Configure a Connectivity Association

Use the following procedure to configure a connectivity association (CA) in static Connectivity Association Key (CAK) security mode with static Secure Association Keys (SAK).

Important

Important

For static MACsec, you can configure a different connectivity association name for local and peer nodes but you must configure the same value for the connectivity association key at both ends of the link with, either even or odd mode.

For MKA MACsec, you must configure the same value for the connectivity association name and the connectivity association key for local and peer nodes. Even or odd mode does not apply to a connectivity association for MKA MACsec .

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure a CA:
    macsec connectivity association WORD <5-16> connectivity-association-key WORD<10-64> [key-parity even|odd]
    Note

    Note

    If you do not specify a key-parity value, the CA is created in 2AN mode.

    This applies only to platforms that support 2AN mode.

  3. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  4. Associate a port with a CA:

    macsec connectivity-association WORD<5–16>

Example

Configure a connectivity association and enable MACsec on a port:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#macsec connectivity-association caname1 connectivity-association-key 1029384756abcdef key-parity even
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#macsec connectivity-association caname12

Variable Definitions

The following table defines parameters for the macsec command.

Variable

Value

connectivity-association WORD<5–16>

Specifies the connectivity-association name as an alpha-numeric ASCII string up to 16 characters long. The device uses this value for the connectivity-association key name (CKN).

connectivity-association-key WORD<10–64>

Specifies the connectivity-association key (CAK) value as a 32-character (128-bit) or a 64 character (256-bit) hexadecimal string.

Note:

Always select the 128-bit CAK value for AES-GSM-128 and the 256-bit CAK value for AES-GSM_256.

key-parity <even | odd>

Note:

This parameter only applies to static MACsec configurations.

Specifies Tx key parity using the following values:
  • even — generates even-numbered keys for Tx

  • odd — generates odd-numbered keys for Tx

Note:

If you do not specify a key-parity value, the connectivity association (CA) is created in 2AN mode. This only applies to platforms that support 2AN mode.

The following table defines parameters for the interface gigabitethernet command.

Variable

Value

{slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Specifies the port that you want to associate with the CA.

Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.