Device-oriented MACsec configuration example
Network requirements
As shown in Figure 138, Device A is the MACsec key server.
To secure data transmission between the two devices with MACsec, perform the following tasks on both Device A and Device B:
Set the MACsec confidentiality offset to 30 bytes.
Enable MACsec replay protection, and set the replay protection window size to 100.
Set the MACsec validation mode to strict.
Configure the CAK name (CKN) and the CAK as E9AC and 09DB3EF1, respectively.
Figure 138: Network diagram
Configuration procedure
Configure Device A:
# Enter system view.
<DeviceA> system-view
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceA] interface gigabitethernet 1/0/1
# Enable MACsec desire on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] macsec desire
# Set the MKA key server priority to 5.
[DeviceA-GigabitEthernet1/0/1] mka priority 5
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceA-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceA-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceA-GigabitEthernet1/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceA-GigabitEthernet1/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceA-GigabitEthernet1/0/1] macsec validation mode strict
# Enable MKA on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mka enable
[DeviceA-GigabitEthernet1/0/1] quit
Configure Device B:
# Enter system view.
<DeviceB> system-view
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceB] interface gigabitethernet 1/0/1
# Enable MACsec desire on GigabitEthernet 1/0/1.
[DeviceB-GigabitEthernet1/0/1] macsec desire
# Set the MKA key server priority to 10.
[DeviceB-GigabitEthernet1/0/1] mka priority 10
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceB-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceB-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceB-GigabitEthernet1/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceB-GigabitEthernet1/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceB-GigabitEthernet1/0/1] macsec validation mode strict
# Enable MKA on GigabitEthernet 1/0/1.
[DeviceB-GigabitEthernet1/0/1] mka enable
[DeviceB-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display MACsec information on GigabitEthernet 1/0/1 of Device A.
[DeviceA] display macsec interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
 Protect frames         : Yes
 Replay protection      : Enabled
 Replay window size     : 100 frames
 Confidentiality offset : 30 bytes
 Validation mode        : Strict
 Included SCI           : No
 SCI conflict           : No
 Cipher suite           : GCM-AES-128
 Transmit secure channel:
  SCI          : 00E00100000A0006
  Elapsed time : 00h:05m:00s
  Current SA   : AN 0   PN 1
 Receive secure channels:
  SCI          : 00E0020000000106
  Elapsed time : 00h:03m:18s
  Current SA   : AN 0   LPN 1
  Previous SA  : AN N/A LPN N/A
# Display MKA session information on GigabitEthernet 1/0/1 of Device A.
[DeviceA] display mka session interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
 Tx-SCI    : 00E00100000A0006
 Priority  : 5
 Capability: 3
 CKN for participant: E9AC
  Key server             : Yes
  MI (MN)                : 85E004AF49934720AC5131D3 (182)
  Live peers             : 1
  Potential peers        : 0
  Principal actor        : Yes
  MKA session status     : Secured
  Confidentiality offset : 30 bytes
  Current SAK status     : Rx & Tx
  Current SAK AN         : 0
  Current SAK KI (KN)    : 85E004AF49934720AC5131D300000003 (3)
  Previous SAK status    : N/A
  Previous SAK AN        : N/A
  Previous SAK KI (KN)   : N/A
  Live peer list:
   MI                       MN    Priority Capability Rx-SCI
   12A1677D59DD211AE86A0128 182   10       3          00E0020000000106
# Display MACsec information on GigabitEthernet 1/0/1 of Device B.
[DeviceB] display macsec interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
 Protect frames         : Yes
 Replay protection      : Enabled
 Replay window size     : 100 frames
 Confidentiality offset : 30 bytes
 Validation mode        : Strict
 Included SCI           : No
 SCI conflict           : No
 Cipher suite           : GCM-AES-128
 Transmit secure channel:
  SCI          : 00E0020000000106
  Elapsed time : 00h:05m:36s
  Current SA   : AN 0   PN 1
 Receive secure channels:
  SCI          : 00E00100000A0006
  Elapsed time : 00h:03m:21s
  Current SA   : AN 0   LPN 1
  Previous SA  : AN N/A LPN N/A
# Display MKA session information on GigabitEthernet 1/0/1 of Device B.
[DeviceB] display mka session interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
 Tx-SCI    : 00E0020000000106
 Priority  : 10
 Capability: 3
 CKN for participant: E9AC
  Key server             : No
  MI (MN)                : 12A1677D59DD211AE86A0128 (1219)
  Live peers             : 1
  Potential peers        : 0
  Principal actor        : Yes
  MKA session status     : Secured
  Confidentiality offset : 30 bytes
  Current SAK status     : Rx & Tx
  Current SAK AN         : 0
  Current SAK KI (KN)    : 85E004AF49934720AC5131D300000003 (3)
  Previous SAK status    : N/A
  Previous SAK AN        : N/A
  Previous SAK KI (KN)   : N/A
  Live peer list:
   MI                       MN    Priority Capability Rx-SCI
   85E004AF49934720AC5131D3 1216  5        3          00E00100000A0006
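As an added check that is not part of this configuration example, the following Python script parses the two display mka session verbose outputs and cross-checks what a healthy MKA pair must show: the same CKN and SAK key identifier on both ends, a Secured session on both ends, exactly one key server and it is the end with the lower priority value (5 beats 10), and each device's Tx-SCI appearing as the peer's Rx-SCI. The field names and layout are the ones shown above; the function names are the script's own.

```python
import re
# Constructed sample: the two 'display mka session ... verbose' outputs from this example,
# one field per line as the CLI prints them; values are copied from the page.
MKA_A = """\
 Tx-SCI : 00E00100000A0006
 Priority : 5
 CKN for participant: E9AC
 Key server : Yes
 MKA session status : Secured
 Current SAK KI (KN) : 85E004AF49934720AC5131D300000003 (3)
 Live peer list:
  MI                        MN   Priority Capability Rx-SCI
  12A1677D59DD211AE86A0128  182  10       3          00E0020000000106
"""
MKA_B = """\
 Tx-SCI : 00E0020000000106
 Priority : 10
 CKN for participant: E9AC
 Key server : No
 MKA session status : Secured
 Current SAK KI (KN) : 85E004AF49934720AC5131D300000003 (3)
 Live peer list:
  MI                        MN   Priority Capability Rx-SCI
  85E004AF49934720AC5131D3  1216 5        3          00E00100000A0006
"""
def parse_fields(output):
    """Collect 'Key : Value' lines into a dict; the first colon splits key and value."""
    pairs = (re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", ln) for ln in output.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}
def peer_rx_sci(output):
    """Rx-SCI column of the single live-peer row, or None if no live peer is listed."""
    m = re.search(r"Live peer list:\n.*\n\s*\S+\s+\d+\s+\d+\s+\d+\s+(\S+)", output)
    return m.group(1) if m else None
def check_mka_pair(out_a, out_b):
    """Cross-check both ends; returns a list of problems (empty means healthy)."""
    a, b = parse_fields(out_a), parse_fields(out_b)
    problems = []
    if a.get("CKN for participant") != b.get("CKN for participant"):
        problems.append("CKN differs between ends")
    if a.get("Current SAK KI (KN)") != b.get("Current SAK KI (KN)"):
        problems.append("SAK key identifier differs: ends are not using the same key")
    if {a.get("MKA session status"), b.get("MKA session status")} != {"Secured"}:
        problems.append("MKA session not Secured on both ends")
    servers = [x for x in (a, b) if x.get("Key server") == "Yes"]
    best = min((a, b), key=lambda x: int(x.get("Priority", 255)))  # lower value wins
    if len(servers) != 1 or servers[0] is not best:
        problems.append("key server is not the single end with the lowest priority value")
    if a.get("Tx-SCI") != peer_rx_sci(out_b) or b.get("Tx-SCI") != peer_rx_sci(out_a):
        problems.append("Tx-SCI does not match what the peer reports as Rx-SCI")
    return problems
```

Feed it the real outputs captured from both devices; an empty list confirms the two ends are keyed to each other and not to a stray third participant.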