31. macsec commands

configure
    macsec
        apply-groups reference
        apply-groups-exclude reference
        connectivity-association [ca-name] string
            admin-state keyword
            apply-groups reference
            apply-groups-exclude reference
            cipher-suite keyword
            clear-tag-mode keyword
            delay-protection boolean
            description string
            encryption-offset number
            macsec-encrypt boolean
            replay-protection boolean
            replay-window-size number
            static-cak
                active-psk number
                apply-groups reference
                apply-groups-exclude reference
                mka-hello-interval keyword
                mka-key-server-priority number
                pre-shared-key [psk-id] number
                    apply-groups reference
                    apply-groups-exclude reference
                    cak string
                    cak-name string
                    encryption-type keyword
        mac-policy [mac-policy-id] number
            apply-groups reference
            apply-groups-exclude reference
            destination-mac-address [dest-mac-addr] string

31.1. macsec command descriptions

macsec

Synopsis

Enter the macsec context

Introduced

16.0.R1

Platforms

All

connectivity-association [ca-name] string

Synopsis

Enter the connectivity-association list instance

Introduced

16.0.R1

Platforms

All

[ca-name] string

Synopsis

Connectivity association name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the connectivity association

Default

disable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

cipher-suite keyword

Synopsis

Data path encryption algorithm

Default

gcm-aes-128

Options

gcm-aes-128, gcm-aes-256, gcm-aes-xpn-128, gcm-aes-xpn-256

Introduced

16.0.R1

Platforms

All

clear-tag-mode keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Clear tag mode for clear text before the SecTAG

Default

none

Options

none, single-tag, dual-tag

Introduced

16.0.R1

Platforms

All

delay-protection boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enable delay protection

Default

false

Introduced

20.10.R1

Platforms

All

description string

Synopsis

Text description

String Length

1 to 80

Introduced

16.0.R1

Platforms

All

encryption-offset number

Synopsis

Confidentiality (encryption) offset

Range

0 | 30 | 50

Default

0

Introduced

16.0.R1

Platforms

All

macsec-encrypt boolean

Synopsis

Encrypt and authenticate all PDUs

Description

When configured to true, all PDUs are encrypted and authenticated.

When configured to false, all PDUs are transmitted in clear text; however, they are still authenticated and carry the trailing ICV.

Default

true

Introduced

16.0.R1

Platforms

All

replay-protection boolean

Synopsis

Discard packet when not within the replay window size

Description

When configured to true, replay protection is enabled and packets are discarded when they are not within the replay window size.

With replay protection, the sequence of the ID numbers of received packets is checked. If a packet arrives out of sequence and the difference between the packet IDs exceeds the replay protection window size, the packet is counted by the receiving port and discarded. For example, if the replay protection window size is configured to five and a packet with an ID of 1006 arrives on the receiving link immediately following the packet assigned an ID of 1000, the packet with ID 1006 is counted and discarded because it falls outside the window size.

Replay protection is particularly useful for addressing man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link that arrives on the receiving link out of sequence will be detected and dropped instead of forwarded through the network.

Replay protection should not be enabled in cases where packets are expected to arrive out of order.

When configured to false, replay protection is not enabled.
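The window check as the description above states it, implemented as an added illustration (this is not SR OS code); packet IDs stand in for the packet numbers carried in the SecTAG, and the sample ID sequences are constructed.

```python
# Added example (not Nokia SR OS code): models the replay-protection check
# as described above. A packet in sequence is always accepted; an
# out-of-sequence packet is accepted only while the gap between its ID and
# the last accepted ID stays within replay-window-size, otherwise it is
# counted and discarded.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ReplayWindow:
    """Per-receive-port replay check driven by replay-window-size."""
    window_size: int                      # 0 = strict in-order delivery
    last_id: Optional[int] = None         # ID of the last accepted packet
    discarded: int = 0                    # dropped packets are counted
    log: List[str] = field(default_factory=list)

    def receive(self, packet_id: int) -> bool:
        """Return True if the packet is accepted, False if discarded."""
        if self.last_id is None:
            self.last_id = packet_id
            return True
        if packet_id == self.last_id + 1:
            self.last_id = packet_id      # in sequence: always accepted
            return True
        if abs(packet_id - self.last_id) > self.window_size:
            self.discarded += 1
            self.log.append(
                f"discard id={packet_id} last={self.last_id} "
                f"window={self.window_size}")
            return False
        # Reordered (or duplicated) but inside the window: accepted. A replayed
        # copy whose ID still lies inside a nonzero window therefore passes
        # this check; window size 0 is the strict setting.
        self.last_id = max(self.last_id, packet_id)
        return True


def run_sequence(window_size: int, ids: List[int]) -> Tuple[List[int], int]:
    """Feed constructed packet IDs through one window.

    Returns (accepted IDs in arrival order, number of discarded packets).
    """
    rw = ReplayWindow(window_size)
    accepted = [pid for pid in ids if rw.receive(pid)]
    return accepted, rw.discarded


if __name__ == "__main__":
    # The description's own case: window 5, ID 1006 right after ID 1000.
    print(run_sequence(5, [1000, 1006]))           # ([1000], 1)
    print(run_sequence(0, [1000, 1001, 1000]))     # replayed copy dropped
```

IEEE 802.1AE itself frames the check as dropping a packet whose PN is below the lowest acceptable PN for the window; the model above follows the wording of this description so that its 1006-after-1000 case is reproduced.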

Default

false

Introduced

16.0.R1

Platforms

All

replay-window-size number

Synopsis

Replay protection window size

Range

0 to 4294967294

Default

0

Introduced

16.0.R1

Platforms

All

static-cak

Synopsis

Enter the static-cak context

Description

Commands in this context configure the Connectivity Association Key (CAK) to manage the MACsec Key Agreement (MKA).

Introduced

16.0.R1

Platforms

All

active-psk number

Synopsis

Active pre-shared-key (PSK)

Description

This command specifies the active transmitting PSK. If two PSKs are configured, arriving MKA PDUs can be decrypted using the CAK of either PSK; however, only the active PSK is used for TX encryption of MKA PDUs.

Range

1 to 2

Default

1

Introduced

16.0.R1

Platforms

All

mka-hello-interval keyword

Synopsis

MKA hello interval

Description

This command configures the interval at which MKA hello packets are sent or received for the connectivity association.

Default

2

Options

1, 2, 3, 4, 5, 6, 500ms

Introduced

19.5.R1

Platforms

All

mka-key-server-priority number

Synopsis

Key server priority used by the MKA protocol

Description

This command specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode.

Range

0 to 255

Default

16

Introduced

16.0.R1

Platforms

All

pre-shared-key [psk-id] number

Synopsis

Enter the pre-shared-key list instance

Description

Commands in this context configure pre-shared key attributes to enable MACsec using static connectivity association key (CAK) security mode.

A pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). The pre-shared key (both the CKN and the CAK) must match on both ends of a link.

A pre-shared key is configured on both devices at each end of a point-to-point link to enable MACsec via static CAK security mode. The MACsec Key Agreement (MKA) protocol is enabled after the successful MKA liveliness negotiation.

The encryption type is used to encrypt the SAK and authenticate the MKA packet. The symmetric encryption key SAK (Security Association Key) must be encrypted (wrapped) by the MKA protocol. The AES key used for this is derived from the pre-shared key.

Max. Elements

2

Introduced

16.0.R1

Platforms

All

[psk-id] number

Synopsis

Pre-shared-key (PSK) ID

Range

1 to 2

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

cak string

Synopsis

Connectivity association key (CAK) for the PSK

Description

This command specifies the connectivity association key (CAK) for the pre-shared key. Two values are derived from the CAK:

  1. Key Encryption Key (KEK), used to encrypt the MKA and SAK (symmetric key used for data path PDUs) distributed between all members
  2. Integrity Check Value (ICV), used to authenticate the MKA and SAK PDUs distributed between all members

String Length

1 to 71

Introduced

16.0.R1

Platforms

All

cak-name string

Synopsis

Connectivity association key name (CKN) for the PSK

Description

This command specifies the connectivity association key name (CKN) for the pre-shared key. The CKN is appended to the MKA for identification of the appropriate CAK by the peer.

String Length

1 to 64

Introduced

16.0.R1

Platforms

All

encryption-type keyword

Synopsis

Encryption for authentication of the MKA packet

Options

aes-128-cmac, aes-256-cmac

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

mac-policy [mac-policy-id] number

Synopsis

Enter the mac-policy list instance

Introduced

16.0.R5

Platforms

All

[mac-policy-id] number

Synopsis

MAC address policy ID

Max. Range

0 to 4294967295

Notes

This element is part of a list key.

Introduced

16.0.R5

Platforms

All

destination-mac-address [dest-mac-addr] string

Synopsis

Add a list entry for destination-mac-address

Max. Elements

5

Introduced

16.0.R5

Platforms

All

[dest-mac-addr] string

Synopsis

Destination MAC address added to the MAC policy

Notes

This element is part of a list key.

Introduced

16.0.R5

Platforms

All