Note
ExtremeSwitching Universal switches natively support MACsec and do not require an adapter.
create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]
configure macsec replay-protect [window_size_in_packets | disable] ports port_list
Replay protection drops out-of-order packets received on a port. The window size is 0 by default, so any packet received out of order is dropped. A non-zero window size sets the range of packet sequence numbers that is tolerated, allowing packets that were reordered by the network to be accepted. If replay protection is disabled, sequence numbers are not checked and out-of-order packets are not dropped.
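The window semantics just described, as an added example that is not Extreme Networks code: a small Python model that follows the IEEE 802.1AE receive check (a packet number below nextPN minus the window is dropped as late, one inside the window is accepted as delayed) and runs a constructed packet-number sequence through window 0, a non-zero window, and protection disabled.

```python
"""Model of the MACsec replay-protection window (added example).

Follows the IEEE 802.1AE receive check: a frame whose packet number (PN)
is below nextPN - window is dropped ("late"); a PN at or above that bound
but below nextPN is accepted and counted as "delayed"; a PN >= nextPN
advances nextPN. A window of None models "replay-protect disable".
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ReplayWindow:
    window: Optional[int]          # None = replay protection disabled
    next_pn: int = 1               # next PN expected on the secure association
    stats: dict = field(default_factory=lambda: {"ok": 0, "delayed": 0, "late": 0})

    def receive(self, pn: int) -> bool:
        """Return True if the frame is accepted, False if it is dropped."""
        if pn >= self.next_pn:                  # in order or ahead: advance
            self.next_pn = pn + 1
            self.stats["ok"] += 1
            return True
        if self.window is None:                 # protection disabled: no check
            self.stats["delayed"] += 1
            return True
        lowest_ok = max(1, self.next_pn - self.window)
        if pn < lowest_ok:                      # older than the window: drop
            self.stats["late"] += 1
            return False
        self.stats["delayed"] += 1              # misordered but inside window
        return True


def run(window: Optional[int], pns):
    """Feed a PN sequence through one window; return (accepted PNs, stats)."""
    rx = ReplayWindow(window)
    accepted = [pn for pn in pns if rx.receive(pn)]
    return accepted, rx.stats


# Constructed sample input: PN 4 and PN 3 arrive after PN 6 was seen.
SAMPLE = [1, 2, 5, 6, 4, 3, 7]

if __name__ == "__main__":
    for w in (0, 3, None):
        print(f"window={'disable' if w is None else w}: {run(w, SAMPLE)}")
```

Like the 802.1AE check it models, a non-zero window does not remember which PNs inside the window were already seen, so a repeated copy of a PN still inside the window is accepted; window 0 is the strict setting.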
configure macsec mka actor-priority actor_priority ports port_list
configure macsec include-sci [enable | disable] ports port_list
configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list
Note
Universal Switches support both GCM-AES-128 and GCM-AES-256 ciphers natively on all ports except for Universal ports U1 and U2.
configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} {cak [encrypted encrypted_cak] | cak} | ports [port_list] [enable | disable]]
Use the ca_name created in Step 2 together with the enable option, and specify the port(s).
Important
After enabling MACsec, if you change the actor priority, replay-protection window, MKA life-time, or include-SCI flag, you must run configure macsec initialize ports port_list afterward; otherwise the change is not accepted.
To delete a previously created CA object, use the following command:
delete macsec connectivity-association ca_name
To clear MACsec counters, use the following command:
clear macsec counters {ports [port_list]}
To reset the MACsec Key Agreement protocol state machine on one or more ports, use the following command:
configure macsec initialize ports port_list
Issuing this command resets the MKA state machine, which in turn deletes any secured channels and their secure association keys (SAKs). This command is also used to apply MACsec configuration changes (mka actor-priority, include-sci, replay-protect, mka life-time) to an already enabled port. All traffic is blocked until MKA renegotiates a new set of keys and those keys are installed. For more information, see IEEE802.1X-2010 Clause 12.9.3 Initialization.
To display a system-wide view of MACsec, use the following command:
show macsec
To display a global summary of MACsec capabilities and status for all or a specified CA, use the following command:
show macsec {connectivity-association {ca_name}}
To display per-port MKA and MACsec data in tabular format, use the following command:
show macsec ports port_list usage
To display a table of all configurable parameters, use the following command:
show macsec ports port_list configuration
To display configuration, status, and statistics for both MKA and MACsec, use the following command:
show macsec ports port_list detail
To display the number of ports that have MACsec enabled and the maximum number of ports allowed per slot, use the following command:
show macsec usage
To display the transmitted and dropped packets for each MACsec engine, use the following command:
show ports macsec-engines [qosmonitor | congestion] {no-refresh | refresh}
To display whether an LRM/MACsec adapter is connected to a port, use either of the following commands:
show ports {mgmt | port_list | tag tag} configuration {no-refresh | refresh}
show ports {mgmt | port_list | tag tag} information {detail}, using the detail option.