Associate a Port with a Connectivity Association

Use the following procedure to associate a port with a connectivity association (CA) using EDM. You can optionally configure a MACsec encryption cipher suite on the port.

Note

Note

You can configure MACsec on physical ports only. However, the physical ports can belong to an MLT trunk group that includes: Split MultiLink Trunking (SMLT), distributed MultiLink Trunking (DMLT), or Link aggregate group (LAG).

Note

Note

MACsec encryption and decryption algorithms follow either the AES-GCM-128 or the AES-GCM-256 standard, depending on the configured MAC-sec cipher suite. The default is the AES-GCM-128 standard.

Procedure

  1. On the Device Physical View tab, click on one or more ports that you want to associate with the connectivity association.
  2. In the navigation pane, expand Configuration > Edit > Port.
  3. Select General.
  4. Select the MACsec tab.
  5. In CAName, type the connectivity-association name.
  6. In OffsetValue, select the value of confidentiality offset to be achieved.
  7. Select EncryptionEnable to enable encryption for the frames transmitted on the port.
  8. Select MACsec Enable to enable MACsec on the port.
  9. Optional: In CipherSuite, select the MACsec encryption cipher suite.
  10. Select Apply.

MACsec Field Descriptions

Use the data in the following table to configure the MACsec tab.

Name

Description

CAName

Specifies the name of the connectivity association attached to the port or interface.

OffsetValue

Offsets MACsec encryption in an IPv4 TCP/UDP header or IPv6 TCP/UDP header.

The confidentiality offset provides a way to start encryption after a few bytes following the Ethernet header. The confidentiality offset facilitates traffic flow inspection and classification on intermediate devices by not encrypting the Network Layer header for IPv4 or IPv6. For instance, if you configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header and the TCP/UDP header is not encrypted.

Note:

On a MACsec-enabled port with confidentiality offset configured to 50 on the 5320 Series or 5420 Series, all packets less than 67 bytes drop and discarded packets increment.

As a best practice, do not configure the confidentiality offset to 50 on the 5320 Series or 5420 Series.

Note:

On a MACsec-enabled port with data encryption enabled and confidentiality offset configured to 30 or 50 on the 5320 Series 5420 Series, InOctetsValidated counter also increments in addition to InOctetsDecrypted counters in Macsec secure channel Inbound statistics.

EncryptionEnable

Specifies the encryption status per port.

Use this field to enable or disable encryption for each MACsec capable port.

MACsec Enable

Enables or disables MACsec on the port.

CipherSuite

Configures the cipher suite for encrypting traffic with MACsec.

The following cipher suites are supported:

  • AES-GCM-128 standard, with a maximum key length of 128 bits

  • AES-GCM-256 standard, with a maximum key length of 256 bits

The default is the AES-GCM-128 standard.