Configure a Connectivity Association

Use the following procedure to configure a connectivity association (CA) in static Connectivity Association Key (CAK) security mode with static Secure Association Keys (SAK).

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure a CA:
    macsec connectivity association WORD <5-16> connectivity-association-key WORD<10-32> [key-parity even|odd]
    Note

    Note

    If you do not specify a key-parity value, the CA is created in 2AN mode.

    This applies only to platforms that support 2AN mode.

    Note

    Note

    The parameter [key-parity even|odd] applies only to static MACsec configurations.

  3. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  4. Associate a port with a CA:

    macsec connectivity-association WORD<5–16>

Example

Configure a connectivity association and enable MACsec on a port:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#macsec connectivity-association caname1 connectivity-association-key 1029384756abcdef key-parity even
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#macsec connectivity-association caname12

Variable Definitions

The following table defines parameters for the macsec command.

Variable

Value

connectivity-association WORD<5–16>

Specifies a connectivity-association name.

Tip:

Configure the Connectivity Association key name (CKN) in multiples of 4 characters to avoid MKA interoperability issues between VOSS switches and EXOS switches. For example, Macsecma (8 chararcters) or Macsecmka123 (12 characters) are valid, but Macsec (6 characters) is not valid.

connectivity-association-key WORD<10–32>

Specifies the value of the connectivity-association key (CAK). This value should be a 32-character hexadecimal string.

key-parity <even | odd>
Specifies Tx key parity using the following values:

  • even — generates even-numbered keys for Tx

  • odd — generates odd-numbered keys for Tx

Note:

If you do not specify a key-parity value, the connectivity association (CA) is created in 2AN mode.

This parameter applies only to platforms that support 4AN mode.

The following table defines parameters for the interface gigabitethernet command.

Variable

Value

{slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Specifies the port that you want to associate with the CA.

Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
9036830-00 Rev AD