Associate a Port with a Connectivity Association
Use the following procedure to associate a port with a connectivity association (CA) using EDM. You can optionally configure a MACsec encryption cipher suite on the port.
Note
You can configure MACsec on physical ports only. However, the physical ports can belong to an MLT trunk group, including Split MultiLink Trunking (SMLT), distributed MultiLink Trunking (DMLT), or Link aggregate group (LAG).
Note
MACsec encryption and decryption algorithms follow either the AES-GCM-128 or the AES-GCM-256 standard, depending on the configured MACsec cipher suite. The default is the AES-GCM-128 standard.
Procedure
- On the Device Physical View tab, select one or more ports to associate with the connectivity association.
- In the navigation pane, expand .
- Select General.
- Select the MACsec tab.
- In CAName, type the connectivity-association name.
- In OffsetValue, select the value of confidentiality offset to be achieved.
- Select EncryptionEnable to enable encryption for the frames transmitted on the port.
- Optional: In CipherSuite, select the MACsec encryption cipher suite.
- Select MACsec Enable to enable MACsec on the port.
- Select Apply.
MACsec Field Descriptions
Use the data in the following table to configure the MACsec tab.
Name | Description |
---|---|
CAName | Specifies the name of the connectivity association attached to the port or interface. |
OffsetValue | Offsets MACsec encryption in an IPv4 TCP/UDP header or IPv6 TCP/UDP header. The confidentiality offset provides a way to start encryption after a few bytes following the Ethernet header. The confidentiality offset facilitates traffic flow inspection and classification on intermediate devices by not encrypting the Network Layer header for IPv4 or IPv6. For instance, if you configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header and the TCP/UDP header are not encrypted. |
EncryptionEnable | Specifies the encryption status per port. Use this field to enable or disable encryption for each MACsec capable port. |
CipherSuite | Configures the cipher suite for encrypting traffic with MACsec. The following cipher suites are supported: The default is the AES-GCM-128 standard. |
MACsec Enable | Enables or disables MACsec on the port. |
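
The following added example (not part of the product documentation) shows which header fields stay in cleartext for a given OffsetValue, so you can judge what a confidentiality offset exposes before you select it. It assumes the IEEE 802.1AE convention that the offset counts octets of the protected data starting at the original EtherType; the function names and the sample frames are constructed for illustration.

```python
import struct

# Assumption (IEEE 802.1AE, not stated on this page): the confidentiality
# offset counts octets of the protected data that follows the SecTAG, and that
# data begins with the original frame's EtherType.
ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100

def layout(user_data):
    """Return [(field_name, start, end)] for EtherType, IP header and L4 header."""
    fields, pos = [], 0
    (etype,) = struct.unpack_from("!H", user_data, pos)
    if etype == ETH_VLAN:                      # 802.1Q tag inside the protected data
        fields.append(("vlan_tag", pos, pos + 4))
        pos += 4
        (etype,) = struct.unpack_from("!H", user_data, pos)
    fields.append(("ethertype", pos, pos + 2))
    pos += 2
    if etype == ETH_IPV4:
        ihl = (user_data[pos] & 0x0F) * 4      # header length, includes IP options
        proto = user_data[pos + 9]
    elif etype == ETH_IPV6:
        ihl, proto = 40, user_data[pos + 6]    # fixed header only, no extension headers
    else:
        return fields
    fields.append(("ip_header", pos, pos + ihl))
    pos += ihl
    if proto == 17:
        fields.append(("udp_header", pos, pos + 8))
    elif proto == 6:
        doff = (user_data[pos + 12] >> 4) * 4  # TCP data offset
        fields.append(("tcp_header", pos, pos + doff))
    return fields

def exposure(user_data, offset):
    """Map each header field to 'clear', 'partial' or 'encrypted' for an offset."""
    return {name: "clear" if end <= offset else "encrypted" if start >= offset else "partial"
            for name, start, end in layout(user_data)}

def sample(ipv6, tcp, vlan=False):
    """Constructed sample: header bytes only, addresses and ports zeroed."""
    l4 = bytes(12) + bytes([0x50]) + bytes(7) if tcp else bytes(8)
    proto = 6 if tcp else 17
    if ipv6:
        ip = bytes([0x60]) + bytes(5) + bytes([proto]) + bytes(33)
    else:
        ip = bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)
    tag = struct.pack("!HH", ETH_VLAN, 10) if vlan else b""
    return tag + struct.pack("!H", ETH_IPV6 if ipv6 else ETH_IPV4) + ip + l4
```

Under that assumption, `exposure(sample(False, True), 30)` reports the TCP header as only partly in the clear, and a VLAN tag carried inside the protected data shifts every field by four octets.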