For supporting the MACsec configuration, configure the following:
Syntax
Macsec policy validation rules
| Validation | Error/Warning/Prompt |
|---|---|
|
While creating or editing a policy: |
|
|
Maximum policy name length is 32 |
The policy name exceeds the maximum permissible limit of %s characters. (where the %s is the Max length of the Policy Name, which is 32.) |
|
Checks on the Policy Name string: Character validity (Alpha-numeric and hyphen. Must start and end with alphanumeric only). |
Invalid policy name. The policy name may contain alphanumeric characters and hyphen, and must begin and end with a alphanumeric character. |
|
Check for maximum number of policies (48). |
Cannot create a new policy because the total number of policies on this device has reached the maximum limit of %s. (where %s, is the maximum number of policies, currently 48) |
|
While removing the policy: |
|
|
A policy cannot be deleted if applied on any port at the time of removal |
Policy %s is currently in use on one or more ports and cannot be deleted. (where %s is the name of the policy). |
|
The policy name does not exist. |
MACsec policy %s does not exist. |
|
While modifying a policy: |
|
|
When a policy is applied on an interface, the mode, CKN and CAK cannot be modified. |
Cannot modify mode, CAK or CKN when the policy is in use on one or more ports. |
Configure the mode of this MACsec policy. The mode determines how the CA Key Name (CKN) and CA Key (CAK) are obtained.
Syntax
Configure the MACsec policy to use pre-shared key mode. In the pre-shared key mode, the CA Key Name (CKN) and the CA Key (CAK) are set manually.
Configure the CA Key Name (CKN) of this MACsec policy. A CKN must be specified before the policy can be applied. Enter the CKN as a string of hexadecimal digits up to 32 characters long. If the CKN configured is less than 32 digits, it will be padded up to 32 hexadecimal digits with 0s. A CAK must be specified before the policy can be applied. Enter the CAK as a string of hexadecimal digits up to 64 characters long. If the CAK is less than 64 digits, it will be padded up to 64 hexadecimal digits with 0s.
As CAK is a key and needs to be protected, when in encrypt-credentials mode the value gets encrypted and stored in the configuration.
Syntax
|
Validation |
Error/Warning/Prompt |
|---|---|
|
Length check on CKN: Up to 32 digits long hex string CKN should have even number of digits. |
"Invalid CKN. The CKN should be an even number of hexadecimal digits no longer than %s digits." Eg: Invalid CKN. The CKN should be an even number of hexadecimal digits no longer than 32 digits. |
|
Length check on CAK: Up to 64 digits long hex string CAK should have even number of digits |
"Invalid CAK. The CAK should be an even number of hexadecimal digits no longer than %s digits." Eg: Invalid CAK. The CAK should be an even number of hexadecimal digits no longer than 64 digits. |
|
Length check for encrypted CAK: Either 44 or 88 characters long ASCII string. |
“Invalid encrypted key.” |
|
Validity check on the encrypted CAK: Decrypt and apply the CAK rules: “Length check on CAK: Up to 64 digits long hex string CAK should have even number of digits” |
“Invalid encrypted key.” |
Syntax
Enable confidentiality in this MACsec policy. When confidentiality is enabled, data packets are encrypted and verified. When confidentiality is disabled, data packets are not encrypted, but they are still verified. By default, confidentiality is enabled.
|
Validation |
Error/Warning/Prompt |
|---|---|
|
When in FIPS(Enhanced Security) mode, confidentiality change from ICV only (no confidentiality) to confidentiality is not allowed, if the policy is already in use on any port. |
“Cannot enable confidentiality in Enhaned Security mode, when the policy is already in use on a port.” |
Syntax
Configure the Replay Protection feature on this MACsec policy. When Replay Protection is enabled, the receiving port checks the IP number of all received packets. If a packet arrives out of sequence and the difference between the packet numbers exceeds the Replay Protection window size, the packet is dropped. By setting the replay window size to 0, it is mandated that all packets arrive in order. The default value of Replay Protection is enabled and the default value of the Replay Protection window size is 0.
Syntax
|
|
|
![[NOTE: ]](images/note.gif) |
NOTE: When a validation check fails on any port in the port-list, the CLI command aborts and returns error message. No configuration changes take place on any of the ports in the port-list. |
|
|
|
Validation |
Error/Warning/Prompt |
|---|---|
|
Check whether the policy with the |
Policy %s does not exist. |
|
PolicyName exists, and whether it can be applied on any port. |
Cannot apply the MACsec policy on ports, because the policy is not complete. |
|
Another policy is already applied on this port. |
Cannot apply the MACsec policy on port %s, because another MACsec policy is already configured on this port. |
|
Trunk (lacp, trunk, dt-trunk, dt-lacp) |
Cannot configure the MACsec policy on port %s when it is part of a trunk. (where %s is the port name.) |
Syntax
Configure the MACsec Key Agreement (MKA) protocol parameters.
Configure 802.1X (Port Based Network Access), MAC address based network access, or web authentication based network access or the MACsec Key Agreement (MKA) protocol on the device.
NOTE: See the help for the commands
aaa port-access authenticator,aaa port-access supplicant,aaa port-access mac-based,aaa port-access web-basedfor further details on authenticator, supplicant, MAC address based, and web authentication based network access configuration.
Syntax
Configure the MKA key server Priority. The key server priority is used by MKA protocol in selecting a key server. The participant with the lower server priority is selected as the key server. The default value is 16.
Syntax
Configure the MKA transmit interval. MKA sends the periodic MKA protocol data unit (PDU) at this interval to the connected device to maintain MACsec connectivity on the link. The default value is 2 seconds.
Syntax
Configure the MACsec Key Agreement (MKA) protocol parameters.
|
|
|
|
|
NOTE: When a validation check fails on any port in the Port-List, the CLI command aborts and returns error message. No configuration changes take place on any of the ports in the Port-List. |
|
|
|
Validation |
Error/Warning/Prompt |
|---|---|
|
Range check for MKA server priority value [0-31]. |
Invalid value %s. The MKA server priority ranges from %s to %s. Eg: Invalid value 50. The MKA server priority ranges from 0 to 31. |
|
Range check for MKA transmit-interval [2-6] |
Invalid value %s. The MKA transmit interval ranges from %s to %s. Eg: Invalid value 1. The MKA transmit interval ranges from 2 to 6 seconds. |
Syntax
|
Validation |
Error/Warning/Prompt |
|---|---|
|
Check for valid logical ports entered. |
Module not present for port or invalid port: %s. (Parser thrown error for a Port). |
|
Check if MACsec is enabled on the port before letting it proceed to clear. |
Cannot clear MKA statistics, because MACsec is not enabled on the port. |
Syntax
|
Validation |
Error/Warning/Prompt |
|---|---|
|
Check for valid logical ports entered. |
Module not present for port or invalid port: %s. (Parser thrown error for a Port). |
|
Check if MACsec is enabled on the port before letting it proceed to clear. |
Cannot clear MACsec statistics, because MACsec is not enabled on the port. |