Configure a Connectivity Association
Use the following procedure to configure a connectivity association (CA) in static Connectivity Association Key (CAK) security mode with static Secure Association Keys (SAK).
Important
For static MACsec, you can configure a different connectivity association name for local and peer nodes but you must configure the same value for the connectivity association key at both ends of the link with, either even or odd mode.
For MKA MACsec, you must configure the same value for the connectivity association name and the connectivity association key for local and peer nodes. Even or odd mode does not apply to a connectivity association for MKA MACsec .
Procedure
Example
Configure a connectivity association and enable MACsec on a port:
Switch:1>enable Switch:1#configure terminal Switch:1(config)#macsec connectivity-association caname1 connectivity-association-key 1029384756abcdef key-parity even Switch:1(config)#interface gigabitethernet 1/2 Switch:1(config-if)#macsec connectivity-association caname12
Variable Definitions
The following table defines parameters for the macsec command.
Variable |
Value |
---|---|
connectivity-association WORD<5–16> |
Specifies the connectivity-association name as an alpha-numeric ASCII string up to 16 characters long. The device uses this value for the connectivity-association key name (CKN). |
connectivity-association-key WORD<10–64> |
Specifies the connectivity-association key (CAK) value as a 32-character (128-bit) or a 64 character (256-bit) hexadecimal string. Note:
Always select the 128-bit CAK value for AES-GSM-128 and the 256-bit CAK value for AES-GSM_256. |
key-parity <even | odd> Note:
This parameter only applies to static MACsec configurations. |
Specifies Tx key parity using the following values:
Note:
If you do not specify a key-parity value, the connectivity association (CA) is created in 2AN mode. This only applies to platforms that support 2AN mode. |
The following table defines parameters for the interface gigabitethernet command.
Variable |
Value |
---|---|
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} |
Specifies the port that you want to associate with the CA. Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. |