Configures a previously created connectivity-association (CA) object that holds MAC Security (MACsec) key authentication data. For a particular CA, you can change the pre-shared key and enable/disable authentication on one or more ports.
connectivity-association | Secures connectivity provided between MACsec stations. |
ca_name | Selects CA object to configure. |
pre-shared-key | Selects static MACsec key consisting of both a CKN and CAK: |
ckn |
Selects changing the CA key name. This public (non-secret) key name allows each of the MKA participants to select which connectivity association key (CAK) to use to process a received MACsec key agreement (MKA) protocol packets (MKPDU). |
ckn |
Sets the CA key name. Length allowed is 1–32 characters, entered as ASCII or an octet string preceded with 0x. |
cak | Sets the connectivity association key (CAK). 16 octets. This is a long-lived secret key used to derive short-lived lower-layer keys (ICK, KEK, and SAK) which are used for key distribution and data encryption. . |
encrypted | Designates that secret key value is in encrypted format. |
encrypted_cak | Sets the value for the secret key. Needs to be in the format of an encrypted string or octet string of length 16 preceded with "0x". |
cak | Sets the non-encrypted CAK value. May be entered as an octet string (for example: “0x859e72f0…”) or as an encrypted key |
ports | Specifies configuring ports. |
port_list | Lists which ports to configure. |
enable | Enable the MKA connectivity association on the selected port list. |
disable | Disables the MKA connectivity association on the selected port list. |
N/A.
You can only enable/disable CAs on ports that support MACsec.
Note
The CAK shown here is an example. Use your own random number for maximum security.configure macsec connectivity-association testca pre-shared-key ckn “the red key” cak “0x01020304050607080910111213141516”
# configure macsec connectivity-association testca ports 13 enable
# configure macsec connectivity-association testca ports 13 disable
This command was first available in ExtremeXOS 30.1.
This command is available on the following platforms.
Note
The MACsec feature requires the installation of the MAC Security feature pack license.Platform | Ports | LRM/MACsec Adapter Required? |
---|---|---|
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
All other SFP/SFP+ ports * | Yes | |
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X620, and X690 series switches | SFP/SFP+ ports * | Yes |
Note: * For Summit X460-G2 series switches, the VIM-2X option does
not support the LRM/MACsec Adapter.
|