MACsec Configuration

show macsec profile
[Command]
show macsec profile
[Purpose]
Display MACsec tunnel policy information for the current configuration.
[View]
System view
[Use Cases]
```
sonic# show macsec profile
Macsec Profile: test
Priority: 30
Cipher Suite : GCM-AES-XPN-128
Primary CAK : 01234567890123456789012345678900
Primary CKN : 01234567890123456789012345678900
Policy : security
Replay Protect : false
Replay Window : 0
Rekey Period : 1s
Send Sci : true
```

show macsec interface
[Command]
show macsec interface
[Purpose]
Display the binding relationship between MACsec policies and physical interfaces.
[View]
System view
[Use Cases]
```
sonic# show macsec interface
interface   profile
Ethernet1   test4
Ethernet15  test4
Ethernet10  test5
```

macsec enable
[Command]
macsec enable
[Purpose]
Enable MACsec functionality.
[View]
System view
[Use Cases]
```
sonic# macsec enable
sonic(config)#
```

macsec profile
[Command]
macsec profile profile_name
no macsec profile profile_name
[Purpose]
Create a MACsec tunnel forwarding policy.
[Parameter]
Parameter | Description |
---|---|
profile_name | MACsec tunnel policy name |
[View]
System configuration view
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)#
```

macsec bind
[Command]
macsec bind profile_name
no macsec bind
[Purpose]
Bind a MACsec tunnel policy to the interface.
[Parameter]
Parameter | Description |
---|---|
profile_name | MACsec tunnel policy name |
[Important Notes]
Only the first 16 physical interfaces support MACsec tunnel binding.
[View]
Interface Configuration View
[Use Cases]
```
sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# macsec bind test
sonic(config-if-1)#
```

mka cipher_suite {GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256}
[Command]
mka cipher_suite {GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256}
[Purpose]
Configure MACsec tunnel encryption algorithm.
[Parameter]
Parameter | Description |
---|---|
GCM-AES-128 | Key length 128 bits, PN (Packet Number) length: 32 bits. |
GCM-AES-256 | Key length 256 bits, PN (Packet Number) length: 32 bits. |
GCM-AES-XPN-128 | Key length 128 bits, XPN (eXtended Packet Number) length: 64 bits. |
GCM-AES-XPN-256 | Key length 256 bits, XPN (eXtended Packet Number) length: 64 bits. |
[Notes]
When the PN (Packet Number) of the MACsec tunnel encryption algorithm is 32 bits, the MACsec tunnel can forward approximately 4.2 billion packets under one key before the PN space is exhausted. Therefore, when the tunnel encryption algorithm is GCM-AES-128 or GCM-AES-256, the rekey_period parameter must be configured so that the key is updated periodically.
[View]
MACsec Policy Configuration View
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka cipher_suite GCM-AES-128
sonic(config-macsec-test)#
```
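The show output format above and the PN-exhaustion note for 32-bit PN cipher suites can be combined into a quick profile audit. This is an added example, not code from the page or the vendor: it parses a constructed `show macsec profile` capture (same layout as the real output) and flags a profile that pairs GCM-AES-128/256 with rekey_period 0, a rekey_period longer than the PN exhaustion time at an assumed packet rate, an integrity_only policy, or replay protection left off.

```python
# Added example (not from the original page). The sample output and the
# packet rate passed to audit_profile() are constructed assumptions.
# Packet Number width per cipher suite, from the mka cipher_suite table.
PN_BITS = {
    "GCM-AES-128": 32,
    "GCM-AES-256": 32,
    "GCM-AES-XPN-128": 64,
    "GCM-AES-XPN-256": 64,
}

# Constructed sample in the layout printed by "show macsec profile".
SAMPLE_OUTPUT = """\
Macsec Profile: uplink
Cipher Suite : GCM-AES-128
Policy : integrity_only
Replay Protect : false
Replay Window : 0
Rekey Period : 0s
Send Sci : true
"""

def parse_profile(show_output):
    """Turn the 'Key : value' lines of the show output into a dict."""
    profile = {}
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            profile[key.strip()] = value.strip()
    return profile

def seconds_until_pn_exhaustion(cipher, packets_per_second):
    """Seconds until one SA's PN space is used up at a steady packet rate."""
    return 2 ** PN_BITS[cipher] / packets_per_second

def audit_profile(profile, packets_per_second):
    """List risky settings found in one parsed profile (empty list = clean)."""
    findings = []
    cipher = profile["Cipher Suite"]
    rekey = int(profile["Rekey Period"].rstrip("s"))
    exhaust = seconds_until_pn_exhaustion(cipher, packets_per_second)
    if PN_BITS[cipher] == 32 and rekey == 0:
        findings.append("no rekey_period on a 32-bit PN cipher")
    elif rekey and rekey >= exhaust:
        findings.append(f"rekey_period {rekey}s exceeds PN exhaustion time {exhaust:.0f}s")
    if profile["Policy"] == "integrity_only":
        findings.append("policy integrity_only: frames are not encrypted")
    if profile["Replay Protect"].lower() != "true":
        findings.append("replay protection disabled")
    return findings
```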

mka policy {integrity_only|security}
[Command]
mka policy {integrity_only|security}
[Purpose]
Configure MACsec tunnel data transmission mode.
[Parameter]
Parameter | Description |
---|---|
integrity_only | Verification mode, data packets are not encrypted and only data integrity verification is performed. |
security | Encryption security mode, data packets are encrypted and data integrity verification is performed. |
[View]
MACsec Policy Configuration View
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka policy integrity_only
sonic(config-macsec-test)#
```

mka priority
[Command]
mka priority 0-255
[Purpose]
Configure the priority used in the MKA key server election.
[View]
MACsec Policy Configuration View
[Notes]
The default MKA priority is 255. The lower the value, the higher the priority. The MKA key server is the party that controls and distributes the encryption keys (SAKs) in the MKA protocol.
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka priority 100
sonic(config-macsec-test)#
```

mka psk ckn cak
[Command]
mka psk ckn password-name cak password
no mka psk
[Purpose]
Configure the key name and key for the MACsec tunnel.
[Parameter]
Parameter | Description |
---|---|
ckn password-name | Key name (CKN), used to identify an encryption domain; format: hexadecimal string without a prefix; length: 32 bits. |
cak password | Shared key (CAK), used by the MKA protocol to authenticate device identity; format: hexadecimal string without a prefix; length: 32 bits for GCM-AES-128/GCM-AES-XPN-128, 64 bits for GCM-AES-256/GCM-AES-XPN-256. |
[Notes]
The CKN and CAK parameters at both ends of the MACsec tunnel must be configured consistently in order to successfully establish the MACsec tunnel.
[View]
MACsec Policy Configuration View
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka psk ckn 01234567890123456789012345678900 cak 01234567890123456789012345678900
sonic(config-macsec-test)#
```

mka rekey_period
[Command]
mka rekey_period rekey_period
[Purpose]
Configure the key replacement (rekey) period for MACsec tunnels.
[Parameter]
Parameter | Description |
---|---|
rekey_period | Key replacement period, in seconds. A value of 0 disables periodic key replacement. The default value is 0. |
[View]
MACsec Policy Configuration View
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka rekey_period 10
sonic(config-macsec-test)#
```

mka replay_protection {enable|window_size}
[Command]
mka replay_protection {enable|window_size}
no mka replay_protection enable
[Purpose]
Enable or configure MACsec replay detection.
[Parameter]
Parameter | Description |
---|---|
window_size | Size of the out-of-order PN (Packet Number) range that is still accepted. Configurable range for non-XPN cipher suites: 0-4294967295. Configurable range for XPN cipher suites: 0-1073741824. |
[View]
MACsec Policy Configuration View
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka replay_protection enable
sonic(config-macsec-test)# mka replay_protection window_size 1000
sonic(config-macsec-test)#
```
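To see what the window_size parameter changes on the receiving side, the following added example (not code from the page or the vendor) models the replay check a MACsec receive secure association applies as I understand it from IEEE 802.1AE: frames are dropped when their PN falls below the next expected PN minus the window, and window_size is validated against the non-XPN and XPN limits from the table above. All PN values used are constructed.

```python
# Added example (not from the original page); PNs below are constructed.
# Largest window_size the CLI accepts, from the replay_protection table.
MAX_WINDOW = {"non-xpn": 4294967295, "xpn": 1073741824}

def validate_window_size(window_size, cipher_family):
    """Reject a window_size outside the range allowed for the cipher family."""
    limit = MAX_WINDOW[cipher_family]
    if not 0 <= window_size <= limit:
        raise ValueError(f"window_size {window_size} is outside 0-{limit}")
    return window_size

class ReceiveSA:
    """Replay check for one receive secure association.

    next_pn is the PN expected next. With replay protection on, a frame is
    dropped when its PN is below next_pn - window. The check keeps no per-PN
    bitmap, so a window > 0 still accepts a re-sent frame whose PN lies inside
    the window; only window 0 rejects every already-seen PN.
    """

    def __init__(self, window_size, replay_protect=True, cipher_family="non-xpn"):
        self.window = validate_window_size(window_size, cipher_family)
        self.replay_protect = replay_protect
        self.next_pn = 1
        self.dropped = 0

    def accept(self, pn):
        """Return True if the frame passes; advance next_pn for in-order PNs."""
        lowest_acceptable = max(self.next_pn - self.window, 1)
        if self.replay_protect and pn < lowest_acceptable:
            self.dropped += 1
            return False
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True
```

A non-zero window tolerates reordering on multi-path links at the cost of accepting a duplicate that still sits inside the window; window 0 is the strict setting.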

mka send_sci enable
[Command]
mka send_sci enable
no mka send_sci enable
[Purpose]
Enable the send_sci function of the MACsec policy.
[Notes]
The device enables send_sci by default. When send_sci is disabled, MACsec frames no longer carry the SCI (the sending MAC address and port information).
Whether the send_sci function is enabled does not affect the establishment of MACsec tunnels between our devices.
[View]
MACsec Policy Configuration View
[Use Cases]
```
sonic(config)# macsec profile test
sonic(config-macsec-test)# mka send_sci enable
sonic(config-macsec-test)#
```