configure macsec connectivity-association
Description
Configures a previously created connectivity-association (CA) object that holds MAC Security (MACsec) key authentication data. For a particular CA, you can change the pre-shared key and enable/disable authentication on one or more ports.
Syntax Description
| connectivity-association | Secures connectivity provided between MACsec stations. |
| ca_name | Selects CA object to configure. |
| pre-shared-key | Selects static MACsec key consisting of both a CKN and CAK: |
| ckn |
Selects changing the CA key name. This public (non-secret) key name allows each of the MKA participants to select which connectivity association key (CAK) to use to process a received MACsec key agreement (MKA) protocol packets (MKPDU). |
| ckn |
Sets the CA key name. Length allowed is 1–32 characters, entered as ASCII or an octet string preceded with 0x. |
| cak |
Sets the connectivity association key (CAK). If you are using 256-bit cipher suite, then the CAK must be 32 octets. The 128-bit cipher suite can use either a 16- or 32-octet CAK. This is a long-lived secret key used to derive short-lived lower-layer keys (ICK, KEK, and SAK) that are used for key distribution and data encryption. |
| cak | Sets the non-encrypted CAK value. Must be entered as an octet string (for example: “0x859e72f0…”). A 128-bit (16 octet) CAK requires 32 hexadecimal digits, and a 256-bit (32 octet) CAK requires 64 hexadecimal digits. These values are secret and should be generated off switch with a suitable pseudorandom number generator. |
| encrypted | Designates that secret key value is in encrypted format. |
| encrypted_cak | Sets the value for the secret key. The encrypted CAK value is generated by the show configuration macsec command for previously configured CAKs. |
| ports | Specifies configuring ports. |
| port_list | Lists which ports to configure. |
| enable | Enable the MKA connectivity association on the selected port list. |
| disable | Disables the MKA connectivity association on the selected port list. |
Default
N/A.
Usage Guidelines
You can only enable/disable CAs on ports that support MACsec.
If execution of this command results in MACsec being enabled on more than 48 ports for a given 5320 or 5420 series switch, then the command will fail.
Example
Note
The CAK shown here is an example. Use your own random number for maximum security.configure macsec connectivity-association testca pre-shared-key ckn “the red key” cak “0x01020304050607080910111213141516”
# configure macsec connectivity-association testca ports 13 enable
# configure macsec connectivity-association testca ports 13 disable
History
This command was first available in ExtremeXOS 30.1.
Support for 256-cipher suite was added in ExtremeXOS 30.2.
Platform Availability
This command is available on the following platforms.
Note
The MACsec feature requires the installation of the MAC Security feature pack license.| Platform | Ports |
|---|---|
| ExtremeSwitching 5320 | All ports of all models except stacking ports. |
| ExtremeSwitching 5420 | All ports of all models except stacking ports. |
| ExtremeSwitching 5520 | All ports, except 5520-VIM-4X and 5520-24X 10G ports |
| ExtremeSwitching 5720 | All ports of all models except stacking ports. |