09-Security Command Reference

24-MACsec commands

MACsec commands

confidentiality-offset

Use confidentiality-offset to set the MACsec confidentiality offset in an MKA policy.

Use undo confidentiality-offset to restore the default.

Syntax

confidentiality-offset offset-value

undo confidentiality-offset

Default

The MACsec confidentiality offset is 0. The entire frame is encrypted.

Views

MKA policy view

Predefined user roles

network-admin

Parameters

offset-value: Specifies the confidentiality offset in bytes. The value can be 0, 30 or 50.

Usage guidelines

The MACsec confidentiality offset specifies the number of bytes starting from the frame header. MACsec encrypts only the bytes after the offset in a frame.

When an MKA policy is applied to a port, the confidentiality offset in the policy overwrites the confidentiality offset previously configured on the port. Whichever value is configured locally, the offset actually used on the link is the one propagated by the key server.

Examples

# Set the MACsec confidentiality offset to 30 bytes in MKA policy abcd.

<Sysname> system-view

[Sysname] mka policy abcd

[Sysname-mka-policy-abcd] confidentiality-offset 30

Related commands

macsec confidentiality-offset

mka apply policy

display macsec

Use display macsec to display MACsec information on ports.

Syntax

display macsec [ interface interface-type interface-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports.

verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.

Examples

# Display brief MACsec information on Ten-GigabitEthernet 1/1/1.

<Sysname> display macsec interface ten-gigabitethernet 1/1/1

Interface Ten-GigabitEthernet1/1/1

  Protect frames         : Yes

  Active MKA policy      : PL01

  Replay protection      : Enabled

  Replay window size     : 0 frames

  Confidentiality offset : 0 bytes

  Validation mode        : Check

# Display detailed MACsec information on Ten-GigabitEthernet 1/1/1.

<Sysname> display macsec interface ten-gigabitethernet 1/1/1 verbose

Interface Ten-GigabitEthernet1/1/1

  Protect frames         : Yes

  Active MKA policy      : PL01

  Replay protection      : Enabled

  Replay window size     : 0 frames

  Confidentiality offset : 0 bytes

  Validation mode        : Check

  Included SCI           : No

  SCI conflict           : No

  Cipher suite           : GCM-AES-128

  MKA life time          : 6 seconds

  Transmit secure channel:

    SCI           : 000C29F6A4380004

      Elapsed time: 00h:02m:19s

      Current SA  : AN 0        PN 1

  Receive secure channels:

    SCI           : 000C29258D430124

      Elapsed time: 00h:02m:17s

      Current SA  : AN 0        LPN 1

      Previous SA : AN N/A      LPN N/A

Table 1 Command output

Protect frames
  Status of MACsec desire on the port:
  · Yes.
  · No.
  If the port does not have an MKA principal actor, this field displays N/A.

Active MKA policy
  MKA policy applied to the port.
  This field displays N/A if the port is not enabled with MACsec desire.
  This field is not available if the port is enabled with MACsec desire but has no MKA policy applied.

Replay protection
  Status of replay protection on the port:
  · Enabled.
  · Disabled.
  If the port is not enabled with MACsec desire, this field displays N/A.

Replay window size
  Replay protection window size in number of frames.
  This field displays N/A in the following situations:
  · The port is not enabled with MACsec desire.
  · The port is not enabled with replay protection.

Confidentiality offset
  Confidentiality offset in bytes.
  If the port is not enabled with MACsec desire, this field displays N/A.

Validation mode
  Validation mode:
  · Check.
  · Strict.
  If the port is not enabled with MACsec desire, this field displays N/A.

Included SCI
  Whether the frame includes the SCI tag:
  · Yes.
  · No.
  If the port is not enabled with MACsec desire, this field displays N/A.

SCI conflict
  Whether the SCI in the received MKA packets is the same as the local SCI:
  · Yes—The SCI in the received MKA packets is the same as the local SCI.
  · No—No MKA packet is received, or the SCI in the received MKA packets is different from the local SCI.

Cipher suite
  Cipher suite for MACsec encryption:
  · GCM-AES-128.
  · GCM-AES-256.
  If the port is not enabled with MACsec desire, this field displays N/A.

MKA life time
  MKA session keepalive timer.

Transmit secure channel
  Information about the secure channel for outbound traffic.
  This field is not available if the port is not enabled with MACsec desire.

Receive secure channel
  Information about the secure channel for inbound traffic.
  This field is not available if the port is not enabled with MACsec desire.

Elapsed time
  Lifetime of the secure channel.

SCI
  A hexadecimal string that contains the MAC address and port ID.

Current SA
  Current SA used by the secure channel.
  If no current SA is available, each of the AN, PN, and LPN fields for the current SA displays N/A.

Previous SA
  Previous SA used by the secure channel.
  If no previous SA is available, each of the AN and LPN fields for the previous SA displays N/A.

PN
  Packet number for outbound traffic.

AN
  SA number.

LPN
  Lowest packet number accepted for inbound traffic under the SAK.
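The fields above are what an operator checks after enabling MACsec, so the following added example (not H3C's code, and not part of this reference) parses the verbose output into per-port fields and flags the settings a reviewer would question: ports whose outbound frames are not protected, an SCI conflict, validation mode still at Check after negotiation has succeeded, replay protection disabled or an oversized window, and a non-zero confidentiality offset. The sample text is the output shown above plus a second, constructed port; the 1024-frame window baseline is an assumed local threshold, not a value from the reference.

```python
import re

# Constructed sample: the verbose output shown above for Ten-GigabitEthernet1/1/1,
# plus a second (made-up) port, Ten-GigabitEthernet1/1/2, with MACsec desire
# disabled and an SCI conflict, so the checks below have something to flag.
SAMPLE_OUTPUT = """\
Interface Ten-GigabitEthernet1/1/1
  Protect frames         : Yes
  Active MKA policy      : PL01
  Replay protection      : Enabled
  Replay window size     : 0 frames
  Confidentiality offset : 0 bytes
  Validation mode        : Check
  Included SCI           : No
  SCI conflict           : No
  Cipher suite           : GCM-AES-128
  MKA life time          : 6 seconds
  Transmit secure channel:
    SCI           : 000C29F6A4380004
      Elapsed time: 00h:02m:19s
      Current SA  : AN 0        PN 1
  Receive secure channels:
    SCI           : 000C29258D430124
      Elapsed time: 00h:02m:17s
      Current SA  : AN 0        LPN 1
      Previous SA : AN N/A      LPN N/A
Interface Ten-GigabitEthernet1/1/2
  Protect frames         : No
  Active MKA policy      : N/A
  Replay protection      : N/A
  Replay window size     : N/A
  Confidentiality offset : N/A
  Validation mode        : N/A
  Included SCI           : N/A
  SCI conflict           : Yes
  Cipher suite           : N/A
  MKA life time          : 6 seconds
"""

INTERFACE_RE = re.compile(r"^Interface (\S+)$")
# Only the two-space-indented "Key : Value" lines carry the per-port fields;
# the deeper-indented secure channel lines are not needed for this check.
FIELD_RE = re.compile(r"^  (\S[^:]*?)\s*:\s*(.*)$")


def parse_display_macsec(text):
    """Return {interface: {field: value}} from 'display macsec ... verbose' output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            ports[current][m.group(1)] = m.group(2).strip()
    return ports


def _number(value):
    """'0 frames' -> 0, '30 bytes' -> 30; 'N/A' or empty -> None."""
    head = value.split()[0] if value else ""
    return int(head) if head.isdigit() else None


def assess_port(fields, max_window=1024):
    """Findings for one port. max_window is a constructed local baseline,
    not a value from the command reference."""
    findings = []
    if fields.get("Protect frames") != "Yes":
        findings.append("outbound frames are not MACsec protected")
    if fields.get("SCI conflict") == "Yes":
        findings.append("SCI conflict: peer advertises the local SCI")
    if fields.get("Protect frames") == "Yes":
        if fields.get("Validation mode") != "Strict":
            findings.append("validation mode is Check: frames failing validation are not dropped")
        if fields.get("Replay protection") != "Enabled":
            findings.append("replay protection disabled")
        else:
            window = _number(fields.get("Replay window size", ""))
            if window is not None and window > max_window:
                findings.append(f"replay window {window} frames exceeds baseline {max_window}")
        offset = _number(fields.get("Confidentiality offset", ""))
        if offset:
            findings.append(f"first {offset} bytes of user data are sent in cleartext")
    return findings


def assess(text, max_window=1024):
    """Map every interface in the output to its list of findings."""
    return {port: assess_port(fields, max_window)
            for port, fields in parse_display_macsec(text).items()}


if __name__ == "__main__":
    for port, findings in assess(SAMPLE_OUTPUT).items():
        print(port, findings or ["no findings"])
```

Run it over the captured output of display macsec verbose on each switch after a change window; a port that appears in the findings with "validation mode is Check" after MKA negotiation has been confirmed is the case the macsec validation mode usage guidelines tell you to fix.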

 

Related commands

mka apply policy

display mka policy

Use display mka policy to display MKA policy information.

Syntax

display mka { default-policy | policy [ name policy-name ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

default-policy: Specifies the system-defined MKA policy.

policy: Specifies an MKA policy or all MKA policies.

name policy-name: Specifies an MKA policy by policy name. The policy-name argument represents the MKA policy name, a case-sensitive string of 1 to 16 characters. If you do not specify an MKA policy, this command displays information about all MKA policies.

Examples

# Display information about all MKA policies.

<Sysname> display mka policy

PolicyName          ReplayProtection   WindowSize    ConfOffset    Validation

default-policy      Yes                0             0             Check

policy1             Yes                0             30            Check

policy2             Yes                0             30            Check

policy3             No                 0             0             Strict

policy4             Yes                200           50            Check

policy5             Yes                0             0             Check

Table 2 Command output

PolicyName
  Name of the MKA policy.

ReplayProtection
  Whether the replay protection feature is enabled.

WindowSize
  Replay protection window size in number of frames.

ConfOffset
  Confidentiality offset in bytes.

Validation
  Validation mode:
  · Check.
  · Strict.

Related commands

mka policy

mka apply policy

display mka session

Use display mka session to display MKA session information.

Syntax

display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MKA session information on all ports.

local-sci sci-id: Specifies a local SCI, a case-insensitive hexadecimal string of 16 characters.

verbose: Displays detailed MKA session information. If you do not specify this keyword, the command displays brief MKA session information.

Examples

# Display brief MKA session information on Ten-GigabitEthernet 1/1/1.

<Sysname> display mka session interface ten-gigabitethernet 1/1/1

Interface Ten-GigabitEthernet1/1/1

Tx-SCI    : 000C29F6A4380004

Priority  : 0

Capability: 3

  CKN for participant: ABCD

    Key server            : Yes

    MI (MN)               : D7B00EDA353242704CC6B0DB (7)

    Live peers            : 1

    Potential peers       : 0

    Principal actor       : Yes

    MKA session status    : Secured

    Confidentiality offset: 30 bytes

# Display detailed MKA session information on Ten-GigabitEthernet 1/1/1.

<Sysname> display mka session interface ten-gigabitethernet 1/1/1 verbose

Interface Ten-GigabitEthernet1/1/1

Tx-SCI    : 000C29F6A4380004

Priority  : 0

Capability: 3

  CKN for participant: ABCD

    Key server            : Yes

    MI (MN)               : D7B00EDA353242704CC6B0DB (7)

    Live peers            : 1

    Potential peers       : 0

    Principal actor       : Yes

    MKA session status    : Secured

    Confidentiality offset: 30 bytes

    Current SAK status    : Rx & Tx

    Current SAK AN        : 0

    Current SAK KI (KN)   : 4273791304C1C26259C94C3400000001 (1)

    Previous SAK status   : N/A

    Previous SAK AN       : N/A

    Previous SAK KI (KN)  : N/A

    Live peer list:

    MI                        MN         Priority  Capability  Rx-SCI

    EA58DC3F8715953DBC6593F0  840        100       3           00E0020000000106

 

    Potential peer list:

    MI                        MN         Priority  Capability  Rx-SCI

    DA58DC3Q4573543DBC6699F0  3          200       3           00E0021200000107

Table 3 Command output

Tx-SCI
  SCI for outbound traffic, in hexadecimal notation.

Priority
  Key server priority, in the range of 0 to 255.

Capability
  MACsec capability:
  · 0—The port is MACsec incapable.
  · 1—The port supports integrity check only.
  · 2—The port supports integrity check and packet encryption. The confidentiality offset must be 0.
  · 3—The port supports integrity check and packet encryption. The confidentiality offset can be 0, 30, or 50.

CKN for participant
  CAK name of the MKA instance.

Key server
  Whether the local end is the key server.

MI
  Member identifier in hexadecimal notation.

MN
  Message number.

Live peers
  Number of peers that have already been learned.

Potential peers
  Number of peers that are being negotiated.

Principal actor
  Whether the MKA instance is the principal actor.
  An MKA instance is the operating entity of the MKA protocol on a port. A port might have multiple MKA instances. The principal actor is the MKA instance in the active state.

MKA session status
  MKA session status:
  · Unknown.
  · Pending.
  · Unauthenticated—The port has not been authenticated.
  · Authenticated—The port has passed 802.1X authentication.
  · Secured—The session is secured.
  If the MKA instance is not the principal actor, this field displays N/A.

Confidentiality offset
  Confidentiality offset issued by the key server.
  This field displays N/A in the following situations:
  · The packet is transmitted in plain text.
  · The MKA instance is not the principal actor.

Current SAK status
  Status of the current SAK:
  · Tx—The SAK is used to send packets.
  · Rx—The SAK is used to receive packets.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

Current SAK AN
  SA number of the current SAK in use.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

Current SAK KI
  Key identifier of the current SAK in use, a string of hexadecimal digits that contains the key server's 12-byte MI followed by the KN.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

KN
  SAK number.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

Previous SAK status
  Status of the previous SAK:
  · Tx—The SAK is used to send packets.
  · Rx—The SAK is used to receive packets.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

Previous SAK AN
  SA number of the previous SAK.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

Previous SAK KI
  Key identifier of the previous SAK, a string of hexadecimal digits that contains the key server's 12-byte MI followed by the KN.
  This field displays N/A in the following situations:
  · The MKA instance is not the principal actor.
  · The SAK does not exist.

Live peer list
  List of peers that have participated in the MKA session.
  This field is not available if no live peer exists.

Potential peer list
  List of peers that are being negotiated.
  This field is not available if no potential peer exists.

Rx-SCI
  SCI for inbound traffic, in hexadecimal notation.

Related commands

reset mka session

display mka statistics

Use display mka statistics to display MKA statistics on ports.

Syntax

display mka statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MKA statistics on all ports.

Examples

# Display MKA statistics on Ten-GigabitEthernet 1/1/1.

<Sysname> display mka statistics interface ten-gigabitethernet 1/1/1

Interface Ten-GigabitEthernet1/1/1 statistics

MKPDUs with invalid CKN : 0

MKPDUs with invalid ICV : 0

MKPDUs with Rx error    : 0

CKN for participant     : ABCD

  Tx MKPDUs             : 2379

  Rx MKPDUs             : 2375

  MKPDUs with invalid MN: 0

  MKPDUs with Tx error  : 0

  SAKs distributed      : 0

  SAKs received         : 5

Table 4 Command output

MKPDUs with invalid CKN
  Number of received MKA packets with invalid CKNs.

MKPDUs with invalid ICV
  Number of MKA packets that failed the ICV check.

MKPDUs with Rx error
  Number of received MKA packets that had errors.

CKN for participant
  CAK name of the MKA instance.

Tx MKPDUs
  Number of MKA packets sent by the MKA instance.

Rx MKPDUs
  Number of MKA packets received by the MKA instance.

MKPDUs with invalid MN
  Number of MKA packets with invalid MNs received by the MKA instance.

MKPDUs with Tx error
  Number of MKA packets with errors sent by the MKA instance.

SAKs distributed
  Number of SAKs distributed by the MKA instance.

SAKs received
  Number of SAKs received by the MKA instance.

Related commands

reset mka statistics

macsec cipher-suite

Use macsec cipher-suite to specify the cipher suite for MACsec encryption.

Use undo macsec cipher-suite to restore the default.

Syntax

macsec cipher-suite { gcm-aes-128 | gcm-aes-256 }

undo macsec cipher-suite

Default

MACsec uses the GCM-AES-128 cipher suite for encryption.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

gcm-aes-128: Specifies the GCM-AES-128 cipher suite.

gcm-aes-256: Specifies the GCM-AES-256 cipher suite.

Usage guidelines

This command is supported only on the ports of the H3C LSWM18CQMSEC interface module.

Do not use this command on an 802.1X-enabled port.

This command is supported only in device-oriented mode. Make sure the connected ports are configured with the same cipher suite. If the ports are configured with different cipher suites, they cannot successfully establish MKA sessions.

Examples

# Specify the GCM-AES-256 cipher suite for MACsec encryption on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] macsec cipher-suite gcm-aes-256

Related commands

dot1x

mka psk

macsec confidentiality-offset

Use macsec confidentiality-offset to set the MACsec confidentiality offset on a port.

Use undo macsec confidentiality-offset to restore the default.

Syntax

macsec confidentiality-offset offset-value

undo macsec confidentiality-offset

Default

The MACsec confidentiality offset on the port is 0. The entire frame is encrypted.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

offset-value: Specifies the confidentiality offset in bytes. The value can be 0, 30 or 50.

Usage guidelines

The MACsec confidentiality offset specifies the number of bytes starting from the frame header. MACsec encrypts only the bytes after the offset in a frame.

If you execute this command on a port to which an MKA policy has been applied, the configured value overrides the confidentiality offset in the MKA policy and the policy application is removed from the port. The other settings in the policy (all parameters except the confidentiality offset) remain in effect on the port.

MACsec uses the MACsec confidentiality offset propagated by the key server.
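Both the confidentiality-offset (MKA policy) and macsec confidentiality-offset (port) guidelines say that MACsec encrypts only the bytes after the offset. The added example below (not H3C's code, and not part of this reference) shows what that means for a frame carrying IPv4/TCP: it splits one frame's user data at the offset and reports which headers stay readable. It assumes the 802.1AE definition, in which the offset counts from the first byte of user data after the SecTAG, the MAC addresses and SecTAG are always in cleartext, and the ICV still covers the cleartext bytes; the frame layout and byte values are constructed.

```python
ALLOWED_OFFSETS = (0, 30, 50)   # the values the offset-value argument accepts

# Constructed layout of the user data that follows the SecTAG in one frame:
# an IPv4 header, a TCP header and application data. Lengths are in bytes.
FRAME_LAYOUT = [("IPv4 header", 20), ("TCP header", 20), ("application payload", 200)]


def split_user_data(user_data: bytes, offset: int):
    """Return (clear, protected) for one frame's user data.

    Assumption (802.1AE): the offset counts from the first byte of the user
    data after the SecTAG; the MAC header and SecTAG are never encrypted, and
    the ICV covers the whole frame, so the clear bytes are integrity-protected
    but readable by anyone on the link."""
    if offset not in ALLOWED_OFFSETS:
        raise ValueError(f"offset must be one of {ALLOWED_OFFSETS}")
    return user_data[:offset], user_data[offset:]


def exposure(offset: int, layout=FRAME_LAYOUT):
    """Classify each region of the layout as clear, encrypted or partially clear."""
    if offset not in ALLOWED_OFFSETS:
        raise ValueError(f"offset must be one of {ALLOWED_OFFSETS}")
    result, pos = {}, 0
    for name, length in layout:
        start, end = pos, pos + length
        if end <= offset:
            result[name] = "clear"
        elif start >= offset:
            result[name] = "encrypted"
        else:
            result[name] = f"partial: first {offset - start} of {length} bytes clear"
        pos = end
    return result


def demo():
    """Split a constructed 240-byte user data block at each allowed offset."""
    user_data = bytes(range(256))[:240]      # constructed, deterministic bytes
    report = {}
    for off in ALLOWED_OFFSETS:
        clear, protected = split_user_data(user_data, off)
        report[off] = (len(clear), len(protected), exposure(off))
    return report


if __name__ == "__main__":
    for off, (clear_len, prot_len, regions) in demo().items():
        print(f"offset {off}: {clear_len} bytes clear, {prot_len} bytes encrypted -> {regions}")
```

With offset 30 the whole IPv4 header and the first 10 bytes of TCP (ports, sequence number, and part of the acknowledgement number) are visible on the wire; with 50 both headers and the first 10 payload bytes are. That is the trade-off when a non-zero offset is chosen so that intermediate devices can read addresses.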

Examples

# Set the MACsec confidentiality offset to 30 bytes on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] macsec confidentiality-offset 30

Related commands

confidentiality-offset

display macsec

display mka session

mka apply policy

macsec desire

Use macsec desire to enable MACsec desire. The port expects MACsec protection for outbound frames.

Use undo macsec desire to disable MACsec desire.

Syntax

macsec desire

undo macsec desire

Default

MACsec desire is disabled. A port does not expect MACsec protection for outbound frames.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command allows a MACsec port to expect MACsec protection for outbound frames. The key server determines whether MACsec protects the outbound frames.

MACsec protects the outbound frames of the port when the following requirements are met:

· The key server is MACsec capable.

· Both the local participant and its peer are MACsec capable.

· A minimum of one participant is enabled with the MACsec desire feature.

Examples

# Enable MACsec desire on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] macsec desire

macsec mka-session log enable

Use macsec mka-session log enable to enable MKA session logging.

Use undo macsec mka-session log enable to disable MKA session logging.

Syntax

macsec mka-session log enable

undo macsec mka-session log enable

Default

MKA session logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to generate logs for MKA session changes, such as peer aging and SAK updates. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

As a best practice, disable MKA session logging to prevent excessive log output.

Examples

# Enable MKA session logging.

<Sysname> system-view

[Sysname] macsec mka-session log enable

Related commands

info-center source (Network Management and Monitoring Command Reference)

macsec replay-protection enable

Use macsec replay-protection enable to enable MACsec replay protection on a port.

Use undo macsec replay-protection enable to disable MACsec replay protection on a port.

Syntax

macsec replay-protection enable

undo macsec replay-protection enable

Default

MACsec replay protection is enabled on the port.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This feature allows a MACsec port to accept a number of out-of-order or repeated inbound frames.

If you execute this command on a port to which an MKA policy has been applied, the configured value overrides the replay protection setting in the MKA policy and the policy application is removed from the port. The other settings in the policy (all parameters except MACsec replay protection) remain in effect on the port.

Examples

# Enable MACsec replay protection on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] macsec replay-protection enable

Related commands

display macsec

macsec replay-protection window-size

mka apply policy

replay-protection enable

macsec replay-protection window-size

Use macsec replay-protection window-size to set the MACsec replay protection window size on a port.

Use undo macsec replay-protection window-size to restore the default.

Syntax

macsec replay-protection window-size size-value

undo macsec replay-protection window-size

Default

The MACsec replay protection window size is 0 on a port. The device accepts only frames that arrive in the correct order. Out-of-order or duplicated frames will be dropped.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

size-value: Specifies the replay protection window size, in the range of 0 to 4294967295 frames.

Usage guidelines

To allow a MACsec port to accept a number of out-of-order frames, enable replay protection and specify a replay protection window size on the port.

Suppose the replay protection window size on a port is a. After the port receives a packet with packet number (PN) x, it accepts only packets whose PN is greater than or equal to x - a.

The replay protection window size takes effect only when the replay protection feature is enabled on the port.

Set a replay protection window size based on the forwarding path of frames. If the frames might be forwarded multiple times, set a large replay protection window size.

If you execute this command on a port to which an MKA policy has been applied, the configured value overrides the replay protection window size in the MKA policy and the policy application is removed from the port. The other settings in the policy (all parameters except the replay protection window size) remain in effect on the port.
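The window rule in the guidelines above is easier to reason about when run against an arrival sequence, so here is an added example (not H3C's code, and not part of this reference) of the receive-side check. It assumes the 802.1AE formulation, in which the window is counted back from the next expected PN (one above the highest PN accepted) and PNs inside the window are not tracked individually; with window 0 that yields the in-order-only behaviour the Default section describes, and with a non-zero window a repeated frame inside the window is accepted, which is why the guidelines say to size the window from the forwarding path rather than generously. The PN sequence is constructed.

```python
class ReplayWindow:
    """Receive-side replay check for one secure association.

    Assumption: the 802.1AE rule. next_pn is one above the highest PN accepted
    so far and a frame is accepted when PN >= lowest_pn, where
    lowest_pn = max(next_pn - window, 1). With window 0 only strictly
    increasing PNs pass, so out-of-order and duplicate frames are dropped.
    PNs inside the window are not tracked individually, so a repeated frame
    inside the window is accepted."""

    def __init__(self, window: int, enabled: bool = True):
        if not 0 <= window <= 4294967295:
            raise ValueError("window size must be 0..4294967295 frames")
        self.window, self.enabled = window, enabled
        self.next_pn = 1
        self.accepted = self.dropped = 0

    def lowest_pn(self) -> int:
        # The window takes effect only while replay protection is enabled.
        if not self.enabled:
            return 1
        return max(self.next_pn - self.window, 1)

    def receive(self, pn: int) -> bool:
        if pn < 1 or pn < self.lowest_pn():   # PN 0 is never valid
            self.dropped += 1
            return False
        self.accepted += 1
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def replay_stats(pns, window: int, enabled: bool = True):
    """Feed a PN arrival sequence through the check; return (accepted, dropped)."""
    rw = ReplayWindow(window, enabled)
    for pn in pns:
        rw.receive(pn)
    return rw.accepted, rw.dropped


# Constructed arrival order: an in-order burst, a frame that overtook two
# others, those two arriving late, one duplicate, then a stale replayed frame.
SAMPLE_PNS = [1, 2, 3, 4, 5, 8, 6, 7, 7, 2]

if __name__ == "__main__":
    for window in (0, 3, 100):
        print(f"window {window}: accepted/dropped = {replay_stats(SAMPLE_PNS, window)}")
    print("replay protection disabled:", replay_stats(SAMPLE_PNS, 0, enabled=False))
```

With window 0 the late frames 6 and 7 are lost along with the duplicate and the stale frame; window 3 recovers the reordered frames and still drops the stale PN 2, but also lets the duplicate 7 through; window 100 accepts everything in this sequence.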

Examples

# Set the MACsec replay protection window size to 100 on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] macsec replay-protection window-size 100

Related commands

display macsec

macsec replay-protection enable

mka apply policy

replay-protection window-size

macsec validation mode

Use macsec validation mode to set a MACsec validation mode on a port.

Use undo macsec validation mode to restore the default.

Syntax

macsec validation mode { check | strict }

undo macsec validation mode

Default

The MACsec validation mode is check on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

check: Performs validation only and does not drop illegal frames.

strict: Performs validation and drops illegal frames.

Usage guidelines

To avoid data loss, use the default validation mode check on the MACsec devices in case of MKA negotiation failure. After you use the display macsec command to verify that MKA negotiation has succeeded, change the validation mode to strict.

If you execute this command on a port to which an MKA policy has been applied, the configured value overrides the validation mode in the MKA policy and the policy application is removed from the port. The other settings in the policy (all parameters except the validation mode) remain in effect on the port.

Examples

# Set the MACsec validation mode to strict on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] macsec validation mode strict

Related commands

display macsec

mka apply policy

validation mode

mka apply policy

Use mka apply policy to apply an MKA policy to a port.

Use undo mka apply policy to remove the MKA policy from a port.

Syntax

mka apply policy policy-name

undo mka apply policy

Default

No MKA policy is applied to the port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the name of an MKA policy, a case-sensitive string of 1 to 16 characters.

Usage guidelines

An MKA policy defines MACsec parameters, including confidentiality offset, validation mode, replay protection, and replay protection window size.

When you apply an MKA policy to a port, the MACsec parameter settings in the policy overwrite the MACsec parameters previously configured on the port. Any modifications to the MKA policy take effect immediately.

When you remove the MKA policy from a port, the MACsec parameter settings on the port are restored to the default.

When you delete an MKA policy, ports that use the policy automatically use the system-defined MKA policy default-policy.

When you apply a nonexistent MKA policy to a port, the port automatically uses the system-defined MKA policy default-policy. After you create the specified policy, the policy will be automatically applied to the port.
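The precedence rules in these guidelines, together with the port-level macsec commands that each remove the policy application but keep the policy's other values, are easy to get wrong during an audit. The added example below (not H3C's code, and not part of this reference) is a small model of how the effective parameters of a port are resolved: a port that applies a policy follows the policy live, a port-view command overrides one parameter and detaches the policy, a nonexistent or deleted policy falls back to default-policy, and undo restores the defaults. The port names are constructed, and the model's assumption that a re-created policy re-attaches to ports that requested it is the behaviour stated here for nonexistent policies, not something the reference states for deleted ones.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

DEFAULT_POLICY = "default-policy"


@dataclass(frozen=True)
class MkaPolicy:
    """The four parameters an MKA policy carries, with the defaults this reference gives."""
    confidentiality_offset: int = 0
    validation_mode: str = "check"
    replay_protection: bool = True
    replay_window_size: int = 0


class MacsecConfigModel:
    """Model of how policy-level and port-level settings combine on a port."""

    def __init__(self):
        self.policies: Dict[str, MkaPolicy] = {DEFAULT_POLICY: MkaPolicy()}
        self.port_settings: Dict[str, MkaPolicy] = {}   # values set by port-view macsec commands
        self.requested: Dict[str, str] = {}              # port -> name given to 'mka apply policy'

    # system view: mka policy / undo mka policy (default-policy is immutable)
    def create_policy(self, name: str, **params) -> None:
        """Create a policy, or enter an existing one and change parameters."""
        if name == DEFAULT_POLICY:
            raise ValueError("default-policy cannot be modified")
        self.policies[name] = replace(self.policies.get(name, MkaPolicy()), **params)

    def delete_policy(self, name: str) -> None:
        if name == DEFAULT_POLICY:
            raise ValueError("default-policy cannot be deleted")
        self.policies.pop(name, None)   # ports using it now resolve to default-policy

    # interface view: mka apply policy / undo mka apply policy
    def apply_policy(self, port: str, name: str) -> None:
        self.requested[port] = name     # a nonexistent name is remembered and applied once created

    def undo_apply_policy(self, port: str) -> None:
        self.requested.pop(port, None)
        self.port_settings[port] = MkaPolicy()   # port parameters return to their defaults

    # interface view: macsec confidentiality-offset / validation mode / replay-protection ...
    def set_port_parameter(self, port: str, parameter: str, value) -> None:
        """The port command overrides that one parameter and removes the policy
        application; the policy's other values stay in effect on the port."""
        base = self.effective(port)
        self.requested.pop(port, None)
        self.port_settings[port] = replace(base, **{parameter: value})

    def active_policy(self, port: str) -> Optional[str]:
        """Name shown as the port's active policy, or None if none is applied."""
        name = self.requested.get(port)
        if name is None:
            return None
        return name if name in self.policies else DEFAULT_POLICY

    def effective(self, port: str) -> MkaPolicy:
        """Resolve through the policy table each time, so policy edits apply immediately."""
        name = self.active_policy(port)
        if name is not None:
            return self.policies[name]
        return self.port_settings.get(port, MkaPolicy())
```

The point to take from the model: after any port-view macsec command, display macsec no longer shows the policy as active even though most of its values are still in force, so compare effective settings rather than policy names when checking that two ends of a link match.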

Examples

# Apply MKA policy abcd to Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] mka apply policy abcd

Related commands

confidentiality-offset

display mka policy

replay-protection enable

replay-protection window-size

validation mode

mka enable

Use mka enable to enable MKA on a port.

Use undo mka enable to disable MKA on a port.

Syntax

mka enable

undo mka enable

Default

MKA is disabled on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

MKA establishes and manages MACsec secure channels on a port. It also negotiates encryption keys used by MACsec.

Enabling MKA on a port triggers MKA negotiation. After the negotiation succeeds, an MKA session is established.

Examples

# Enable MKA on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] mka enable

Related commands

display mka session

mka policy

Use mka policy to create an MKA policy and enter its view, or enter the view of an existing MKA policy.

Use undo mka policy to delete an MKA policy.

Syntax

mka policy policy-name

undo mka policy policy-name

Default

A system-defined MKA policy exists. The policy name is default-policy.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the name of an MKA policy, a case-sensitive string of 1 to 16 characters.

Usage guidelines

An MKA policy provides a centralized way to configure the MACsec confidentiality offset, validation mode, replay protection, and replay protection window size.

The system supports multiple MKA policies.

You cannot delete or modify the system-defined MKA policy default-policy.

Examples

# Create an MKA policy named abcd and enter its view.

<Sysname> system-view

[Sysname] mka policy abcd

[Sysname-mka-policy-abcd]

Related commands

confidentiality-offset

display mka policy

mka apply policy

replay-protection enable

replay-protection window-size

validation mode

mka priority

Use mka priority to set the MKA key server priority.

Use undo mka priority to restore the default.

Syntax

mka priority priority-value

undo mka priority

Default

The MKA key server priority is 0.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

priority-value: Specifies the priority value, in the range of 0 to 255. The priority is inversely related to its value.

Usage guidelines

If you use an 802.1X-generated CAK, the access device port automatically becomes the key server.

If you use a preshared key as the CAK, the port with the higher priority (lower priority value) becomes the key server. If the port and its peers have the same priority, MACsec compares the SCI values of the ports, and the port with the lowest SCI value becomes the key server.

A port with priority 255 cannot become the key server. For a successful key server selection, make sure a minimum of one participant's key server priority is not 255.
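The election rule in these guidelines, including the tie-break on SCI and the 255 exclusion, as an added example (not H3C's code, and not part of this reference). It covers only the preshared-key case; with an 802.1X-generated CAK the access device port is the key server regardless of priority. The participant names are constructed; the SCI values reuse the ones shown in the display macsec output above.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

NEVER_KEY_SERVER = 255   # a participant at priority 255 cannot be elected


@dataclass(frozen=True)
class Participant:
    port: str
    priority: int   # 0..255; a lower value means a higher priority
    sci: str        # 16 hex characters: MAC address followed by port ID

    def __post_init__(self):
        if not 0 <= self.priority <= 255:
            raise ValueError(f"{self.port}: priority must be 0..255")
        try:
            int(self.sci, 16)
        except ValueError:
            raise ValueError(f"{self.port}: SCI must be hexadecimal") from None
        if len(self.sci) != 16:
            raise ValueError(f"{self.port}: SCI must be 16 hex characters")


def elect_key_server(participants: Iterable[Participant]) -> Optional[str]:
    """Key server selection for a preshared-key CAK, as the guidelines describe:
    the lowest priority value wins, ties go to the numerically lowest SCI, and
    a participant at 255 is never chosen. Returns the winning port name, or
    None when every participant sits at 255 (no key server, so no SAK is
    ever distributed)."""
    candidates = [p for p in participants if p.priority != NEVER_KEY_SERVER]
    if not candidates:
        return None
    winner = min(candidates, key=lambda p: (p.priority, int(p.sci, 16)))
    return winner.port


if __name__ == "__main__":
    link = [Participant("XGE1/1/1", 10, "000C29F6A4380004"),
            Participant("XGE1/1/2", 10, "000C29258D430124")]
    print("key server:", elect_key_server(link))   # tie on priority, lowest SCI wins
```

Because the tie-break is on SCI (MAC address and port ID), leaving every port at the default priority 0 makes the election depend on which device happens to have the lower MAC address; set an explicit lower value on the device you want to own SAK distribution.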

Examples

# Set the MKA key server priority to 2 on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] mka priority 2

Related commands

display mka session

mka psk

Use mka psk to set a preshared key as the CAK.

Use undo mka psk to restore the default.

Syntax

mka psk ckn name cak { cipher | simple } string

undo mka psk

Default

No preshared key exists.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

ckn name: Specifies the preshared key name (CKN), a case-insensitive hexadecimal string with an even number of characters. The name length is in the range of 2 to 64 characters.

cak: Specifies the preshared key.

cipher: Specifies the preshared key in encrypted form.

simple: Specifies the preshared key in plaintext form. For security purposes, the preshared key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. The plaintext form of the key is a hexadecimal string with an even number of case-insensitive characters, and the key length is in the range of 2 to 64 characters. The encrypted form of the key is a case-sensitive string of 2 to 117 characters.

Usage guidelines

The CAK can be either generated during 802.1X or manually configured at the CLI. The manually configured CAK takes precedence over the 802.1X-generated key.

When 802.1X is not enabled on MACsec ports, you can execute this command to configure a preshared key on each MACsec port. Make sure the connected ports are configured with the same CKN and CAK. If the connected ports are configured with different CKNs and CAKs, they cannot successfully establish MKA sessions.

To successfully establish an MKA session between two connected ports, make sure that no other ports in the network are configured with the same CKN.

To delete the configured keys for MKA sessions that have been established, perform the following tasks:

1. Execute the undo mka psk command on the key server.

2. Execute the undo mka psk command on the non-key server.

The deletion operation deletes the established MKA sessions at the same time.

Different cipher suites for MACsec encryption have different requirements for the CKN and CAK configuration:

· The GCM-AES-128 cipher suite requires that the CKN and CAK each be 32 characters long. If the configured CKN or CAK is not 32 characters long, the system performs the following operations when it runs the cipher suite:

    · Automatically zero-pads the CKN or CAK to 32 characters if it contains fewer than 32 characters.

    · Uses only the first 32 characters if the CKN or CAK contains more than 32 characters.

· The GCM-AES-256 cipher suite requires that the CKN and CAK each be 64 characters long. If the configured CKN or CAK contains fewer than 64 characters, the system automatically zero-pads it to 64 characters when it runs the cipher suite.
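The padding and truncation rules above decide whether two ends actually share key material, and they have a side effect worth checking for: under GCM-AES-128 two CAKs that differ only after their 32nd character are the same key, and a short CAK is equivalent to its zero-extended form. The added example below (not H3C's code, and not part of this reference) applies the parameter rules of this command and the per-suite rules to a CKN/CAK pair and tells you whether two configured ends can negotiate. All key strings in it are constructed sample values.

```python
import re

HEX_PAIRS = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
SUITE_KEY_CHARS = {"gcm-aes-128": 32, "gcm-aes-256": 64}


def check_cli_hex(value: str, what: str) -> str:
    """The mka psk parameter rule: hex, even number of characters, 2 to 64 long.
    Case-insensitive, so the result is upper-cased for comparison."""
    if not 2 <= len(value) <= 64 or not HEX_PAIRS.match(value):
        raise ValueError(f"{what} must be 2 to 64 hex characters with an even length")
    return value.upper()


def fit_to_suite(value: str, suite: str) -> str:
    """Apply the cipher-suite rule: zero-pad to 32 (GCM-AES-128) or 64
    (GCM-AES-256) characters; a value longer than 32 is cut to its first 32
    under GCM-AES-128 (64 is already the CLI maximum, so nothing is cut for
    GCM-AES-256)."""
    target = SUITE_KEY_CHARS[suite]
    return value[:target].ljust(target, "0")


def key_material(ckn: str, cak: str, suite: str):
    """CKN and CAK exactly as they will be used under the given cipher suite."""
    return (fit_to_suite(check_cli_hex(ckn, "CKN"), suite),
            fit_to_suite(check_cli_hex(cak, "CAK"), suite))


def can_negotiate(local, peer):
    """local and peer are (ckn, cak, suite) tuples; both ends must run the same
    cipher suite and arrive at identical key material for an MKA session to form."""
    if local[2] != peer[2]:
        return False, "cipher suites differ"
    if key_material(*local) != key_material(*peer):
        return False, "CKN or CAK differs after padding/truncation"
    return True, "match"


if __name__ == "__main__":
    # The command example on this page: ckn AB, cak 1234, default GCM-AES-128.
    print(key_material("AB", "1234", "gcm-aes-128"))
    # Two constructed 40-character CAKs that differ only in their tail.
    tail_a = "A" * 32 + "11111111"
    tail_b = "A" * 32 + "22222222"
    print(can_negotiate((tail_a, tail_a, "gcm-aes-128"), (tail_b, tail_b, "gcm-aes-128")))
    print(can_negotiate((tail_a, tail_a, "gcm-aes-256"), (tail_b, tail_b, "gcm-aes-256")))
```

The practical consequence: configure a CAK of the full length the suite uses (32 hex characters for GCM-AES-128, 64 for GCM-AES-256) so that neither padding nor truncation silently reduces the key.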

Examples

# Configure the CAK name as AB, and set the CAK to 1234 in plain text on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] mka psk ckn AB cak simple 1234

Related commands

dot1x

macsec cipher-suite

mka timer mka-life

Use mka timer mka-life to set the MKA life time.

Use undo mka timer mka-life to restore the default.

Syntax

mka timer mka-life seconds

undo mka timer mka-life

Default

The MKA life time is 6 seconds.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

seconds: Sets the MKA life time in seconds. The value range for this argument is 6 to 60.

Usage guidelines

The participants at each end of a secure session exchange MKA protocol packets to keep the session alive.

The MKA life time sets the session keepalive timer for participants. The timer starts on a participant when the participant receives the first MKA protocol packet from its peer. If the participant does not receive any subsequent MKA protocol packets from that peer before the timer expires, the participant determines that the session is insecure and then removes the session.

This command is applicable only in device-oriented mode.

Make sure the participants at each end of a secure session have the same MKA life time.

Examples

# Set the MKA life time to 10 seconds on Ten-GigabitEthernet 1/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/1/1

[Sysname-Ten-GigabitEthernet1/1/1] mka timer mka-life 10

Related commands

display macsec

replay-protection enable

Use replay-protection enable to enable MACsec replay protection in an MKA policy.

Use undo replay-protection enable to disable MACsec replay protection in an MKA policy.

Syntax

replay-protection enable

undo replay-protection enable

Default

MACsec replay protection is enabled in an MKA policy.

Views

MKA policy view

Predefined user roles

network-admin

Usage guidelines

This feature allows a MACsec port to accept a number of out-of-order or repeated inbound frames.

When an MKA policy is applied to a port, the replay protection configuration in the policy overwrites the replay protection feature already used by the port.

Examples

# Enable MACsec replay protection in MKA policy abcd.

<Sysname> system-view

[Sysname] mka policy abcd

[Sysname-mka-policy-abcd] replay-protection enable

Related commands

macsec replay-protection enable

mka apply policy

replay-protection window-size

replay-protection window-size

Use replay-protection window-size to set the MACsec replay protection window size in an MKA policy.

Use undo replay-protection window-size to restore the default.

Syntax

replay-protection window-size size-value

undo replay-protection window-size

Default

The MACsec replay protection window size in an MKA policy is 0. The device accepts only frames that arrive in the correct order. Out-of-order or duplicated frames will be dropped.

Views

MKA policy view

Predefined user roles

network-admin

Parameters

size-value: Specifies the replay protection window size, in the range of 0 to 4294967295 frames.

Usage guidelines

The MACsec replay protection window size allows a MACsec port to accept a number of out-of-order inbound frames.

Suppose the replay protection window size is a on a port. After the port receives a packet with PN x, it can accept only packets whose PN is greater than or equal to x-a.

The replay protection window size takes effect only when the replay protection feature is enabled on the port.

Set a replay protection window size based on the forwarding path of frames. If the frames might be forwarded multiple times, set a large replay protection window size.

When an MKA policy is applied to a port, the replay protection window size in the policy overwrites the window size already configured on the port.
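The window rule above can be checked against a concrete PN sequence. The following is an added example (not H3C code) that simulates the per-port replay check: the port tracks the highest PN received (x) and, with window size a, accepts a frame only if its PN falls within the window. It assumes the boundary implied by the Default section (window size 0 drops both out-of-order and duplicated frames), that is, a frame with PN p is accepted when p >= x + 1 - a, which is how IEEE 802.1AE defines the lowest acceptable PN (nextPN minus the replay window).

```python
# Added example (not H3C code): simulate MACsec replay protection for one
# port. highest_pn is x in the usage guidelines; window_size is a.
# Assumption: a frame is accepted when pn >= highest_pn + 1 - window_size,
# so that window size 0 drops duplicates as the Default section states.


class ReplayWindow:
    def __init__(self, window_size: int, enabled: bool = True):
        self.window_size = window_size
        self.enabled = enabled          # replay-protection enable on the port
        self.highest_pn = None          # no frame received yet on this SA

    def accept(self, pn: int) -> bool:
        """Return True if a frame carrying this PN would be accepted."""
        # The window size only matters when replay protection is enabled.
        if self.enabled and self.highest_pn is not None:
            lowest_acceptable = self.highest_pn + 1 - self.window_size
            if pn < lowest_acceptable:
                return False            # too old: replayed or reordered beyond the window
        if self.highest_pn is None or pn > self.highest_pn:
            self.highest_pn = pn        # x only ever moves forward
        return True


def run(window_size: int, pns, enabled: bool = True):
    """Feed a constructed PN sequence; return the accept/drop decision per frame."""
    rw = ReplayWindow(window_size, enabled)
    return [rw.accept(pn) for pn in pns]


if __name__ == "__main__":
    # Constructed sequences: strict ordering (window 0) vs. a window of 2.
    print(run(0, [1, 2, 3, 3, 2, 4]))      # duplicate 3 and late 2 are dropped
    print(run(2, [10, 8, 9, 7, 12, 10]))   # 9 is inside the window, 8 and 7 are not
```

Setting the window to cover the largest reordering the forwarding path can introduce keeps legitimate frames while still rejecting anything older than the window.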

Examples

# Set the MACsec replay protection window size to 100 in MKA policy abcd.

<Sysname> system-view

[Sysname] mka policy abcd

[Sysname-mka-policy-abcd] replay-protection window-size 100

Related commands

macsec replay-protection window-size

macsec replay-protection enable

mka apply policy

reset mka session

Use reset mka session to reset MKA sessions on ports.

Syntax

reset mka session [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command resets MKA sessions on all ports.

Usage guidelines

This command first clears MKA sessions, and then immediately triggers a new session establishment negotiation.

Examples

# Reset MKA sessions on Ten-GigabitEthernet 1/1/1.

<Sysname> reset mka session interface ten-gigabitethernet 1/1/1

Related commands

display mka session

reset mka statistics

Use reset mka statistics to clear MKA statistics on ports.

Syntax

reset mka statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears MKA statistics on all ports.

Examples

# Clear MKA statistics on Ten-GigabitEthernet 1/1/1.

<Sysname> reset mka statistics interface ten-gigabitethernet 1/1/1

Related commands

display mka statistics

validation mode

Use validation mode to set a MACsec validation mode in an MKA policy.

Use undo validation mode to restore the default.

Syntax

validation mode { check | strict }

undo validation mode

Default

The MACsec validation mode is check. The device performs validation only and does not drop illegal frames.

Views

MKA policy view

Predefined user roles

network-admin

Parameters

check: Performs validation only and does not drop illegal frames.

strict: Performs validation and drops illegal frames.

Usage guidelines

To avoid data loss if MKA negotiation fails, keep the default validation mode check on the MACsec devices during initial setup. After you use the display macsec command to verify that MKA negotiation has succeeded, change the validation mode to strict.

When an MKA policy is applied to a port, the MACsec validation mode in the policy overwrites the MACsec validation mode already configured on the port.

Examples

# Set the MACsec validation mode to strict in MKA policy abcd.

<Sysname> system-view

[Sysname] mka policy abcd

[Sysname-mka-policy-abcd] validation mode strict

Related commands

macsec validation mode

mka apply policy