Configure Connectivity Associations

Use the following procedure to configure connectivity associations (CA) using EDM.

Note

  • You can configure MACsec on physical ports only. However, the physical ports can belong to an MLT trunk group that includes: Split MultiLink Trunking (SMLT), distributed MultiLink Trunking (DMLT), or Link aggregate group (LAG).

  • MACsec encryption and decryption algorithms follow either the AES-GCM-128 or the AES-GCM-256 standard, depending on the configured MACsec cipher suite. The default is the AES-GCM-128 standard.

Procedure

  1. In the navigation pane, expand Configuration > Edit.
  2. Select Chassis.
  3. Select the MACSec tab.
  4. Select Insert.
    1. In AssociationName, type the connectivity-association name.
    2. In AssociationKey, type the value of the connectivity-association key.
      Note

      The connectivity-association key appears as MD5-hashed text in the MAC security table.

    3. In AssociationTxKeyParity, select an option for Tx key parity.
      Note

      Tx key parity configuration applies only to static MACsec configurations.

    4. Select Insert to save the configuration.
  5. Select Apply.

MACSec Field Descriptions

Use the data in the following table to use the MACSec tab.

Name

Description

AssociationName

Specifies a name for each connectivity association configured on the device.

Tip:

Configure the Connectivity Association key name (CKN) in multiples of 4 characters to avoid MKA interoperability issues between VOSS switches and EXOS switches. For example, Macsecma (8 characters) or Macsecmka123 (12 characters) are valid, but Macsec (6 characters) is not valid.

AssociationKey

Specifies a pre-shared, connectivity association key associated with each connectivity association configured on the device.

AssociationPortMembers

Specifies the set of ports with which this connectivity association is associated.

AssociationTxKeyParity

Specifies Tx key parity using the following values:
  • None — key parity is not specified

    Note:

    The none value only applies to platforms that support 2AN mode. If you do not specify a key parity value, the system defaults to 2AN mode.

  • Even — generates even-numbered keys

  • Odd — generates odd-numbered keys