Configures a previously created connectivity-association (CA) object that holds MAC Security (MACsec) key authentication data. For a particular CA, you can change the pre-shared key and enable/disable authentication on one or more ports.
| connectivity-association | Secures connectivity provided between MACsec stations. | 
| ca_name | Selects CA object to configure. | 
| pre-shared-key | Selects static MACsec key consisting of both a CKN and CAK: | 
| ckn | Selects changing the CA key name. This public (non-secret) key name allows each of the MKA participants to select which connectivity association key (CAK) to use to process a received MACsec key agreement (MKA) protocol packet (MKPDU). | 
| ckn | Sets the CA key name. Length allowed is 1–32 characters, entered as ASCII or an octet string preceded with 0x. | 
| cak | Sets the connectivity association key (CAK). If you are using 256-bit cipher suite, then the CAK must be 32 octets. The 128-bit cipher suite can use either a 16- or 32-octet CAK. This is a long-lived secret key used to derive short-lived lower-layer keys (ICK, KEK, and SAK) that are used for key distribution and data encryption. | 
| cak | Sets the non-encrypted CAK value. Must be entered as an octet string (for example: “0x859e72f0…”). A 128-bit (16 octet) CAK requires 32 hexadecimal digits, and a 256-bit (32 octet) CAK requires 64 hexadecimal digits. These values are secret and should be generated off switch with a suitable pseudorandom number generator. | 
| encrypted | Designates that secret key value is in encrypted format. | 
| encrypted_cak | Sets the value for the secret key. The encrypted CAK value is generated by the show configuration macsec command for previously configured CAKs. | 
| ports | Specifies configuring ports. | 
| port_list | Lists which ports to configure. | 
| enable | Enables the MKA connectivity association on the selected port list. | 
| disable | Disables the MKA connectivity association on the selected port list. | 
N/A.
You can only enable/disable CAs on ports that support MACsec.
If execution of this command results in MACsec being enabled on more than 48 ports for a given 5320 or 5420 series switch, then the command will fail.

Note
The CAK shown here is an example. Use your own random number for maximum security.
# configure macsec connectivity-association testca pre-shared-key ckn "the red key" cak "0x01020304050607080910111213141516"
# configure macsec connectivity-association testca ports 13 enable
# configure macsec connectivity-association testca ports 13 disable
This command was first available in ExtremeXOS 30.1.
Support for the 256-bit cipher suite was added in ExtremeXOS 30.2.
This command is available on the following platforms.

Note
The MACsec feature requires the installation of the MAC Security feature pack license.

| Platform | Ports | 
|---|---|
| ExtremeSwitching 5320 | All ports of all models except stacking ports. | 
| ExtremeSwitching 5420 | All ports of all models except stacking ports. | 
| ExtremeSwitching 5520 | All ports, except 5520-VIM-4X and 5520-24X 10G ports | 
| ExtremeSwitching 5720 | All ports of all models except stacking ports. |