Configure a Connectivity Association
Use the following procedure to configure a connectivity association (CA) in static Connectivity Association Key (CAK) security mode with static Secure Association Keys (SAK).
Procedure
Example
Configure a connectivity association and enable MACsec on a port:
```
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#macsec connectivity-association caname1 connectivity-association-key 1029384756abcdef key-parity even
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#macsec connectivity-association caname1
```
Variable Definitions
The following table defines parameters for the macsec command.
Variable | Value |
---|---|
connectivity-association WORD<5–16> | Specifies a connectivity-association name. Tip: Configure the Connectivity Association key name (CKN) in multiples of 4 characters to avoid MKA interoperability issues between VOSS switches and EXOS switches. For example, Macsecma (8 characters) or Macsecmka123 (12 characters) are valid, but Macsec (6 characters) is not valid. |
connectivity-association-key WORD<10–32> | Specifies the value of the connectivity-association key (CAK). This value should be a 32-character hexadecimal string. |
key-parity <even \| odd> | Specifies Tx key parity using the following values: Note: If you do not specify a key-parity value, the connectivity association (CA) is created in 2AN mode. This parameter applies only to platforms that support 4AN mode. |
The following table defines parameters for the interface gigabitethernet command.
Variable | Value |
---|---|
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} | Specifies the port that you want to associate with the CA. Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. |
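
A pre-deployment check for the two commands documented above, as an added example that is not part of the vendor documentation: it lints a saved CLI session against the name, CAK and key-parity constraints from the first table and flags a port associated with a CA that was never defined. The `lint_macsec` function, its severity levels and the sample session are assumptions made for this example.

```python
import re

# Command grammar as shown in the page's example; the linter itself is illustrative.
CA_RE = re.compile(
    r"macsec\s+connectivity-association\s+(\S+)"
    r"(?:\s+connectivity-association-key\s+(\S+))?"
    r"(?:\s+key-parity\s+(\S+))?\s*$")
HEX32_RE = re.compile(r"[0-9a-fA-F]{32}")

def lint_macsec(config_text):
    """Return (line_no, severity, message) findings; messages never echo the CAK."""
    findings, defined = [], set()
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[-1].strip()  # drop a "Switch:1(config)#" prompt
        m = CA_RE.match(line)
        if not m:
            continue
        name, cak, parity = m.groups()
        if cak is None:
            # Assumption: a line without a key is the interface-level association.
            if name not in defined:
                findings.append((no, "error", f"CA '{name}' is not defined"))
            continue
        defined.add(name)
        if not 5 <= len(name) <= 16:
            findings.append((no, "error", "CA name must be 5-16 characters"))
        elif len(name) % 4:
            findings.append((no, "warning",
                             "name length is not a multiple of 4 (MKA interop with EXOS)"))
        if not 10 <= len(cak) <= 32:
            findings.append((no, "error", "CAK must be 10-32 characters"))
        elif not HEX32_RE.fullmatch(cak):
            findings.append((no, "warning",
                             "CAK should be a 32-character hexadecimal string"))
        if parity is not None and parity not in ("even", "odd"):
            findings.append((no, "error", "key-parity must be even or odd"))
    return findings

# Constructed sample session (names and key values are made up for this example).
SAMPLE = """\
Switch:1(config)#macsec connectivity-association Macsecmka123 connectivity-association-key 00112233445566778899aabbccddeeff key-parity even
Switch:1(config)#macsec connectivity-association Macsec connectivity-association-key 1029384756abcdef
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#macsec connectivity-association Macsecmka12
"""

if __name__ == "__main__":
    for finding in lint_macsec(SAMPLE):
        print(*finding)
```
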