10
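
Because disabling MKA lets unencrypted traffic resume, it is worth checking a saved configuration for ports that end up without MKA. The following is an added example, not part of the original command reference or the vendor's tooling: a Python audit that replays the command form documented above. It assumes later commands override earlier ones and that each port-string names a single port (range and wildcard syntax is not defined on this page); the port inventory and sample configuration are constructed.

```python
import re

# Command form documented on this page; the port-string is optional.
# search() is used so a leading CLI prompt such as "System(rw)->" is tolerated.
CMD = re.compile(r"set macsec port mka (enable|disable)(?:\s+(\S+))?\s*$")


def effective_mka(config_lines, ports):
    """Replay config lines in order and return {port: mka_enabled}."""
    state = {p: False for p in ports}  # MKA is globally disabled by default
    for line in config_lines:
        m = CMD.search(line.strip())
        if not m:
            continue  # not an MKA enable/disable command
        enabled = m.group(1) == "enable"
        target = m.group(2)
        if target is None:
            # No port-string: the command applies to all ports.
            for p in state:
                state[p] = enabled
        elif target in state:
            state[target] = enabled
        else:
            # Assumption: single-port strings only. Fail loudly rather than
            # silently skip a port-string this audit cannot interpret.
            raise ValueError(f"unrecognised port-string: {target!r}")
    return state


def unprotected_ports(config_lines, ports):
    """Ports (in inventory order) left with MKA disabled, i.e. passing
    unencrypted traffic with no MACsec access control."""
    state = effective_mka(config_lines, ports)
    return [p for p in ports if not state[p]]


# Constructed sample data for illustration.
SAMPLE_PORTS = ["ge.1.9", "ge.1.10", "ge.1.11"]
SAMPLE_CONFIG = [
    "System(rw)->set macsec port mka enable",
    "System(rw)->set macsec port mka disable ge.1.11",
    "set macsec nid unauthAllowed",  # other commands are ignored by the audit
]

if __name__ == "__main__":
    for port in unprotected_ports(SAMPLE_CONFIG, SAMPLE_PORTS):
        print(f"MKA disabled on {port}: traffic is unencrypted")
```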