create macsec connectivity-association

create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]

Description

Creates a named connectivity-association (CA) object that holds MAC Security (MACsec) key authentication data.

Syntax Description

connectivity-association Secures connectivity provided between MACsec stations.
ca_name Defines CA object name.
pre-shared-key Selects static MACsec key consisting of both a CKN and CAK:
ckn

Selects CA key name.

This public (non-secret) key name allows each of the MKA participants to select which connectivity association k ey (CAK) to use to process a received MACsec key agreement (MKA) protocol packets (MKPDU).
ckn

Sets the CA key name. Length allowed is 1–32 characters, entered as ASCII or an octet string preceded with 0x.
cak

Sets the connectivity association key (CAK). If you are using 256-bit cipher suite, then the CAK must be 32 octets. The 128-bit cipher suite can use either a 16- or 32-octet CAK.

This is a long-lived secret key used to derive short-lived lower-layer keys (ICK, KEK, and SAK) which are used for key distribution and data encryption.
cak Sets the non-encrypted CAK value. Must be entered as an octet string (for example: “0x859e72f0…”). A 128-bit (16 octet) CAK requires 32 hexadecimal digits, and a 256-bit (32 octet) CAK requires 64 hexadecimal digits. These values are secret and should be generated off switch with a suitable pseudorandom number generator.
encrypted Designates that secret key value is in encrypted format.
encrypted_cak Sets the value for the secret key. The encrypted CAK value is generated by the show configuration macsec command for previously configured CAKs.

Default

N/A.

Usage Guidelines

Up to 64 unique CA profiles can be created.

Example

The following example creates the CA object "testca" with a CKN of "the blue key" and 128-bit CAK of “0x01020304050607080910111213141516”:
# create macsec connectivity-association testca pre-shared-key ckn “the blue key” cak “0x01020304050607080910111213141516”
The following example creates the CA object "testca2" with a CKN of "the red key" and 256-bit CAK of “0x0102030405060708091011121314151617181920212223242526272829303132”:
# create macsec connectivity-association testca2 pre-shared-key ckn “the red key” cak “0x0102030405060708091011121314151617181920212223242526272829303132”
# show macsec connectivity-association
MACsec CAK Bit 
CA Name Ports Length CAK Name (CKN)
 -------------------------------- --------------------
testca None 128 the blue key 
testca2 None 256 the red key
Note

Note

The CAKs shown here are examples. Use your own random number for maximum security.

History

This command was first available in ExtremeXOS 30.1.

Platform Availability

This command is available on the following platforms.

Note

Note

The MACsec feature requires the installation of the MAC Security feature pack license.
Platform Ports LRM/MACsec Adapter Required?
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches Half-duplex, 1G ports (25–48) No
All other SFP/SFP+ ports * Yes
ExtremeSwitching X450-G2, X460-G2, X440-G2, X590, X620, and X695 series switches SFP/SFP+ ports * Yes
ExtremeSwitching X465

X465-24W, X465-24XE: ports 1–24

X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48

X465-24MU-24W: ports 25–48

VIM5-4XE: all 4 ports

VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports

VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only

 No
Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.
9037487-00 Rev AB