enable license {software} [key]
Note
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht, and X465 switches natively support MACsec and do not require an adapter.
Note
You must save, and then reboot, for this command to take effect.
create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]
configure macsec replay-protect [window_size_in_packets | disable] ports port_list
The replay protection feature drops out-of-order packets received on a port. The window size is 0 by default, meaning any packet received out of order is dropped. Setting the window size to a non-zero value defines the range of sequence numbers that is tolerated, so that packets misordered by the network are still accepted. If replay protection is disabled, packet sequence numbers are not checked and out-of-order packets are not dropped.
configure macsec mka actor-priority actor_priority ports port_list
configure macsec include-sci [enable | disable] ports port_list
configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list
Note
Summit Series switches, except the ExtremeSwitching X465 switch, need an external LRM/MACsec Adapter to support the GCM-AES-256 cipher.
configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} {cak [encrypted encrypted_cak] | cak} | ports [port_list] [enable | disable]]
Use the ca_name set up in Step 4, select the enable option, and specify the port(s) to protect.
Important
After enabling MACsec, if you change the actor priority, replay protection window, MKA life-time, or include-SCI flag, you must run configure macsec initialize ports port_list afterward. Otherwise, the change is not accepted.
To delete a previously created CA object, use the following command:
delete macsec connectivity-association ca_name
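The procedure above leaves two things to the operator: producing a CKN/CAK pair that fits the chosen cipher suite (the same pair must be configured on both ends of the link), and understanding what the replay-protect window actually tolerates. The following Python is an added example, not Extreme's code: it generates and validates pre-shared-key material, renders the page's commands in procedure order, and models the receive-side replay window as the page describes it (window 0 drops every out-of-order packet, a non-zero window tolerates that many older packet numbers, disabled checks nothing). The hex encoding of CKN/CAK, the 16-byte (gcm-aes-128) and 32-byte (gcm-aes-256) CAK sizes, and the 1..32-byte CKN are assumptions based on IEEE 802.1X CAK/CKN sizes, not taken from this page; the sample values are constructed.

```python
"""Added example (not Extreme's code): prepare MACsec pre-shared-key material
for the commands on this page and model the replay-protection window.
Assumptions (labelled): CKN and CAK are hex strings, the CAK is 16 bytes for
gcm-aes-128 and 32 bytes for gcm-aes-256, the CKN is 1..32 bytes."""
import os

CAK_BYTES = {"gcm-aes-128": 16, "gcm-aes-256": 32}  # assumed CAK size per suite
CKN_MAX_BYTES = 32                                     # assumed: 802.1X CKN is 1..32 octets


def generate_psk(cipher_suite="gcm-aes-128", ckn_bytes=16):
    """Return (ckn_hex, cak_hex) drawn from the OS CSPRNG."""
    if cipher_suite not in CAK_BYTES:
        raise ValueError("unknown cipher suite: %s" % cipher_suite)
    if not 1 <= ckn_bytes <= CKN_MAX_BYTES:
        raise ValueError("CKN must be 1..%d bytes" % CKN_MAX_BYTES)
    return os.urandom(ckn_bytes).hex(), os.urandom(CAK_BYTES[cipher_suite]).hex()


def validate_psk(ckn_hex, cak_hex, cipher_suite="gcm-aes-128"):
    """Return None if the pair fits the chosen suite, else a reason string."""
    try:
        ckn, cak = bytes.fromhex(ckn_hex), bytes.fromhex(cak_hex)
    except ValueError:
        return "CKN and CAK must be hex strings"
    if not 1 <= len(ckn) <= CKN_MAX_BYTES:
        return "CKN length %d not in 1..%d bytes" % (len(ckn), CKN_MAX_BYTES)
    want = CAK_BYTES.get(cipher_suite)
    if want is None:
        return "unknown cipher suite: %s" % cipher_suite
    if len(cak) != want:
        return "CAK is %d bytes, %s needs %d" % (len(cak), cipher_suite, want)
    return None


def render_ca_commands(ca_name, ckn_hex, cak_hex, ports, actor_priority,
                       cipher_suite="gcm-aes-128", replay_window=0, include_sci=True):
    """Emit the page's commands in procedure order: create the CA, tune the
    per-port parameters, then bind the CA to the ports and enable it.
    (Tune before enabling; changing these afterwards needs 'configure macsec
    initialize ports', per the Important note on the page.)"""
    reason = validate_psk(ckn_hex, cak_hex, cipher_suite)
    if reason:
        raise ValueError(reason)
    return [
        "create macsec connectivity-association %s pre-shared-key ckn %s cak %s"
        % (ca_name, ckn_hex, cak_hex),
        "configure macsec replay-protect %s ports %s" % (replay_window, ports),
        "configure macsec mka actor-priority %d ports %s" % (actor_priority, ports),
        "configure macsec include-sci %s ports %s"
        % ("enable" if include_sci else "disable", ports),
        "configure macsec cipher-suite %s ports %s" % (cipher_suite, ports),
        "configure macsec connectivity-association %s ports %s enable" % (ca_name, ports),
    ]


class ReplayWindow:
    """Receive-side replay check as the page describes it (a model, not the
    switch's implementation). next_pn is the next expected packet number;
    with window 0 every PN must be newer than the last accepted one."""

    def __init__(self, window=0, enabled=True):
        self.window, self.enabled = window, enabled
        self.next_pn, self.dropped = 1, 0

    def accept(self, pn):
        if self.enabled:
            lowest_pn = max(1, self.next_pn - self.window)
            if pn < lowest_pn:          # older than the window tolerates: drop
                self.dropped += 1
                return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def simulate(pns, window=0, enabled=True):
    """Run one receive window over a constructed PN sequence; returns accept flags."""
    rw = ReplayWindow(window, enabled)
    return [rw.accept(pn) for pn in pns]


if __name__ == "__main__":
    ckn, cak = generate_psk()
    for line in render_ca_commands("ca1", ckn, cak, "1-2", actor_priority=16):
        print(line)
    print("window 0 :", simulate([1, 2, 5, 3, 4, 2]))
    print("window 2 :", simulate([1, 2, 5, 3, 4, 2], window=2))
    print("disabled :", simulate([1, 2, 5, 3, 4, 2], enabled=False))
```

Run the script to see the same PN sequence judged three ways; the window-2 case shows that a packet only slightly late (PN 3 and 4 after PN 5) survives, while a stale PN 2 is still dropped. Only the CKN is safe to share over a ticket or chat; treat the CAK as a secret and prefer the encrypted form of the configure command once it is stored.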
To clear MACsec counters, use the following command:
clear macsec counters {ports [port_list]}
To reset the MACsec Key Agreement protocol state machine on one or more ports, use the following command:
configure macsec initialize ports port_list
Issuing this command resets the MKA state machine, which in turn deletes any secured channels and their secure association keys (SAKs). This command is also used to apply MACsec configuration changes (mka actor-priority, include-sci, replay-protect, mka life-time) to an already enabled port. All traffic is blocked until MKA renegotiates a new set of keys and those keys are installed. For more information, see IEEE802.1X-2010 Clause 12.9.3 Initialization.
To display a system-wide view of MACsec, use the following command:
show macsec
To display a global summary of MACsec capabilities and status for all or a specified CA, use the following command:
show macsec {connectivity-association {ca_name}}
To display per-port MKA and MACsec data in tabular format, use the following command:
show macsec ports port_list usage
To display a table of all configurable parameters, use the following command:
show macsec ports port_list configuration
To display configuration, status, and statistics for both MKA and MACsec, use the following command:
show macsec ports port_list detail
To display the number of ports that have MACsec enabled and the maximum number of ports allowed per slot, use the following command:
show macsec usage
To display the transmitted and dropped packets for each MACsec engine, use the following command:
show ports macsec-engines [qosmonitor | congestion] {no-refresh | refresh}
To verify that an LRM/MACsec adapter is connected to a port, use either of the following commands:
show ports {mgmt | port_list | tag tag} configuration {no-refresh | refresh}
show port {mgmt | port_list | tag tag} information {detail} (use the detail option)