MACsec configuration commands

To configure MACsec, perform the following tasks:

  • MACsec Policy creation and configuration

  • Apply MACsec policy on ports

  • Configure the MKA parameters on ports

Create, modify or delete a MACsec policy

Syntax

[no] macsec policy <policy-name>

Configures the MAC Security (MACsec) protocol.

macsec

MAC Security (MACsec).

policy

Apply a MACsec policy.

policy-name

MACsec policy name up to 32 characters long.

Validation rules

MACsec policy validation rules

Validation

Error/Warning/Prompt

While creating or editing a policy:

Maximum policy name length is 32

The policy name exceeds the maximum permissible limit of %s characters.

(where %s is the maximum length of the policy name, which is 32.)

Checks on the Policy Name string:

Character validity check on the policy name: alphanumeric characters and hyphen only, and the name must begin and end with an alphanumeric character.

Invalid policy name. The policy name may contain alphanumeric characters and hyphen, and must begin and end with an alphanumeric character.

Check for maximum number of policies (48).

Cannot create a new policy because the total number of policies on this device has reached the maximum limit of %s.

(where %s is the maximum number of policies, currently 48.)

While removing the policy:

A policy cannot be deleted if it is applied on any port at the time of removal.

Policy %s is currently in use on one or more ports and cannot be deleted.

(where %s is the name of the policy).

The policy name does not exist.

MACsec policy %s does not exist.

While modifying a policy:

When a policy is applied on an interface, the mode, CKN and CAK cannot be modified.

Cannot modify mode, CAK or CKN when the policy is in use on one or more ports.

Configuring mode of MACsec policy

Configure the mode of this MACsec policy. The mode determines how the CA Key Name (CKN) and CA Key (CAK) are obtained.

Syntax

[no] mode pre-shared-key ckn <CKN> cak <CAK>

Configure the MACsec policy to use pre-shared key mode. In the pre-shared key mode, the CA Key Name (CKN) and the CA Key (CAK) are set manually.

Configure the CA Key Name (CKN) of this MACsec policy. A CKN must be specified before the policy can be applied. Enter the CKN as a string of hexadecimal digits up to 32 characters long. If the configured CKN is shorter than 32 digits, it is padded up to 32 hexadecimal digits with 0s.

Configure the CA Key (CAK) of this MACsec policy. A CAK must be specified before the policy can be applied. Enter the CAK as a string of hexadecimal digits up to 64 characters long. If the configured CAK is shorter than 64 digits, it is padded up to 64 hexadecimal digits with 0s.

mode

Configure the mode of this MACsec policy.

pre-shared-key

Configure the MACsec policy to use pre-shared key mode.

ckn

Configure the CA Key Name (CKN) of this MACsec policy.

<CKN>

The CKN as a string of hexadecimal digits up to 32 characters long.

cak

Configure the CA Key (CAK) of this MACsec policy.

<CAK>

The CAK as a string of hexadecimal digits up to 64 characters long.

Eg:

mode pre-shared-key ckn 37c9c2c45ddd cak
mode pre-shared-key ckn 37c9c2c45ddd cak 2c45ddd012 <tab>

Encrypted-credentials mode

Because the CAK is a key and must be protected, when encrypt-credentials mode is enabled its value is encrypted before it is stored in the configuration.

Syntax

[no] mode pre-shared-key ckn <CKN> encrypted-cak <ENC-CAK>

Configure the CA Key (CAK) of this MACsec policy in encrypted form. A CAK must be specified before the policy can be applied. The value is an encrypted string previously read from a compatible networking device.

mode

Configure the mode of this MACsec policy.

pre-shared-key

Configure the MACsec policy to use pre-shared key mode.

ckn

Configure the CA Key Name (CKN) of this MACsec policy.

<CKN>

The CKN as a string of hexadecimal digits up to 32 characters long.

encrypted-cak

Configure the CA Key (CAK) of the MACsec policy, specified as a base64 encoded AES-256 encrypted string.

<ENC-CAK>

The encrypted CAK, a base64 encoded ASCII string 44 or 88 characters long.

Validation rules

Validation

Error/Warning/Prompt

Length check on CKN: hex string up to 32 digits long. The CKN should have an even number of digits.

"Invalid CKN. The CKN should be an even number of hexadecimal digits no longer than %s digits."

Eg: Invalid CKN. The CKN should be an even number of hexadecimal digits no longer than 32 digits.

Length check on CAK: hex string up to 64 digits long. The CAK should have an even number of digits.

"Invalid CAK. The CAK should be an even number of hexadecimal digits no longer than %s digits."

Eg: Invalid CAK. The CAK should be an even number of hexadecimal digits no longer than 64 digits.

Length check for encrypted CAK: a 44- or 88-character ASCII string.

"Invalid encrypted key."

Validity check on the encrypted CAK: decrypt it and apply the CAK rules (hex string up to 64 digits long, even number of digits).

"Invalid encrypted key."
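The name and key checks from the two validation tables above (policy creation, and the CKN, CAK and encrypted-CAK rules of the mode command), reproduced as an offline validator. This is an added example, not code from the switch: the function names, the padding direction and the `check` helper are this example's own; the limits it enforces (32-character policy name, 48 policies, 32-digit CKN, 64-digit CAK, 44- or 88-character encrypted CAK) are the ones the reference states.

```python
"""Offline checks mirroring the MACsec policy validation rules described above.

Added example, not code from the switch: function names, return values and the
raised messages are this example's own. The limits it enforces are the ones the
reference states.
"""
import base64
import binascii
import re
from typing import Callable, Optional

MAX_POLICY_NAME_LEN = 32
MAX_POLICIES = 48
CKN_MAX_HEX_DIGITS = 32
CAK_MAX_HEX_DIGITS = 64
ENCRYPTED_CAK_LENGTHS = (44, 88)

# Alphanumeric characters and hyphen; must begin and end with an alphanumeric.
_POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def validate_policy_name(name: str, existing_count: int = 0) -> str:
    """Apply the 'macsec policy <policy-name>' rules; return the name or raise."""
    if len(name) > MAX_POLICY_NAME_LEN:
        raise ValueError(
            f"The policy name exceeds the maximum permissible limit of "
            f"{MAX_POLICY_NAME_LEN} characters."
        )
    if not _POLICY_NAME_RE.match(name):
        raise ValueError(
            "Invalid policy name. The policy name may contain alphanumeric "
            "characters and hyphen, and must begin and end with an alphanumeric character."
        )
    if existing_count >= MAX_POLICIES:
        raise ValueError(
            "Cannot create a new policy because the total number of policies on "
            f"this device has reached the maximum limit of {MAX_POLICIES}."
        )
    return name


def normalize_hex_key(value: str, max_digits: int, label: str) -> str:
    """Check a CKN or CAK (hex, even digit count, within the limit) and pad it.

    The reference says a short key is padded up to the full length with 0s but
    not on which side. ASSUMPTION: this example pads on the right (trailing
    zeros); confirm against the peer device before relying on a short key.
    """
    if not _HEX_RE.match(value) or len(value) % 2 or len(value) > max_digits:
        raise ValueError(
            f"Invalid {label}. The {label} should be an even number of hexadecimal "
            f"digits no longer than {max_digits} digits."
        )
    return value.lower().ljust(max_digits, "0")


def validate_ckn(ckn: str) -> str:
    return normalize_hex_key(ckn, CKN_MAX_HEX_DIGITS, "CKN")


def validate_cak(cak: str) -> str:
    return normalize_hex_key(cak, CAK_MAX_HEX_DIGITS, "CAK")


def validate_encrypted_cak(enc: str) -> bytes:
    """Apply the length and encoding checks on an encrypted-cak value.

    Decrypting the value (and applying the CAK rules to the plaintext) needs the
    device's credential key, so only the length and base64 checks are reproduced.
    """
    if len(enc) not in ENCRYPTED_CAK_LENGTHS:
        raise ValueError("Invalid encrypted key.")
    try:
        return base64.b64decode(enc, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("Invalid encrypted key.") from None


def check(fn: Callable[..., object], *args: object) -> Optional[str]:
    """Run a validator and return its error message, or None when the input passes."""
    try:
        fn(*args)
    except ValueError as exc:
        return str(exc)
    return None
```

The padding helper makes visible which full-length CKN and CAK the peer must be configured with; because the reference does not say on which side the switch pads a short key, treat that part as an assumption to verify on the link.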

MACsec policy: configuring confidentiality (policy context)

Syntax

[no] confidentiality

Enable confidentiality in this MACsec policy. When confidentiality is enabled, data packets are encrypted and verified. When confidentiality is disabled, data packets are not encrypted, but they are still verified. By default, confidentiality is enabled.

confidentiality

Enable confidentiality in this MACsec policy.

Validation rules

Validation

Error/Warning/Prompt

In FIPS (Enhanced Security) mode, changing a policy from integrity only (ICV only, no confidentiality) to confidentiality is not allowed if the policy is already in use on any port.

"Cannot enable confidentiality in Enhanced Security mode, when the policy is already in use on a port."

Configuring replay protection

Syntax

[no] replay-protection <replaywindowsize>

Configure the Replay Protection feature on this MACsec policy. When Replay Protection is enabled, the receiving port checks the packet number (PN) of all received packets. If a packet arrives out of sequence and the difference between the packet numbers exceeds the Replay Protection window size, the packet is dropped. Setting the replay window size to 0 mandates that all packets arrive in order. By default, Replay Protection is enabled and the Replay Protection window size is 0.

replay-protection

Enable Replay Protection in this MACsec policy.

0-1024

Configure the Replay Protection window size value.

Validation rules

Validation

Error/Warning/Prompt

Replay Protection window range validation (0-1024).

Invalid value %s. The Replay Protection window size ranges from %s to %s.

Eg:

Invalid value 2000. The Replay Protection window size ranges from 0 to 1024.
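The receive-side check that the replay-protection command configures, as an added example that is not switch code. It follows the IEEE 802.1AE formulation of the rule stated above: a frame is late, and dropped, when its packet number (PN) is below lowestAcceptablePN = nextPN - window, so a window of 0 accepts only frames whose PN is at least the next expected one, i.e. in-order delivery. The class, counter and function names are this example's own, and the PN sequences in the test are constructed.

```python
"""Receive-side replay check of the kind 'replay-protection <replaywindowsize>' configures.

Added example, not switch code. Models the IEEE 802.1AE rule: drop a frame whose
PN is below nextPN - window; with window 0 frames must arrive in order.
"""
from dataclasses import dataclass
from typing import List, Optional

REPLAY_WINDOW_MIN = 0
REPLAY_WINDOW_MAX = 1024


def replay_window_error(size: int) -> Optional[str]:
    """Range check in the wording of the validation rule; None when the size is valid."""
    if REPLAY_WINDOW_MIN <= size <= REPLAY_WINDOW_MAX:
        return None
    return (f"Invalid value {size}. The Replay Protection window size ranges "
            f"from {REPLAY_WINDOW_MIN} to {REPLAY_WINDOW_MAX}.")


@dataclass
class ReplayChecker:
    """Receive state of one secure association on a MACsec link."""
    window: int
    enabled: bool = True
    next_pn: int = 1          # next expected PN; MACsec packet numbers start at 1
    accepted: int = 0
    dropped_late: int = 0

    def __post_init__(self) -> None:
        err = replay_window_error(self.window)
        if err:
            raise ValueError(err)

    def receive(self, pn: int) -> bool:
        """Return True if a frame carrying packet number `pn` is accepted."""
        if self.enabled:
            # lowestAcceptablePN = nextPN - window, never below the first PN
            lowest_acceptable = max(self.next_pn - self.window, 1)
            if pn < lowest_acceptable:
                self.dropped_late += 1    # the frame is "late": replayed or too old
                return False
        self.accepted += 1
        if pn >= self.next_pn:
            self.next_pn = pn + 1         # gaps are tolerated, the window moves forward
        return True


def run_sequence(window: int, pns: List[int], enabled: bool = True) -> List[bool]:
    """Feed a constructed PN sequence through one checker; return the accept/drop decisions."""
    checker = ReplayChecker(window=window, enabled=enabled)
    return [checker.receive(pn) for pn in pns]
```

With a window of 0 the duplicate PN 2 in the sequence 1, 2, 3, 2, 4 is dropped while the rest is accepted; with a window of 2 a frame arriving two PNs behind the highest seen is still accepted and one arriving three behind is not. Disabling replay protection accepts every frame, duplicates included, which is why the default leaves it on.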

Configuring include-sci-tag

Syntax

[no] include-sci-tag

Include Secure Channel Identifier (SCI) tag information in the Security TAG (SecTAG) field. By default, the SCI tag is included.

include-sci-tag

Include Secure Channel Identifier (SCI) tag information in the Security TAG (SecTAG) field.

Apply policy on a port-list

Syntax

[no] macsec apply policy <policy-name> ethernet PORT-LIST

Apply a MACsec policy to a list of ports.

apply

Apply a MACsec policy to a list of ports.

policy

Configure a MACsec policy.

policy-name

The MACsec policy to apply.

ethernet PORT-LIST

The port or list of ports on which to apply the MACsec policy.

Validation rules


NOTE: When a validation check fails on any port in the port-list, the CLI command aborts and returns an error message. No configuration changes take place on any of the ports in the port-list.


Validation

Error/Warning/Prompt

Check whether the policy with the given policy name exists, and whether it can be applied on any port.

Policy %s does not exist.

Cannot apply the MACsec policy on ports, because the policy is not complete.

Another policy is already applied on this port.

Cannot apply the MACsec policy on port %s, because another MACsec policy is already configured on this port.

The port is part of a trunk (lacp, trunk, dt-trunk, dt-lacp).

Cannot configure the MACsec policy on port %s when it is part of a trunk.

(where %s is the port name.)

MKA configuration on a port-list

Syntax

[no] aaa port-access <authenticator ...|supplicant ...|web-based ...|mac-based ...|mka ...>

Configure 802.1X (Port Based Network Access), MAC address based network access, web authentication based network access, or the MACsec Key Agreement (MKA) protocol on the device.

[no] aaa port-access mka key-server-priority PRIORITY transmit-interval INTERVAL ethernet PORT-LIST

Configure the MACsec Key Agreement (MKA) protocol parameters.


NOTE: See the help for the commands aaa port-access authenticator, aaa port-access supplicant, aaa port-access mac-based, aaa port-access web-based for further details on authenticator, supplicant, MAC address based, and web authentication based network access configuration.


Syntax

aaa port-access mka key-server-priority <PRIORITY> transmit-interval <INTERVAL> [ethernet] PORT-LIST

Configure the MKA key server priority. The key server priority is used by the MKA protocol in selecting a key server. The participant with the lower key server priority value is selected as the key server. The default value is 16.

Configure the MKA transmit interval. MKA sends the periodic MKA protocol data unit (PDU) at this interval to the connected device to maintain MACsec connectivity on the link. The default value is 2 seconds.

Eg:

aaa port-access mka
aaa port-access mka key-server-priority
aaa port-access mka key-server-priority 5
aaa port-access mka key-server-priority 18
aaa port-access mka key-server-priority 18 transmit-interval
aaa port-access mka key-server-priority 18 transmit-interval 4
aaa port-access mka key-server-priority 18 transmit-interval 4 A1
aaa port-access mka key-server-priority 10 transmit-interval 6 a3

key-server-priority

Configure the MKA key server priority.

0-31

Enter a Key Server priority value.

transmit-interval

Configure the MKA transmit interval.

2-6

Enter a transmit interval value.

[ethernet] PORT-LIST

Enter a port number, a list of ports or 'all' for all ports.

Validation rules


NOTE: When a validation check fails on any port in the port-list, the CLI command aborts and returns an error message. No configuration changes take place on any of the ports in the port-list.


Validation

Error/Warning/Prompt

Range check for MKA server priority value [0-31].

Invalid value %s. The MKA server priority ranges from %s to %s.

Eg:

Invalid value 50. The MKA server priority ranges from 0 to 31.

Range check for MKA transmit-interval value [2-6].

Invalid value %s. The MKA transmit interval ranges from %s to %s.

Eg:

Invalid value 1. The MKA transmit interval ranges from 2 to 6 seconds.
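Key server election as driven by the key-server-priority parameter above, together with the two range checks from this validation table, as an added example that is not switch code. The first election rule is the one the reference states (the live participant with the lowest priority value wins); the tie-break, equal priorities resolved in favour of the lowest SCI, is the IEEE 802.1X-2010 clause 9.5 rule and is not on this page. The limits (priority 0-31, transmit interval 2-6 seconds) and defaults (16 and 2 seconds) are from the reference; participant names and SCIs are constructed.

```python
"""MKA key server election driven by 'aaa port-access mka key-server-priority'.

Added example, not switch code. Lowest priority value wins (as the reference
states); ties go to the lowest SCI (IEEE 802.1X-2010 clause 9.5, not on the page).
"""
from dataclasses import dataclass
from typing import Iterable, Optional

PRIORITY_RANGE = (0, 31)
INTERVAL_RANGE = (2, 6)
DEFAULT_PRIORITY = 16
DEFAULT_INTERVAL = 2


def mka_range_error(value: int, low: int, high: int, what: str, unit: str = "") -> Optional[str]:
    """Range check in the wording of the validation rules; None when the value is valid."""
    if low <= value <= high:
        return None
    return f"Invalid value {value}. The MKA {what} ranges from {low} to {high}{unit}."


def priority_error(priority: int) -> Optional[str]:
    return mka_range_error(priority, *PRIORITY_RANGE, "server priority")


def interval_error(interval: int) -> Optional[str]:
    return mka_range_error(interval, *INTERVAL_RANGE, "transmit interval", " seconds")


@dataclass(frozen=True)
class Participant:
    name: str
    sci: str                  # Secure Channel Identifier: 48-bit MAC + 16-bit port id, 16 hex digits
    priority: int = DEFAULT_PRIORITY
    transmit_interval: int = DEFAULT_INTERVAL
    live: bool = True         # a peer takes part only while its MKPDUs are being received

    def __post_init__(self) -> None:
        for err in (priority_error(self.priority), interval_error(self.transmit_interval)):
            if err:
                raise ValueError(err)
        if len(self.sci) != 16:
            raise ValueError(f"SCI must be 16 hexadecimal digits: {self.sci}")
        int(self.sci, 16)     # raises ValueError on non-hex input


def elect_key_server(participants: Iterable[Participant]) -> Participant:
    """Lowest priority value wins; a tie goes to the lowest SCI."""
    live = [p for p in participants if p.live]
    if not live:
        raise ValueError("no live MKA participants on this link")
    return min(live, key=lambda p: (p.priority, int(p.sci, 16)))


def demo() -> str:
    """Constructed CA: port A1 on this switch set to priority 18, the peer left at the default."""
    local = Participant("this-switch:A1", "0011223344550001", priority=18)
    peer = Participant("peer-switch:1/1", "00aabbccddee0001")     # default priority 16
    return elect_key_server([local, peer]).name
```

The constructed case shows the operational point of the parameter: raising the local priority value to 18 hands the key server role to a peer left at the default of 16, so the device that should distribute the SAK is the one given the lower value on the link.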

Clearing MKA statistics on ports

Syntax

clear statistics mka [ethernet] PORT-LIST

Reset the MKA protocol statistics.

The general form of the command is:

clear statistics <PORT-LIST>|global|aclv4|aclv6|policy|mka

Reset statistics counters.

aclv4

Reset IPv4 Access Control List statistics.

aclv6

Reset IPv6 Access Control List statistics.

dldp

Reset Device Link Detection Protocol (DLDP) statistics.

global

Reset the port counters in all sessions.

mac

Reset MAC Access Control List statistics.

macsec

Reset the MACsec protocol statistics.

mka

Reset the MKA protocol statistics.

policy

Reset policy statistics.

[ethernet] PORT-LIST

Reset the port counters in the current session.

[ethernet] PORT-LIST

The port or ports for which to reset statistics.

Eg:

clear statistics mka A1

Reset the MKA protocol statistics on port A1.

Validation rules

Validation

Error/Warning/Prompt

Check for valid logical ports entered.

Module not present for port or invalid port: %s.

(Error thrown by the parser for an invalid port.)

Check if MACsec is enabled on the port before letting it proceed to clear.

Cannot clear MKA statistics, because MACsec is not enabled on the port.

Clearing MACsec statistics on ports

Syntax

clear statistics PORT-LIST|global|aclv4 ...|aclv6 ...|policy|mka ...|macsec ...

aclv4

Reset IPv4 Access Control List statistics.

aclv6

Reset IPv6 Access Control List statistics.

dldp

Reset Device Link Detection Protocol (DLDP) statistics.

global

Reset the port counters in all sessions.

mac

Reset MAC Access Control List statistics.

macsec

Reset the MACsec protocol statistics.

mka

Reset the MKA protocol statistics.

policy

Reset policy statistics.

[ethernet] PORT-LIST

Reset the port counters in the current session.

clear statistics macsec [ethernet] PORT-LIST

Reset the MACsec protocol statistics.

Eg:

clear statistics macsec
clear statistics macsec A1

Reset the MACsec protocol statistics.

Validation rules

Validation

Error/Warning/Prompt

Check for valid logical ports entered.

Module not present for port or invalid port: %s.

(Error thrown by the parser for an invalid port.)

Check if MACsec is enabled on the port before letting it proceed to clear.

Cannot clear MACsec statistics, because MACsec is not enabled on the port.