Configuring MACsec Key Agreement

This chapter describes how to configure MACsec Key Agreement (MKA), and includes the following sections:

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information" chapter or the Feature History table in this chapter.

Information About MACsec

This section provides information about MACsec, and contains the following sections:

MACsec

MACsec is IEEE 802.1AE standards-based, hop-by-hop Layer 2 encryption that provides data confidentiality, integrity, and replay protection independent of the media access method in use.

MACsec provides MAC-layer encryption over wired networks; the keys are established out of band by a key agreement protocol. On Cisco NX-OS that protocol is either the Cisco proprietary Security Association Protocol (SAP) or MKA, which is defined in the IEEE 802.1X-2010 standard. For information about setting up a MACsec service with SAP, see the "Configuring Cisco TrustSec" chapter.

The MKA protocol negotiates and distributes the session keys (SAKs) and manages their refresh. 802.1AE encryption with MKA is supported on all link types between any of the following MKA-capable devices:

  • Between switches

  • Between routers

  • Between switches and routers

  • Between hosts and access switches

MACsec encrypts the frame payload that follows the security tag; the source and destination MAC addresses and the tag itself are sent in the clear, but they are covered by the integrity check value, so the entire frame, addresses included, is integrity protected. Because MACsec secures the physical link hop by hop, it protects traffic whether or not a higher layer also encrypts it with IPsec or SSL/TLS; it complements those end-to-end mechanisms rather than replacing them.

SECurity entitY MIB IEEE8021-SECY-MIB Support

MACsec supports the IEEE8021-SECY-MIB from Cisco NX-OS Release 8.2(3) onwards.

  • The IEEE8021-SECY-MIB provides Simple Network Management Protocol (SNMP) access to the MAC security entity (SecY) MIB on MACsec-enabled line cards. It is used to query the SecY data, encryption, decryption, and hardware statistics.

  • The IEEE8021-SECY-MIB contains tables that specify the detailed attributes of the MACsec controlled port, indexed by interface index.

MKA Unique PSK Support

With this MACsec enhancement in Cisco NX-OS Release 8.2(3), pre-shared keys (PSKs) are supported on breakout interfaces.

MKA Unrecoverable SAK Support

This MACsec enhancement in Cisco NX-OS Release 8.2(3) ensures that a Secure Association Key (SAK) is never retained across a session restart: a SAK rekey occurs every time a session comes up (after a power cycle, reload, failover, and so on).

MACsec Frame Format

The following figure shows the MACsec frame:

Figure 1. MACsec Frame

The MAC Protocol Data Unit (MPDU) in the MACsec frame has the following components:

  • Security tag (SecTag)—The SecTag is 8 bytes long, or 16 bytes when it carries the optional Secure Channel Identifier (SCI). Its TCI/AN field identifies the secure association, and therefore the secure association key (SAK), to be used for the frame, and its packet number (PN) is what the receiver uses for replay protection when frames arrive out of sequence.

    The following figure shows the components of the SecTag:

    Figure 2. SecTag
  • Secure data—The user data of the frame, encrypted by MACsec (except for any leading bytes left in the clear by a confidentiality offset). It is two or more octets long.

  • Integrity check value (ICV)—The ICV provides an integrity check for the whole frame. It is 8 to 16 bytes long depending on the cipher suite (16 bytes for the GCM-AES suites). Frames whose ICV does not match the expected value are dropped at the receiving port.

MKA Protocol

From Cisco NX-OS Release 8.2(1), MKA is supported only on Cisco Nexus M-3 series modules. The MKA protocol performs the following tasks:

  • Authenticating the members

  • Establishing and managing connectivity association

  • Managing the live or potential peers that are part of a connectivity association, using keepalives (MKPDUs) sent every two seconds

  • Negotiating the cipher suite

  • Electing the key server from among the members of connectivity association

  • Generating the Secure Association Key (SAK) on the key server

  • Distributing SAKs in an encrypted format by the key server to its members

  • Installing a key on the SecY of each member

  • Refreshing SAK before the old SAK expires

The packet body of an Extensible Authentication Protocol (EAP) over LAN (EAPOL) protocol data unit (PDU) that carries MKA is referred to as a MACsec Key Agreement PDU (MKPDU). MKA sends an MKPDU every heartbeat, and each heartbeat is 2 seconds long. When no MKPDU is received from a participant for three heartbeats (6 seconds), that participant is deleted from the live peer list. For example, when a remote participant switch is disconnected, the local participant switch considers it lost after three heartbeats.

MACsec provides encryption using Advanced Encryption Standard (AES) algorithm in Layer 2. MACsec uses the MKA protocol to exchange session keys and manage encryption keys.

The following figure shows the MKA encryption process resulting in a secured data link:

Figure 3. MKA Encryption Process

The following is a description of the MKA encryption process:

  1. When a link is established between two switches, they become peers. With a pre-shared key (PSK), both switches are configured manually with the same connectivity association key (CAK) and key name (CKN); no EAP authentication takes place, so there is no authenticator or supplicant role in a switch-to-switch connection. PSKs can be configured only manually. From Cisco NX-OS Release 8.2(3), PSKs are also supported on breakout interfaces.

  2. Each peer advertises its CKN in the MKPDUs it sends. A receiving peer accepts an MKPDU only if the MKA ICV in it verifies under the integrity check key derived from the CAK, so a participant that holds the wrong CAK is never admitted to the connectivity association.

  3. A key server is elected from among the participants based on the configured key server priority. The lower the value, the more likely the switch is to become the key server; if no value is configured, the default of 16 is used. The switch with the lowest priority value becomes the key server and the other switch functions as the key client. The following rules apply to the election:

    • Numerically lower key server priority values are preferred; among equal priorities, the numerically lower SCI is preferred.

    • Each switch selects as its key server the live peer that advertises the highest preference, provided that peer has not selected another participant as its key server and has not declined the role (a priority of 255 means the participant will not act as key server).

    • If there is a tie on key server priority, the participant with the numerically lowest SCI becomes the key server.

  4. A secure association is formed between the peers. The key server generates the SAK and distributes it, encrypted under a key-encrypting key derived from the CAK, to the key client. A new SAK is generated when the session comes up and again whenever the current SAK expires or its packet-number space nears exhaustion.

  5. Encrypted data is exchanged between the peers.


Note


An MKA keychain can hold a maximum of 64 keys. The most recently valid CKNs are used in order of preference.
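
The peer liveness and key server election rules described above, as an added Python example that is not part of this Cisco page or of NX-OS: it maintains the live peer list (an MKPDU is accepted only if its message number is higher than the last one seen from that member identifier, and a peer that stays silent for three 2-second heartbeats is dropped) and then elects the key server by lowest priority, with the numerically lowest SCI winning a tie and priority 255 declining the role. The rule that a peer which has already chosen a different key server is skipped is not modelled. The SCIs, MIs and message numbers in the usage at the end are taken from the port-channel show output later in this chapter, where Ethernet2/7 (SCI 0000.0043.003e/0001) is key server over 0000.0043.0055/0001 at equal priority 16.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MKA_HELLO_TIME = 2.0                # one heartbeat, in seconds
MKA_LIFE_TIME = 3 * MKA_HELLO_TIME  # three missed heartbeats: the peer is lost
NOT_A_KEY_SERVER = 255              # priority value that declines the key server role


@dataclass
class Participant:
    mi: str            # member identifier (96-bit random value, hex)
    sci: bytes         # 8-byte SCI: system MAC address + port identifier
    priority: int      # key server priority, 0-255 (NX-OS default 16)
    mn: int = 0        # message number, increments with every MKPDU sent
    last_seen: float = 0.0


class MkaActor:
    """Live peer list and key server election for one MKA participant."""

    def __init__(self, local: Participant):
        self.local = local
        self.live_peers: Dict[str, Participant] = {}

    def receive_mkpdu(self, mi: str, sci: bytes, priority: int, mn: int, now: float) -> bool:
        """Accept an MKPDU only if its MN is higher than the last one seen from
        that MI; an equal or lower MN is a replayed or stale MKPDU and is ignored."""
        known = self.live_peers.get(mi)
        if known is not None and mn <= known.mn:
            return False
        self.live_peers[mi] = Participant(mi, sci, priority, mn, now)
        return True

    def expire_peers(self, now: float) -> List[str]:
        """Drop peers silent for MKA Life Time (6 s); returns the MIs removed."""
        dead = [mi for mi, p in self.live_peers.items() if now - p.last_seen >= MKA_LIFE_TIME]
        for mi in dead:
            del self.live_peers[mi]
        return dead

    def elect_key_server(self) -> Optional[Participant]:
        """Lowest priority wins, ties go to the numerically lowest SCI, 255 declines."""
        candidates = [p for p in (self.local, *self.live_peers.values())
                      if p.priority != NOT_A_KEY_SERVER]
        if not candidates:
            return None
        return min(candidates, key=lambda p: (p.priority, p.sci))

    def is_key_server(self) -> bool:
        winner = self.elect_key_server()
        return winner is not None and winner.mi == self.local.mi


if __name__ == "__main__":
    # Values from the port-channel show output in this chapter: both ends run
    # priority 16, so the lower SCI (Ethernet2/7, ...003e) becomes key server.
    me = MkaActor(Participant("057D3366D35DA9A19D259D7F", bytes.fromhex("00000043003e0001"), 16))
    me.receive_mkpdu("E7A5637789614DB8550C8967", bytes.fromhex("0000004300550001"), 16, 1533, 0.0)
    print("key server:", me.is_key_server())          # True
    print("expired after 6 s:", me.expire_peers(6.0))  # the peer's MI
```

The SCI comparison is a plain byte-wise comparison, which is what "numerically lowest SCI" means for the 8-byte MAC-plus-port value; if you change the local switch's priority to 9 in the usage block, it wins regardless of SCI, which is the knob the key-server-priority command in the MACsec policy controls.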


Behavior of MKA Protocol

A switch handles MACsec and non-MACsec frames based on the security policy configured locally. The security policy can be should-secure or must-secure. The should-secure policy allows any unencrypted frame until the link is secured; after the link is secured, it allows only encrypted frames. The must-secure policy allows no unencrypted frame except EAPOL (MKPDUs) until the link is secured; after the link is secured, it too allows only encrypted frames. With either policy, EAPOL frames continue to be accepted after the link is secured, because MKA keeps running over them.

MACsec frames are encrypted and protected with an ICV using the security credentials provided by MKA. When a switch receives an encrypted frame from a peer, it decrypts the frame and recomputes the ICV with the session key provided by MKA, then compares the result with the ICV carried in the frame; if the two are not identical, the frame is dropped. Any unencrypted frame received on a secured port is also dropped.


Note


MKPDUs (EAPOL frames) are the only frames exchanged between peers that are not encrypted.


Use Cases for MKA

The following is a list of MKA use cases:

  • MACsec on port channels

  • Securing Provider Edge-to-Customer Edge links in a Multiprotocol Label Switching (MPLS) network

  • Securing PE-to-PE links using dark fiber

  • Securing CE-to-CE links using the EoMPLS network

    The following figure shows how MKA is used to secure CE-to-CE devices using the EoMPLS network:

    Figure 4. Securing CE-to-CE
  • Securing Data Center Interconnect (DCI)

    The following figure shows how MKA is used in securing DCI:

    Figure 5. Securing DCI
  • Securing a CE to multiple CEs using the Virtual Private LAN Services (VPLS) network

    The following figure shows how MKA is used to secure a CE to multiple CEs using the VPLS network:

    Figure 6. Securing CE to multiple CEs

Note


When trying to secure a CE to CE or multiple CEs using the MPLS or VPLS network, ensure that the PE devices that are used can tunnel the EAPOL packets to the other end transparently. The Cisco Nexus 7000 Series switches cannot tunnel the EAPOL packets transparently, and hence cannot be used as PE device for a MACsec use case.


Non-Standard Ethernet Type and DMAC Support for MACsec

From Cisco NX-OS Release 8.3(1), networks that run MACsec over a WAN can change the Extensible Authentication Protocol (EAP) over LAN (EAPOL) Ethernet type and destination MAC address to nonstandard values. The EAPOL Ethernet type can be changed from the default of 0x888E to an alternate value, or the EAPOL destination MAC address can be changed from the default DMAC of 01:80:C2:00:00:03 to an alternate value, so that the frames are not consumed by a provider bridge.

Prior to Cisco NX-OS 8.3(1), MKA negotiated keys in a WAN environment using EAPOL packets that carried the IEEE 802.1X-defined DMAC address (01:80:c2:00:00:03) and Ethernet type (0x888E). Because that group address is reserved for link-local protocols, provider switches consume such frames instead of forwarding them, and the MKA session cannot form across the provider network.

The following table shows the combinations that are supported on the Cisco Nexus 7000 Series Switches for EAPOL packets with DMAC and Ethernet type:

Table 1. Supported EAPOL Packets with Ethernet Type and DMAC

Ethernet Type Value    DMAC Value                     Supported Combination
---------------------  -----------------------------  ---------------------
Standard (0x888E)      Standard (01:80:c2:00:00:03)   Yes
Non-standard           Standard                       Yes
Standard               Non-standard                   Yes
Non-standard           Non-standard                   Yes


Note


When a Cisco Nexus 7000 Series switch is a PE device, the DMAC values of the EAPOL packets from the CE devices must have nonstandard values so that the PE device does not consume the packets.

When a Cisco Nexus 7000 Series switch is a CE device, and the PE devices are non-Nexus 7000 switches, the DMAC value or Ethernet type value must be a nonstandard value so that the PE device does not consume the packets.


Feature History for MKA

The following table lists the release history for this feature.

Table 2. Feature History for MKA

Feature Name                                           Releases  Feature Information
-----------------------------------------------------  --------  ------------------------------------------------------------------
MKA                                                    8.2(1)    The MKA feature was included in the Cisco Nexus M3 Series modules.
MACsec should-secure                                   8.2(3)    Added support for the should-secure policy.
Non-Standard Ethernet Type or DMAC Support for MACsec  8.3(1)    Added support for this feature.

Default Settings for MKA

This table lists the default settings for MKA.

Table 3. Default MKA Settings

Parameter                                        Default
-----------------------------------------------  ----------------------------
MKA                                              Disabled
MACsec policy                                    system-default-macsec-policy
Key server priority value for MACsec encryption  16
Cipher suite                                     GCM-AES-XPN-256
Confidentiality offset                           0

Guidelines and Limitations for MKA

MKA has the following guidelines and limitations:

  • MKA can be enabled or disabled independent of the Cisco TrustSec feature.

  • MKA and Cisco TrustSec SGT cannot be used together at the same time on a given physical port.

  • MKA interacts with a Cisco TrustSec process to obtain the Cisco TrustSec SA protocol and SGT details.

  • MKA and Cisco TrustSec processes can be used at the same time on a system.

  • MKA and Cisco TrustSec MACsec, that is, the SA protocol, cannot be used together at the same time on a given physical port.

  • MKA is currently supported only on physical ports and port channels. It is not supported on subinterfaces.

  • MKA cannot be configured on member ports.

  • Interfaces configured with MKA cannot be introduced into a port channel.

  • MKA does not support stateful restart, stateful system switchover, or In-Service Software Upgrades (ISSU).

  • Before Cisco NX-OS Release 8.2(3), Cisco Nexus 7000 Series switches support only the must-secure mode for the MKA security policy. From Cisco NX-OS Release 8.2(3), the should-secure policy is also supported. The default mode is must-secure.

  • From Cisco NX-OS Release 8.2(3) syslog messages are displayed when the MACSEC session goes up or down.

  • The MKA SecY statistics can only be obtained from the line card module, and not from the supervisor.

The Non-Standard Ethernet Type and DMAC Support for MACSec feature has the following guidelines and restrictions:

  • You can configure only one DMAC value, one Ethernet type value, or one DMAC and Ethernet type combination for MACsec. For example, if you have configured the nonstandard Ethernet type value macsec non-standard eapol ethertype 0x8976, you cannot configure another nonstandard Ethernet type such as macsec non-standard eapol ethertype 0x8972. The same restriction applies to the nonstandard DMAC option.

  • You cannot modify or delete a nonstandard Ethernet type or DMAC if any interface with a policy is using the nonstandard values. To modify the globally configured Ethernet type or DMAC, you have to disassociate the policies from all the interfaces.

  • When a Provider Edge device is a Cisco Nexus 7000 Series Switch, you need to configure Virtual Private LAN Services (VPLS) with VLAN 1 or native VLAN to bring up the nonstandard MKA sessions.

Configuring MKA

Before configuring MKA on an interface, define the MACsec keychain and the MACsec policy. If the keychain does not exist when the interface is configured, an empty keychain is created, and the session cannot come up until a key is added to it. If the policy does not exist, the default policy, system-default-macsec-policy, is used. Configuring MKA involves the following steps:

  1. Enable the MKA feature.

  2. (Optional) Create a MACsec keychain.

  3. (Optional) Create a MACsec policy.

  4. Apply the MACsec keychain and policy on a physical port or port channel.

Enabling MKA

Procedure


Step 1

Enter the global configuration mode:

switch# configure terminal

Step 2

Enable the MKA feature:

switch(config)# feature mka

Note

 

Use the no form of this command to disable the MKA feature.

Step 3

Exit the global configuration mode:

switch(config)# exit


Example: Enabling MKA

This running configuration example shows how to enable the MKA feature:

configure terminal
 feature mka
 exit

Configuring a MACsec Keychain

Procedure


Step 1

Enter the global configuration mode:

switch# configure terminal

Step 2

Configure a keychain, and enter the macseckeychain configuration mode:

switch(config)# key chain keychain-name macsec

Note

 

Use the no form of this command to remove the keychain.

Step 3

Configure a MACsec key and enter the macseckeychain-macseckey configuration mode:

switch(config-macseckeychain)# key key-ID

Note

 

The key identifier is a hexadecimal string of 1 to 32 octets (2 to 64 hexadecimal characters). It is used as the CAK name (CKN) that MKA advertises to the peer, so both ends of the link must configure the same identifier. Use the no form of this command to remove the key.

Step 4

Set the key octet string (the CAK) and the AES-128-CMAC key derivation algorithm:

switch(config-macseckeychain-macseckey)# key-octet-string string cryptographic-algorithm AES_128_CMAC

Note

 

The octet string is the CAK. For AES_128_CMAC it is 32 hexadecimal characters (128 bits); the maximum size of the octet string is 64 characters. Generate it from a cryptographically secure random source and configure the identical value on the peer. Use the no form of this command to remove the string.

Step 5

Exit all the configuration modes:

switch(config-macseckeychain-macseckey)# end

Step 6

(Optional) Verify the MACsec keychain:

switch# show key chain keychain-name


Example: Configuring a MACsec Keychain

This running configuration example shows how to configure a MACsec keychain. Replace the <placeholders> with relevant values for your setup.

configure terminal
 key chain <k1> macsec
 key <01>
 key-octet-string <0123456789aabbcc0123456789aabbcc> cryptographic-algorithm AES_128_CMAC
 end

This example shows how to verify a MACsec keychain. The 7 after text indicates that the CAK is displayed in type-7 obfuscated form, which is reversible; treat this output and the running configuration as sensitive.

switch# show key chain
 Key-Chain k1 Macsec
 Key 01 -- text 7 "075f701e1d5d4c53404a520d052829272b63647040534355560e005952560c001b"
    cryptographic-algorithm AES_128_CMAC
    send lifetime (always valid) [active]
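
A helper for producing the keychain material used above, as an added Python example that is not Cisco tooling: it generates a random 128-bit CAK from the operating-system CSPRNG, checks the key identifier against the 1 to 32 octet limit, and returns the configuration block to paste on both peers together with the CKN that the show macsec mka summary output later in this chapter displays for it. That CKN is the key identifier right-padded with zeros to 64 hexadecimal characters, as key 01 of keychain k1 appears as CKN 0100...0; the padding rule is inferred from those outputs.

```python
import re
import secrets

CAK_HEX_CHARS = 32          # AES_128_CMAC: 128-bit CAK, 32 hex characters
CKN_HEX_CHARS = 64          # CKN shown by NX-OS: key identifier padded to 32 octets
KEY_ID_MAX_OCTETS = 32
HEX = re.compile(r"^[0-9a-fA-F]+$")


def new_cak() -> str:
    """Random 128-bit CAK from the OS CSPRNG; never derive it from a password."""
    return secrets.token_hex(CAK_HEX_CHARS // 2)


def ckn_from_key_id(key_id: str) -> str:
    """Validate the key identifier (1-32 octets of hex, even length) and return the
    64-character CKN that NX-OS advertises for it (inferred from the show output:
    key 01 -> CKN 0100...0)."""
    if not HEX.match(key_id) or len(key_id) % 2 or len(key_id) // 2 > KEY_ID_MAX_OCTETS:
        raise ValueError(f"key identifier must be 1-{KEY_ID_MAX_OCTETS} octets of hex: {key_id!r}")
    return key_id.lower().ljust(CKN_HEX_CHARS, "0")


def check_cak(cak: str) -> str:
    """AES_128_CMAC needs exactly 128 bits; reject anything else before it reaches the CLI."""
    if not HEX.match(cak) or len(cak) != CAK_HEX_CHARS:
        raise ValueError("AES_128_CMAC needs a 32-hex-character (128-bit) CAK")
    return cak.lower()


def render_keychain(name: str, key_id: str, cak: str) -> str:
    """CLI block for one side; the peer must receive the identical block."""
    ckn_from_key_id(key_id)       # raises on a bad identifier
    cak = check_cak(cak)
    return "\n".join([
        "configure terminal",
        f" key chain {name} macsec",
        f"  key {key_id}",
        f"   key-octet-string {cak} cryptographic-algorithm AES_128_CMAC",
        " end",
    ])


if __name__ == "__main__":
    cak = new_cak()
    print(render_keychain("k1", "01", cak))
    print("expected CKN:", ckn_from_key_id("01"))
```

Do not reuse the placeholder value 0123456789aabbcc0123456789aabbcc from the example above in production; a guessable CAK lets anyone on the wire join the connectivity association and obtain the SAK.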

Configuring a MACsec Policy

Procedure


Step 1

Enter the global configuration mode:

switch# configure terminal

Step 2

Enter the MACsec policy configuration mode:

switch(config)# macsec policy policy-name

Note

 

Use the no form of this command to remove the policy.

Step 3

Configure a security policy to define the handling of data and control packets:

switch(config-macsec-policy)# security-policy {must-secure | should-secure}

Note

 
  • should-secure: This policy allows any unencrypted frame until its link is secured. After the link is secured, this policy allows only encrypted frames.

  • must-secure: This policy does not allow any unencrypted frame until its link is secured. After the link is secured, this policy allows only encrypted frames.

Step 4

Configure the confidentiality offset:

switch(config-macsec-policy)# conf-offset {CONF-OFFSET-0 | CONF-OFFSET-30 | CONF-OFFSET-50}

Note

 

Use the no form of this command to remove the confidentiality offset. If the offset is unspecified, the whole payload is encrypted. An offset of 30 or 50 leaves that many leading bytes of the payload unencrypted so that intermediate devices can read, for example, the IP header; those bytes are still integrity protected by the ICV.

Step 5

Configure the cipher suite:

switch(config-macsec-policy)# cipher-suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}

Note

 

Use the no form of this command to restore the default. If the cipher suite is unspecified, the default is GCM-AES-XPN-256. The XPN suites use a 64-bit packet number, which avoids frequent SAK rekeys on high-speed links; the configured cipher suite must be supported by both peers.

Step 6

Set the key server priority value:

switch(config-macsec-policy)# key-server-priority value

Note

 

The valid range is from 0 to 255. The default is 16. Use the no form of this command to set the default value.

Step 7

Set the SAK expiry time:

switch(config-macsec-policy)# sak-expiry-time seconds

Note

 

The range is from 1 to 2592000 seconds. The default is pn-exhaust, which means the SAK is rekeyed only when its packet number space is about to be exhausted. Use the no form of this command to restore the default.

Step 8

Exit all the configuration modes:

switch(config-macsec-policy)# end

Step 9

(Optional) Verify MKA:

switch# show run mka

Step 10

(Optional) Verify the MACsec policy:

switch# show macsec policy [policy-name]


Example: Configuring a MACsec Policy

This running configuration example shows how to configure a MACsec policy. Replace the <placeholders> with relevant values for your setup.

configure terminal
 macsec policy <p1>
  security-policy <must-secure | should-secure>
  conf-offset CONF-OFFSET-0
  cipher-suite GCM-AES-XPN-256
  key-server-priority <9>
  sak-expiry-time <60>
  end

This example shows how to configure a should-secure security policy.

configure terminal
 macsec policy p100
  security-policy should-secure
  end

This example shows how to verify a configured security policy:

switch# show macsec policy p100
MACSec Policy      Cipher           Pri  Window   Offset   Security        SAK Rekey time
-------------------------------- ---------------- ---- -------- -------- ------------ ------
p100               GCM-AES-XPN-256  16   0        0        should-security pn-exhaust

This example displays the status of MKA:

switch# show run mka
 !Command: show running-config mka
!Time: Wed Apr 19 05:08:01 2017
version 8.2(0)SK(1)
feature mka
macsec policy p1  
   cipher-suite GCM-AES-XPN-128  
   key-server-priority 9  
   security-policy must-secure  
   sak-expiry-time 60

This example shows how to verify a configured MACsec policy:

switch# show macsec policy p1
MACsec Policy            Cipher           Pri  Window   Offset   Security     SAK Rekey time
------------------------ ---------------- ---- -------- -------- ------------ --------------
p1                       GCM-AES-XPN-128    9     0        0     must-secure       60       

This example shows how to view all the MACsec policies in a switch:

switch# show macsec policy
MACsec Policy                    Cipher          Pri Window Offset   Security     SAK Rekey time
-------------------------------- --------------- --- ------ -------- ------------ -----------
p1                               GCM-AES-XPN-128  9     0    0        must-secure  60        
system-default-macsec-policy     GCM-AES-XPN-256  16    0    0        must-secure  pn-exhaust

Configuring MKA on an Interface or a Port Channel

Procedure


Step 1

Enter the global configuration mode:

switch# configure terminal

Step 2

Configure an interface or a port channel:

switch(config)# interface ethernet slot/port

switch(config)# interface port-channel port-channel

Step 3

Configure a policy and the policy name for the MACsec keychain:

switch(config-if)# macsec keychain keychain-name policy policy-name

Note

 

Use the no form of this command to disable the policy on the interface or the port channel.

Step 4

Exit all the configuration modes:

switch(config-if)# end

Step 5

(Optional) Verify the MKA session details:

switch# show macsec mka session [interface ethernet slot/port] [details] [internal-details]

Step 6

(Optional) View the MKA summary information:

switch# show macsec mka summary


Example: Configuring MKA on an Interface or Port Channel

This running configuration example shows how to configure MKA on an interface. Replace the <placeholders> with relevant values for your setup.

configure terminal
 interface ethernet <11>/<31>
 macsec keychain <k3> policy <p1>
 end

This running configuration example shows how to configure MKA on a port channel. Replace the <placeholders> with relevant values for your setup.

configure terminal
 interface port-channel <100>
 macsec keychain <k3> policy <p1>
 end

The following example shows information about all the interfaces in the MKA session:

switch# show macsec mka session
Interface         Local-TxSCI               # Peers            Status       Key-Server
----------------- ------------------------- ------------------ ------------ ----------
Ethernet2/1       0000.0043.0038/0001       1                  Secured      Yes
Ethernet2/7       0000.0043.003e/0001       1                  Secured      Yes
Ethernet2/25      0000.0043.0050/0001       1                  Secured      No 
Ethernet2/30      0000.0043.0055/0001       1                  Secured      No 
----------------- ------------------------- ------------------ ------------ ----------
Total Number of Sessions : 4
        Secured Sessions : 4
        Pending Sessions : 0

The following example shows detailed information about all the interfaces in the MKA session:

switch# show macsec mka session details
Detailed Status for MKA Session
-----------------------------------
Interface Name          : Ethernet11/25    
Session Status                      : Secured    
Local Tx-SCI                        : 00b0.e135.9c24/0001    
Local Tx-SSCI                       : 3    
MKA Port Identifier                 : 3    
CAK Name (CKN)                      : 0100000000000000000000000000000000000000000000000000000000000000    
Member Identifier (MI)              : 17173194E288E086B275A49F    
Message Number (MN)                 : 12465    
MKA Policy Name                     : p1    
Key Server Priority                 : 9    
Key Server                          : No    
SAK Cipher Suite                    : GCM-AES-XPN-128    
SAK Cipher Suite (Operational)      : GCM-AES-XPN-128    
Replay Window Size                  : 0    
Confidentiality Offset              : CONF-OFFSET-0    
Confidentiality Offset (Operational): CONF-OFFSET-0    
Latest SAK Status                   : Rx & TX    
Latest SAK AN                       : 0    
Latest SAK KI                       : 10314879    
Latest SAK KN                       : 57    
Last SAK key time                   : 06:59:24 UTC Wed Apr 19 2017    
Number of Macsec Capable Live Peers: 3    
Number of SA consumed in Hardware  : 3    
Number of Macsec Capable Live Peers Responded: 0
Live Peer List:
MI                         MN         SCI                     SSCI Key-Server Priority
-------------------------------------------------------------------------------------
7F649D00075CA2B14065F50D  12466      00b0.e135.9c23/0001       4     9
67DF7F5DE06AFC9A2F125914  12464      9c57.adfd.8acb/0001       2     9
57BCB803EB00453525F7382C  12466      9c57.adfd.8acc/0001       1     9

Detailed Status for MKA Session
-----------------------------------
Interface Name          : Ethernet4/27
    Session Status                      : Secured
    Local Tx-SCI                        : 5006.ab91.9f4e/0001
    Local Tx-SSCI                       : 2
    MKA Port Identifier                 : 2
    CAK Name (CKN)                      : 1000000000000000000000000000000000000000000000000000000000000000
    Member Identifier (MI)              : 4B18586C685B28F2354B1E2B
    Message Number (MN)                 : 49
    MKA Policy Name                     : mustsecureks
    Key Server Priority                 : 9
    Key Server                          : Yes
    SAK Cipher Suite                    : GCM-AES-256
    SAK Cipher Suite (Operational)      : GCM-AES-256
    Replay Window Size                  : 0
    Confidentiality Offset              : CONF-OFFSET-0
    Confidentiality Offset (Operational): CONF-OFFSET-0
    Latest SAK Status                   : Rx & TX
    Latest SAK AN                       : 2
    Latest SAK KI                       : 1817712715
    Latest SAK KN                       : 1
    Last SAK key time                   : 20:42:51 UTC Thu May 04 2017
    Number of Macsec Capable Live Peers: 2
    Number of SA consumed in Hardware  : 2
    Number of Macsec Capable Live Peers Responded: 2
Live Peer List:
MI                         MN   SCI               SSCI Key-Server-Priority Tx/Rx Programmed
------------------------------------------------------------------------------- ------
3634B7ADE028833E219C2304 7624 9c57.adfc.0f34/0001 1     16                    Yes
92D6F93C2BC4058AD25FA0E5 7655 5006.ab91.4584/0001 3     16                    Yes

The following example shows information about a configured port channel in an MKA session:

switch# show macsec mka session interface port-channel 100
Interface          Local-TxSCI                      # Peers        Status   Key-Server
----------------- -------------------------------- --------------- -------- ----------
Ethernet2/7        0000.0043.003e/0001              1              Secured     Yes
Ethernet2/30       0000.0043.0055/0001              1              Secured     No

The following example shows detailed information about a configured port channel in the MKA session:

switch# show macsec mka session interface port-channel 100 details
Detailed Status for MKA Session
-----------------------------------
Interface Name          : Ethernet2/7
Session Status          : Secured    
Local Tx-SCI            : 0000.0043.003e/0001    
Local Tx-SSCI           : 2    
MKA Port Identifier     : 2    
CAK Name (CKN)          : 0300000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)  : 057D3366D35DA9A19D259D7F
Message Number (MN)     : 1534
MKA Policy Name         : p1 
Key Server Priority     : 16 
Key Server              : Yes 
SAK Cipher Suite        : GCM-AES-XPN-256    
SAK Cipher Suite (Operational)      : GCM-AES-XPN-256
Replay Window Size                  : 0
Confidentiality Offset              : CONF-OFFSET-0
Confidentiality Offset (Operational): CONF-OFFSET-0
Latest SAK Status                   : Rx & TX
Latest SAK AN                       : 0
Latest SAK KI                       : 1714650373
Latest SAK KN                       : 49
Last SAK key time                   : 08:07:29 UTC Fri Jan 06 2017
Number of Macsec Capable Live Peers: 1
Number of SA consumed in Hardware  : 1
Number of Macsec Capable Live Peers Responded: 1

Live Peer List:
MI                       MN   SCI                SSCI Key-Server-Priority Tx/Rx Programmed
------------------------------------------------------------------------------------------
E7A5637789614DB8550C8967 1533 0000.0043.0055/0001  1     16                 Yes
Interface Name          : Ethernet2/30
Session Status          : Secured
Local Tx-SCI            : 0000.0043.0055/0001
Local Tx-SSCI           : 1
MKA Port Identifier     : 1
CAK Name (CKN)          : 0300000000000000000000000000000000000000000000000000000000000000   
Member Identifier (MI)  : E7A5637789614DB8550C8967
Message Number (MN)     : 1534
MKA Policy Name         : p1
Key Server Priority     : 16
Key Server              : No
SAK Cipher Suite        : GCM-AES-XPN-256
SAK Cipher Suite (Operational)      : GCM-AES-XPN-256
Replay Window Size                  : 0
Confidentiality Offset              : CONF-OFFSET-0
Confidentiality Offset (Operational): CONF-OFFSET-0
Latest SAK Status                   : Rx & TX
Latest SAK AN                       : 0
Latest SAK KI                       : 1714650373
Latest SAK KN                       : 49
Last SAK key time                   : 08:07:29 UTC Fri Jan 06 2017
Number of Macsec Capable Live Peers: 1
Number of SA consumed in Hardware  : 1
Number of Macsec Capable Live Peers Responded: 0
Live Peer List:
MI                       MN    SCI                SSCI Key-Server-Priority Tx/Rx Programmed
-------------------------------------------------------------------------------------------
057D3366D35DA9A19D259D7F 1533  0000.0043.003e/0001 2    16                 Yes

The following example shows the summary of the MKA session for the configured interface:

switch# show macsec mka summary
Interface      Status   Cipher           Key-Server   MACSEC-policy     CKN                                                              Keychain
------------- --------- ---------------- ------------ ----------------- ---------------------------------------------------------------- --------
Ethernet11/25  Secured  GCM-AES-XPN-128  No           p1                0100000000000000000000000000000000000000000000000000000000000000 k1
Ethernet11/31  Secured  GCM-AES-XPN-128  Yes          p1                0300000000000000000000000000000000000000000000000000000000000000 k3

Configuring a Non-standard Ethernet Type Value for EAPOL

Before you begin

Enable the MKA feature.

SUMMARY STEPS

  1. configure terminal
  2. [no] macsec non-standard eapol ethertype ethernet-type
  3. macsec policy policy-name
  4. mka enable non-std-eapol {DMAC-ONLY | ETYPE-AND-DMAC-BOTH | ETYPE-ONLY}
  5. exit
  6. interface interface-name
  7. macsec keychain keychain-name policy policy-name
  8. (Optional) show macsec policy policy-name
  9. (Optional) show macsec mka session

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

[no] macsec non-standard eapol ethertype ethernet-type

Example:

switch(config)# macsec non-standard eapol ethertype 0x8976

Configures a non-standard Ethernet type for EAPOL. Use the no form of the command to remove the non-standard Ethernet type.

Step 3

macsec policy policy-name

Example:

switch(config)# macsec policy test

Configures a MACSec policy and enters MACSec configuration mode.

Step 4

mka enable non-std-eapol {DMAC-ONLY | ETYPE-AND-DMAC-BOTH | ETYPE-ONLY}

Example:

switch(config-macsec-policy)# mka enable non-std-eapol ETYPE-ONLY

Configures which non-standard EAPOL attributes the MACsec policy uses: the DMAC only, the Ethernet type only, or both.

Step 5

exit

Example:

switch(config-macsec-policy)# exit

Exits MACsec policy configuration mode and returns to global configuration mode.

Step 6

interface interface-name

Example:

switch(config)# interface ethernet2/1

Enters interface configuration mode.

Step 7

macsec keychain keychain-name policy policy-name

Example:

switch(config-if)# macsec keychain 1 policy etype-only

Specifies the MACsec keychain and the MACsec policy and applies them to the interface.

Step 8

(Optional) show macsec policy policy-name

Example:

switch(config)# show macsec policy test

Displays the MACSec policies on the interface.

Step 9

(Optional) show macsec mka session

Example:

switch(config)# show macsec mka session

Displays the MKA session details.

Configuring a Non-standard Ethernet Type Value for EAPOL

The following running configuration example shows how to configure a non-standard Ethernet Type value for an EAPOL on an interface. Replace the <placeholders> with relevant values for your setup.
switch# configure terminal
switch(config)# macsec non-standard eapol ethertype 0x8976
switch(config)# macsec policy test
switch(config-macsec-policy)# mka enable non-std-eapol ETYPE-ONLY
switch(config-macsec-policy)# exit
switch(config)# interface ethernet2/1
switch(config-if)# macsec keychain 1 policy ETYPE-ONLY
switch(config-if)# exit

switch(config)# show macsec mka session

Interface       Local-TxSCI              # Peers    Status     Key-Server EAPoL Type        
--------------- ------------------------ ---------- ---------- ---------- ------------------
Ethernet2/1     0000.0043.0038/0001      0          Pending    Yes       Non Standard ETYPE-ONLY 
Ethernet2/25    0000.0043.0050/0001      0          Pending    Yes       Non Standard ETYPE-ONLY 
--------------- ------------------------ ---------- ---------- ---------- ------------------

Configuring a Non-standard DMAC Address Value for EAPOL

Before you begin

Enable the MKA feature.

SUMMARY STEPS

  1. configure terminal
  2. [no] macsec non-standard eapol dmac-addr dmac-address
  3. macsec policy policy-name
  4. mka enable non-std-eapol {DMAC-ONLY | ETYPE-AND-DMAC-BOTH | ETYPE-ONLY}
  5. exit
  6. interface interface-name
  7. macsec keychain keychain-name policy policy-name
  8. (Optional) show macsec policy policy-name
  9. (Optional) show macsec mka session

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

[no] macsec non-standard eapol dmac-addr dmac-address

Example:

switch(config)# macsec non-standard eapol dmac-addr 11:11:22:22:33:33

Configures a non-standard DMAC address value for an EAPOL. Use the no form of the command to disassociate the DMAC address from an EAPOL.

Step 3

macsec policy policy-name

Example:

switch(config)# macsec policy test

Configures a MACSec policy and enters MACSec configuration mode.

Step 4

mka enable non-std-eapol {DMAC-ONLY | ETYPE-AND-DMAC-BOTH | ETYPE-ONLY}

Example:

switch(config-macsec-policy)# mka enable non-std-eapol DMAC-ONLY

Configures which non-standard EAPOL attributes the MACsec policy uses: the DMAC only, the Ethernet type only, or both.

Step 5

exit

Example:

switch(config-macsec-policy)# exit

Exits MACsec policy configuration mode and returns to global configuration mode.

Step 6

interface interface-name

Example:

switch(config)# interface ethernet2/1

Enters interface configuration mode.

Step 7

macsec keychain keychain-name policy policy-name

Example:

switch(config-if)# macsec keychain 1 policy DMAC-ONLY

Specifies the MACsec keychain and the MACsec policy and applies them to the interface.

Step 8

(Optional) show macsec policy policy-name

Example:

switch(config)# show macsec policy test

Displays the MACSec policies on the interface.

Step 9

(Optional) show macsec mka session

Example:

switch(config)# show macsec mka session

Displays the MKA session details.

Configuring a Non-standard DMAC Address Value for EAPOL

The following running configuration example shows how to configure a non-standard DMAC value for an EAPOL on an interface. Replace the <placeholders> with relevant values for your setup.
switch# configure terminal
switch(config)# macsec non-standard eapol dmac-addr 11:11:22:22:33:33
switch(config)# macsec policy test
switch(config-macsec-policy)# mka enable non-std-eapol DMAC-ONLY
switch(config-macsec-policy)# exit
switch(config)# interface ethernet2/1
switch(config-if)# macsec keychain 1 policy DMAC-ONLY
switch(config-if)# exit

switch(config)# show macsec mka session

Interface       Local-TxSCI              # Peers    Status     Key-Server EAPoL Type        
--------------- ------------------------ ---------- ---------- ---------- ------------------
Ethernet2/1     0000.0043.0038/0001      0          Pending    Yes       Non Standard DMAC-ONLY 
Ethernet2/25    0000.0043.0050/0001      0          Pending    Yes       Non Standard DMAC-ONLY 
--------------- ------------------------ ---------- ---------- ---------- ------------------

Displaying MKA Statistics and Capability

Use the following commands to display MKA statistics and capability:

  • show macsec mka statistics [interface ethernet slot/port] —Displays MKA statistics for the MKA session on an interface or a port channel.

    Note: Use the member port interface to retrieve the statistics for the MKA session on a port channel.

  • show macsec mka capability interface all —Displays MKA capability information for a configured interface.

Example: Displaying MKA Statistics

The following example shows how to obtain the MKA statistics for the MKA session on a configured interface:

switch# show macsec mka statistics interface ethernet 11/25
 
Per-CA MKA Statistics for Session on interface (Ethernet11/25) with CKN 0x1
============================================================================
CA Statistics
   Pairwise CAK Rekeys..... 0
 
SA Statistics
   SAKs Generated.......... 0
   SAKs Rekeyed............ 0
   SAKs Received........... 60
   SAK Responses Received.. 0
 
MKPDU Statistics
   MKPDUs Transmitted...... 18676
      "Distributed SAK".. 0
 
   MKPDUs Validated & Rx... 55986
      "Distributed SAK".. 60
MKA Statistics for Session on interface (Ethernet11/25)
=======================================================
CA Statistics
   Pairwise CAK Rekeys..... 0
 
SA Statistics
   SAKs Generated.......... 0
   SAKs Rekeyed............ 0
   SAKs Received........... 60
   SAK Responses Received.. 0
 
MKPDU Statistics
   MKPDUs Transmitted...... 18676
      "Distributed SAK".. 0
   MKPDUs Validated & Rx... 55986
      "Distributed SAK".. 60
MKA IDB Statistics
   MKPDUs Tx Success.......... 19147
   MKPDUs Tx Fail............. 0
   MKPDUS Tx Pkt build fail... 0
   MKPDUS No Tx on intf down.. 0
   MKPDUS No Rx on intf down.. 0
   MKPDUs Rx CA Not found..... 0
   MKPDUs Rx Error............ 0
   MKPDUs Rx Success.......... 55986
 
MKPDU Failures
   MKPDU Rx Validation ..................... 0
   MKPDU Rx Bad Peer MN..................... 0
   MKPDU Rx Non-recent Peerlist MN.......... 0
   MKPDU Rx Drop SAKUSE, KN mismatch........ 0
   MKPDU Rx Drop SAKUSE, Rx Not Set......... 0
   MKPDU Rx Drop SAKUSE, Key MI mismatch.... 0
   MKPDU Rx Drop SAKUSE, AN Not in Use...... 0
   MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set... 16956
   MKPDU Rx Drop Packet, Ethertype Mismatch. 0
 
SAK Failures
   SAK Generation................... 0
   Hash Key Generation.............. 0
   SAK Encryption/Wrap.............. 0
   SAK Decryption/Unwrap............ 0
 
CA Failures
   ICK Derivation................... 0
   KEK Derivation................... 0
   Invalid Peer MACsec Capability... 0
 
MACsec Failures
   Rx SA Installation............... 12
   Tx SA Installation............... 0
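As an added check that is not part of the Cisco guide, the following Python parser reads the counter sections of this output and lists every nonzero counter under a "... Failures" heading; the sample text is constructed in the same layout, and treating "Ethertype Mismatch" as the first counter to review when the non-standard EAPOL EtherType was changed on only one peer is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `show macsec mka statistics`;
# the values are illustrative, not captured from a device.
SAMPLE = """\
MKA Statistics for Session on interface (Ethernet2/1)
=======================================================
MKPDU Failures
   MKPDU Rx Validation ..................... 0
   MKPDU Rx Bad Peer MN..................... 3
   MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set... 16956
   MKPDU Rx Drop Packet, Ethertype Mismatch. 412
SAK Failures
   SAK Decryption/Unwrap............ 0
MACsec Failures
   Rx SA Installation............... 12
   Tx SA Installation............... 0
"""

# One counter line: indented name, a run of dots, an integer value.
COUNTER_RE = re.compile(r"^\s+(.+?)\s*\.+\s*(\d+)\s*$")

# Nonzero on a Secured session in the chapter's sample output: informational, not a failure.
DEFAULT_IGNORE = ("MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set",)

def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Map each unindented section heading to its {counter: value} dict."""
    sections: Dict[str, Dict[str, int]] = {}
    section = None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and section is not None:
            sections[section][m.group(1).strip()] = int(m.group(2))
        elif line and not line[0].isspace() and set(line) != {"="}:
            section = line.strip()          # new heading, e.g. "SAK Failures"
            sections.setdefault(section, {})
    return sections

def flag_failures(sections: Dict[str, Dict[str, int]],
                  ignore=DEFAULT_IGNORE) -> List[str]:
    """'Section: counter=value' for each nonzero counter in a '... Failures'
    section (nonzero Ethertype Mismatch: check the EAPOL EtherType on both peers)."""
    flags = []
    for section, counters in sections.items():
        if section.endswith("Failures"):
            for name, value in counters.items():
                if value and name not in ignore:
                    flags.append(f"{section}: {name}={value}")
    return flags
```

Feed it the captured text of the command on a real device; pass `ignore=()` to include the SAKUSE counter as well.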

Example: Displaying MKA Capability

The following example shows how to obtain MKA capability information for an interface:

switch# show macsec mka capability interface all
MKA capability information for interface(s)
--------- ---- ------ --------- --------- ------------ ------- ------- --- ----- ---- ----
Interface SGT  L3-Cap Sec-Pause Clr-Pause Fips-on-Asic MacSec  AES-256 XPN WinSz RxSA TxSA 
--------- ---- ------ --------- --------- ------------ ------- ------- --- ----- ---- ----

Eth2/1    Yes   Yes    Yes       Yes       Yes          Yes      Yes     Yes 32    3    3   

Eth2/2    Yes   Yes    Yes       Yes       Yes          Yes      Yes     Yes 32    3    3   

Eth2/3    Yes   Yes    Yes       Yes       Yes          Yes      Yes     Yes 32    3    3   
.
.
.
Eth2/48   Yes   Yes    Yes       Yes       Yes          Yes      Yes     Yes 32    3    3

Additional References for MKA

This section provides additional information related to implementing MKA.

Related Documentation

Related Topic            Document Title
Cisco NX-OS licensing    Cisco NX-OS Licensing Guide
Command Reference        Cisco Nexus 7000 Series NX-OS Security Command Reference