macsec
config
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command enables the context for MACsec configuration. The MACsec MKA profile can be configured in this context.
connectivity-association ca-name [create]
no connectivity-association ca-name
config>macsec
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command configures a connectivity association (CA). MACsec CAs are applied to a port dot1x configuration to enable MACsec on that port.
The no form of this command removes the CA.
Specifies the name of the CA using a string of up to 32 characters.
Specifies a mandatory keyword when creating an entry.
cipher-suite cipher-suite
no cipher-suite
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command configures encryption of datapath PDUs. When all parties in the CA have the security association key (SAK), they use the algorithm specified by the cipher-suite parameter, in conjunction with the SAK, to encrypt the datapath PDUs.
The no form of this command disables encryption of datapath PDUs.
cipher-suite gcm-aes-128
Specifies the algorithm to use for control plane encryption.
clear-tag-mode clear-tag-mode
no clear-tag-mode
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command puts 802.1Q tags in clear before SecTAG. The following modes are available: single-tag and dual-tag.
The following table describes the encrypted dot1q and QinQ packet format when clear-tag-mode (single-tag or dual-tag) is configured.
Unencrypted format | Clear-tag-mode | Pre-encryption (Tx) | Pre-decryption (Rx)
---|---|---|---
Single tag (dot1q) | single-tag | DA, SA, TPID, VID, Etype | DA, SA, TPID, VID, SecTAG
Single tag (dot1q) | dual-tag | DA, SA, TPID, VID, Etype | DA, SA, TPID, VID, SecTAG
Double tag (QinQ) | single-tag | DA, SA, TPID1, VID1, TPID2, VID2, Etype | DA, SA, TPID1, VID1, SecTAG
Double tag (QinQ) | dual-tag | DA, SA, TPID1, VID1, TPID2, VID2, Etype | DA, SA, TPID1, VID1, TPID2, VID2, SecTAG
The no form of this command puts all dot1q tags after SecTAG and encrypts the tags.
no clear-tag-mode
Specifies the clear tag mode.
description description-string
no description
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command enters a description for the CA.
The no form of this command removes the CA description.
Specifies a brief description of the CA using a string of up to 80 characters.
encryption-offset encryption-offset
no encryption-offset
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command specifies the offset of the encryption in MACsec packets.
The encryption offset is distributed by the MKA to all parties and is signaled via MACsec capabilities.
The following table describes the MACsec capability values signaled by MKA.
Setting | Description
---|---
0 | MACsec is not implemented
1 | Integrity without confidentiality
2 | The following are supported: integrity without confidentiality; integrity and confidentiality with a confidentiality offset of 0
3 | The following are supported: integrity without confidentiality; integrity and confidentiality with a confidentiality offset of 0, 30, or 50
The no form of this command rejects all arriving traffic regardless of whether it is MACsec-secured.
encryption-offset 0
Specifies the encryption offset.
[no] macsec-encrypt
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command enables encryption and authentication (ICV payload) for all PDUs.
The no form of this command specifies that all PDUs are transmitted in cleartext form but still authenticated and have the trailing ICV.
macsec-encrypt
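As an added illustration (not part of the Nokia documentation), the following Python constructs and parses MACsec frames laid out as the clear-tag-mode table above describes, and splits the body at the confidentiality offset that encryption-offset distributes, with the E bit distinguishing macsec-encrypt from no macsec-encrypt. The TPID set, addresses, ICV filler and sample payloads are constructed values for this example.

```python
import struct

MACSEC_ETYPE = 0x88E5
VLAN_TPIDS = (0x8100, 0x88A8)        # 802.1Q / 802.1ad TPIDs (assumed for this example)
ICV_LEN = 16                          # GCM-AES ICV length

def build_frame(clear_tags, tci_an, pn, body, sci=None):
    """Construct a MACsec frame: DA, SA, clear 802.1Q tags, SecTAG, body, ICV.
    clear_tags is a list of (TPID, VID) placed before the SecTAG, i.e. what
    clear-tag-mode leaves in clear. Addresses and the ICV are constructed filler."""
    frame = b"\x02" * 6 + b"\x04" * 6
    for tpid, vid in clear_tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    sl = len(body) if len(body) < 48 else 0       # SL is only set for short payloads
    frame += struct.pack("!HBBI", MACSEC_ETYPE, tci_an, sl, pn)
    if tci_an & 0x20:                             # SC bit: explicit 8-byte SCI follows
        frame += sci
    return frame + body + b"\xEE" * ICV_LEN

def parse_frame(frame, confidentiality_offset=0):
    """Return the clear tags, SecTAG fields and the split of the body into the
    integrity-only prefix and the confidential data. confidentiality_offset is
    the encryption-offset value MKA distributes; it is not carried in the frame."""
    off, clear_tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] in VLAN_TPIDS:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        clear_tags.append((tpid, tci & 0x0FFF))
        off += 4
    etype, tci_an, sl, pn = struct.unpack_from("!HBBI", frame, off)
    if etype != MACSEC_ETYPE:
        raise ValueError("expected SecTAG, got EtherType 0x%04x" % etype)
    sectag_len = 16 if tci_an & 0x20 else 8       # SC bit adds the SCI
    sci = frame[off + 8:off + 16] if sectag_len == 16 else None
    encrypted = bool(tci_an & 0x08)               # E bit: body is encrypted
    body = frame[off + sectag_len:-ICV_LEN]
    if sl and sl != len(body):
        raise ValueError("SL %d does not match body length %d" % (sl, len(body)))
    # With macsec-encrypt the first confidentiality_offset bytes after the SecTAG
    # are integrity-protected only; with no macsec-encrypt the whole body is clear.
    split = confidentiality_offset if encrypted else len(body)
    return {"clear_tags": clear_tags, "an": tci_an & 0x03, "pn": pn, "sci": sci,
            "encrypted": encrypted, "clear_prefix": body[:split],
            "secure_data": body[split:], "icv": frame[-ICV_LEN:]}
```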
[no] replay-protection
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command configures the size of the replay protection window.
This command must be configured to force packet discard when the system detects a packet that is not within the parameters configured for the replay-window-size command.
When this command is enabled, the packet numbers of received packets are checked for sequence. If the packet arrives out of sequence, and the difference between the packet numbers exceeds the replay window size, the packet is counted by the receiving port and then discarded. For example, if the replay protection window size is set to 5 and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet that is assigned the ID of 1006 is counted and discarded because it falls outside the parameters of the replay-window-size command.
Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link arrives on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.
Replay protection should not be enabled in cases where packets are expected to arrive out of order.
replay-protection
replay-window-size number-of-packets
no replay-window-size
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command specifies the size of the replay protection window.
This command must be configured to enable the replay-protection command.
When the number-of-packets parameter is set to 0, all packets that arrive out of order are dropped.
The no form of this command reverts to the default value.
replay-window-size 0
Specifies the window that the packets can arrive out of order.
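The following added Python (not from the Nokia documentation) models the receive-side check that replay-protection and replay-window-size configure, following the IEEE 802.1AE lowest-acceptable-PN rule: a packet number that has fallen more than the window behind the highest packet number received is counted and discarded, and window 0 discards every out-of-order packet. The packet number sequences are constructed.

```python
class ReplayWindow:
    """Receive-side packet number (PN) check for one secure association, per the
    IEEE 802.1AE rule: a frame is discarded when its PN is below the lowest
    acceptable PN, which trails the next expected PN by the configured window."""

    def __init__(self, window_size, replay_protection=True):
        self.window = window_size            # replay-window-size
        self.enabled = replay_protection     # replay-protection on/off
        self.next_pn = 1                     # first PN sent under a new SAK is 1
        self.discarded = 0                   # frames counted and dropped by the port

    def lowest_acceptable_pn(self):
        return max(1, self.next_pn - self.window)

    def receive(self, pn):
        """Return True if the frame is accepted, False if counted and discarded."""
        if self.enabled and pn < self.lowest_acceptable_pn():
            self.discarded += 1
            return False
        if pn >= self.next_pn:               # only the highest PN seen moves the window
            self.next_pn = pn + 1
        return True

def check_sequence(window_size, pns, replay_protection=True):
    """Run a constructed sequence of PNs through one window; returns the verdicts."""
    rw = ReplayWindow(window_size, replay_protection)
    return [rw.receive(pn) for pn in pns]
```

A replayed frame whose PN is still inside a nonzero window is accepted, which is why replay-window-size 0 is the strict setting and the window should stay small unless reordering is expected.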
[no] shutdown
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command shuts down the CA profile. Ports using this profile stop transmitting PDUs, because MACsec is shut down for the profile.
The no form of this command enables the CA profile.
shutdown
[no] static-cak
config>macsec>connectivity-association
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
Commands in this context configure a Connectivity Association Key (CAK). A CAK is responsible for managing the MACsec key agreement (MKA).
active-psk active-pre-shared-key
no active-psk
config>macsec>conn-assoc>static-cak
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command specifies which preshared key is the active transmitting preshared key. If there are two preshared keys configured, the arriving MACsec MKA can be decrypted using CAKs of both preshared keys; however, only the active PSK is used for Tx encryption of MKA PDUs.
active-psk 1
Specifies the value of the preshared key.
mka-key-server-priority priority
no mka-key-server-priority
config>macsec>conn-assoc>static-cak
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command specifies the key server priority used by the MKA protocol to select the key server when MACsec is enabled using the static CAK security mode.
The no form of this command disables this command.
mka-key-server-priority 16
Specifies the priority of the server.
pre-shared-key pre-shared-key-index [encryption-type encryption-type] [create]
no pre-shared-key pre-shared-key-index
config>macsec>conn-assoc>static-cak
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command specifies the preshared key used to enable MACsec using the static CAK security mode. This command also specifies the encryption algorithm used for encrypting the SAK.
A preshared key includes a connectivity association key name (CKN) and a CAK. The preshared key (the CKN and CAK) must match on both ends of a link.
A preshared key is configured on both devices at each end of a point-to-point link to enable MACsec using static CAK security mode. The MKA protocol is enabled after the successful MKA liveness negotiation.
The encryption-type parameter selects the algorithm used to encrypt (wrap) the SAK and to authenticate the MKA packet. The symmetric SAK is wrapped with the algorithm specified by the encryption-type parameter, using an AES key derived from the preshared key.
The no form of this command removes the index.
Specifies the index of this preshared key.
Specifies the type of encryption.
Specifies a mandatory keyword when creating an entry.
cak hex-string [hash | hash2]
no cak
config>macsec>conn-assoc>static-cak>pre-shared-key
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command configures the CAK for a preshared key. The following values are derived from the CAK:
KEK (Key Encryption Key)
KEK is used to encrypt the MKA and SAK (symmetric key used for datapath PDUs) to be distributed between all members.
ICK (Integrity Check Value Key)
ICK is used to authenticate the MKA and SAK PDUs to be distributed between all members.
The no form of this command removes the CAK hexadecimal string value.
Specifies the value of the CAK as a hexadecimal string: 32 hexadecimal characters for a 128-bit key or 64 hexadecimal characters for a 256-bit key.
Specifies the hash scheme.
Specifies the hash scheme.
ckn hex-string
no ckn
config>macsec>conn-assoc>static-cak>pre-shared-key
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command specifies the connectivity association key name (CKN) for a preshared key.
The CKN is carried in the MKA PDUs so that the peer can identify which CAK is in use.
The no form of this command removes the CKN.
Specifies the value of the CKN.