macsec commands

configure 
macsec 
apply-groups reference
apply-groups-exclude reference
connectivity-association string 
admin-state keyword
anysec boolean
apply-groups reference
apply-groups-exclude reference
cipher-suite keyword
clear-tag-mode keyword
delay-protection boolean
description string
encryption-offset number
macsec-encrypt boolean
replay-protection boolean
replay-window-size number
static-cak 
active-psk number
apply-groups reference
apply-groups-exclude reference
mka-hello-interval keyword
mka-key-server-priority number
pre-shared-key number 
apply-groups reference
apply-groups-exclude reference
cak encrypted-leaf-hex-without-prefix
cak-name cak-name
encryption-type keyword
mac-policy number 
apply-groups reference
apply-groups-exclude reference
destination-mac-address mac-address 

macsec command descriptions

macsec

Synopsis Enter the macsec context
Context configure macsec
Treemacsec
Introduced16.0.R1

Platforms

All

connectivity-association [ca-name] string

Synopsis Enter the connectivity-association list instance
Contextconfigure macsec connectivity-association string
Treeconnectivity-association
Introduced16.0.R1

Platforms

All

anysec boolean
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisMark the CA for use by ANYsec encryption only
Contextconfigure macsec connectivity-association string anysec boolean
Treeanysec

Description

When configured to true, the system configures the Connectivity Association (CA) for exclusive use with ANYsec encyrption.

The following MACsec commands cannot be configured while ANYsec is configured.

  • configure macsec connectivity-association clear-tag-mode

  • configure macsec connectivity-association delay-protection

  • configure macsec connectivity-association encryption-offset

  • configure macsec connectivity-association macsec-encrypt

  • configure macsec connectivity-association replay-window-size

  • configure macsec mac-policy

When configured to false, the system removes the CA.

Defaultfalse
Introduced23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

cipher-suite keyword
Synopsis Data path encryption algorithm
Context configure macsec connectivity-association string cipher-suite keyword
Treecipher-suite
Optionsgcm-aes-128, gcm-aes-256, gcm-aes-xpn-128, gcm-aes-xpn-256
Defaultgcm-aes-128
Introduced 16.0.R1

Platforms

All

clear-tag-mode keyword
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisClear tag mode for clear text before the SecTAG
Contextconfigure macsec connectivity-association string clear-tag-mode keyword
Treeclear-tag-mode
Optionsnone, single-tag, dual-tag
Defaultnone
Introduced16.0.R1

Platforms

All

delay-protection boolean
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisEnable delay protection
Contextconfigure macsec connectivity-association string delay-protection boolean
Treedelay-protection
Defaultfalse
Introduced20.10.R1

Platforms

All

macsec-encrypt boolean
Synopsis Encrypt and authenticate all PDUs
Context configure macsec connectivity-association string macsec-encrypt boolean
Treemacsec-encrypt

Description

When configured to true, all PDUs are encrypted and authenticated.

When configured to false, all PDUs are transmitted in clear text, however, they are still authenticated and have the trailing ICV.

Defaulttrue
Introduced16.0.R1

Platforms

All

replay-protection boolean
Synopsis Discard packet when not within the replay window size
Contextconfigure macsec connectivity-association string replay-protection boolean
Treereplay-protection

Description

When configured to true, replay protection is enabled and packets are discarded when they are not within the replay window size. 

With replay protection, the sequence of the ID number of received packets is checked. If a packet arrives out of sequence and the difference between the packet IDs exceeds the replay protection window size, the packet is counted by the receiving port and discarded. For example if the replay protection window size is configured to five and a packet with an ID of 1006 arrives on the receiving link immediately following the packet assigned an ID of 1000, the packet with ID 1006 is counted and discarded because it is outside the parameter of the window size.

Replay protection is particularly useful for addressing man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link that arrives on the receiving link out of sequence will be detected and dropped instead of forwarded through the network.

Replay protection should not be enabled in cases where packets are expected to arrive out of order.

When configured to false, replay protection is not enabled.

Defaultfalse
Introduced16.0.R1

Platforms

All

static-cak
Synopsis Enter the static-cak context
Context configure macsec connectivity-association string static-cak
Treestatic-cak

Description

Commands in this context configure the Connectivity Association Key (CAK) to manage the MACsec Key Agreement (MKA).

Introduced16.0.R1

Platforms

All

active-psk number
Synopsis Active pre-shared-key (PSK)
Context configure macsec connectivity-association string static-cak active-psk number
Treeactive-psk

Description

This command specifies the active transmitting PSK. If two PSKs are configured, the arriving MACsec MKA can be decrypted via CAKs using either PSK; however, only the active PSK is used for TX encryption of MKA PDUs.

Range1 to 2
Default1
Introduced 16.0.R1

Platforms

All

mka-key-server-priority number
Synopsis Key server priority used by the MKA protocol
Contextconfigure macsec connectivity-association string static-cak mka-key-server-priority number
Treemka-key-server-priority

Description

This command specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode.

Range0 to 255
Default16
Introduced 16.0.R1

Platforms

All

pre-shared-key [psk-id] number
Synopsis Enter the pre-shared-key list instance
Contextconfigure macsec connectivity-association string static-cak pre-shared-key number
Treepre-shared-key

Description

Commands in this context configure pre-shared key attributes to enable MACsec using static connectivity association key (CAK) security mode.

A pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). The pre-shared key, the CKN and the CAK, must match on both ends of a link.

A pre-shared key is configured on both devices at each end of a point-to-point link to enable MACsec via static CAK security mode. The MACsec Key Agreement (MKA) protocol is enabled after the successful MKA liveliness negotiation.

The encryption type is used to encrypt the SAK and authenticate the MKA packet. The symmetric encryption key SAK (Security Association Key) must be encrypted (wrapped) via the MKA protocols. The AES key is derived from the pre-shared-key.

Max. instances2
Introduced16.0.R1

Platforms

All

cak encrypted-leaf-hex-without-prefix
Synopsis Connectivity association key (CAK) for the PSK
Contextconfigure macsec connectivity-association string static-cak pre-shared-key number cak encrypted-leaf-hex-without-prefix
Treecak

Description

This command specifies the connectivity association key (CAK) for the pre-shared key. Two values are derived from the CAK:

  • Key Encryption Key (KEK), used to encrypt the MKA and SAK (symmetric key used for data path PDUs) distributed between all members

  • Integrity Check Value (ICV), used to authenticate the MKA and SAK PDUs distributed between all members

String length1 to 71
Introduced16.0.R1

Platforms

All

cak-name cak-name
Synopsis Connectivity association key name (CKN) for the PSK
Contextconfigure macsec connectivity-association string static-cak pre-shared-key number cak-name cak-name
Treecak-name

Description

This command specifies the connectivity association key name (CKN) for the pre-shared key. The CKN is appended to the MKA for identification of the appropriate CAK by the peer.

String length1 to 64
Introduced16.0.R1

Platforms

All

mac-policy [mac-policy-id] number

Synopsis Enter the mac-policy list instance
Contextconfigure macsec mac-policy number
Treemac-policy
Introduced16.0.R5

Platforms

All

[mac-policy-id] number
Synopsis MAC address policy ID
Context configure macsec mac-policy number
Treemac-policy
Max. range0 to 4294967295

Notes

This element is part of a list key.

Introduced16.0.R5

Platforms

All

destination-mac-address [dest-mac-addr] mac-address
Synopsis Add a list entry for destination-mac-address
Contextconfigure macsec mac-policy number destination-mac-address mac-address
Treedestination-mac-address
Max. instances5
Introduced16.0.R5

Platforms

All