MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release


Guidelines for MACsec encryption


Overview

Provides operational guidelines for ensuring reliable MACsec encryption, including recommendations for keychain management, fallback PSK configuration, and consistent interface application to prevent security gaps.


Guidelines for configuring MACsec keychains

Follow these guidelines to effectively and securely manage MACsec keychains:

  • Ensure that the MACsec Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK) match exactly on both ends. If the CKN or CAK do not match, the MKA session cannot be established, resulting in failed secure communication.

  • Use key IDs that are unique regardless of case. MACsec key IDs are case-insensitive and are stored in uppercase (for example, 'FF' and 'ff' are treated as the same ID), so IDs that differ only in case count as duplicates and can cause session instability. This case insensitivity does not apply to Netconf protocol configurations.

  • Use MACsec keys of even length, up to 64 characters. Odd-length keys cause the system to exit MACsec configuration mode, preventing key setup.

  • Always use the latest key in the keychain for MKA protocol operations. The key with the most recent Start Time among active keys is automatically used. You can verify key details with the show key chain command.

  • Activate new MACsec keys in advance to ensure at least a one-minute overlap with the current key, ensuring seamless CAK rollover and preventing session interruptions.

  • Set Start and Expiry times with future timestamps to automate CAK rotation. Automating key rotation enables bulk configuration for daily CAK rotation without manual intervention, improving operational efficiency and security.

  • Do not delete or allow the current active key to expire. Deleting or allowing the active key to expire will terminate the MKA session and disrupt traffic. To prevent service interruption, configure keys with an infinite lifetime. If fallback is enabled, traffic will continue by switching to the fallback key upon expiry or deletion of the primary active key.

  • Monitor key status regularly and take action before a key expires. When a key expires, the MACsec session terminates and secure connectivity is lost. Use the following commands to check status:
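The keychain rules above (case-folded key IDs, even-length CAKs of at most 64 characters, a one-minute overlap per rollover, and the "latest start time wins" selection) are mechanical enough to lint before a plan is pushed to the router. The following is an added example, not Cisco's code: a small Python checker over a planned key list. The KeyEntry model, the sample plan and its timestamps are constructed for the example; an infinite lifetime is modelled as expiry None.

```python
"""Pre-deployment checks for a MACsec PSK keychain plan (added example, not Cisco's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_KEY_LEN = 64                      # guideline: key-string up to 64 characters
MIN_OVERLAP = timedelta(minutes=1)    # guideline: at least one minute of overlap per CAK rollover


@dataclass
class KeyEntry:
    key_id: str                   # CKN as typed by the operator (assumed model for this example)
    key_string: str               # CAK, hex characters
    start: datetime
    expiry: Optional[datetime]    # None models an infinite lifetime


def normalize_ckn(key_id: str) -> str:
    """The router stores key IDs in uppercase, so 'ff' and 'FF' are the same key."""
    return key_id.upper()


def check_keychain(keys: List[KeyEntry]) -> List[str]:
    """Return guideline violations; an empty list means the plan is clean."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for k in keys:
        ckn = normalize_ckn(k.key_id)
        if ckn in seen:
            problems.append(f"duplicate key ID after case folding: {k.key_id!r} and {seen[ckn]!r}")
        else:
            seen[ckn] = k.key_id
        if len(k.key_string) % 2:
            problems.append(f"key {k.key_id}: odd-length key-string ({len(k.key_string)} chars)")
        if len(k.key_string) > MAX_KEY_LEN:
            problems.append(f"key {k.key_id}: key-string exceeds {MAX_KEY_LEN} chars")
        if k.expiry is not None and k.expiry <= k.start:
            problems.append(f"key {k.key_id}: expiry is not after start")
    # Rollover continuity: every finite key needs a successor that starts at least
    # MIN_OVERLAP before the key expires, otherwise the MKA session drops.
    ordered = sorted(keys, key=lambda k: k.start)
    for i, cur in enumerate(ordered):
        if cur.expiry is None:
            continue                      # an infinite key never forces a rollover
        nxt = ordered[i + 1] if i + 1 < len(ordered) else None
        if nxt is None:
            problems.append(f"key {cur.key_id}: expires with no successor key")
        elif cur.expiry - nxt.start < MIN_OVERLAP:
            problems.append(f"key {cur.key_id}: successor {nxt.key_id} starts less than "
                            f"{MIN_OVERLAP} before expiry")
    return problems


def active_key(keys: List[KeyEntry], now: datetime) -> Optional[KeyEntry]:
    """Mirror MKA's choice: among live keys, the one with the most recent start time."""
    live = [k for k in keys if k.start <= now and (k.expiry is None or now < k.expiry)]
    return max(live, key=lambda k: k.start) if live else None


def sample_plan() -> List[KeyEntry]:
    """Constructed plan for a daily CAK rotation, with deliberate mistakes to catch."""
    t0 = datetime(2024, 6, 1, 0, 0)
    day = timedelta(days=1)
    return [
        KeyEntry("01", "a" * 32, t0, t0 + day),
        # starts one minute before key 01 expires: the required overlap
        KeyEntry("02", "b" * 32, t0 + day - MIN_OVERLAP, t0 + 2 * day),
        # starts exactly when key 02 expires: zero overlap, the session would drop
        KeyEntry("ab", "c" * 32, t0 + 2 * day, None),
        # "AB" collides with "ab" once uppercased, and its CAK has odd length
        KeyEntry("AB", "d" * 31, t0 + 2 * day + timedelta(hours=1), None),
    ]


if __name__ == "__main__":
    plan = sample_plan()
    for line in check_keychain(plan) or ["plan is clean"]:
        print(line)
    now = plan[1].start          # moment the overlap window for key 02 opens
    print("active key now:", active_key(plan, now).key_id)
```

Running the script against the constructed plan reports three violations (the case-folded duplicate, the odd-length CAK and the zero-overlap rollover from key 02 to key ab) and shows that key 02, not key 01, is selected as soon as its start time is reached, because both are live and 02 has the later start.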


Guidelines for managing fallback PSK and active fallback

Follow these guidelines to ensure seamless and secure key management during MACsec operations:

  • Ensure the system performs a hitless rollover from the current active key to the fallback key during CAK rollover of primary keys if the latest active keys mismatch and the fallback keys match.

  • Ensure the system performs a hitless rollover back to the primary latest active key when a session is active with the fallback key and the primary latest active key mismatch is resolved between peers.

  • Enable active fallback to include the fallback PSK entry in MACsec show commands. When the session is secured with the primary key, the fallback session status must display as ACTIVE.

  • Configure a valid fallback PSK (CKN and CAK) with an infinite lifetime.

  • Do not configure the fallback PSK with a CAK mismatch. If a mismatch happens, resolve it by pushing a new set of PSK configurations across all association members—first on the fallback PSK keychain, then on the primary PSK keychain.

  • Configure the enable-legacy-fallback command under the macsec-policy to maintain backward compatibility if the peer device runs an older software release that does not support active fallback.

  • In point-to-point (P2P) topologies, rollover to the fallback PSK occurs when either node in the Secure Association (SA) cannot establish a session with the primary PSK.

  • In point-to-multipoint (P2MP) topologies, fallback occurs only when the primary key expires or is deleted on all peers, not just one. If the primary PSK is deleted or expires on a single node (e.g., R1), a new key server is selected among the remaining peers to perform a SAK rekey. This process excludes that node from the SA. All traffic to and from that node is dropped.


Guidelines for configuring the MACsec interface

Follow these guidelines to ensure optimal configuration and performance of MACsec interfaces:

  • Configure separate keychains for primary and fallback PSKs. Do not update both PSKs at the same time. Use the fallback PSK only to recover a MACsec session if the primary key fails.

  • Adjust the interface MTU to account for MACsec overhead. For example, if the default MTU is 1514 bytes, set it to 1546 bytes (1514 + 32 bytes overhead). For IS-IS, ensure a minimum MTU of 1546 bytes.

  • Enable MACsec on all members of a bundle.

    • If MACsec peers use IOS-XR version 24.1.1 or higher, configure impose-overhead-on-bundle in the MACsec policy to adjust the bundle interface MTU for routing protocols running on the bundle interface.

    • If using IOS-XR versions prior to 24.1.1, configure the maximum MTU on the bundle interface to accommodate the protocol packet size plus 32 bytes MACsec overhead. Disable hello-padding for IS-IS running on the bundle interface.

  • Define the MACsec keychain before applying the MACsec configuration to the interface. If you apply the keychain without specifying a policy, the default MACsec policy is used.

  • Use the openconfig-macsec.yang OpenConfig data model to programmatically view the MACsec configuration. For more information, see the Programmability Configuration Guide for Cisco 8000 Series Routers.
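The fallback PSK and interface guidelines above are cross-device consistency rules: matching CKN/CAK on both ends, a fallback PSK with an infinite lifetime in a keychain separate from the primary, an MTU raised by the 32-byte MACsec overhead, and MACsec enabled on every bundle member. The following is an added example, not Cisco's code, that checks a local and a peer interface binding against those rules. The dictionary layout (primary, fallback, keychains, mtu, base_mtu, bundle_members) and the sample values are assumptions made for this example.

```python
"""Consistency checks for a MACsec interface binding between two peers (added example, not Cisco's code)."""
import hmac
from typing import Dict, List, Tuple

MACSEC_OVERHEAD = 32   # bytes of MACsec overhead per frame, per the guideline


def required_mtu(base_mtu: int) -> int:
    """Interface MTU needed once MACsec is enabled (1514 -> 1546)."""
    return base_mtu + MACSEC_OVERHEAD


def _same_psk(a: Dict[str, object], b: Dict[str, object]) -> bool:
    """CKN and CAK must match exactly; the CAK is compared in constant time."""
    return a["ckn"] == b["ckn"] and hmac.compare_digest(str(a["cak"]), str(b["cak"]))


def check_binding(local: dict, peer: dict) -> List[str]:
    """Return findings for one link; an empty list means both ends follow the guidelines."""
    findings: List[str] = []
    for side, cfg in (("local", local), ("peer", peer)):
        if cfg["primary"] == cfg["fallback"]:
            findings.append(f"{side}: primary and fallback PSK share one keychain")
        if not cfg["keychains"][cfg["fallback"]]["infinite"]:
            findings.append(f"{side}: fallback PSK must have an infinite lifetime")
        need = required_mtu(cfg["base_mtu"])
        if cfg["mtu"] < need:
            findings.append(f"{side}: MTU {cfg['mtu']} is below the {need} needed with MACsec")
        for member, enabled in cfg.get("bundle_members", {}).items():
            if not enabled:
                findings.append(f"{side}: bundle member {member} does not have MACsec enabled")
    # Cross-check the PSKs between the two ends of the link.
    lp, pp = local["keychains"][local["primary"]], peer["keychains"][peer["primary"]]
    lf, pf = local["keychains"][local["fallback"]], peer["keychains"][peer["fallback"]]
    if not _same_psk(lf, pf):
        findings.append("fallback PSK mismatch between peers: no recovery path if the primary fails")
    if not _same_psk(lp, pp):
        findings.append("primary PSK mismatch between peers: the session will rely on the fallback key")
    return findings


def sample_peers() -> Tuple[dict, dict]:
    """Constructed local and peer bindings; the peer side carries three mistakes."""
    local = {
        "primary": "kc-primary",
        "fallback": "kc-fallback",
        "keychains": {
            "kc-primary": {"ckn": "1000", "cak": "a" * 32, "infinite": False},
            "kc-fallback": {"ckn": "2000", "cak": "b" * 32, "infinite": True},
        },
        "base_mtu": 1514,
        "mtu": 1546,
        "bundle_members": {"HundredGigE0/0/0/0": True, "HundredGigE0/0/0/1": True},
    }
    peer = {
        "primary": "kc-primary",
        "fallback": "kc-fallback",
        "keychains": {
            # CAK differs in the last character: primary mismatch, session falls back
            "kc-primary": {"ckn": "1000", "cak": "a" * 31 + "c", "infinite": False},
            # fallback key given a finite lifetime: violates the guideline
            "kc-fallback": {"ckn": "2000", "cak": "b" * 32, "infinite": False},
        },
        "base_mtu": 1514,
        "mtu": 1514,          # MTU not raised for the 32-byte overhead
        "bundle_members": {"HundredGigE0/0/0/0": True, "HundredGigE0/0/0/1": True},
    }
    return local, peer


if __name__ == "__main__":
    for line in check_binding(*sample_peers()) or ["binding is consistent"]:
        print(line)
```

Checking the local configuration against itself yields no findings, while the constructed peer produces three: the finite fallback lifetime, the MTU that was not raised by the overhead, and the primary CAK mismatch that would leave the link running on the fallback key.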