Command Line Reference
MACsec Configuration
show macsec profile

[command] show macsec profile
[purpose] Display the MACsec tunnel policy (profile) information in the current configuration.
[view] system view
[notes] The output prints the configured CKN and CAK in clear text. Treat it like any other credential dump: restrict who may run the command and do not paste the output into tickets or logs. Note also that the sample profile below has replay protection disabled (replay protect false); see mka replay protection for why that should normally be enabled.
[use cases]
    sonic# show macsec profile
    macsec profile test
      priority 30
      cipher suite gcm aes xpn 128
      primary cak 01234567890123456789012345678900
      primary ckn 01234567890123456789012345678900
      policy security
      replay protect false
      replay window 0
      rekey period 1s
      send sci true

show macsec interface

[command] show macsec interface
[purpose] Display the binding relationship between MACsec policies and physical interfaces.
[view] system view
[use cases]
    sonic# show macsec interface
    interface    profile
    ethernet1    test4
    ethernet15   test4
    ethernet10   test5

show macsec status

[command] show macsec status
[purpose] Show the MACsec connection (MKA session) status of each bound interface and the association number (AN) of the SAK currently in use.
[view] system view
[use cases]
    sonic# show macsec status
    +-------------+------------------+------------------+
    | interface   | session status   | current sak an   |
    +=============+==================+==================+
    | ethernet2   | established      | 1                |
    +-------------+------------------+------------------+

show counters macsec

[command] show counters macsec [ethernet <interface-id>]
[purpose] Show MACsec connection statistics per secure association (SA). Without an interface argument, all SAs are listed; the sa key column is the interface, the secure channel identifier and the AN. Outbound SAs report the current outbound packet number (PN) and the encrypted/protected counters; inbound SAs report the current inbound PN and the 802.1AE receive counters. Non-zero values of in pkts invalid, in pkts not valid, in pkts late, in pkts delayed, in pkts not using sa or in pkts unused sa indicate frames that failed integrity or replay checks, or arrived on an SA that is not in use, and are worth investigating.
[view] system view
[use cases]
    sonic# show counters macsec
    +------------------------------+----------------------+-----------------+
    | sa key                       | counter id           | counter value   |
    +==============================+======================+=================+
    | ethernet2 60eb5a01774a0001 1 | cur out pkt seq num  | 1               |
    |                              | bytes encrypted      | 0               |
    |                              | bytes protected      | 0               |
    |                              | out pkts encrypted   | 0               |
    |                              | out pkts protected   | 0               |
    +------------------------------+----------------------+-----------------+
    | ethernet2 60eb5a01774c0001 1 | cur in pkt seq num   | 1               |
    |                              | in pkts delayed      | 0               |
    |                              | in pkts invalid      | 0               |
    |                              | in pkts late         | 0               |
    |                              | in pkts not using sa | 0               |
    |                              | in pkts not valid    | 0               |
    |                              | in pkts ok           | 0               |
    |                              | in pkts unchecked    | 0               |
    |                              | in pkts unused sa    | 0               |
    |                              | bytes decrypted      | 0               |
    |                              | bytes validated      | 0               |
    +------------------------------+----------------------+-----------------+
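The show commands above are what an operator or a monitoring job would poll to decide whether a MACsec link is healthy. The following script is an added example and is not part of this page, SONiC or the vendor's tooling: it parses the two table formats shown above and returns findings for sessions that are not established, inbound frames rejected for integrity or replay reasons, and an outbound packet number approaching the 32-bit limit of the non-XPN cipher suites. The sample output embedded in it is constructed in the page's table format (the pending status and the non-zero counters are made up to exercise the checks), and the xpn flag and the 90 % warning threshold are assumptions, not device settings.

```python
"""Turn 'show macsec status' and 'show counters macsec' output into findings.
Added example, not SONiC's or the vendor's own tooling. The sample output
below is constructed in the page's table format: the 'pending' status and
the non-zero counters are made up to exercise the checks."""

PN_32BIT_MAX = 2**32 - 1  # largest PN for gcm aes 128 / gcm aes 256 (non-XPN)

# IEEE 802.1AE per-SA receive counters that mean a frame failed a check.
# Any non-zero value deserves a look; the "dropped" ones are hard failures.
INBOUND_FAILURE_COUNTERS = (
    "in pkts not valid",     # ICV check failed, frame dropped
    "in pkts invalid",       # ICV check failed, frame still forwarded (non-strict validation)
    "in pkts late",          # PN inside the replay window, dropped (replay protection on)
    "in pkts delayed",       # PN inside the replay window, accepted (replay protection off)
    "in pkts not using sa",  # arrived on an SA that is not in use, dropped
    "in pkts unused sa",     # arrived on an SA that is not in use, accepted
)

def _rows(table):
    """Yield stripped cell lists from a +---/|-style table, skipping rule lines."""
    for line in table.splitlines():
        line = line.strip()
        if line.startswith("|"):
            yield [cell.strip() for cell in line.strip("|").split("|")]

def parse_status(text):
    """Return {interface: (session status, current SAK AN)}."""
    result = {}
    for cells in _rows(text):
        if cells[0] == "interface":  # header row
            continue
        result[cells[0]] = (cells[1], int(cells[2]))
    return result

def parse_counters(text):
    """Return {sa key: {counter id: value}}. The SA key cell is blank on
    continuation rows, so the last non-blank key is carried forward."""
    result, current = {}, None
    for cells in _rows(text):
        if cells[0] == "sa key":  # header row
            continue
        if cells[0]:
            current = cells[0]
            result.setdefault(current, {})
        if current is not None:
            result[current][cells[1]] = int(cells[2])
    return result

def analyse(status_text, counters_text, xpn=False, pn_warn_ratio=0.9):
    """Return a list of findings (empty means nothing to report).
    xpn=True tells the check that a 64-bit PN cipher suite is in use."""
    findings = []
    for iface, (state, _an) in parse_status(status_text).items():
        if state != "established":
            findings.append(f"{iface}: MKA session not established (status={state})")
    for sa_key, counters in parse_counters(counters_text).items():
        for name in INBOUND_FAILURE_COUNTERS:
            value = counters.get(name, 0)
            if value:
                findings.append(f"{sa_key}: {name}={value}")
        pn = counters.get("cur out pkt seq num")
        if pn is not None and not xpn and pn >= pn_warn_ratio * PN_32BIT_MAX:
            findings.append(f"{sa_key}: outbound PN {pn} is past {pn_warn_ratio:.0%} of the "
                            "32-bit limit; set mka rekey period or move to an xpn cipher suite")
    return findings

# Constructed sample output in the page's table format (not captured from a device).
SAMPLE_STATUS = """\
+-------------+------------------+------------------+
| interface   | session status   | current sak an   |
+=============+==================+==================+
| ethernet2   | established      | 1                |
| ethernet10  | pending          | 0                |
+-------------+------------------+------------------+
"""

SAMPLE_COUNTERS = """\
+------------------------------+----------------------+-----------------+
| sa key                       | counter id           | counter value   |
+==============================+======================+=================+
| ethernet2 60eb5a01774a0001 1 | cur out pkt seq num  | 4294900000      |
|                              | bytes encrypted      | 1048576         |
|                              | out pkts encrypted   | 4294900000      |
+------------------------------+----------------------+-----------------+
| ethernet2 60eb5a01774c0001 1 | cur in pkt seq num   | 5000            |
|                              | in pkts late         | 12              |
|                              | in pkts not valid    | 3               |
|                              | in pkts ok           | 4985            |
|                              | bytes decrypted      | 640000          |
+------------------------------+----------------------+-----------------+
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_STATUS, SAMPLE_COUNTERS):
        print(finding)
```

Run against the constructed sample, the script reports the pending session on ethernet10, the outbound SA whose PN is close to exhaustion, and the two inbound counters (not valid, late) on the receive SA. Wire the same function to periodic polling and alert on any non-empty result; counters that keep increasing between polls are the signal, a one-off late frame after a link flap usually is not.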
macsec enable

[command] macsec enable
[purpose] Enable MACsec functionality globally.
[view] system view
[use cases]
    sonic# macsec enable
    sonic(config)#

macsec profile

[command] macsec profile <profile-name>
          no macsec profile <profile-name>
[purpose] Create a MACsec tunnel forwarding policy (profile) and enter its configuration view; the no form deletes the profile.
[parameter] profile-name: name of the MACsec profile.
[view] system configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)#

macsec bind

[command] macsec bind <profile-name>
          no macsec bind
[purpose] Bind a MACsec tunnel policy to the interface; the no form removes the binding.
[parameter] profile-name: name of an existing MACsec profile.
[important notes] Only the first 16 physical interfaces support MACsec tunnel binding.
[view] interface configuration view
[use cases]
    sonic# configure
    sonic(config)# interface ethernet 1
    sonic(config if 1)# macsec bind test
    sonic(config if 1)#

mka cipher suite

[command] mka cipher suite {gcm aes 128|gcm aes 256|gcm aes xpn 128|gcm aes xpn 256}
[purpose] Configure the MACsec tunnel encryption algorithm (cipher suite).
[parameter] gcm aes 128, gcm aes 256: GCM-AES with a 32-bit packet number (PN).
            gcm aes xpn 128, gcm aes xpn 256: GCM-AES with a 64-bit extended packet number (XPN).
[notes] With a 32-bit PN (gcm aes 128, gcm aes 256) one SAK can protect approximately 4.2 billion (2^32) packets before the PN is exhausted. When one of these suites is used, the rekey period parameter must therefore be configured so that the key is replaced periodically. The XPN suites extend the PN to 64 bits; a rekey period is still good practice with them, since it bounds how long any one SAK stays in use.
[view] macsec policy configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka cipher suite gcm aes 128
    sonic(config macsec test)#

mka policy

[command] mka policy {integrity only|security}
[purpose] Configure the MACsec tunnel data transmission mode.
[parameter] integrity only: frames carry an integrity check value (ICV) but the payload is not encrypted.
            security: frames are encrypted and integrity protected.
[notes] integrity only protects against tampering but not against eavesdropping; use security unless cleartext payloads are required on the link.
[view] macsec policy configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka policy integrity only
    sonic(config macsec test)#

mka priority

[command] mka priority <0-255>
[purpose] Configure the priority of this device in the MKA key server election.
[parameter] 0-255: priority value. The default is 255; the smaller the value, the higher the priority.
[view] macsec policy configuration view
[notes] The MKA key server is the party that generates and distributes the encryption keys (SAK) in the MKA protocol. Give the device that should act as key server a lower value than its peer; with equal values on both ends the election falls back to a tie-break you do not control.
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka priority 100
    sonic(config macsec test)#

mka psk

[command] mka psk ckn <key-name> cak <key>
          no mka psk
[purpose] Configure the connectivity association key name (CKN) and connectivity association key (CAK) of the MACsec tunnel.
[parameter] key-name: the CKN, as a hexadecimal string.
            key: the CAK, as a hexadecimal string (the example below uses 32 hex digits, i.e. a 128-bit CAK).
[notes] The CKN and CAK must be configured identically at both ends of the MACsec tunnel, otherwise the tunnel is not established. The CAK is the long-lived secret from which every session key is derived: generate it from a random source rather than a memorable pattern like the one in the example, distribute it out of band, and remember that show macsec profile prints it in clear text.
[view] macsec policy configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka psk ckn 01234567890123456789012345678900 cak 01234567890123456789012345678900
    sonic(config macsec test)#

mka rekey period

[command] mka rekey period <rekey-period>
[purpose] Configure the key replacement cycle (SAK rekey interval) of the MACsec tunnel.
[parameter] rekey-period: interval between SAK replacements; show macsec profile reports it in seconds (for example, rekey period 1s).
[notes] Required with the 32-bit PN cipher suites (see mka cipher suite); recommended with the XPN suites as well.
[view] macsec policy configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka rekey period 10
    sonic(config macsec test)#

mka replay protection

[command] mka replay protection {enable|window size <size>}
          no mka replay protection enable
[purpose] Enable MACsec replay detection and configure the replay window.
[parameter] enable: drop received frames whose PN has already been seen or falls outside the replay window.
            window size size: number of out-of-order frames tolerated; 0 accepts only strictly increasing PNs.
[notes] With replay protection disabled (replay protect false in show macsec profile), a frame captured on the link can be re-injected and will be accepted by the receiver. Enable it, and keep the window as small as the link's reordering behaviour allows.
[view] macsec policy configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka replay protection enable
    sonic(config macsec test)# mka replay protection window size 1000
    sonic(config macsec test)#

mka send sci enable

[command] mka send sci enable
          no mka send sci enable
[purpose] Enable the send SCI function of the MACsec policy.
[notes] Send SCI is enabled by default. When it is disabled, MACsec frames no longer carry the Secure Channel Identifier (the sender's MAC address and port identifier) in the SecTAG. Whether send SCI is enabled does not affect the establishment of MACsec tunnels between two of these devices. Keep it enabled when the peer is third-party equipment or when more than two stations share the medium, since such peers may need the SCI to select the right secure channel.
[view] macsec policy configuration view
[use cases]
    sonic(config)# macsec profile test
    sonic(config macsec test)# mka send sci enable
    sonic(config macsec test)#
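The commands above are the steps of one procedure: enable MACsec, create a profile, choose the cipher suite, policy, priority, keys, rekey period, replay protection and SCI handling, then bind the profile to an interface. The script below is an added example, not SONiC's or the vendor's code: it encodes the constraints the page states (32-bit PN suites require a rekey period, priority 0-255, bindings only on the first 16 physical interfaces) plus the IEEE 802.1X key-size rules for the CKN and CAK, warns about the weak but legal settings (replay protection disabled, integrity only), and emits the command sequence in the page's order for a profile that passes. Keyword spelling follows the page as extracted, so adapt the tokens to the device's real CLI; exiting each configuration view is not documented on the page and is left to the operator. The two profiles at the bottom are constructed, and the CAK values in them are placeholders, not real keys.

```python
"""Validate a MACsec profile against the rules this page documents and emit
the CLI command sequence in the order the page presents it. Added example,
not SONiC's or the vendor's code; keyword spelling follows the page as
extracted. Exiting each configuration view is not shown on the page and is
left to the operator."""

import re
import secrets

# cipher suite keyword -> packet number width in bits
CIPHER_PN_BITS = {
    "gcm aes 128": 32, "gcm aes 256": 32,
    "gcm aes xpn 128": 64, "gcm aes xpn 256": 64,
}
POLICIES = ("integrity only", "security")
MACSEC_PORTS = range(1, 17)   # page: only the first 16 physical interfaces can bind
_HEX = re.compile(r"[0-9a-fA-F]+")

def new_cak(bits=256):
    """Fresh random CAK as hex. IEEE 802.1X allows 128- or 256-bit CAKs;
    never derive one from a memorable pattern like the page's 0123... sample."""
    if bits not in (128, 256):
        raise ValueError("CAK must be 128 or 256 bits")
    return secrets.token_hex(bits // 8)

def validate(profile):
    """Return (errors, warnings). Errors block rendering; warnings are weak
    but legal settings a reviewer should see."""
    errors, warnings = [], []
    cipher = profile.get("cipher_suite")
    if cipher not in CIPHER_PN_BITS:
        errors.append(f"unknown cipher suite {cipher!r}")
    elif CIPHER_PN_BITS[cipher] == 32 and not profile.get("rekey_period"):
        errors.append(f"{cipher} uses a 32-bit PN (about 4.2 billion packets per SAK); set rekey_period")
    policy = profile.get("policy", "security")
    if policy not in POLICIES:
        errors.append(f"unknown policy {policy!r}")
    elif policy == "integrity only":
        warnings.append("integrity only: frames are authenticated but not encrypted")
    if not 0 <= int(profile.get("priority", 255)) <= 255:
        errors.append("priority must be 0..255 (lower value wins the key server election)")
    ckn, cak = profile.get("ckn", ""), profile.get("cak", "")
    if not (_HEX.fullmatch(ckn) and len(ckn) % 2 == 0 and 2 <= len(ckn) <= 64):
        errors.append("ckn must be 1..32 octets, given as hex")
    if not (_HEX.fullmatch(cak) and len(cak) in (32, 64)):
        errors.append("cak must be 128 or 256 bits, given as hex")
    if not profile.get("replay_protection", True):
        warnings.append("replay protection disabled: captured frames can be replayed into this port")
    for iface in profile.get("interfaces", []):
        m = re.fullmatch(r"ethernet (\d+)", iface)
        if not m or int(m.group(1)) not in MACSEC_PORTS:
            errors.append(f"{iface!r}: only ethernet 1..16 support macsec bind")
    return errors, warnings

def render(profile):
    """Return the CLI lines in the page's order; raises ValueError on errors."""
    errors, _ = validate(profile)
    if errors:
        raise ValueError("; ".join(errors))
    name = profile["name"]
    lines = [
        "configure",
        "macsec enable",
        f"macsec profile {name}",
        f"mka cipher suite {profile['cipher_suite']}",
        f"mka policy {profile.get('policy', 'security')}",
        f"mka priority {profile.get('priority', 255)}",
        f"mka psk ckn {profile['ckn']} cak {profile['cak']}",
    ]
    if profile.get("rekey_period"):
        lines.append(f"mka rekey period {profile['rekey_period']}")
    if profile.get("replay_protection", True):
        lines.append("mka replay protection enable")
        lines.append(f"mka replay protection window size {profile.get('replay_window', 0)}")
    else:
        lines.append("no mka replay protection enable")
    lines.append("mka send sci enable" if profile.get("send_sci", True) else "no mka send sci enable")
    for iface in profile.get("interfaces", []):
        lines += [f"interface {iface}", f"macsec bind {name}"]
    return lines

# Constructed profiles. The CAK values are placeholders, not real keys.
GOOD_PROFILE = {
    "name": "test", "cipher_suite": "gcm aes xpn 256", "policy": "security",
    "priority": 100, "ckn": "01234567890123456789012345678900",
    "cak": "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
    "rekey_period": 3600, "replay_protection": True, "replay_window": 0,
    "send_sci": True, "interfaces": ["ethernet 1", "ethernet 15"],
}
# The weak settings the page's notes warn about, collected in one profile.
WEAK_PROFILE = {
    "name": "weak", "cipher_suite": "gcm aes 128", "ckn": "0011",
    "cak": "00112233445566778899aabbccddeeff", "replay_protection": False,
    "interfaces": ["ethernet 20"],
}

if __name__ == "__main__":
    print("\n".join(render(GOOD_PROFILE)))
    print(validate(WEAK_PROFILE))
```

For the weak profile, validate() returns two errors (gcm aes 128 without a rekey period, and a bind on ethernet 20, which is outside the first 16 ports) and one warning (replay protection disabled), and render() refuses to emit anything. Replacing the placeholder CAK with new_cak() before rendering gives a profile that passes the same checks with a properly random key.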
