Configuring MAC Security with Pre-shared Keys Authentication

To configure MAC Security (MACsec) with pre-shared keys (PSKs) authentication on a switch port:
  1. Install a MACsec license key (if one is not already installed) by using the following command:

    enable license {software} [key ]

  2. For ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X620, X590, X690, X695 series switches, attach an LRM/MACsec adapter.
    Note

    Note

    ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht, and X465 switches natively support MACsec and do not require an adapter.
  3. For ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht, and X465 switches, enable MACsec mode on the desired ports by using the following command:
    configure macsec hw-mode ports port_list [macsec-mode | half-duplex-mode]
    Note

    Note

    You must save, and the reboot, for this command to take effect.
  4. Create a connectivity-association (CA) object that holds MACSec authentication data (secure connection association key (CAK) and secure connection association key name (CKN) pair, which makes up the PSK on each port enabled for MKA by using the following command:

    create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]

  5. Optionally, modify MACsec replay protection packet window, which allows for dropping of out-of-order packets received on a port by using the following command:

    configure macsec replay-protect [window_size_in_packets | disable] ports port_list

    The replay protection feature provides for the dropping of out-of-order packets received on a port. The window size is set to 0 by default, meaning any packet received out-of-order is dropped. Setting the window size to non-zero sets the range of sequence numbers that are tolerated, to allow receipt of packets that have been misordered by the network. If replay protection is disabled, packet sequence numbers are not checked and out-of-order packets are not dropped.

  6. Optionally, configure a port's priority for becoming a key server by using the following command:

    configure macsec mka actor-priority actor_priority ports port_list

  7. Optionally, configure the include-SCI flag (to ensure interoperability with third-party devices that do not decode encrypted MACsec packets when the SCI is not present) using the following command:

    configure macsec include-sci [enable | disable] ports port_list

  8. Optionally, change the MACsec cipher suite by using the following command:

    configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list

    Note

    Note

    The GCM-AES-256 cipher is only supported on ports with the LRM/MACsec Adapter, and on ExtremeSwitching X465 series switches ports on MACsec-capable VIMs without the LRM/MACsec Adapter.
  9. Enable MACsec authentication on the desired ports by using the following command:

    configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} {cak [encrypted encrypted_cak] | cak} | ports [port_list] [enable | disable]]

    Use the ca_name set up in Step 4, use the enable option, and designate the port(s).

Important

Important

After enabling MACsec, if you change the actor priority, replay protection window, mka life-time, or include-SCI flag, you must run the configure macsec initialize ports port_list afterward. Otherwise, the change is not accepted.

To delete a previously created CA object, use the following command:

delete macsec connectivity-association ca_name

To clear MACsec counters, use the following command:

clear macsec counters {ports [port_list]}

To reset the MACsec Key Agreement protocol state machine on one or more ports, use the following command:

configure macsec initialize ports port_list

Issuing this command resets the MKA state machine, which in turn deletes any secured channels and their secure association keys (SAKs). This command is also used to apply MACsec configuration changes (mka actor-priority, include-sci, replay-protect) to an already enabled port. All traffic is blocked until MKA renegotiates a new set of keys and those keys are installed. For more information, see IEEE802.1X-2010 Clause 12.9.3 Initialization.

Displaying MACsec Information

To display a system-wide view of MACsec, use the following command:

show macsec

To display a global summary of MACsec capabilities and status for all or a specified CA, use the following command:

show macsec { connectivity-association {ca_name}

To display per-port MKA and MACsec data in tabular format, use the following command:

show macsec ports port-list usage

To display a table of all configurable parameters, use the following command:

show macsec ports port-list configuration

To display configuration, status, and statistics for both MKA and MACsec, use the following command:

show macsec ports port-list detail

To display the number of ports that have MACsec enabled and the maximum number of ports allowed per slot, use the following command:

show macsec usage

To display the transmitted and dropped packets for each MACsec engine, use the following command:

show ports macsec-engines [qosmonitor | congestion] {no-refresh | refresh}

Displaying LRM/MACsec Adapter Information

To display that a LRM/MACsec adapter is connected to a port, use either of the following commands:

show ports {mgmt | port_list | tag tag} configuration {no-refresh | refresh}

show port {mgmt |port_list | tag tag} information {detail} using the detail option.