MAC Security (MACsec) with Pre-shared Key (PSK) Authentication

This feature provides secure communication between two infrastructure devices using the MAC Security (MACsec) protocol, as defined by IEEE 802.1X-2010 Port-Based Network Access Control and IEEE 802.1AE-2006 Media Access Control (MAC) Security. Peer authentication uses pre-shared keys (PSKs), which are configured on each device using CLI commands; both peers must hold the same key. Interoperability with other MACsec-capable devices is provided.

Supported Platforms

Platform | Ports | LRM/MACsec Adapter Required?
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex 1G ports (25–48) | No
(same switches) | All other SFP/SFP+ ports * | Yes
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X620, and X690 series switches | SFP/SFP+ ports * | Yes

Note: * For Summit X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.
Note: The MACsec feature requires the installation of the MAC Security feature pack license.
Note: When an LRM/MACsec Adapter is powered on, ExtremeXOS may update its firmware if a newer version is available. The following message appears. Do not reboot.
LRM/MACsec Adapter new firmware update on port <port>. This may take a few minutes. Please do not reboot the Switch or Adapter.
-> Downloading new firmware: 100%
-> Verifying new firmware: 100%
LRM/MACsec Adapter new firmware update on port <port> complete.

Limitations

  • This initial release of MACsec only implements point-to-point LANs within a secured network as described in Clause 7.4, "MACsec to support Infrastructure LANs", of the much broader standard outlined in IEEE 802.1X-2010 Port-Based Access Control. All other sections and clauses are not supported.
    Note: MACsec between customer edges over L2VPN is supported on untagged access ports.
  • MACsec is only configurable using CLI commands. There is no SNMP access to the two MACsec MIBs defined by IEEE: IEEE8021X-PAE-MIB and IEEE8021-SECY-MIB.
  • MACsec is not supported on ports with stacking enabled.
  • MACsec is not supported on Extended Edge Switching ports.

New CLI Commands

clear macsec counters {ports [port_list]}

create macsec connectivity-association ca_name pre-shared-key ckn ckn cak {encrypted} cak

delete macsec connectivity-association ca_name

configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} cak {encrypted} cak | ports [port_list] [enable | disable]]

configure macsec mka actor-priority actor_priority ports port_list

configure macsec replay-protect [window_size_in_packets | disable] ports port_list

configure macsec include-sci [enable | disable] ports port_list

configure macsec hw-mode ports port_list [macsec-mode | half-duplex-mode]

configure macsec initialize ports port_list

show macsec

show macsec connectivity-association {ca_name}

show macsec ports port_list

show macsec ports port_list configuration

show macsec ports port_list detail
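The following is a worked configuration that strings the commands above together for a single uplink port. It is an illustration added here, not configuration taken from the original document or from Extreme. The CA name (ca_uplink), the port number (25), the CKN and CAK hex strings, the replay window and the priority value are constructed placeholders; the hex lengths (a 16-byte CKN and a 16-byte CAK) follow the sizes IEEE 802.1X-2010 defines for MKA PSKs and are an assumption about what the CLI accepts. The peer device must be configured with exactly the same CKN and CAK, or the MKA session will never come up.

```text
# Constructed example, not from the original document; all values are placeholders.

# 1. Create the connectivity association (CA) from the pre-shared key.
#    The CKN identifies the key, the CAK is the secret: both must match on the peer.
#    The optional "encrypted" keyword (see the command syntax above) stores the CAK in
#    encrypted form in the saved configuration.
create macsec connectivity-association ca_uplink pre-shared-key ckn 0123456789abcdef0123456789abcdef cak 00112233445566778899aabbccddeeff

# 2. Assumption: on X460-G2 ports that run MACsec without an adapter, select MACsec mode first.
configure macsec hw-mode ports 25 macsec-mode

# 3. Bind the CA to the port and enable MACsec on it.
configure macsec connectivity-association ca_uplink ports 25 enable

# 4. Reject replayed frames outside a 64-packet window and carry the SCI in the SecTAG
#    so the peer can unambiguously identify the sending secure channel.
configure macsec replay-protect 64 ports 25
configure macsec include-sci enable ports 25

# 5. Prefer this switch as the MKA key server (in MKA the lower value wins the election).
configure macsec mka actor-priority 1 ports 25

# 6. Verify: the CA is bound, the MKA session is established, and counters move
#    after traffic is sent. Clear the counters first to get a clean baseline.
clear macsec counters ports 25
show macsec connectivity-association ca_uplink
show macsec ports 25 configuration
show macsec ports 25 detail
```

When checking the two ends, compare the CKN shown by `show macsec connectivity-association` on each switch rather than the CAK: the CKN is not secret and a mismatch there is the most common reason for a session that stays down. If the link needs to be re-keyed after a configuration change, `configure macsec initialize ports 25` restarts MKA on the port.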

Changed CLI Commands

The following show commands now show MACsec information:

show ports

show ports information

The following show commands now show that an LRM/MACsec adapter is connected to a port:

show ports {mgmt | port_list | tag tag} configuration {no-refresh | refresh}

show ports {mgmt | port_list | tag tag} information {detail}

MACsec Interoperability with Extreme/Third-Party Devices

The following table shows tested MACsec interoperability with Extreme and third-party devices.

ExtremeXOS Switch | Hardware | Software
X460G2-24p-24hp | Virtual Machine | RHEL version 7
X460G2-24p-24hp | Virtual Machine | CentOS version 7.5.1804
X460G2-24p-24hp | Extreme switch TOR 7100g - 71G21K2L2-24P24 | EOS 08.41.01.0004
X460G2-24p-24hp | Juniper EX4200 | JUNOS 14.1X53-D15.2