macsec commands
configure
— macsec
    — apply-groups reference
    — apply-groups-exclude reference
    — connectivity-association string
        — admin-state keyword
        — anysec boolean
        — apply-groups reference
        — apply-groups-exclude reference
        — cipher-suite keyword
        — clear-tag-mode keyword
        — delay-protection boolean
        — description string
        — encryption-offset number
        — macsec-encrypt boolean
        — replay-protection boolean
        — replay-window-size number
        — static-cak
            — active-psk number
            — apply-groups reference
            — apply-groups-exclude reference
            — mka-hello-interval keyword
            — mka-key-server-priority number
            — pre-shared-key number
                — apply-groups reference
                — apply-groups-exclude reference
                — cak encrypted-leaf-hex-without-prefix
                — cak-name cak-name
                — encryption-type keyword
    — mac-policy number
        — apply-groups reference
        — apply-groups-exclude reference
        — destination-mac-address mac-address
macsec command descriptions
macsec
connectivity-association [ca-name] string
Synopsis | Enter the connectivity-association list instance
Context | configure macsec connectivity-association string
Tree | connectivity-association
Introduced | 16.0.R1
Platforms | All
[ca-name] string
Synopsis | Connectivity association name
Context | configure macsec connectivity-association string
Tree | connectivity-association
String length | 1 to 32
Notes | This element is part of a list key.
Introduced | 16.0.R1
Platforms | All
admin-state keyword
Synopsis | Administrative state of the connectivity association
Context | configure macsec connectivity-association string admin-state keyword
Tree | admin-state
Options |
Default | disable
Introduced | 16.0.R1
Platforms | All
anysec boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Mark the CA for use by ANYsec encryption only
Context | configure macsec connectivity-association string anysec boolean
Tree | anysec
Description | When configured to true, the system configures the Connectivity Association (CA) for exclusive use with ANYsec encryption. The following MACsec commands cannot be configured while ANYsec is configured. When configured to false, the system removes the CA.
Default | false
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
cipher-suite keyword
Synopsis | Data path encryption algorithm
Context | configure macsec connectivity-association string cipher-suite keyword
Tree | cipher-suite
Options |
Default | gcm-aes-128
Introduced | 16.0.R1
Platforms | All
clear-tag-mode keyword
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Clear tag mode for clear text before the SecTAG
Context | configure macsec connectivity-association string clear-tag-mode keyword
Tree | clear-tag-mode
Options |
Default | none
Introduced | 16.0.R1
Platforms | All
delay-protection boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Enable delay protection
Context | configure macsec connectivity-association string delay-protection boolean
Tree | delay-protection
Default | false
Introduced | 20.10.R1
Platforms | All
description string
Synopsis | Text description
Context | configure macsec connectivity-association string description string
Tree | description
String length | 1 to 80
Introduced | 16.0.R1
Platforms | All
encryption-offset number
Synopsis | Confidentiality (encryption) offset
Context | configure macsec connectivity-association string encryption-offset number
Tree | encryption-offset
Range | 0, 30 or 50
Default | 0
Introduced | 16.0.R1
Platforms | All
macsec-encrypt boolean
Synopsis | Encrypt and authenticate all PDUs
Context | configure macsec connectivity-association string macsec-encrypt boolean
Tree | macsec-encrypt
Description | When configured to true, all PDUs are encrypted and authenticated. When configured to false, all PDUs are transmitted in clear text; however, they are still authenticated and carry the trailing ICV.
Default | true
Introduced | 16.0.R1
Platforms | All
replay-protection boolean
Synopsis | Discard packet when not within the replay window size
Context | configure macsec connectivity-association string replay-protection boolean
Tree | replay-protection
Description | When configured to true, replay protection is enabled and packets are discarded when they are not within the replay window size. With replay protection, the sequence of the ID numbers of received packets is checked. If a packet arrives out of sequence and the difference between the packet IDs exceeds the replay protection window size, the packet is counted by the receiving port and discarded. For example, if the replay protection window size is configured to five and a packet with an ID of 1006 arrives on the receiving link immediately following the packet with ID 1000, the packet with ID 1006 is counted and discarded because it is outside the window. Replay protection is particularly useful for addressing man-in-the-middle attacks: a packet that is replayed by a man-in-the-middle attacker on the Ethernet link and arrives on the receiving link out of sequence is detected and dropped instead of being forwarded through the network. Replay protection should not be enabled in cases where packets are expected to arrive out of order. When configured to false, replay protection is not enabled.
Default | false
Introduced | 16.0.R1
Platforms | All
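The following Python is an added illustration of the replay-window rule given in the replay-protection description; it is not SR OS code and is not part of this reference. The forward-jump rule (a packet whose ID is more than the window beyond the last packet is counted and discarded) follows the 1000/1006 example above. How late or duplicate packets are measured is an assumption of this model, not something the reference states: their distance is taken from the next expected packet number, so that a window of 0 discards an exact duplicate. The packet sequences are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ReplayState:
    """Receive-side state for the replay check modelled here (assumed structure)."""
    replay_protection: bool            # the replay-protection true/false setting
    window: int                        # the replay-window-size value
    highest_pn: Optional[int] = None   # highest packet ID accepted so far
    accepted: int = 0
    discarded: int = 0                 # out-of-window packets counted by the port


def check_packet(state: ReplayState, pn: int) -> bool:
    """Apply the replay-window rule to one received packet ID; return True if accepted.

    In-sequence packets (pn == highest + 1) are always accepted.  A forward jump
    is discarded when pn - highest exceeds the window (the 1000 -> 1006 example
    with a window of 5).  A late or duplicate packet is discarded when its
    distance from the next expected packet number exceeds the window (assumed
    rule, so that window 0 rejects a replayed duplicate).
    """
    if not state.replay_protection or state.highest_pn is None:
        distance = 0                                   # protection off, or first packet
    elif pn == state.highest_pn + 1:
        distance = 0                                   # in sequence
    elif pn > state.highest_pn:
        distance = pn - state.highest_pn               # forward jump, per the page's example
    else:
        distance = (state.highest_pn + 1) - pn         # late/duplicate (assumption)

    if distance > state.window:
        state.discarded += 1                           # counted by the receiving port
        return False

    state.accepted += 1
    if state.highest_pn is None or pn > state.highest_pn:
        state.highest_pn = pn
    return True


def run_sequence(replay_protection: bool, window: int, pns: List[int]) -> Tuple[List[bool], int]:
    """Feed a constructed sequence of packet IDs through one receive state.

    Returns the per-packet verdicts and the number of discarded packets.
    """
    state = ReplayState(replay_protection, window)
    verdicts = [check_packet(state, pn) for pn in pns]
    return verdicts, state.discarded


if __name__ == "__main__":
    # The example from the description: window 5, 1006 right after 1000.
    print(run_sequence(True, 5, [1000, 1006]))          # ([True, False], 1)
    # A jump within the window is tolerated, and the sequence resumes from it.
    print(run_sequence(True, 5, [1000, 1005, 1006]))    # ([True, True, True], 0)
    # Window 0: only the strictly next packet is accepted; a duplicate is dropped.
    print(run_sequence(True, 0, [1000, 1001, 1001, 1003]))  # ([True, True, False, False], 2)
    # replay-protection false: everything is accepted, including a replayed 1000.
    print(run_sequence(False, 0, [1000, 1006, 1000]))   # ([True, True, True], 0)
```

The last case shows why the description warns against enabling replay protection on links where reordering is expected: any packet more than `replay-window-size` away from the current position is dropped, so the window has to be sized to the worst-case reordering on the link, not to zero.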
replay-window-size number
Synopsis | Replay protection window size
Context | configure macsec connectivity-association string replay-window-size number
Tree | replay-window-size
Range | 0 to 4294967294
Default | 0
Introduced | 16.0.R1
Platforms | All
static-cak
Synopsis | Enter the static-cak context
Context | configure macsec connectivity-association string static-cak
Tree | static-cak
Description | Commands in this context configure the Connectivity Association Key (CAK) to manage the MACsec Key Agreement (MKA).
Introduced | 16.0.R1
Platforms | All
active-psk number
Synopsis | Active pre-shared-key (PSK)
Context | configure macsec connectivity-association string static-cak active-psk number
Tree | active-psk
Description | This command specifies the active transmitting PSK. If two PSKs are configured, the arriving MACsec MKA can be decrypted via CAKs using either PSK; however, only the active PSK is used for TX encryption of MKA PDUs.
Range | 1 to 2
Default | 1
Introduced | 16.0.R1
Platforms | All
mka-hello-interval keyword
Synopsis | MKA hello interval
Context | configure macsec connectivity-association string static-cak mka-hello-interval keyword
Tree | mka-hello-interval
Description | This command configures the interval at which MKA hello packets are sent or received for the connectivity association.
Options |
Default | 2
Introduced | 19.5.R1
Platforms | All
mka-key-server-priority number
Synopsis | Key server priority used by the MKA protocol
Context | configure macsec connectivity-association string static-cak mka-key-server-priority number
Tree | mka-key-server-priority
Description | This command specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode.
Range | 0 to 255
Default | 16
Introduced | 16.0.R1
Platforms | All
pre-shared-key [psk-id] number
Synopsis | Enter the pre-shared-key list instance
Context | configure macsec connectivity-association string static-cak pre-shared-key number
Tree | pre-shared-key
Description | Commands in this context configure pre-shared key attributes to enable MACsec using static connectivity association key (CAK) security mode. A pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). The pre-shared key (both the CKN and the CAK) must match on both ends of a link. A pre-shared key is configured on both devices at each end of a point-to-point link to enable MACsec via static CAK security mode. The MACsec Key Agreement (MKA) protocol is enabled after the successful MKA liveness negotiation. The encryption type is used to encrypt the SAK and authenticate the MKA packet. The symmetric Security Association Key (SAK) must be encrypted (wrapped) by the MKA protocol. The AES key is derived from the pre-shared key.
Max. instances | 2
Introduced | 16.0.R1
Platforms | All
[psk-id] number
Synopsis | Pre-shared-key (PSK) ID
Context | configure macsec connectivity-association string static-cak pre-shared-key number
Tree | pre-shared-key
Range | 1 to 2
Notes | This element is part of a list key.
Introduced | 16.0.R1
Platforms | All
cak encrypted-leaf-hex-without-prefix
Synopsis | Connectivity association key (CAK) for the PSK
Context | configure macsec connectivity-association string static-cak pre-shared-key number cak encrypted-leaf-hex-without-prefix
Tree | cak
Description | This command specifies the connectivity association key (CAK) for the pre-shared key. Two values are derived from the CAK:
String length | 1 to 71
Introduced | 16.0.R1
Platforms | All
cak-name cak-name
Synopsis | Connectivity association key name (CKN) for the PSK
Context | configure macsec connectivity-association string static-cak pre-shared-key number cak-name cak-name
Tree | cak-name
Description | This command specifies the connectivity association key name (CKN) for the pre-shared key. The CKN is appended to the MKA for identification of the appropriate CAK by the peer.
String length | 1 to 64
Introduced | 16.0.R1
Platforms | All
encryption-type keyword
Synopsis | Encryption for authentication of the MKA packet
Context | configure macsec connectivity-association string static-cak pre-shared-key number encryption-type keyword
Tree | encryption-type
Options |
Notes | This element is mandatory.
Introduced | 16.0.R1
Platforms | All
mac-policy [mac-policy-id] number
Synopsis | Enter the mac-policy list instance
Context | configure macsec mac-policy number
Tree | mac-policy
Introduced | 16.0.R5
Platforms | All
[mac-policy-id] number
Synopsis | MAC address policy ID
Context | configure macsec mac-policy number
Tree | mac-policy
Max. range | 0 to 4294967295
Notes | This element is part of a list key.
Introduced | 16.0.R5
Platforms | All
destination-mac-address [dest-mac-addr] mac-address
Synopsis | Add a list entry for destination-mac-address
Context | configure macsec mac-policy number destination-mac-address mac-address
Tree | destination-mac-address
Max. instances | 5
Introduced | 16.0.R5
Platforms | All
[dest-mac-addr] mac-address
Synopsis | Destination MAC address added to the MAC policy
Context | configure macsec mac-policy number destination-mac-address mac-address
Tree | destination-mac-address
Notes | This element is part of a list key.
Introduced | 16.0.R5
Platforms | All