This feature provides secure communication between two infrastructure devices using the MAC Security (MACsec) protocol, as defined by IEEE 802.1X-2010 Port Based Network Access Control and IEEE 802.1AE-2006 Media Access Control (MAC) Security. Peer authentication is achieved using pre-shared keys (PSK), which are configured on each device using CLI commands. Interoperability with other MACsec-capable devices is provided
Platform | Ports | LRM/MACsec Adapter Required? |
---|---|---|
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | All other SFP/SFP+ ports * | Yes |
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X620, and X690 series switches | SFP/SFP+ ports * | Yes |

Note: * For Summit X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.

Note
The MACsec feature requires the installation of the MAC Security feature pack license.

Note
When an LRM/MACsec Adapter is powered on, ExtremeXOS may update its firmware if a newer version is available. The following message appears. Do not reboot.

```
LRM/MACsec Adapter new firmware update on port <port>.
This may take a few minutes. Please do not reboot the Switch or Adapter.
-> Downloading new firmware: 100%
-> Verifying new firmware: 100%
LRM/MACsec Adapter new firmware update on port <port> complete.
```

Note
MACsec between customer edges over L2VPN is supported on untagged access ports.

clear macsec counters {ports [port_list]}
create macsec connectivity-association ca_name pre-shared-key ckn ckn cak {encrypted} cak
delete macsec connectivity-association ca_name
configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} cak {encrypted} cak | ports [port_list] [enable | disable]]
configure macsec mka actor-priority actor_priority ports port_list
configure macsec replay-protect [window_size_in_packets | disable] ports port_list
configure macsec include-sci [enable | disable] ports port_list
configure macsec hw-mode ports port_list [macsec-mode | half-duplex-mode]
configure macsec initialize ports port_list
show macsec
show macsec connectivity-association {ca_name}
show macsec ports port-list
show macsec ports port-list configuration
show macsec ports port-list detail
The following show commands now show MACsec information:
show ports
show ports information
The following show commands now show that an LRM/MACsec Adapter is connected to a port:
show ports {mgmt | port_list | tag tag} configuration {no-refresh | refresh}
show port {mgmt | port_list | tag tag} information {detail}
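
The `configure macsec replay-protect` command listed above takes a window size in packets. As an added example (not from the original page and not ExtremeXOS code), this Python model of the receive-side replay check specified in IEEE 802.1AE shows how the window size decides which late or duplicated frames are dropped. The class and function names and the arrival sequence are constructed, and it is an assumption that the switch applies the standard's check unchanged.

```python
"""Model of the IEEE 802.1AE receive-side replay check (illustrative, not ExtremeXOS code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ReceiveSA:
    """Receive state for one secure association (hypothetical name)."""
    # None models "replay-protect disable"; 0 enforces strict ordering.
    replay_window: Optional[int]
    next_pn: int = 1     # next packet number (PN) expected
    lowest_pn: int = 1   # lowest PN that is still acceptable

    def accept(self, pn: int) -> bool:
        """Return True if a frame carrying this PN passes the replay check."""
        if self.replay_window is not None and pn < self.lowest_pn:
            return False  # below the window: dropped as late or replayed
        # The frame's integrity check would run here; assumed to pass.
        self.next_pn = max(self.next_pn, pn + 1)
        if self.replay_window is not None:
            self.lowest_pn = max(self.lowest_pn,
                                 self.next_pn - self.replay_window)
        return True


def run(window: Optional[int], pns: List[int]) -> List[bool]:
    """Feed a sequence of PNs through a fresh SA and return each verdict."""
    sa = ReceiveSA(replay_window=window)
    return [sa.accept(pn) for pn in pns]


# Constructed arrival order: frame 3 is delayed, frame 2 is duplicated late.
ARRIVALS = [1, 2, 4, 5, 3, 6, 2]

if __name__ == "__main__":
    for window in (0, 3, 8, None):
        print(f"window={window}: {run(window, ARRIVALS)}")
```

A window of 0 drops every out-of-order frame, while a window wider than the reordering on the path also accepts a duplicate whose PN is still inside the window. Size the window to the reordering actually observed on the link and no larger.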
The following table shows tested MACsec interoperability with Extreme and third-party devices.
ExtremeXOS Switch | Hardware | Software |
---|---|---|
X460G2-24p-24hp | Virtual Machine | RHEL version 7 |
X460G2-24p-24hp | Virtual Machine | CentOS Version 7.5.1804 |
X460G2-24p-24hp | Extreme switch TOR 7100g - 71G21K2L2-24P24 | EOS 08.41.01.0004 |
X460G2-24p-24hp | Juniper EX4200 | JUNOS 14.1X53-D15.2 |