macsec commands

configure 
macsec 
apply-groups reference
apply-groups-exclude reference
connectivity-association string 
admin-state keyword
anysec boolean
apply-groups reference
apply-groups-exclude reference
auto-gen-psk 
apply-groups reference
apply-groups-exclude reference
cak-name-prefix string
generate-interval number
recovery-keychain reference
cipher-suite keyword
clear-tag-mode keyword
delay-protection boolean
description string
encryption-offset number
macsec-encrypt boolean
mka-hello-interval keyword
mka-key-server-priority number
psk-type keyword
replay-protection boolean
replay-window-size number
static-cak 
active-psk number
apply-groups reference
apply-groups-exclude reference
keychain 
primary reference
pre-shared-key number 
apply-groups reference
apply-groups-exclude reference
cak encrypted-leaf-hex-without-prefix
cak-name cak-name
encryption-type keyword
mac-policy number 
apply-groups reference
apply-groups-exclude reference
destination-mac-address mac-address 

macsec command descriptions

macsec

Synopsis Enter the macsec context
Context configure macsec
Treemacsec
Introduced16.0.R1

Platforms

All

connectivity-association [ca-name] string

Synopsis Enter the connectivity-association list instance
Contextconfigure macsec connectivity-association string
Treeconnectivity-association
Introduced16.0.R1

Platforms

All

anysec boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisMark the CA for use by ANYsec encryption only
Contextconfigure macsec connectivity-association string anysec boolean
Treeanysec

Description

When configured to true, the system configures the Connectivity Association (CA) for exclusive use with ANYsec encyrption.

The following MACsec commands cannot be configured while ANYsec is configured.

  • configure macsec connectivity-association clear-tag-mode

  • configure macsec connectivity-association delay-protection

  • configure macsec connectivity-association encryption-offset

  • configure macsec connectivity-association macsec-encrypt

  • configure macsec connectivity-association replay-window-size

  • configure macsec mac-policy

When configured to false, the system removes the CA.

Default

false

Introduced23.3.R1

Platforms

7750 SR-1, 7750 SR-1 (FP5), 7750 SR-12e, 7750 SR-s

auto-gen-psk
Synopsis Enter the auto-gen-psk context
Contextconfigure macsec connectivity-association string auto-gen-psk
Treeauto-gen-psk

Description

Commands in this context configure PSK autogeneration.

Introduced26.7.R1

Platforms

All

cak-name-prefix string
Synopsis Prefix string to include in the CKN
Context configure macsec connectivity-association string auto-gen-psk cak-name-prefix string
Treecak-name-prefix

Description

This command configures the prefix string to use in the CKN. The system generates each CKN by combining the following:

  • 20 bytes of the cak-name-prefix. If the entire 20 bytes is not configured, the system pads the remaining bytes with zeroes.

  • 2 bytes of zeroes that are reserved for future use

  • 6 bytes of the local chassis mac (to ensure that the CKNs on different chassis are unique)

  • 4 bytes of a counter that increments by one every time a new CKN is generated

String length2 to 40
String format'cak-name-prefix' must be even-length hex up to 40 characters (e.g. 0a1b2c)
Introduced26.7.R1

Platforms

All

recovery-keychain reference
Synopsis Name of keychain to recover auto generate PSK
Contextconfigure macsec connectivity-association string auto-gen-psk recovery-keychain reference
Treerecovery-keychain

Description

This command configures the MACsec keychain used to establish the initial MKA. The initial MKA is used to distribute the first auto-generated PSK and establish the autogenerating MKA session. The system also uses the keychain as a backup if the autogenerated MKA fails for any reason.

Reference

configure system security keychains keychain named-item

Introduced26.7.R1

Platforms

All

cipher-suite keyword
Synopsis Data path encryption algorithm
Context configure macsec connectivity-association string cipher-suite keyword
Treecipher-suite
Optionsgcm-aes-128, gcm-aes-256, gcm-aes-xpn-128, gcm-aes-xpn-256

Default

gcm-aes-128

Introduced16.0.R1

Platforms

All

clear-tag-mode keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisClear tag mode for clear text before the SecTAG
Contextconfigure macsec connectivity-association string clear-tag-mode keyword
Treeclear-tag-mode
Optionsnone, single-tag, dual-tag

Default

none

Introduced16.0.R1

Platforms

All

delay-protection boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisEnable delay protection
Contextconfigure macsec connectivity-association string delay-protection boolean
Treedelay-protection

Default

false

Introduced20.10.R1

Platforms

All

macsec-encrypt boolean
Synopsis Encrypt and authenticate all PDUs
Context configure macsec connectivity-association string macsec-encrypt boolean
Treemacsec-encrypt

Description

When configured to true, all PDUs are encrypted and authenticated.

When configured to false, all PDUs are transmitted in clear text, however, they are still authenticated and have the trailing ICV.

Default

true

Introduced16.0.R1

Platforms

All

mka-key-server-priority number
Synopsis Key server priority used by the MKA protocol
Contextconfigure macsec connectivity-association string mka-key-server-priority number
Treemka-key-server-priority

Description

This command specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode.

