Configure Connectivity Associations

Use the following procedure to configure connectivity associations (CA) using EDM.

Note

Note

  • You can configure MACsec on physical ports only. However, the physical ports can belong to an MLT trunk group that includes: Split MultiLink Trunking (SMLT), distributed MultiLink Trunking (DMLT), or Link aggregate group (LAG).

  • MACsec encryption and decryption algorithms follow either the AES-GCM-128 or the AES-GCM-256 standard, depending on the configured MAC-sec cipher suite. The default is the AES-GCM-128 standard.

Procedure

  1. In the navigation pane, expand Configuration > Edit.
  2. Select Chassis.
  3. Select the MACSec tab.
  4. Select Insert.
    1. In AssociationName, type the connectivity-association name.
    2. In AssociationKey, type the value of the connectivity-association key.
      Note

      Note

      The system displays the connectivity-association key as an MD5-hashed text in the MAC security table.

    3. In AssociationTxKeyParity, select an option for Tx key parity.
      Note

      Note

      Tx key parity configuration applies only to static MACsec configurations.

    4. Select Insert to save the configuration.
  5. Select Apply.

MACSec Field Descriptions

Use the data in the following table to use the MACSec tab.

Name

Description

AssociationName

Specifies the connectivity-association name as an alpha-numeric ASCII string up to 16 characters long. The device uses this value for the connectivity-association key name (CKN).

Tip:

Configure the CKN in multiples of 4 characters to avoid MKA interoperability issues between Fabric Engine switches and EXOS or Switch Engine switches. For example, Macsecma (8 chararcters) or Macsecmka123 (12 characters) are valid, but Macsec (6 characters) is not valid.

AssociationKey

Specifies the connectivity-association key (CAK) value as a 32-character (128-bit) or a 64 character (256-bit) hexadecimal string.

Note:

Always select the 128-bit CAK value for AES-GSM-128 and the 256-bit CAK value for AES-GSM_256.

AssociationPortMembers

Specifies the set of ports for which this connectivity association is associated.

AssociationTxKeyParity
Specifies Tx key parity using the following values:

  • None — key parity is not specified

    Note:

    The none value only applies to platforms that support 2AN mode. If you do not specify a key parity value, the system defaults to 2AN mode.

  • Even — generates even-numbered keys

  • Odd — generates odd-numbered keys
9037469-00 Rev AB