Configures a previously created connectivity-association (CA) object that holds MAC Security (MACsec) key authentication data. For a particular CA, you can change the pre-shared key and enable/disable authentication on one or more ports.
connectivity-association | Secures connectivity provided between MACsec stations. |
ca_name | Selects CA object to configure. |
pre-shared-key | Selects static MACsec key consisting of both a CKN and CAK: |
ckn |
Selects changing the CA key name. This public (non-secret) key name allows each of the MKA participants to select which connectivity association key (CAK) to use to process a received MACsec key agreement (MKA) protocol packets (MKPDU). |
ckn |
Sets the CA key name. Length allowed is 1–32 characters, entered as ASCII or an octet string preceded with 0x. |
cak |
Sets the connectivity association key (CAK). If you are using 256-bit cipher suite, then the CAK must be 32 octets. The 128-bit cipher suite can use either a 16- or 32-octet CAK. This is a long-lived secret key used to derive short-lived lower-layer keys (ICK, KEK, and SAK) that are used for key distribution and data encryption. |
cak | Sets the non-encrypted CAK value. Must be entered as an octet string (for example: “0x859e72f0…”). A 128-bit (16 octet) CAK requires 32 hexadecimal digits, and a 256-bit (32 octet) CAK requires 64 hexadecimal digits. These values are secret and should be generated off switch with a suitable pseudorandom number generator. |
encrypted | Designates that secret key value is in encrypted format. |
encrypted_cak | Sets the value for the secret key. The encrypted CAK value is generated by the show configuration macsec command for previously configured CAKs. |
ports | Specifies configuring ports. |
port_list | Lists which ports to configure. |
enable | Enable the MKA connectivity association on the selected port list. |
disable | Disables the MKA connectivity association on the selected port list. |
N/A.
You can only enable/disable CAs on ports that support MACsec.
If execution of this command results in MACsec being enabled on more than 48 ports for a given 5320 or 5420 series switch, then the command will fail.
Note
The CAK shown here is an example. Use your own random number for maximum security.configure macsec connectivity-association testca pre-shared-key ckn “the red key” cak “0x01020304050607080910111213141516”
# configure macsec connectivity-association testca ports 13 enable
# configure macsec connectivity-association testca ports 13 disable
This command was first available in ExtremeXOS 30.1.
Support for 256-cipher suite was added in ExtremeXOS 30.2.
This command is available on the following platforms.
Note
The MACsec feature requires the installation of the MAC Security feature pack license.Platform | Ports | LRM/MACsec Adapter Required? |
---|---|---|
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
All other SFP/SFP+ ports * | Yes | |
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X590, X620, X690, and X695 series switches | SFP/SFP+ ports * | Yes |
ExtremeSwitching X465 |
X465-24W, X465-24XE: ports 1–24 X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48 X465-24MU-24W: ports 25–48 VIM5-4XE: all 4 ports VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only |
No |
ExtremeSwitching 5320 | All ports of all models except stacking ports. | No |
ExtremeSwitching 5420 | All ports of all models except stacking ports. | No |
ExtremeSwitching 5520 | All ports, except 5520-VIM-4X and 24X 10G ports | No |
Note: * For ExtremeSwitching X460-G2
series switches, the VIM-2X option does not support the
LRM/MACsec Adapter.
|