Configuring MAC Security with Pre-shared Keys Authentication
- Install a MACsec license key (if one is not already installed) by using the following command:
enable license {software} [key ]
- For ExtremeSwitching X450-G2, X460-G2, X440-G2, X620, X590, and X695 series switches, attach an LRM/MACsec adapter.
Note
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht, and X465 switches natively support MACsec and do not require an adapter.
- For ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht, and X465 switches, enable MACsec mode on the desired ports by using the following command:
configure macsec hw-mode ports port_list [macsec-mode | half-duplex-mode]
Note
You must save the configuration and reboot for this command to take effect.
- Create a connectivity-association (CA) object that holds the MACsec authentication data: the connectivity association key (CAK) and connectivity association key name (CKN) pair, which together make up the pre-shared key (PSK) used on each port enabled for MKA. The same CKN/CAK pair must be configured on both ends of the link. Use the following command:
create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]
- Optionally, modify the MACsec replay protection window, which controls the dropping of out-of-order packets received on a port, by using the following command:
configure macsec replay-protect [window_size_in_packets | disable] ports port_list
The replay protection feature drops out-of-order packets received on a port. The window size is 0 by default, meaning any packet received out of order is dropped. Setting the window size to a non-zero value sets the range of packet numbers (PNs) that is tolerated, so that packets misordered by the network are still accepted. If replay protection is disabled, packet numbers are not checked and out-of-order packets are not dropped.
- Optionally, configure a port's priority for becoming the MKA key server by using the following command:
configure macsec mka actor-priority actor_priority ports port_list
- Optionally, configure the include-SCI flag (to ensure interoperability with third-party devices that cannot decode encrypted MACsec packets when the SCI is not present) by using the following command:
configure macsec include-sci [enable | disable] ports port_list
- Optionally, change the MACsec cipher suite by using the following command:
configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list
Note
Summit Series switches, except the ExtremeSwitching X465 switch, need an external LRM/MACsec adapter to support the GCM-AES-256 cipher.
- Enable MACsec authentication on the desired ports by using the following command:
configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} {cak [encrypted encrypted_cak] | cak} | ports [port_list] [enable | disable]]
Use the ca_name created earlier with create macsec connectivity-association, use the enable option, and designate the port(s).
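The steps above are typed by hand on each switch, and the two mistakes that most often leave a link down are a CAK whose length does not match the cipher suite and a CKN/CAK pair that differs between the two ends. The following is an added example, not Extreme Networks code: it draws a fresh CKN/CAK pair from the operating-system CSPRNG, checks it against the chosen cipher suite, and renders the EXOS commands from the procedure for both ends of one link. The key sizes (16-byte CAK for GCM-AES-128, 32-byte CAK for GCM-AES-256, CKN of 1 to 32 bytes), the hex input format, and the 0..255 actor-priority range with the lowest value winning the key-server election are assumptions of this example, not statements from the page; confirm them against the EXOS command reference for your release.

```python
"""Generate, validate, and render a MACsec pre-shared key (CKN/CAK) for EXOS.

Added example; not Extreme Networks code. Assumed, not stated on the page:
the CKN and CAK are entered as hex strings, the CAK is 16 bytes for GCM-AES-128
and 32 bytes for GCM-AES-256, the CKN is 1..32 bytes, and the MKA actor
priority is 0..255 with the lowest value winning the key-server election.
"""
import secrets
from dataclasses import dataclass

CAK_BYTES = {"gcm-aes-128": 16, "gcm-aes-256": 32}  # assumed CAK size per suite
CKN_MAX_BYTES = 32                                   # assumed CKN limit


@dataclass(frozen=True)
class MacsecPsk:
    ca_name: str
    ckn: str  # hex string
    cak: str  # hex string


def generate_psk(ca_name, cipher="gcm-aes-256", ckn_bytes=16):
    """Draw a fresh random CKN/CAK pair from the OS CSPRNG, sized for `cipher`."""
    if cipher not in CAK_BYTES:
        raise ValueError(f"unsupported cipher suite: {cipher}")
    return MacsecPsk(ca_name, secrets.token_hex(ckn_bytes),
                     secrets.token_hex(CAK_BYTES[cipher]))


def validate_psk(psk, cipher):
    """Return a list of problems; an empty list means the PSK fits `cipher`."""
    problems = []
    if cipher not in CAK_BYTES:
        return [f"unsupported cipher suite: {cipher}"]
    try:
        ckn, cak = bytes.fromhex(psk.ckn), bytes.fromhex(psk.cak)
    except ValueError:
        return ["ckn and cak must be hex strings with an even number of digits"]
    if not 1 <= len(ckn) <= CKN_MAX_BYTES:
        problems.append(f"ckn must be 1..{CKN_MAX_BYTES} bytes, got {len(ckn)}")
    if len(cak) != CAK_BYTES[cipher]:
        problems.append(f"cak must be {CAK_BYTES[cipher]} bytes for {cipher}, got {len(cak)}")
    if len(set(cak)) <= 1:
        problems.append("cak is a single repeated byte; refuse trivially weak keys")
    return problems


def render_config(psk, ports, cipher="gcm-aes-256", replay_window=0,
                  actor_priority=16, include_sci=False):
    """Render the EXOS commands from the procedure above, in order, for one switch.

    Raises ValueError instead of emitting a configuration whose CAK the
    cipher-suite step would not accept.
    """
    problems = validate_psk(psk, cipher)
    if problems:
        raise ValueError("; ".join(problems))
    if not 0 <= actor_priority <= 255:
        raise ValueError("actor-priority outside the assumed 0..255 range")
    window = "disable" if replay_window is None else str(replay_window)
    return [
        f"create macsec connectivity-association {psk.ca_name} "
        f"pre-shared-key ckn {psk.ckn} cak {psk.cak}",
        f"configure macsec cipher-suite {cipher} ports {ports}",
        f"configure macsec replay-protect {window} ports {ports}",
        f"configure macsec mka actor-priority {actor_priority} ports {ports}",
        f"configure macsec include-sci {'enable' if include_sci else 'disable'} ports {ports}",
        f"configure macsec connectivity-association {psk.ca_name} ports {ports} enable",
    ]


def render_link(psk, port_a, port_b, **kw):
    """Both ends of a link share one CKN/CAK; only the ports and the key-server
    priority differ (lower value = preferred key server, assumed here)."""
    return {
        "switch-a": render_config(psk, port_a, actor_priority=1, **kw),
        "switch-b": render_config(psk, port_b, actor_priority=255, **kw),
    }


if __name__ == "__main__":
    psk = generate_psk("ca-uplink")
    for side, lines in render_link(psk, "1:49", "2:49", replay_window=0).items():
        print(f"# {side}")
        print("\n".join(lines))
```

The rendered lines paste into each switch's CLI in the order of the procedure; the hw-mode step, which needs a save and reboot on the platforms listed above, is deliberately left to the operator. Treat the generated CAK as you would any long-lived secret: it is printed in clear here only so that it can be pasted, and the encrypted form in the create command is preferable once it is stored in a configuration file.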

Important
After enabling MACsec, if you change the actor priority, replay protection window, MKA life-time, or include-SCI flag, you must run configure macsec initialize ports port_list afterward. Otherwise, the change is not accepted.
To delete a previously created CA object, use the following command:
delete macsec connectivity-association ca_name
To clear MACsec counters, use the following command:
clear macsec counters {ports [port_list]}
To reset the MACsec Key Agreement protocol state machine on one or more ports, use the following command:
configure macsec initialize ports port_list
Issuing this command resets the MKA state machine, which in turn deletes any secured channels and their secure association keys (SAKs). This command is also used to apply MACsec configuration changes (mka actor-priority, include-sci, replay-protect, mka life-time) to an already enabled port. All traffic is blocked until MKA renegotiates a new set of keys and those keys are installed. For more information, see IEEE802.1X-2010 Clause 12.9.3 Initialization.
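The replay-protect step above says that a window of 0 drops every out-of-order frame while a larger window tolerates misordering, and this section says the new window only takes effect after the MKA state machine is re-initialized. To make the window semantics concrete, here is an added example, not Extreme Networks or switch code: a small Python model of the receive-side replay check as IEEE 802.1AE defines it, namely a floor on the packet number (PN) below which frames are discarded. That the switch implements exactly this rule is an assumption of the example; the packet-number sequence it runs is constructed.

```python
"""Model of the receive-side replay check behind
`configure macsec replay-protect [window_size_in_packets | disable]`.

Added example; not Extreme Networks or switch code. It implements the
lowest-acceptable-packet-number rule of IEEE 802.1AE as a plain Python
model (assumption: the switch follows that rule) so the effect of the
window size can be seen on a constructed packet-number sequence.
"""


class ReplayCheck:
    def __init__(self, window):
        """window: 0 (strict, the default), a positive tolerance in packets,
        or None for `replay-protect disable`."""
        self.window = window
        self.next_pn = 1        # next packet number (PN) expected on this SA
        self.in_pkts_late = 0   # frames dropped by the replay check

    def lowest_acceptable_pn(self):
        """Floor for an accepted PN; frames below it are treated as replays."""
        if self.window is None:
            return 1
        return max(1, self.next_pn - self.window)

    def receive(self, pn):
        """Return True if a frame carrying `pn` is accepted.

        The integrity check (ICV) is assumed to have passed already; this
        models only the PN comparison that the replay window controls.
        """
        if self.window is not None and pn < self.lowest_acceptable_pn():
            self.in_pkts_late += 1
            return False
        if pn >= self.next_pn:          # only forward progress advances the floor
            self.next_pn = pn + 1
        return True


def run(window, pns):
    """Feed a PN sequence through one ReplayCheck and return the accept/drop list."""
    chk = ReplayCheck(window)
    return [chk.receive(pn) for pn in pns]


# Constructed sequence: frame 4 is overtaken by 5, then old frame 2 is replayed.
REORDERED = [1, 2, 3, 5, 4, 6, 2]

if __name__ == "__main__":
    for w in (0, 2, None):
        print(f"window={w!r:<5} {run(w, REORDERED)}")
    # Caveat: a window > 0 also admits an exact duplicate that lands inside the
    # window, because the rule is a floor on PN, not a bitmap of PNs already seen.
    print("duplicate 3 with window 2:", run(2, [1, 2, 3, 3]))
```

With the default window of 0 the overtaken frame 4 and the replayed frame 2 are both dropped; with a window of 2 the legitimately reordered frame 4 survives and only the stale frame 2 is dropped; with replay protection disabled everything is accepted. The last line shows the trade-off a non-zero window buys: a duplicate of a frame that still lies inside the window is also accepted, so set the window no larger than the reordering the path actually produces, and remember that changing it on an enabled port needs configure macsec initialize before it applies.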
Displaying MACsec Information
To display a system-wide view of MACsec, use the following command:
show macsec
To display a global summary of MACsec capabilities and status for all or a specified CA, use the following command:
show macsec {connectivity-association {ca_name}}
To display per-port MKA and MACsec data in tabular format, use the following command:
show macsec ports port_list usage
To display a table of all configurable parameters, use the following command:
show macsec ports port_list configuration
To display configuration, status, and statistics for both MKA and MACsec, use the following command:
show macsec ports port_list detail
To display the number of ports that have MACsec enabled and the maximum number of ports allowed per slot, use the following command:
show macsec usage
To display the transmitted and dropped packets for each MACsec engine, use the following command:
show ports macsec-engines [qosmonitor | congestion] {no-refresh | refresh}
Displaying LRM/MACsec Adapter Information
To verify that an LRM/MACsec adapter is connected to a port, use either of the following commands:
show ports {mgmt | port_list | tag tag} configuration {no-refresh | refresh}
show port {mgmt | port_list | tag tag} information {detail}, using the detail option.