Range0 to 255

Default

16

Introduced26.3.R1

Platforms

All

psk-type keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisType of PSK to apply.
Contextconfigure macsec connectivity-association string psk-type keyword
Treepsk-type
Optionsstatic, auto-gen

Default

static

Introduced 26.7.R1

Platforms

All

replay-protection boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisDiscard packet when not within the replay window size
Contextconfigure macsec connectivity-association string replay-protection boolean
Treereplay-protection

Description

When configured to true, replay protection is enabled and packets are discarded when they are not within the replay window size. 

With replay protection, the sequence of the ID number of received packets is checked. If a packet arrives out of sequence and the difference between the packet IDs exceeds the replay protection window size, the packet is counted by the receiving port and discarded. For example if the replay protection window size is configured to five and a packet with an ID of 1006 arrives on the receiving link immediately following the packet assigned an ID of 1000, the packet with ID 1006 is counted and discarded because it is outside the parameter of the window size.

Replay protection is particularly useful for addressing man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link that arrives on the receiving link out of sequence will be detected and dropped instead of forwarded through the network.

Replay protection should not be enabled in cases where packets are expected to arrive out of order.

When configured to false, replay protection is not enabled.

Default

false

Introduced16.0.R1

Platforms

All

replay-window-size number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

SynopsisReplay protection window size
Contextconfigure macsec connectivity-association string replay-window-size number
Treereplay-window-size
Range0 to 4294967294

Default

0

Introduced16.0.R1

Platforms

All

static-cak
Synopsis Enter the static-cak context
Context configure macsec connectivity-association string static-cak
Treestatic-cak

Description

Commands in this context configure the Connectivity Association Key (CAK) to manage the MACsec Key Agreement (MKA).

Introduced16.0.R1

Platforms

All

active-psk number
Synopsis Active pre-shared-key (PSK)
Context configure macsec connectivity-association string static-cak active-psk number
Treeactive-psk

Description

This command specifies the active transmitting PSK. If two PSKs are configured, the arriving MACsec MKA can be decrypted via CAKs using either PSK; however, only the active PSK is used for TX encryption of MKA PDUs.

Range1 to 2

Default

1

Introduced16.0.R1

Platforms

All

pre-shared-key [psk-id] number
Synopsis Enter the pre-shared-key list instance
Contextconfigure macsec connectivity-association string static-cak pre-shared-key number
Treepre-shared-key

Description

Commands in this context configure pre-shared key attributes to enable MACsec using static connectivity association key (CAK) security mode.

A pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). The pre-shared key, the CKN and the CAK, must match on both ends of a link.

A pre-shared key is configured on both devices at each end of a point-to-point link to enable MACsec via static CAK security mode. The MACsec Key Agreement (MKA) protocol is enabled after the successful MKA liveliness negotiation.

The encryption type is used to encrypt the SAK and authenticate the MKA packet. The symmetric encryption key SAK (Security Association Key) must be encrypted (wrapped) via the MKA protocols. The AES key is derived from the pre-shared-key.

Max. instances2
Introduced16.0.R1

Platforms

All

cak encrypted-leaf-hex-without-prefix
Synopsis Connectivity association key (CAK) for the PSK
Contextconfigure macsec connectivity-association string static-cak pre-shared-key number cak encrypted-leaf-hex-without-prefix
Treecak

Description

This command specifies the connectivity association key (CAK) for the pre-shared key. Two values are derived from the CAK:

  • Key Encryption Key (KEK), used to encrypt the MKA and SAK (symmetric key used for data path PDUs) distributed between all members

  • Integrity Check Value (ICV), used to authenticate the MKA and SAK PDUs distributed between all members

This command uses a protected format where the specific format is indicated by the hash, hash2, hash3, or custom suffix. See "Configuration secrets" in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for more information.

String length1 to 126
String format'encrypted-leaf-hex-without-prefix' must have clear text in hex without 0x or end with hash/hash2/hash3/custom
Introduced16.0.R1

Platforms

All

cak-name cak-name
Synopsis Connectivity association key name (CKN) for the PSK
Contextconfigure macsec connectivity-association string static-cak pre-shared-key number cak-name cak-name
Treecak-name

Description

This command specifies the connectivity association key name (CKN) for the pre-shared key. The CKN is appended to the MKA for identification of the appropriate CAK by the peer.

String length1 to 64
String format'cak-name' must be even-length hex up to 64 characters (e.g. 0a1b2c)
Introduced16.0.R1

Platforms

All

mac-policy [mac-policy-id] number

Synopsis Enter the mac-policy list instance
Contextconfigure macsec mac-policy number
Treemac-policy
Introduced16.0.R5

Platforms

All

[mac-policy-id] number
Synopsis MAC address policy ID
Context configure macsec mac-policy number
Treemac-policy
Max. range0 to 4294967295

Notes

This element is part of a list key.

Introduced16.0.R5

Platforms

All

destination-mac-address [dest-mac-addr] mac-address
Synopsis Add a list entry for destination-mac-address
Contextconfigure macsec mac-policy number destination-mac-address mac-address
Treedestination-mac-address
Max. instances5
Introduced16.0.R5

Platforms

All