MACsec Configuration

show macsec profile show macsec profile \[command] show macsec profile \[purpose] display macsec tunnel policy information for the current configuration \[view] system view \[use cases] sonic# show macsec profile macsec profile test priority 30 cipher suite gcm aes xpn 128 primary cak 01234567890123456789012345678900 primary ckn 01234567890123456789012345678900 policy security replay protect false replay window 0 rekey period 1s send sci true show macsec interface show macsec interface \[command] show macsec interface \[purpose] display the binding relationship between macsec policies and physical interfaces \[view] system view \[use cases] sonic# show macsec interface interface profile ethernet1 test4 ethernet15 test4 ethernet10 test5 rekey period 1s send sci true show macsec status show macsec status \[command] show macsec status \[purpose] show macsec connection status \[view] system view \[use cases] sonic# show macsec status + + + + \| interface | session status | current sak an | +=============+==================+==================+ \| ethernet2 | established | 1 | + + + + show counters macsec show counters macsec \[command] show counters macsec \[ethernet interface id ] \[purpose] show macsec connection statistics \[view] system view \[use cases] sonic# show counters macsec + + + + \| sa key | counter id | counter value | +==============================+======================+=================+ \| ethernet2 60eb5a01774a0001 1 | cur out pkt seq num | 1 | \| | bytes encrypted | 0 | \| | bytes protected | 0 | \| | out pkts encrypted | 0 | \| | out pkts protected | 0 | + + + + \| ethernet2 60eb5a01774c0001 1 | cur in pkt seq num | 1 | \| | in pkts delayed | 0 | \| | in pkts invalid | 0 | \| | in pkts late | 0 | \| | in pkts not using sa | 0 | \| | in pkts not valid | 0 | \| | in pkts ok | 0 | \| | in pkts unchecked | 0 | \| | in pkts unused sa | 0 | \| | bytes decrypted | 0 | \| | bytes validated | 0 | + + + + macsec enable macsec enable \[command] macsec enable \[purpose] enable macsec functionality \[view] system view \[use cases] sonic# macsec enable sonic(config)# macsec profile macsec profile \[command] macsec profile profile name no macsec profile profile name \[purpose] create a macsec tunnel forwarding policy \[parameter] parameter description profile name macsec tunnel policy name \[view] system configuration view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# macsec bind macsec bind \[command] macsec bind profile name no macsec bind \[purpose] interface binding macsec tunnel policy \[parameter] parameter description profile name macsec tunnel policy name \[important notes] only the first 16 physical interfaces support macsec tunnel binding \[view] interface configuration view \[use cases] sonic# configure sonic(config)# interface ethernet 1 sonic(config if 1)# macsec bind test sonic(config if 1)# mka cipher suite {gcm aes 128|gcm aes 256|gcm aes xpn 128|gcm aes xpn 256} mka cipher suite {gcm aes 128|gcm aes 256|gcm aes xpn 128|gcm aes xpn 256} \[command] mka cipher suite {gcm aes 128|gcm aes 256|gcm aes xpn 128|gcm aes xpn 256} \[purpose] configure macsec tunnel encryption algorithm \[parameter] parameter description gcm aes 128 key length 128 bits, pn (packet number) length 32 bits gcm aes 256 key length 256 bits, pn (packet number) length 32 bits gcm aes xpn 128 key length 128 bits, xpn (extended packet number) length 64 bits gcm aes xpn 256 key length 256 bits, xpn (extended packet number) length 64 bits \[notes] when the pn (packet number) of the macsec tunnel encryption algorithm is 32 bits, this macsec tunnel can support forwarding approximately 4 2 billion packets therefore, when the tunnel encryption algorithm is gcm aes 128/gcm aes 256, the rekey period parameter must be configured to perform periodic key updates \[view] macsec policy configuration viewystem view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka cipher suite gcm aes 128 sonic(config macsec test)# mka policy {integrity only|security} mka policy {integrity only|security} \[command] mka policy {integrity only|security} \[purpose] configure macsec tunnel data transmission mode \[parameter] parameter description integrity only verification mode, data packets are not encrypted and only data integrity verification is performed security encryption security mode, data packets are encrypted and data integrity verification is performed \[view] macsec policy configuration viewystem view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka policy integrity only sonic(config macsec test)# mka priority mka priority \[command] mka priority 0 255 \[purpose] configure the priority of the mka negotiation server \[view] macsec policy configuration viewystem view \[notes] the default priority for mka is 255 the smaller the priority parameter, the higher the priority the mka server is the party responsible for controlling and distributing encryption keys (sak) in the mka protocol \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka priority 100 sonic(config macsec test)# mka psk ckn cak mka psk ckn cak \[command] mka psk ckn password name cak password no mka psk \[purpose] configure the key name and key for the macsec tunnel \[parameter] parameter description ckn password name key name, used to identify an encryption domain, format prefix free hexadecimal number; length 32 bits cak password shared key, used in the mka protocol to authenticate device identity, format prefix less hexadecimal number; length 32 bits for gcm aes 128/gcm aes xpn 128 encryption, 64 bits for gcm aes 256/gcm aes xpn 256 encryption \[notes] the ckn and cak parameters at both ends of the macsec tunnel must be configured consistently in order to successfully establish the macsec tunnel \[view] macsec policy configuration viewystem view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka psk ckn 01234567890123456789012345678900 cak 01234567890123456789012345678900 sonic(config macsec test)# mka rekey period mka rekey period \[command] mka rekey period rekey period \[purpose] configure the key replacement cycle for macsec tunnels \[parameter] parameter description rekey period key replacement cycle, unit seconds setting this parameter to 0 indicates that no key replacement cycle will be performed the default value is 0 \[view] macsec policy configuration viewystem view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka rekey period 10 sonic(config macsec test)# mka replay protection {enable|window size} mka replay protection {enable|window size} \[command] mka replay protection {enable|window size} no mka replay protection enable \[purpose] enable/configure macsec replay detection functionality \[parameter] parameter description window size allows out of order pn (packet number) ranges configurable range for non xpn data encryption algorithms 0 4294967295 configurable range for xpn data encryption algorithms 0 1073741824 \[view] macsec policy configuration viewystem view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka replay protection enable sonic(config macsec test)# mka replay protection window size 1000 sonic(config macsec test)# mka send sci enable mka send sci enable \[command] mka send sci enable no mka send sci enable \[purpose] enable the send sci function of the macsec policy \[notes] the device defaults to enabling send sci when send sci is disabled, macsec forwarded datagrams no longer carry mac and port information whether the send sci function is enabled does not affect the establishment of macsec tunnels between our devices \[view] macsec policy configuration viewystem view \[use cases] sonic(config)# macsec profile test sonic(config macsec test)# mka send sci enable sonic(config macsec test)#