configure macsec include-sci

configure macsec include-sci [enable | disable] ports port_list

Description

Configures the include-SCI flag to ensure interoperability with third-party devices that do not decode encrypted MAC Security (MACsec) packets when the SCI is not present.

Syntax Description

include-sci Provision inclusion of SCI in SecTAG field while transmitting MACsec frames.
enable Include SCI in SecTAG.
disable Do not include SCI in SecTAG (Default).
ports Specifies configuring ports.
port_list Lists which ports to configure the include-SCI flag on.

Default

Disabled by default (SCI is not included in MAC Security Tag (SecTAG)).

Usage Guidelines

The SecTAG appended to each data packet contains an optional parameter called Secure Channel Indicator (SCI). The SCI is used to identify the sending Secure Association (SA) when the connectivity-association (CA) comprises three or more peers.

Because ExtremeXOS only supports point-to-point links (which have exactly two peers), the SCI is not sent by default (which saves 8-octets per SecTAG‘d packet). Certain third-party MACsec devices, such as the CentOS‘s MACsec client and Cisco Catalyst 3650, fail to decode encrypted MACsec packets when the SCI is not present. To ensure interoperability with such devices, you can configure the Include-SCI flag. When this flag is set, the port always includes the 8-octet SCI in the SecTAG of all outgoing packets.

Important

Important

After enabling MACsec, if you change the include-SCI flag, you must run the configure macsec initialize ports port_list command afterward. Otherwise, the change is not applied.

Example

The following example enables including SCI in SecTAG field while transmitting MACsec frames on port 13:
configure macsec include-sci enable port 13
The following example disables including SCI in SecTAG field while transmitting MACsec frames on port 44:
# configure macsec include-sci disable port 44

History

This command was first available in ExtremeXOS 30.1.

Platform Availability

This command is available on the following platforms.

Note

Note

The MACsec feature requires the installation of the MAC Security feature pack license.
Platform Ports LRM/MACsec Adapter Required?
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches Half-duplex, 1G ports (25–48) No
All other SFP/SFP+ ports * Yes
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X590, X620, X690, and X695 series switches SFP/SFP+ ports * Yes
ExtremeSwitching X465

X465-24W, X465-24XE: ports 1–24

X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48

X465-24MU-24W: ports 25–48

VIM5-4XE: all 4 ports

VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports

VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only

No
Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.