Ensure that you have a Certificate Authority (CA) server configured for your network.
Generate a CA certificate.
Ensure that you have configured Cisco Identity Services Engine (ISE) Release 2.0.
Ensure that both the participating devices, the CA server, and Cisco Identity Services Engine (ISE) are synchronized using
Network Time Protocol (NTP). If time is not synchronized on all your devices, certificates will not be validated.
Ensure that 802.1x authentication and AAA are configured on your device.
Restrictions for MACsec Encryption
MACsec Key Agreement (MKA) is not supported with high availability.
MACsec with MKA is supported only on point-to-point links.
MACsec configuration is not supported on EtherChannel ports. Instead, MACsec configuration can be applied on the individual
member ports of an EtherChannel. To remove MACsec configuration, you must first unbundle the member ports from the EtherChannel,
and then remove it from the individual member ports.
If you have enabled Cisco StackWise Virtual on a switch, only switch-to-switch MACsec is supported on the line card ports.
MACsec cannot be configured on supervisor ports.
MACsec is not supported on C9400-SUP-1XL-Y supervisor module ports. On all other supervisor modules, MACsec is not supported
if the supervisor ports are operating at 1Gbps.
Delay protection and confidentiality offset of 50 is not supported on the supervisor ports.
The MACsec Cipher announcement is not supported for MACsec XPN Ciphers and switch-to-switch MACsec connections.
The MACsec XPN Cipher Suite are not supported on supervisor ports and switch-to-host MACsec connections.
MACsec XPN Cipher Suites do not provide confidentiality protection with a confidentiality offset.
As per IEEE standards, the maximum value of the replay window is 2^30 - 1 for MACsec XPN Cipher Suites. Even if you configure a higher value than this, it will be restricted to 2^30 - 1 only.
GCM-AES-256 cipher suite is supported only with Network Advantage license.
Certificate-based MACsec is supported only if the access-session is configured as closed or in multiple-host mode. None of
the other configuration modes are supported.
Packet number exhaustion rekey is not supported.
MACsec switch-to-host connections are not supported on supervisor ports.
If the dot1q tag vlan native command is configured globally, the dot1x reauthentication will fail on trunk ports.
MACsec with Precision Time Protocol (PTP) is not supported.
MACsec is not supported on Locator ID Separation Protocol (LISP) interfaces and Cisco Software-Defined Access (SD-Access)
solution.
Cisco Secure StackWise Virtual is not supported.
MACsec in OpenFlow mode is not supported with high availability.
MACsec is not supported with Multicast VPN (mVPN).
MACsec is not supported in Software-Defined Access deployments.
should-secure access mode is not supported on supervisor ports.
MACsec Encryption Overview
MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Cisco Catalyst 9400 Series Switches support 802.1AE encryption with MACsec Key Agreement (MKA) on the line card ports for encryption between the switch and the
host device. The switch also supports MACsec encryption for switch-to-switch (inter-network device) security using both Cisco
TrustSec Network Device Admission Control (NDAC), Security Association Protocol (SAP) and MKA-based key exchange protocol.
Note
When switch-to-switch MACsec is enabled, all traffic is encrypted, except the EAP-over-LAN (EAPOL) packets.
Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption
is optional). Link layer security is supported on SAP-based MACsec.
Table 1. MACsec Support on Switch Ports
Connections        MACsec support
Switch-to-host     MACsec MKA encryption
Switch-to-switch   MACsec MKA encryption (recommended); Cisco TrustSec SAP
Cisco TrustSec and Cisco SAP are meant only for switch-to-switch links and are not supported on switch ports connected to
end hosts, such as PCs or IP phones. MKA is supported on switch-to-host facing links and switch-to-switch facing links originating
from the line card ports. Host-facing links typically use flexible authentication ordering for handling heterogeneous devices
with or without IEEE 802.1x, and can optionally use MKA-based MACsec encryption. Cisco NDAC and SAP are mutually exclusive
with Network Edge Access Topology (NEAT), which is used for compact switches to extend security outside the wiring closet.
Recommendations for MACsec Encryption
This section lists the recommendations for configuring MACsec encryption:
Use the confidentiality (encryption) offset as 0 in switch-to-host connections.
Use a Bidirectional Forwarding Detection (BFD) timer value of 750 milliseconds for 10Gbps ports and 1.25 seconds for any
port with speed above 10Gbps.
Execute the shutdown command, and then the no shutdown command on a port, after changing any MKA policy or MACsec configuration for active sessions, so that the changes are applied
to active sessions.
Use Extended Packet Numbering (XPN) Cipher Suite for port speeds of 40Gbps and above.
Set the connectivity association key (CAK) rekey overlap timer to 30 seconds or more.
Do not use Cisco TrustSec Security Association Protocol (SAP) MACsec encryption for port speeds above 10Gbps.
Do not enable both Cisco TrustSec SAP and uplink MKA at the same time on any interface.
We recommend that you use MACsec MKA encryption.
Media Access Control Security and MACsec Key Agreement
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption
keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys.
MKA and MACsec are implemented after successful authentication using certificate-based MACsec encryption or Pre Shared Key
(PSK) framework.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the MKA peer. MACsec
frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer,
it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the
ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames
sent over the secured port (the access point used to provide the secure MAC service to a MKA peer) using the current session
key.
The MKA Protocol manages the encryption keys used by the underlying MACsec protocol. The basic requirements of MKA are defined
in 802.1x-REV. The MKA Protocol extends 802.1x to allow peer discovery with confirmation of mutual authentication and sharing
of MACsec secret keys to protect data exchanged by the peers.
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session
key (MSK) shared by both partners in the data exchange. Entering the EAP session ID generates a secure connectivity association
key name (CKN).
The key server generates a random secure association key (SAK), which is sent to the client partner. The client is never a key server
and can only interact with a single MKA entity, the key server. After key derivation and generation, the switch sends periodic
transports to the partner at a default interval of 2 seconds.
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement PDU (MKPDU). MKA sessions and
participants are deleted when the MKA lifetime (6 seconds) passes with no MKPDU received from a participant. For example,
if a MKA peer disconnects, the participant on the switch continues to operate MKA until 6 seconds have elapsed after the last
MKPDU is received from the MKA peer.
Note
Integrity check value (ICV) indicator in MKPDU is optional. ICV is not optional when the traffic is encrypted.
MKA Policies
You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA policy disables MKA on that
interface. You can configure these options:
Policy name, not to exceed 16 ASCII characters.
Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
Definition of Policy-Map Actions
This section describes the policy-map actions and its definition:
Activate: Applies a service template to the session.
Authenticate: Starts authentication of the session.
Authorize: Explicitly authorizes a session.
Set-domain: Explicitly sets the domain of a client.
Terminate: Terminates the method that is running, and deletes all the method details associated with the session.
Deactivate: Removes the service-template applied to the session. If not applied, no action is taken.
Set-timer: Starts a timer that is associated with the session. When the timer expires, any action that needs to be started
can be processed.
Authentication-restart: Restarts authentication.
Clear-session: Deletes a session.
Pause: Pauses authentication.
The rest of the actions are self-explanatory and are associated with authentication.
Virtual Ports
Use virtual ports for multiple secured connectivity associations on a single physical port. Each connectivity association
(pair) represents a virtual port. In switch-to-switch, you can have only one virtual port per physical port. In switch-to-host,
you can have a maximum of two virtual ports per physical port, of which one virtual port can be part of a data VLAN; the other
must externally tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in the same
VLAN on the same port. Because of this limitation, 802.1x multiple authentication mode is not supported.
The exception to this limitation is in multiple-host mode when the first MACsec supplicant is successfully authenticated and
connected to a hub that is connected to the switch. A non-MACsec host connected to the hub can send traffic without authentication
because it is in multiple-host mode. We do not recommend using multi-host mode because after the first successful client,
authentication is not required for other clients.
Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside the MKA Protocol.
A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual port are 0x0002 to 0xFFFF. Each virtual
port receives a unique secure channel identifier (SCI) based on the MAC address of the physical interface concatenated with
a 16-bit port ID.
MKA Statistics
Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information
about the status of MKA sessions. See Example: Displaying MKA Information for further information.
Key Lifetime and Hitless Key Rollover
A MACsec key chain can have multiple pre-shared keys (PSK) each configured with a key id and an optional lifetime. A key lifetime
specifies at which time the key expires. In the absence of a lifetime configuration, the default lifetime is unlimited. When
a lifetime is configured, MKA rolls over to the next configured pre-shared key in the key chain after the lifetime is expired.
Time zone of the key can be local or UTC. Default time zone is UTC.
You can make the key roll over to the next key within the same key chain by configuring a second key in the key chain and configuring
a lifetime for the first key. When the lifetime of the first key expires, MKA automatically rolls over to the next key in the
list. If the same key is configured on both sides of the link at the same time, then the key rollover is hitless, that is, the
key rolls over without traffic interruption.
On all participating devices, the MACsec key chain must be synchronised by using Network Time Protocol (NTP) and the same
time zone must be used. If all the participating devices are not synchronized, the connectivity association key (CAK) rekey
will not be initiated on all the devices at the same time.
Note
The lifetimes of the keys need to overlap in order to achieve hitless key rollover.
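As an added example (not Cisco code), the following Python checks a key chain for the conditions described in this section: each key's lifetime must overlap the next key's lifetime by at least the recommended 30-second CAK rekey overlap, and all keys must use the same time zone. It assumes the key chain is written in the IOS-XE lifetime syntax shown in the comment; the key chain itself is constructed for the example.

```python
"""Key-chain lifetime checker for hitless MACsec key rollover."""
import re
from datetime import datetime

# Constructed sample key chain. It assumes the IOS-XE form
#   lifetime [local] hh:mm:ss Mon d yyyy (hh:mm:ss Mon d yyyy | infinite)
# Key 02 overlaps key 01 by 30 minutes; key 03 starts an hour after key 02 expires.
SAMPLE_KEY_CHAIN = """\
key chain kc1 macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 1234567890abcdef1234567890abcdef
  lifetime 00:00:00 Jan 1 2024 00:30:00 Jan 2 2024
 key 02
  cryptographic-algorithm aes-128-cmac
  key-string fedcba0987654321fedcba0987654321
  lifetime 00:00:00 Jan 2 2024 00:00:00 Jan 3 2024
 key 03
  cryptographic-algorithm aes-128-cmac
  key-string 00112233445566778899aabbccddeeff
  lifetime 01:00:00 Jan 3 2024 infinite
"""

MIN_OVERLAP_SECONDS = 30  # CAK rekey overlap recommended earlier on this page

TIME = r"\d\d:\d\d:\d\d [A-Za-z]{3} \d{1,2} \d{4}"
KEY_RE = re.compile(r"^\s*key\s+([0-9A-Fa-f]+)\s*$")
LIFETIME_RE = re.compile(
    r"^\s*lifetime\s+(?P<tz>local\s+)?(?P<start>" + TIME + r")\s+"
    r"(?:(?P<end>" + TIME + r")|(?P<inf>infinite))\s*$"
)


def _parse_time(text):
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


def parse_key_chain(config):
    """Return the keys in configuration order as dicts with id, tz, start, end.

    start/end are None when the key has no lifetime (always valid) or when the
    end is 'infinite'.
    """
    keys = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys.append({"id": m.group(1), "tz": None, "start": None, "end": None})
            continue
        m = LIFETIME_RE.match(line)
        if m and keys:
            keys[-1]["tz"] = "local" if m.group("tz") else "UTC"
            keys[-1]["start"] = _parse_time(m.group("start"))
            keys[-1]["end"] = _parse_time(m.group("end")) if m.group("end") else None
    return keys


def check_rollover(keys, min_overlap=MIN_OVERLAP_SECONDS):
    """Return findings that would break hitless rollover; an empty list means OK."""
    findings = []
    zones = {k["tz"] for k in keys if k["tz"]}
    if len(zones) > 1:
        findings.append("lifetimes mix local and UTC; use one time zone on every device")
    for cur, nxt in zip(keys, keys[1:]):
        if cur["end"] is None:
            findings.append(f"key {cur['id']} never expires, so key {nxt['id']} is never used")
            continue
        if nxt["start"] is None:
            continue  # next key has no lifetime, so it is valid whenever needed
        overlap = (cur["end"] - nxt["start"]).total_seconds()
        if overlap < 0:
            findings.append(f"gap of {-overlap:.0f}s between key {cur['id']} and key {nxt['id']}")
        elif overlap < min_overlap:
            findings.append(f"overlap of {overlap:.0f}s between key {cur['id']} and key {nxt['id']} "
                            f"is below {min_overlap}s")
    return findings


if __name__ == "__main__":
    for finding in check_rollover(parse_key_chain(SAMPLE_KEY_CHAIN)) or ["no findings"]:
        print(finding)
```

Run the same check against the key chain on each peer: a gap on either side means the CAK rekey starts at different times and traffic drops until the next key is active on both.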
Replay Protection Window Size
Replay protection is a feature provided by MACsec to counter replay attacks. Each encrypted packet is assigned a unique sequence
number and the sequence is verified at the remote end. Frames transmitted through a Metro Ethernet service provider network
are highly susceptible to reordering due to prioritization and load balancing mechanisms used within the network.
A replay window is necessary to support the use of MACsec over provider networks that reorder frames. Frames within the window
can be received out of order, but are not replay protected. The default window size is 0, which enforces strict reception
ordering. The replay window size can be configured in the range of 0 to 2^32 - 1.
MACsec, MKA, and 802.1x Host Modes
You can use MACsec and the MKA Protocol with 802.1x single-host mode, multi-host mode, or Multi Domain Authentication (MDA)
mode. Multiple authentication mode is not supported.
Single-Host Mode
The figure shows how a single EAP authenticated session is secured by MACsec by using MKA.
Multiple Host Mode
In standard (not 802.1x REV) 802.1x multiple-host mode, a port is open or closed based on a single authentication. If one
user, the primary secured client services client host, is authenticated, the same level of network access is provided to any
host connected to the same port. If a secondary host is a MACsec supplicant, it cannot be authenticated and traffic would not
flow. A secondary host that is a non-MACsec host can send traffic to the network without authentication because it is in
multiple-host mode. The figure shows MACsec in Standard Multiple-Host Unsecure Mode.
Note
Multi-host mode is not recommended because after the first successful client, authentication is not required for other clients, which is not secure.
Multiple-Domain Mode
In standard (not 802.1x REV) 802.1x multiple-domain mode, a port is open or closed based on a single authentication. If the
primary user, a PC on the data domain, is authenticated, the same level of network access is provided to any domain connected
to the same port. If a secondary user is a MACsec supplicant, it cannot be authenticated and traffic would not flow. A secondary
user, an IP phone on the voice domain, that is a non-MACsec host, can send traffic to the network without authentication because
it is in multiple-domain mode.
MACsec MKA using Certificate-based MACsec
Using certificate-based MACsec encryption, you can configure MACsec MKA on the switch-to-switch links from the line card ports.
Certificate-based MACsec encryption allows mutual authentication and obtains an MSK (master session key) from which the connectivity
association key (CAK) is derived for MKA operations. Device certificates are carried, using certificate-based MACsec encryption,
for authentication to the AAA server.
Prerequisites for MACsec MKA using Certificate-based MACsec
Ensure that you have a Certificate Authority (CA) server configured for your network.
Generate a CA certificate.
Ensure that you have configured Cisco Identity Services Engine (ISE) Release 2.0.
Ensure that both the participating devices, the CA server, and Cisco Identity Services Engine (ISE) are synchronized using
Network Time Protocol (NTP). If time is not synchronized on all your devices, certificates will not be validated.
Ensure that 802.1x authentication and AAA are configured on your device.
How to Configure MACsec Encryption
Configuring MKA and MACsec
By default, MACsec is disabled. No MKA policies are configured.
Configuring an MKA Policy
Beginning in privileged EXEC mode, follow these steps to create an MKA Protocol policy. Note that MKA also requires that you
enable 802.1x.
SUMMARY STEPS
enable
configure terminal
mka policy policy-name
key-server priority
include-icv-indicator
macsec-cipher-suite
{gcm-aes-128 | gcm-aes-256}
confidentiality-offset offset-value
ssci-based-on-sci
end
show mka policy
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password, if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
mka policy policy-name
Example:
Device(config)# mka policy mka_policy
Identifies an MKA policy, and enters MKA policy configuration mode. The maximum policy name length is 16 characters.
Note
The default MACsec cipher suite in the MKA policy will always be "GCM-AES-128". If the device supports both "GCM-AES-128" and "GCM-AES-256" ciphers, it is highly recommended to define and use a user defined
MKA policy to include both 128 and 256 bits ciphers or only 256 bits cipher, as may be required.
Configures MKA key server options and sets the priority (between 0 and 255).
Note
When the key server priority value is set to 255, the peer cannot become the key server. The key server priority value is
valid only for MKA PSK, not for MKA EAPTLS.
Step 5
include-icv-indicator
Example:
Device(config-mka-policy)# include-icv-indicator
Enables the ICV indicator in MKPDU. Use the no form of this command to disable the ICV indicator.
Set the confidentiality (encryption) offset for each physical interface.
Note
Offset Value can be 0, 30 or 50. If you are using Anyconnect on the client, it is recommended to use Offset 0.
Step 8
ssci-based-on-sci
Example:
Device(config-mka-policy)# ssci-based-on-sci
(Optional) Computes Short Secure Channel Identifier (SSCI) value based on Secure Channel Identifier (SCI) value. The higher
the SCI value, the lower is the SSCI value.
Step 9
end
Example:
Device(config-mka-policy)# end
Exits MKA policy configuration mode and returns to privileged EXEC mode.
Step 10
show mka policy
Example:
Device# show mka policy
Displays MKA policy configuration information.
Configuring Switch-to-host MACsec Encryption
Follow these steps to configure MACsec on an interface with one MACsec session for voice and one for data:
SUMMARY STEPS
enable
configure terminal
interface interface-id
switchport access vlan vlan-id
switchport mode access
macsec
access-session host-mode multi-host
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate
authentication violation protect
mka policy policy name
dot1x pae authenticator
spanning-tree portfast
end
show authentication session interface interface-id
show macsec interface interface-id
show mka sessions
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter the password, if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters the global configuration mode.
Step 3
interface interface-id
Example:
Device(config)# interface GigabitEthernet 1/0/1
Identifies the MACsec interface, and enters interface configuration mode. The interface must be a physical interface.
Step 4
switchport access vlan vlan-id
Example:
Device(config-if)# switchport access vlan 1
Configures the access VLAN for the port.
Step 5
switchport mode access
Example:
Device(config-if)# switchport mode access
Configures the interface as an access port.
Step 6
macsec
Example:
Device(config-if)# macsec
Enables 802.1AE MACsec on the interface. The macsec command enables MKA MACsec on switch-to-host links only.
(Optional) Enters a value between 1 and 65535 (in seconds). Obtains re-authentication timeout value from the server. Default
re-authentication time is 3600 seconds.
Configures the port to drop unexpected incoming MAC addresses when a new device connects to a port or when a device connects
to a port after the maximum number of devices are connected to that port. If not configured, the default is to shut down the
port.
Step 13
mka policy policy name
Example:
Device(config-if)# mka policy mka_policy
Applies an existing MKA protocol policy to the interface, and enables MKA on the interface. If no MKA policy was configured
(by entering the mka policy global configuration command).
Step 14
dot1x pae authenticator
Example:
Device(config-if)# dot1x pae authenticator
Configures the port as an 802.1x port access entity (PAE) authenticator.
Step 15
spanning-tree portfast
Example:
Device(config-if)# spanning-tree portfast
Enables spanning tree Port Fast on the interface in all its associated VLANs. When the Port Fast feature is enabled, the interface
changes directly from a blocking state to a forwarding state without making the intermediate spanning-tree state changes.
Step 16
end
Example:
Device(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Step 17
show authentication session interface interface-id
Example:
Device# show authentication session interface GigabitEthernet 1/0/1
Verify the authorized session security status.
Step 18
show macsec interface interface-id
Example:
Device# show macsec interface GigabitEthernet 1/0/1
Verify MACsec status on the interface.
Step 19
show mka sessions
Example:
Device# show mka sessions
Verify the established mka sessions.
Configuring MKA MACsec using PSK
Configuring MACsec MKA using PSK
Beginning in privileged EXEC mode, follow these steps to configure MACsec MKA policies using a Pre Shared Key (PSK).
Generates an RSA key pair for signing and encryption.
You can also assign a label to each key pair using the label keyword. The label is referenced by the trustpoint that uses
the key pair. If you do not assign a label, the key pair is automatically labeled <Default-RSA-Key>.
If you do not use additional keywords this command generates one general purpose RSA key pair. If the modulus is not specified,
the default key modulus of 1024 is used. You can specify other modulus sizes with the modulus keyword.
Step 4
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.
Step 5
show authentication session interface interface-id
Example:
Device# show authentication session interface gigabitethernet 0/1/1
Verifies the authorized session security status.
Configuring Enrollment using SCEP
Simple Certificate Enrollment Protocol (SCEP) is a Cisco-developed enrollment protocol that uses HTTP to communicate with
the certificate authority (CA) or registration authority (RA). SCEP is the most commonly used method for sending and receiving
requests and certificates.
Procedure
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password, if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
crypto pki trustpoint server-name
Example:
Device(config)# crypto pki trustpoint ka
Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
Specifies the URL of the CA on which your device should send certificate requests.
An IPv6 address can be added in the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80.
The pem keyword adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Step 5
rsakeypair label
Example:
Device(ca-trustpoint)# rsakeypair exampleCAkeys
Specifies which key pair to associate with the certificate.
Note
The rsakeypair name must match the trust-point name.
Step 6
serial-number none
Example:
Device(ca-trustpoint)# serial-number none
The none keyword specifies that a serial number will not be included in the certificate request.
Step 7
ip-address none
Example:
Device(ca-trustpoint)# ip-address none
The none keyword specifies that no IP address should be included in the certificate request.
Step 8
revocation-check crl
Example:
Device(ca-trustpoint)# revocation-check crl
Specifies CRL as the method to ensure that the certificate of a peer has not been revoked.
Step 9
auto-enroll percent regenerate
Example:
Device(ca-trustpoint)# auto-enroll 90 regenerate
Enables auto-enrollment, allowing the client to automatically request a rollover certificate from the CA.
If auto-enrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
By default, only the Domain Name System (DNS) name of the device is included in the certificate.
Use the percent argument to specify that a new certificate will be requested after the percentage of the lifetime of the current
certificate is reached.
Use the regenerate keyword to generate a new key for the certificate even if a named key already exists.
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear
in the trustpoint configuration to indicate whether the key pair is exportable: “! RSA key pair associated with trustpoint
is exportable.”
It is recommended that a new key pair be generated for security reasons.
Step 10
exit
Example:
Device(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode and returns to global configuration mode.
Step 11
crypto pki authenticate name
Example:
Device(config)# crypto pki authenticate myca
Retrieves the CA certificate and authenticates it.
Step 12
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.
Step 13
show crypto pki certificate trustpoint-name
Example:
Device# show crypto pki certificate ka
Displays information about the certificate for the trust point.
Configuring Enrollment Manually
If your CA does not support SCEP, or if a network connection between the router and the CA is not possible, perform the following
task to set up manual certificate enrollment:
Procedure
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password, if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 4
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 5
crypto pki trustpoint server-name
Example:
Device(config)# crypto pki trustpoint ka
Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
Imports a certificate via TFTP at the console terminal, which retrieves the granted certificate.
The device attempts to retrieve the granted certificate via TFTP using the same filename used to send the request, except
the extension is changed from “.req” to “.crt”. For usage key certificates, the extensions “-sign.crt” and “-encr.crt” are
used.
The device parses the received files, verifies the certificates, and inserts the certificates into the internal certificate
database on the switch.
Note
Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If your
CA ignores the usage key information in the certificate request, only import the general purpose certificate. The router will
not use one of the two key pairs generated.
Step 15
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.
Step 16
show crypto pki certificate trustpoint-name
Example:
Device# show crypto pki certificate ka
Displays information about the certificate for the trust point.
Configuring Switch-to-switch MACsec Encryption
To apply MACsec MKA using certificate-based MACsec encryption to interfaces, perform the following task:
Procedure
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password, if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
interface interface-id
Example:
Device(config)# interface gigabitethernet 0/2/1
Identifies the MACsec interface, and enters interface configuration mode. The interface must be a physical interface.
Step 4
macsec network-link
Example:
Device(config-if)# macsec network-link
Enables MACsec on the interface.
Step 5
authentication periodic
Example:
Device(config-if)# authentication periodic
(Optional) Enables reauthentication for this port.
Prevents preauthentication access on the interface.
Step 9
access-session port-control auto
Example:
Device(config-if)# access-session port-control auto
Sets the authorization state of a port.
Step 10
dot1x pae both
Example:
Device(config-if)# dot1x pae both
Configures the port as an 802.1X port access entity (PAE) supplicant and authenticator.
Step 11
dot1x credentials profile
Example:
Device(config-if)# dot1x credentials profile
Assigns a 802.1x credentials profile to the interface.
Step 12
end
Example:
Device(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Step 13
show macsec interface interface-id
Example:
Device# show macsec interface GigabitEthernet 1/0/1
Displays MACsec details for the interface.
Configuring Cisco TrustSec MACsec
Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode
Before you begin
When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:
If no SAP parameters are defined, Cisco TrustSec encapsulation or encryption is not performed.
If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select
GCM without the required license, the interface is forced to a link-down state.
These protection levels are supported when you configure SAP pairwise master key (sap pmk):
SAP is not configured—no protection.
sap mode-list gcm-encrypt gmac no-encap—protection desirable but not mandatory.
sap mode-list gcm-encrypt gmac—confidentiality preferred and integrity required. The protection is selected by the supplicant according to supplicant preference.
sap mode-list gmac—integrity only.
sap mode-list gcm-encrypt—confidentiality required.
sap mode-list gmac gcm-encrypt—integrity required and preferred, confidentiality optional.
Before changing the configuration from MKA to Cisco TrustSec SAP and vice versa, we recommend that you remove the interface
configuration.
Beginning in privileged EXEC mode, follow these steps to manually configure Cisco TrustSec on an interface to another Cisco
TrustSec device:
SUMMARY STEPS
configure terminal
interface interface-id
cts manual
sap pmk key [mode-list mode1 [mode2 [mode3 [mode4]]]]
sap pmk key [mode-list mode1 [mode2 [mode3 [mode4]]]]
Example:
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
(Optional) Configures the SAP pairwise master key (PMK) and operation mode. SAP is disabled by default in Cisco TrustSec manual
mode.
key—A hexadecimal value with an even number of characters and a maximum length of 32 characters.
The SAP operation mode options:
gcm-encrypt—Authentication and encryption
Note
Select this mode for MACsec authentication and encryption if your software license supports MACsec encryption.
gmac—Authentication, no encryption
no-encap—No encapsulation
null—Encapsulation, no authentication or encryption
Note
If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode. SGT is not supported.
Step 5
no propagate sgt
Example:
Switch(config-if-cts-manual)# no propagate sgt
Use the no form of this command when the peer is incapable of processing an SGT. The no propagate sgt command prevents the interface from transmitting the SGT to the peer.
Starting with Cisco IOS XE Fuji 16.8.1, for MKA PSK sessions the CKN is exactly the hex string configured for the key, rather
than that string padded to a fixed 32 bytes.
The following is sample output of the show mka session command for a key configured with the hex string 11:
Device# show mka session
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface      Local-TxSCI            Policy-Name      Inherited   Key-Server
Port-ID        Peer-RxSCI             MACsec-Peers     Status      CKN
====================================================================================================
Et0/0          aabb.cc00.6600/0002    icv              NO          NO
2              aabb.cc00.6500/0002    1                Secured     11
Note that the CKN (11) is exactly the hex string configured for the key, not a zero-padded 32-byte value.
When two images must interoperate, one with the CKN behaviour change and one without, configure the hex string for the key
as a 64-character, zero-padded hex string; the device running the image with the CKN behaviour change then derives the same
CKN that the older image produces by padding. For example, a key configured as 01 on an older image must be configured as 01
followed by 62 zeros on a newer image, which is the 64-character CKN that appears in the show mka sessions output later in this
section. See the examples below:
Configuration without CKN key-string behavior change:
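As an added illustration (not Cisco code, and not the page's own configuration examples for the two behaviours), the Python below derives the CKN both ways: ckn_legacy() pads the configured hex string with trailing zeros to 32 bytes, as the older behaviour is described above, and ckn_current() uses it as typed. interoperable() tells you whether a given key id yields the same CKN on both images, and interop_key_id() gives the 64-character form to configure. The padding direction (trailing zeros) is inferred from the 0100...0 CKN shown in the show mka sessions output later on this page; the 32-octet CKN limit is from IEEE 802.1X.

```python
"""CKN derivation before and after the Cisco IOS XE Fuji 16.8.1 behaviour change
(added example, not Cisco code). Assumption from the text above: older images pad
the configured hex string with trailing zeros to a fixed 32 bytes (64 hex
characters); 16.8.1 and later use the hex string exactly as configured."""

CKN_MAX_OCTETS = 32   # IEEE 802.1X: a CKN is 1 to 32 octets


def normalize_hex(hex_id: str) -> str:
    """Accept only an even-length hex string of at most 32 octets, lower-cased."""
    s = hex_id.strip().lower()
    if not s or len(s) % 2 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"not an even-length hex string: {hex_id!r}")
    if len(s) > 2 * CKN_MAX_OCTETS:
        raise ValueError(f"CKN longer than {CKN_MAX_OCTETS} octets: {hex_id!r}")
    return s


def ckn_legacy(hex_id: str) -> str:
    """Pre-16.8.1 behaviour: fixed 32-byte CKN, configured string zero-padded on the right."""
    return normalize_hex(hex_id).ljust(2 * CKN_MAX_OCTETS, "0")


def ckn_current(hex_id: str) -> str:
    """16.8.1 and later: the CKN is exactly the configured hex string."""
    return normalize_hex(hex_id)


def interoperable(hex_id: str) -> bool:
    """True when both images derive the same CKN from this key id, i.e. MKA peers on
    mixed images will find each other; only the full 64-character form satisfies it."""
    return ckn_legacy(hex_id) == ckn_current(hex_id)


def interop_key_id(hex_id: str) -> str:
    """The key id to configure (on the newer image at least) so that a peer on an
    older image, which pads the same short id, ends up with an identical CKN."""
    return ckn_legacy(hex_id)


if __name__ == "__main__":
    for key_id in ("11", "01", "01" + "0" * 62):
        print(f"{key_id}: legacy={ckn_legacy(key_id)} current={ckn_current(key_id)} "
              f"interoperable={interoperable(key_id)}")
```

A mismatched CKN does not produce an error on either side; the peers simply never become live for each other, so checking the key id before a mixed-image upgrade saves a confusing troubleshooting session.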
Examples: Configuring MACsec MKA using Certificate-based MACsec
This example shows how to configure MACsec MKA using certificate-based MACsec:
Device> enable
Device# configure terminal
Device(config)# interface Gigabitethernet 1/0/1
Device(config-if)# macsec network-link
Device(config-if)# authentication periodic
Device(config-if)# authentication timer reauthenticate interval
Device(config-if)# access-session host-mode multi-domain
Device(config-if)# access-session closed
Device(config-if)# access-session port-control auto
Device(config-if)# dot1x pae both
Device(config-if)# dot1x credentials profile
Device(config-if)# dot1x supplicant eap profile profile_eap_tls
Device(config-if)# service-policy type control subscriber sub1
Device(config-if)# end
Examples : Cisco TrustSec Switch-to-Switch Link Security
This example shows the configuration necessary for Cisco TrustSec switch-to-switch link security. You must configure AAA
and RADIUS for link security. In this example, ACS-1 through ACS-3 can be any server names and cts-radius is the name of the
RADIUS server group that Cisco TrustSec uses for authentication and authorization. The pac key value is the RADIUS shared
secret used for PAC provisioning; cisco123 is a placeholder, so use a strong, per-server secret in production. Note also that
aaa authentication login default none disables authentication for logins to the device itself and is shown here only to keep
the example minimal.
Switch(config)#aaa new-model
Switch(config)#radius server ACS-1
Switch(config-radius-server)#address ipv4 10.5.120.12 auth-port 1812 acct-port 1813
Switch(config-radius-server)#pac key cisco123
Switch(config-radius-server)#exit
Switch(config)#radius server ACS-2
Switch(config-radius-server)#address ipv4 10.5.120.14 auth-port 1812 acct-port 1813
Switch(config-radius-server)#pac key cisco123
Switch(config-radius-server)#exit
Switch(config)#radius server ACS-3
Switch(config-radius-server)#address ipv4 10.5.120.15 auth-port 1812 acct-port 1813
Switch(config-radius-server)#pac key cisco123
Switch(config-radius-server)#exit
Switch(config)#aaa group server radius cts-radius
Switch(config-sg-radius)#server name ACS-1
Switch(config-sg-radius)#server name ACS-2
Switch(config-sg-radius)#server name ACS-3
Switch(config-sg-radius)#exit
Switch(config)#aaa authentication login default none
Switch(config)#aaa authentication dot1x default group cts-radius
Switch(config)#aaa authorization network cts-radius group cts-radius
Switch(config)#aaa session-id common
Switch(config)#cts authorization list cts-radius
Switch(config)#dot1x system-auth-control
This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:
Switch# configure terminal
Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# end
Example: Displaying MKA Information
The following is a sample output from the show mka sessions command:
Device# show mka sessions
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface      Local-TxSCI            Policy-Name      Inherited   Key-Server
Port-ID        Peer-RxSCI             MACsec-Peers     Status      CKN
====================================================================================================
Gi1/0/1        204c.9e85.ede4/002b    p2               NO          YES
43             c800.8459.e764/002a    1                Secured     0100000000000000000000000000000000000000000000000000000000000000
The following is a sample output from the show mka sessions interface interface-name command:
Device# show mka sessions interface GigabitEthernet 1/0/1
Summary of All Currently Active MKA Sessions on Interface GigabitEthernet1/0/1...
====================================================================================================
Interface      Local-TxSCI            Policy-Name      Inherited   Key-Server
Port-ID        Peer-RxSCI             MACsec-Peers     Status      CKN
====================================================================================================
Gi1/0/1        204c.9e85.ede4/002b    p2               NO          YES
43             c800.8459.e764/002a    1                Secured     0100000000000000000000000000000000000000000000000000000000000000
The following is sample output from the show mka sessions interface interface-name detail command.
Device# show mka sessions interface GigabitEthernet 1/0/1 detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89567
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
Live Peers List:
MI MN Rx-SCI (Peer) KS Priority
----------------------------------------------------------------------
38046BA37D7DA77E06D006A9 89555 c800.8459.e764/002a 10
Potential Peers List:
MI MN Rx-SCI (Peer) KS Priority
----------------------------------------------------------------------
Dormant Peers List:
MI MN Rx-SCI (Peer) KS Priority
----------------------------------------------------------------------
The following is a sample output from the show mka sessions details command:
Device# show mka sessions details
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89572
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
Live Peers List:
MI MN Rx-SCI (Peer) KS Priority
----------------------------------------------------------------------
38046BA37D7DA77E06D006A9 89560 c800.8459.e764/002a 10
Potential Peers List:
MI MN Rx-SCI (Peer) KS Priority
----------------------------------------------------------------------
Dormant Peers List:
MI MN Rx-SCI (Peer) KS Priority
----------------------------------------------------------------------
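The detail output above is what you would check after bringing a link up. The Python below is an added example, not Cisco code: it parses the dotted name/value lines and the peer tables of a show mka sessions interface ... detail dump (the page's own output, abridged and embedded as a constant so the script runs offline) and reports which of a set of ordinary expectations fail: the session is SECURED with a SAK installed in both directions, a GCM-AES SAK cipher suite, replay protection with a zero window, no confidentiality offset, every MACsec-capable live peer has responded, and the local Key Server flag is consistent with the priorities (MKA elects the numerically lowest priority; tie-breaking on SCI is not modelled). Delay protection is also checked, which is why the page's session, with Delay Protection NO, fails exactly that one check. The checks encode common practice, not a policy stated on the page.

```python
"""Audit a 'show mka sessions interface <if> detail' dump (added example; not Cisco
code). SAMPLE_MKA_DETAIL is the output shown on this page, abridged."""
import re
from typing import Dict, List

SAMPLE_MKA_DETAIL = """\
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Interface Name........... GigabitEthernet1/0/1
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
Live Peers List:
  MI                       MN         Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9 89555      c800.8459.e764/002a  10
Potential Peers List:
  MI                       MN         Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------
"""

FIELD_RE = re.compile(r"^(?P<key>[^.:]+?)\.{2,}\s*(?P<val>.*)$")   # "Name.... value"
PEER_RE = re.compile(r"^([0-9A-Fa-f]{24})\s+(\d+)\s+(\S+)\s+(\d+)$")  # MI MN Rx-SCI KS-prio


def parse_mka_detail(text: str) -> Dict[str, object]:
    """Dotted 'Name.... value' lines become a dict; peer tables are collected by section."""
    fields: Dict[str, object] = {}
    peers: Dict[str, List[dict]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            fields["Status"] = line.split(":", 1)[1].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
            continue
        if line.endswith("Peers List:"):
            section = line[: -len(" List:")]          # "Live Peers", "Potential Peers", ...
            peers[section] = []
            continue
        m = PEER_RE.match(line)
        if m and section is not None:
            peers[section].append({"mi": m.group(1), "mn": int(m.group(2)),
                                   "rx_sci": m.group(3), "ks_priority": int(m.group(4))})
    fields["peers"] = peers
    return fields


def audit_mka(fields: Dict[str, object]) -> Dict[str, bool]:
    """Each check is True when the session looks the way a protected link should."""
    live = fields["peers"].get("Live Peers", [])
    local_prio = int(fields["Key Server Priority"])
    # MKA elects the member with the numerically lowest priority as key server.
    should_be_key_server = all(local_prio < p["ks_priority"] for p in live)
    capability = fields["MACsec Capability"].split()[0]   # 1=integrity 2=+confidentiality 3=+offset
    return {
        "secured": fields["Status"].startswith("SECURED"),
        "sak_installed_both_directions": fields["Latest SAK Status"] == "Rx & Tx",
        "gcm_aes_sak": "GCM-AES" in fields["SAK Cipher Suite"],
        "replay_protection_strict": fields["Replay Protection"] == "YES"
                                    and fields["Replay Window Size"] == "0",
        "full_payload_encrypted": capability in ("2", "3") and fields["Confidentiality Offset"] == "0",
        "delay_protection": fields["Delay Protection"] == "YES",
        "all_live_peers_responded": (fields["# of MACsec Capable Live Peers"]
                                     == fields["# of MACsec Capable Live Peers Responded"]
                                     == str(len(live))),
        "key_server_election_consistent": (fields["Key Server"] == "YES") == should_be_key_server,
    }


def failed_checks(text: str) -> List[str]:
    """Names of the checks that do not hold for the given dump, sorted."""
    return sorted(name for name, ok in audit_mka(parse_mka_detail(text)).items() if not ok)


if __name__ == "__main__":
    print(failed_checks(SAMPLE_MKA_DETAIL))
```

Feed it the output of the same command collected over SSH, or from a log bundle, and alert on any non-empty result other than the checks you have consciously accepted (for instance delay_protection on ports where the restrictions at the top of this module say it is unsupported).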
The following is a sample output from the show mka policy command:
The following is a sample output from the show macsec interface command:
Device# show macsec interface HundredGigE 2/0/4
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 16
Max. Tx SA : 16
Max. Rx SC : 8
Max. Tx SC : 8
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
GCM-AES-256
GCM-AES-XPN-128
GCM-AES-XPN-256
Access control : must secure
Transmit Secure Channels
SCI : 3C5731BBB5850475
SC state : inUse(1)
Elapsed time : 7w0d
Start time : 7w0d
Current AN: 0
Previous AN: -
Next PN: 149757
SA State: inUse(1)
Confidentiality : yes
SAK Unchanged : yes
SA Create time : 00:04:41
SA Start time : 7w0d
SC Statistics
Auth-only Pkts : 0
Auth-only Bytes : 0
Encrypted Pkts : 0
Encrypted Bytes : 0
SA Statistics
Auth-only Pkts : 0
Auth-only Bytes : 0
Encrypted Pkts : 149756
Encrypted Bytes : 16595088
Port Statistics
Egress untag pkts 0
Egress long pkts 0
Receive Secure Channels
SCI : 3C5731BBB5C504DF
SC state : inUse(1)
Elapsed time : 7w0d
Start time : 7w0d
Current AN: 0
Previous AN: -
Next PN: 149786
RX SA Count: 0
SA State: inUse(1)
SAK Unchanged : yes
SA Create time : 00:04:39
SA Start time : 7w0d
SC Statistics
Notvalid pkts 0
Invalid pkts 0
Valid pkts 0
Late pkts 0
Uncheck pkts 0
Delay pkts 0
UnusedSA pkts 0
NousingSA pkts 0
Validated Bytes 0
Decrypted Bytes 0
SA Statistics
Notvalid pkts 0
Invalid pkts 0
Valid pkts 149784
Late pkts 0
Uncheck pkts 0
Delay pkts 0
UnusedSA pkts 0
NousingSA pkts 0
Validated Bytes 0
Decrypted Bytes 16654544
Port Statistics
Ingress untag pkts 0
Ingress notag pkts 631726
Ingress badtag pkts 0
Ingress unknownSCI pkts 0
Ingress noSCI pkts 0
Ingress overrun pkts 0
Feature History for MACsec Encryption
This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
Release                    Feature              Feature Information
Cisco IOS XE Fuji 16.9.1   MACsec Encryption    MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices.
Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator,
go to http://www.cisco.com/go/cfn.