Security Configuration Guide: 24-MACsec configuration
Configuring MACsec
About MACsec
Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer.
Basic concepts
MKA
MACsec Key Agreement (MKA) protocol is used for encryption key negotiation.
CA
Connectivity association (CA) is a group of participants that use the same key and key algorithm.
CAK
The key used by the CA participants is called a connectivity association key (CAK). The CAK is not used directly to encrypt data packets; the CAK and other parameters are used to derive the encryption key. A CAK can be a key generated during 802.1X authentication or a user-configured preshared key. The user-configured preshared key takes precedence over the 802.1X-generated key.
The following types of CAKs are available:
· Pairwise CAK—Used by CAs that have two participants.
· Group CAK—Used by CAs that have more than two participants.
The pairwise CAK is used most often because MACsec is typically applied to point-to-point networks.
CKN
Connectivity Association Key Name (CKN) is the name of a CAK.
SC
Security Channel (SC) transmits secure data between CA participants.
SCI
Security Channel Identifier (SCI) includes the MAC address and ID of a port, which uniquely identifies an SC.
SA
Secure association (SA) is an agreement negotiated by CA participants. The agreement includes a cipher suite and keys for integrity check.
SAK
Security Association Key (SAK) is derived from the CAK by a key derivation algorithm and is used to encrypt the data transmitted along the SC. An SC can contain multiple SAs, and each SA uses a unique SAK.
MKA limits the number of packets that can be encrypted by an SAK. When the limit is exceeded, the SAK will be refreshed. For example, when packets with the minimum size are sent on a 10 Gbps link, an SAK rekey occurs about every 300 seconds.
ICV
The packet sender calculates an Integrity Check Value (ICV) from packet data units by using an algorithm and includes the ICV in the frame trailer. The packet receiver recalculates an ICV and compares the calculated ICV with the ICV in the frame trailer to check packet data integrity.
Security mechanisms
Data encryption
MACsec enables a port to encrypt outbound frames and decrypt MACsec-encrypted inbound frames. The keys for encryption and decryption are negotiated by MKA.
Integrity check
MACsec performs integrity check when the device receives a MACsec-encrypted frame. The integrity check uses the following process:
· Uses a key negotiated by MKA to calculate an ICV for the frame.
· Compares the calculated ICV with the ICV in the frame trailer.
  · If the ICVs are the same, the device verifies the frame as legal.
  · If the ICVs are different, the device determines whether to drop the frame based on the validation mode. The device supports the following validation modes:
    - check—Performs validation only, and does not drop illegal frames.
    - disabled—Does not perform validation.
    - strict—Performs validation, and drops illegal frames.
Replay protection
When MACsec frames are transmitted over the network, frame disorder might occur. MACsec replay protection allows the device to accept the out-of-order packets within the replay protection window size and drop other out-of-order packets. Suppose the replay protection window size is a on a port. After the port receives a packet with PN x, it can accept only packets whose PN is greater than or equal to x-a.
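The replay window rule above, modelled as a small receive-SA state machine. This is an added example written for this page, not H3C code; it follows the IEEE 802.1AE definition (lowest acceptable PN = next expected PN minus the window, where the next expected PN is one more than the highest PN accepted so far), which is the assumption behind mapping the page's "greater than or equal to x-a" rule onto it. With a window of 0 only strictly increasing PNs pass, so duplicates and out-of-order frames are dropped, which matches the default behaviour the configuration sections describe.

```python
from dataclasses import dataclass


@dataclass
class ReceiveSaState:
    """Replay state of one receive SA (constructed model, not device code).

    next_pn is one more than the highest PN accepted so far. With replay
    protection enabled, a frame is accepted only if its PN is at least
    next_pn - window; frames below that are dropped. With window 0 this
    reduces to "strictly in order", so duplicates are dropped as well.
    """
    window: int               # replay protection window size in frames
    enabled: bool = True      # macsec replay-protection enable
    next_pn: int = 1          # PN 0 is never used; the first expected PN is 1
    accepted: int = 0
    dropped: int = 0

    def check(self, pn: int) -> bool:
        """Return True if a frame with this PN is accepted, False if dropped."""
        if self.enabled:
            lowest_acceptable = max(1, self.next_pn - self.window)
            if pn < lowest_acceptable:
                self.dropped += 1
                return False
        # Accepted (or replay protection disabled): advance the high-water mark.
        self.accepted += 1
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def run_sequence(window: int, pns, enabled: bool = True):
    """Feed a list of received PNs through one receive SA; return the verdicts."""
    state = ReceiveSaState(window=window, enabled=enabled)
    return [state.check(pn) for pn in pns]


def count_drops(window: int, pns, enabled: bool = True) -> int:
    """Number of frames the SA would drop for this arrival order."""
    return sum(1 for ok in run_sequence(window, pns, enabled) if not ok)


if __name__ == "__main__":
    # Constructed arrival order: a burst delivered slightly out of order.
    arrivals = [1, 2, 3, 5, 4, 6, 6, 9, 7]
    for w in (0, 2, 100):
        print(f"window {w:>3}: verdicts {run_sequence(w, arrivals)}")
```

Run the script to see how the same arrival order fares under window sizes 0, 2 and 100; a window large enough for the reordering depth of the link keeps the drop count at zero without disabling replay protection entirely.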
Packet structure
After SAK negotiation and installation between CA participants are completed, the negotiated key will be used for data packet forwarding.
· The data packet sender performs the following tasks:
a. Uses an SAK and an encryption algorithm to encrypt the MAC Service Data Unit (MSDU) of the original packet. The encrypted part is called secure data.
b. Uses the SAK and a validity algorithm to calculate an ICV from the source MAC address, destination MAC address, SecTAG, and secure data, and then includes the ICV in the packet trailer.
c. Sends the complete MACsec-encrypted packet to the peer end.
· The packet receiver performs the following tasks:
a. Uses the SAK and a decryption algorithm to obtain the plaintext from the encrypted packet.
b. Uses a validity algorithm to calculate an ICV, and compares the calculated ICV with the ICV in the packet trailer. If the ICVs are the same, the packet has not been modified.
Figure 1 MACsec-encrypted packet
A MACsec-encrypted packet has the following key fields:
· DA—Destination MAC address in the packet. The length is 6 bytes.
· SecTAG—Security tag. The length is 8 or 16 bytes.
· Secure Data—Packet payload after MACsec encryption. MACsec can encrypt only the bytes after the MACsec confidentiality offset in a frame. The offset value can be 0, 30, or 50.
· ICV—Integrity check value. The length is 8 to 16 bytes. If a packet has been tampered with, the ICV value will change. This protects the packet from malicious modification.
Figure 2 SecTAG field
· Ethertype (ET)—Ethernet type of the MACsec protocol. The length is 2 bytes and the value is 0x88E5.
· TAG control information (TCI)—Provides information including the MACsec version number, whether the packet has been encrypted, whether integrity calculation has been performed, and whether the packet trailer carries an ICV. The length is 6 bits.
· Association Number (AN)—Number of an SA in the SC that transmits the packet. The length is 2 bits. An SC can include four SAs.
· Short Length (SL)—The length is 1 byte. If the length of the Secure Data field is less than 48 bytes, the value for this field is the length of the Secure Data field. If the length of the Secure Data field is greater than 48 bytes, the value for this field is 0.
· Packet Number (PN)—Number of the packet. The length is 4 bytes. Every time the packet sender sends a packet, the value for this field increases by 1 to prevent packet replay attacks.
· Secure Channel Identifier (SCI)—8-byte identifier for the SC, including a 6-byte MAC address and a 2-byte port number.
MACsec application modes
MACsec supports the device-oriented mode.
Device-oriented mode
As shown in Figure 3, MACsec secures data transmission between devices. In this mode, the same preshared key must be configured on the MACsec ports that connect the devices. The devices use the configured preshared key as the CAK.
MACsec operating mechanism
Operating mechanism for device-oriented mode
As shown in Figure 4, the devices use the configured preshared key to start session negotiation.
Figure 4 MACsec interactive process in device-oriented mode
The following shows the MACsec process:
1. The devices use the configured preshared key as the CAK to exchange EAPOL-MKA packets.
2. The devices exchange the MACsec capability and required parameters for session establishment. The parameters include MKA key server priority and MACsec desire.
3. During the negotiation process, the port with higher MKA key server priority becomes the key server. The key server generates and distributes an SAK.
4. The devices use the SAK to encrypt packets, and they send and receive the encrypted packets in secure channels.
5. When a device receives a logoff request from the peer, it immediately deletes the associated secure session.
Protocols and standards
IEEE 802.1X-2010, Port-Based Network Access Control
IEEE 802.1AE-2006, Media Access Control (MAC) Security
Restrictions and guidelines: MACsec configuration
MACsec is supported only on the following modules:
· SC modules prefixed with LSCM2.
· SD interface modules.
· SF interface modules.
When you configure MACsec on interfaces of SC modules prefixed with LSCM2 or SD interface modules, follow these guidelines:
· You can enable MACsec on a maximum of 32 interfaces of a module.
· As a best practice to avoid packet dropping, make sure MACsec traffic speed is below 100 Gbps.
MACsec tasks at a glance
To configure MACsec, perform the following tasks:
1. Configuring basic MACsec parameters
  · Specifying the cipher suite for MACsec encryption
    This task is required in device-oriented mode.
2. (Optional.) Configuring extended MACsec features
  · Configuring the MKA key server priority
    This task is applicable only in device-oriented mode.
  · Configuring MACsec protection parameters
    Choose one of the following tasks:
    - Configuring MACsec protection parameters in interface view
    - Configuring MACsec protection parameters by MKA policy
  · Enabling inclusion of the SCI in the SecTAG field of MACsec frames on an interface
  · Enabling MACsec maintenance mode on an interface
  · Enabling MKA session logging
Enabling MKA
About this task
MKA establishes and manages MACsec secure channels on a port. It also negotiates keys used by MACsec.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MKA.
mka enable
By default, MKA is disabled on the port.
Enabling MACsec desire
About this task
The MACsec desire feature expects MACsec protection for outbound frames. The key server determines whether MACsec protects the outbound frames.
MACsec protects the outbound frames of a port when the following requirements are met:
· The key server is MACsec capable.
· Both the local participant and its peer are MACsec capable.
· A minimum of one participant is enabled with MACsec desire.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MACsec desire.
macsec desire
By default, the port does not expect MACsec protection for outbound frames.
Specifying the cipher suite for MACsec encryption
About this task
MACsec uses the GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, GCM-AES-XPN-256, GCM-SM4-128, or GCM-SM4-XPN-128 cipher suite to encrypt, validate, and decrypt protected data frames.
After you specify a SM algorithm cipher suite for MACsec encryption in system view, the cipher suites that take effect on interfaces are as follows:
· If the card does not support SM algorithms, the cipher suites configured on the interfaces take effect.
· If the card supports SM algorithms, the specified SM algorithm cipher suite takes effect on the interfaces.
Normally, the algorithm configurations on an interface take effect in the following order of precedence (highest first): non-default configuration of the interface, global non-default configuration, and default configuration of the interface. To let the global SM algorithm configuration take precedence over a non-default algorithm configuration of the interface, the system restores the algorithm configuration of the interface to the default when the global SM algorithm configuration is deployed.
H3C's implementations of GCM-AES-256 and GCM-AES-XPN-256 cipher suites differ from their standard open source counterparts. To successfully establish MKA sessions with a peer that uses the standard open source GCM-AES-256 or GCM-AES-XPN-256 cipher suite, you must specify the standard cipher suite for MACsec encryption.
Restrictions and guidelines
SM algorithm cipher suites take effect only on cards that support SM algorithms.
This feature is supported only in device-oriented mode. Do not configure this feature on an 802.1X-enabled port.
Make sure the connected MACsec ports are configured with the same cipher suite. If the ports are configured with different cipher suites, they cannot successfully establish MKA sessions.
Specify the cipher suite for MACsec encryption (interface view)
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify the cipher suite for MACsec encryption.
macsec cipher-suite { gcm-aes-128 | gcm-aes-256 [ standard ] | gcm-aes-xpn-128 | gcm-aes-xpn-256 [ standard ] }
By default, MACsec uses the GCM-AES-128 cipher suite for encryption.
Specify the cipher suite for MACsec encryption (system view)
1. Enter system view.
system-view
2. Specify the cipher suite for MACsec encryption.
In standalone mode:
macsec cipher-suite { gcm-sm4-128 | gcm-sm4-xpn-128 } { slot slot-number }
In IRF mode:
macsec cipher-suite { gcm-sm4-128 | gcm-sm4-xpn-128 } { chassis chassis-number slot slot-number }
By default, MACsec uses the cipher suite configured in interface view for encryption.
Configuring a preshared key
Restrictions and guidelines
In device-oriented mode, configure a preshared key as the CAK. To successfully establish an MKA session between two devices, make sure the following requirements are met:
· The connected MACsec ports are configured with the same CAK name (CKN) and CAK.
· No other ports in the network are configured with the same CKN.
Different cipher suites for MACsec encryption have different requirements for the CKN and CAK configuration.
· The GCM-AES-128 or GCM-AES-XPN-128 cipher suite requires the CKN and CAK to each be 32 characters long. If the configured CKN or CAK is not 32 characters long, the system performs the following operations when it runs the cipher suite:
  · Pads the CKN or CAK with zeros to 32 characters if it contains fewer than 32 characters.
  · Uses only the first 32 characters if the CKN or CAK contains more than 32 characters.
· The GCM-AES-256 or GCM-AES-XPN-256 cipher suite requires the CKN and CAK to each be 64 characters long. If the configured CKN or CAK contains fewer than 64 characters, the system pads it with zeros to 64 characters when it runs the cipher suite.
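The length rules above mean that two ports can be configured with different-looking CKN or CAK strings and still end up with identical effective keys (or, conversely, with strings that differ only beyond the 32nd character and therefore collide). The following added example, not part of the H3C guide, applies the page's padding and truncation rules to a pair of port configurations and reports why an MKA session would not come up. It assumes that "zero padding" means appending `0` characters to the configured string, and it covers only the AES suites for which the page states length rules.

```python
# Effective CKN/CAK length in characters per cipher suite, as stated on the page.
# The SM4 suites are not listed because the page gives no length rule for them.
SUITE_KEY_CHARS = {
    "gcm-aes-128": 32,
    "gcm-aes-xpn-128": 32,
    "gcm-aes-256": 64,
    "gcm-aes-xpn-256": 64,
}


def effective_value(value: str, suite: str) -> str:
    """Return the CKN or CAK string as the suite will actually use it.

    Assumption: zero padding appends '0' characters to the configured string.
    For the 32-character suites the page also states truncation to the first
    32 characters; for the 64-character suites it states padding only.
    """
    try:
        target = SUITE_KEY_CHARS[suite]
    except KeyError:
        raise ValueError(f"no CKN/CAK length rule known for {suite}") from None
    if len(value) < target:
        return value.ljust(target, "0")
    if len(value) > target and target == 32:
        return value[:target]          # only the first 32 characters are used
    return value                       # 64-character suites: no truncation rule given


def preflight_psk(local: dict, peer: dict) -> list:
    """Compare the PSK configuration of two connected ports.

    Each dict has the keys suite, ckn and cak. Returns the list of reasons an
    MKA session would not be established; an empty list means they match.
    """
    problems = []
    if local["suite"] != peer["suite"]:
        problems.append(f"cipher suite mismatch: {local['suite']} vs {peer['suite']}")
        return problems                # the length rules depend on the suite, stop here
    suite = local["suite"]
    if effective_value(local["ckn"], suite) != effective_value(peer["ckn"], suite):
        problems.append("CKN mismatch after length normalization")
    if effective_value(local["cak"], suite) != effective_value(peer["cak"], suite):
        problems.append("CAK mismatch after length normalization")
    return problems


if __name__ == "__main__":
    # Values from the page's configuration example, plus a constructed variant
    # whose CKN carries explicit trailing zeros and therefore still matches.
    device_a = {"suite": "gcm-aes-128", "ckn": "E9AC", "cak": "09DB3EF1"}
    device_b = {"suite": "gcm-aes-128", "ckn": "E9AC00", "cak": "09DB3EF1"}
    print(preflight_psk(device_a, device_b) or "PSK configuration matches")
```

Running the check before enabling MKA on both ends turns the "same CKN and CAK" requirement into something you can verify from the two configurations alone, including the non-obvious case where a CKN longer than 32 characters is silently truncated.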
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set a preshared key.
mka psk ckn name cak { cipher | simple } string
By default, no MKA preshared key exists.
Configuring the MKA key server priority
Restrictions and guidelines
When you configure the MKA key server priority, follow these restrictions and guidelines:
· In device-oriented mode, the port that has higher priority becomes the key server. The lower the priority value, the higher the priority. If a port and its peers have the same priority, MACsec compares the secure channel identifier (SCI) values on the ports. The port with the lowest SCI value (a combination of MAC address and port ID) becomes the key server.
· A port with priority 255 cannot become the key server. For a successful key server selection, make sure a minimum of one participant's key server priority is not 255.
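The key server election rules above (lower priority value wins, ties broken by the lowest SCI, priority 255 never eligible) together with the three conditions from "Enabling MACsec desire" decide whether a pair of ports ends up protecting outbound frames at all. The following added example, which is not H3C code, implements both decisions over a small participant record; the participant names, priorities and SCIs come from the page's configuration example, and the `desire` and `macsec_capable` flags are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Participant:
    """One MKA participant (constructed model of the values the page discusses)."""
    name: str
    priority: int               # mka priority: lower value wins; 255 can never be key server
    sci: str                    # 16 hex characters: 6-byte MAC address + 2-byte port ID
    macsec_capable: bool = True
    desire: bool = False        # whether macsec desire is configured on the port


def elect_key_server(participants: Iterable[Participant]) -> Optional[Participant]:
    """Pick the key server: lowest priority value, ties broken by the lowest SCI.

    Returns None when every participant has priority 255, in which case no
    key server exists and no SAK is ever generated or distributed.
    """
    eligible = [p for p in participants if p.priority != 255]
    if not eligible:
        return None
    return min(eligible, key=lambda p: (p.priority, int(p.sci, 16)))


def outbound_protected(local: Participant, peer: Participant) -> bool:
    """Whether MACsec protects the local port's outbound frames.

    Applies the three conditions from "Enabling MACsec desire": the key server
    is MACsec capable, both participants are MACsec capable, and at least one
    of them has MACsec desire enabled.
    """
    key_server = elect_key_server([local, peer])
    if key_server is None:
        return False
    return (
        key_server.macsec_capable
        and local.macsec_capable
        and peer.macsec_capable
        and (local.desire or peer.desire)
    )


if __name__ == "__main__":
    # Priorities and SCIs as shown in the page's device-oriented example.
    device_a = Participant("DeviceA", 5, "00E00100000A0006", desire=True)
    device_b = Participant("DeviceB", 10, "00E0020000000106", desire=True)
    print("key server:", elect_key_server([device_a, device_b]).name)
    print("outbound protected on Device A:", outbound_protected(device_a, device_b))
```

The election result is what the `Key server : Yes` line in `display mka session` reflects; if both ports show `No`, the priority-255 case in this function is the first thing to rule out.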
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the MKA key server priority.
mka priority priority-value
The default setting is 0.
Setting the MKA life time
Restrictions and guidelines
This task is applicable only in device-oriented mode.
Make sure the participants at each end of a secure session have the same MKA life time.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the MKA life time.
mka timer mka-life seconds
By default, the MKA life time is 6 seconds.
Configuring MACsec protection parameters
About MACsec protection parameters
You can set the following MACsec protection parameters:
· MACsec confidentiality offset—Specifies the number of bytes starting from the frame header. MACsec encrypts only the bytes after the offset in a frame. The offset value can be 0, 30, or 50.
· MACsec replay protection—Allows a MACsec port to accept a number of out-of-order or repeated inbound frames.
· MACsec validation—Allows a port to perform integrity check based on the validation modes.
Restrictions and guidelines for MACsec protection parameter configuration
You can configure MACsec protection parameters either in interface view or through MKA policies.
The use of MKA policies provides a centralized method to configure MACsec protection parameters. When you need to configure the same settings for MACsec protection parameters on multiple ports, you can configure them in an MKA policy and apply the policy to the ports.
If you configure a protection parameter in interface view after applying an MKA policy, the configuration in interface view overwrites the configuration of that parameter in the MKA policy. The other protection parameters in the MKA policy still take effect.
If you apply an MKA policy to a port after configuring protection parameters on the port, the settings in the policy overwrite all protection parameter settings in interface view. The protection parameters not configured in the policy are restored to the default.
If the MACsec validation mode configured on an interface is not supported by the switch or card, the system generates a log indicating that the mode is not supported after you execute the mka enable command on that interface.
The configured MACsec confidentiality offset does not take effect on the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite. The confidentiality offset is fixed at 0 for these two suites.
Configuring MACsec protection parameters in interface view
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the MACsec confidentiality offset.
macsec confidentiality-offset offset-value
The default setting is 0, which means the entire frame is encrypted.
MACsec uses the confidentiality offset propagated by the key server.
4. Configure MACsec replay protection:
a. Enable MACsec replay protection.
macsec replay-protection enable
By default, MACsec replay protection is enabled on the port.
b. Set the MACsec replay protection window size.
macsec replay-protection window-size size-value
The default setting is 0. The device accepts only frames that arrive in the correct order. Out-of-order or duplicated frames will be dropped.
The configured replay protection window size takes effect only when MACsec replay protection is enabled.
5. Set a MACsec validation mode.
macsec validation mode { check | disabled | strict }
The default setting is check.
SF interface modules do not support the disabled keyword.
To avoid data loss, use the display macsec command to verify that MKA negotiation with the peer device has succeeded before you change the mode to strict.
Parameter | Description |
---|---|
check | Verifies incoming frames but does not drop illegal frames. |
disabled | Disables MACsec validation for incoming frames. |
strict | Verifies incoming frames and drops illegal frames. |
Configuring MACsec protection parameters by MKA policy
Restrictions and guidelines
An MKA policy can be applied to a port or multiple ports. When you apply an MKA policy to a port, follow these restrictions and guidelines:
· The settings in the MKA policy overwrite all protection parameter settings configured in interface view. The protection parameters not configured in the policy are restored to the default.
· Any modifications to the MKA policy take effect immediately.
· When you remove an MKA policy application from the port, the MACsec parameter settings on the port restore to the default.
· When you apply a nonexistent MKA policy to the port, the port automatically uses the system-defined MKA policy named default-policy. If you later create the policy, it is automatically applied to the port.
· The configured MACsec confidentiality offset does not take effect on the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite. The confidentiality offset is fixed at 0 for these two suites.
Procedure
1. Enter system view.
system-view
2. Create an MKA policy and enter its view.
mka policy policy-name
By default, a system-defined MKA policy exists. The policy name is default-policy.
The settings for parameters in the system-defined policy are the same as the default settings for the parameters on a port.
You cannot delete or modify the system-defined MKA policy.
You can create multiple MKA policies.
3. Set the MACsec confidentiality offset.
confidentiality-offset offset-value
The default setting is 0, which means the entire frame is encrypted.
MACsec uses the confidentiality offset propagated by the key server.
4. Configure MACsec replay protection:
a. Enable MACsec replay protection.
replay-protection enable
By default, MACsec replay protection is enabled.
b. Set the replay protection window size.
replay-protection window-size size-value
The default replay protection window size is 0. The device accepts only frames that arrive in the correct order. Out-of-order or duplicated frames will be dropped.
5. Set a MACsec validation mode.
validation mode { check | disabled | strict }
The default setting is check.
Parameter | Description |
---|---|
check | Verifies incoming frames but does not drop illegal frames. |
disabled | Disables MACsec validation for incoming frames. |
strict | Verifies incoming frames and drops illegal frames. |
6. Apply an MKA policy:
a. Return to system view.
quit
b. Enter interface view.
interface interface-type interface-number
c. Apply the MKA policy to the port.
mka apply policy policy-name
By default, no MKA policy is applied to a port.
Enabling inclusion of the SCI in the SecTAG field of MACsec frames on an interface
About this task
The secure channel identifier (SCI) identifies the source of a MACsec frame. It contains the MAC address and ID of the port that sends the frame.
To have an interface send encrypted MACsec frames with the SCI included in the SecTAG field, perform this task.
Restrictions and guidelines
To forward traffic between a pair of peer MACsec interfaces, you must make sure inclusion of the SCI in the SecTAG field is enabled or disabled on both of them.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable inclusion of the SCI in the SecTAG field of MACsec frames sent out of the interface.
macsec include-sci
By default, a MACsec port sends MACsec frames with the SCI included in the SecTAG field.
Enabling MACsec maintenance mode on an interface
About this task
To protect data security, a MACsec port is blocked by default until it establishes an MKA session with its peer port. In blocked state, the MACsec port can send and receive MKA protocol packets, but it cannot send or receive data packets. On a network that uses a controller to deploy configuration, this might cause a configuration deployment failure if the configuration delivered to a device must traverse a MACsec port.
To make sure a device can always receive its configuration from a controller over the link between a pair of MACsec ports, enable MACsec maintenance mode on the MACsec ports. In this mode, a MACsec port is unblocked regardless of whether it has established an MKA session with its peer port.
For security purposes, a MACsec port in MACsec maintenance mode will still be blocked when it receives frames that contain its own SCI (identified by its MAC address and port ID).
A MACsec port in MACsec maintenance mode issues its SCI information only after it receives MKA protocol packets from its peer port.
Restrictions and guidelines
CAUTION: If you enable MACsec maintenance mode on an interface before it establishes an MKA session with its peer end, data frames are exposed to security risks. Before you perform this operation, make sure you fully understand this impact on security.
Prerequisites
Before you enable or disable MACsec maintenance mode on a MACsec port:
· Disable MKA on that port.
· Use the link-delay down command to increase the delay before a link down event is reported to the CPU. Transient link state flapping might occur after you enable MACsec maintenance mode. This step prevents a link down event from causing an MKA packet exchange failure during this period.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MACsec maintenance mode.
macsec maintenance-mode enable
By default, MACsec maintenance mode is disabled.
CAUTION: Enabling this feature before MKA session establishment reduces security of data packets. Please be cautious.
Enabling MKA session logging
About this task
This feature enables the device to generate logs for MKA session changes, such as peer aging and SAK updates. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
As a best practice, disable this feature to prevent excessive MKA session log output.
Procedure
1. Enter system view.
system-view
2. Enable MKA session logging.
macsec mka-session log enable
By default, MKA session logging is disabled.
Display and maintenance commands for MACsec
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display MACsec information on ports. | display macsec [ interface interface-type interface-number ] [ verbose ] |
Display MKA policy information. | display mka { default-policy \| policy [ name policy-name ] } |
Display MKA session information. | display mka session [ interface interface-type interface-number \| local-sci sci-id ] [ verbose ] |
Display MKA statistics on ports. | display mka statistics [ interface interface-type interface-number ] |
Reset MKA sessions on ports. | reset mka session [ interface interface-type interface-number ] |
Clear MKA statistics on ports. | reset mka statistics [ interface interface-type interface-number ] |
MACsec configuration examples
Example: Configuring device-oriented MACsec
Network configuration
As shown in Figure 5, Device A is the MACsec key server.
To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
· Set the MACsec confidentiality offset to 30 bytes.
· Enable MACsec replay protection, and set the replay protection window size to 100.
· Set the MACsec validation mode to strict.
· Configure the CAK name (CKN) and the CAK as E9AC and 09DB3EF1, respectively.
Procedure
1. Configure Device A:
# Enter system view.
<DeviceA> system-view
# Enter Ten-GigabitEthernet 3/0/1 interface view.
[DeviceA] interface ten-gigabitethernet 3/0/1
# Enable MACsec desire on Ten-GigabitEthernet 3/0/1.
[DeviceA-Ten-GigabitEthernet3/0/1] macsec desire
# Set the MKA key server priority to 5.
[DeviceA-Ten-GigabitEthernet3/0/1] mka priority 5
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceA-Ten-GigabitEthernet3/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceA-Ten-GigabitEthernet3/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceA-Ten-GigabitEthernet3/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceA-Ten-GigabitEthernet3/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceA-Ten-GigabitEthernet3/0/1] macsec validation mode strict
# Enable MKA on Ten-GigabitEthernet 3/0/1.
[DeviceA-Ten-GigabitEthernet3/0/1] mka enable
[DeviceA-Ten-GigabitEthernet3/0/1] quit
2. Configure Device B:
# Enter system view.
<DeviceB> system-view
# Enter Ten-GigabitEthernet 3/0/1 interface view.
[DeviceB] interface ten-gigabitethernet 3/0/1
# Enable MACsec desire on Ten-GigabitEthernet 3/0/1.
[DeviceB-Ten-GigabitEthernet3/0/1] macsec desire
# Set the MKA key server priority to 10.
[DeviceB-Ten-GigabitEthernet3/0/1] mka priority 10
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceB-Ten-GigabitEthernet3/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceB-Ten-GigabitEthernet3/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceB-Ten-GigabitEthernet3/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceB-Ten-GigabitEthernet3/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceB-Ten-GigabitEthernet3/0/1] macsec validation mode strict
# Enable MKA on Ten-GigabitEthernet 3/0/1.
[DeviceB-Ten-GigabitEthernet3/0/1] mka enable
[DeviceB-Ten-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display MACsec information on Ten-GigabitEthernet 3/0/1 of Device A.
[DeviceA] display macsec interface ten-gigabitethernet 3/0/1 verbose
Interface Ten-GigabitEthernet3/0/1
Protect frames : Yes
Replay protection : Enabled
Config replay window size : 100 frames
Active replay window size : 100 frames
Config confidentiality offset : 30 bytes
Active confidentiality offset : 30 bytes
Config validation mode : Strict
Active validation mode : Strict
Included SCI : No
SCI conflict : No
Cipher suite : GCM-AES-128
MKA life time : 6 seconds
Transmit secure channel:
SCI : 00E00100000A0006
Elapsed time: 00h:05m:00s
Current SA : AN 0 PN 1
Receive secure channels:
SCI : 00E0020000000106
Elapsed time: 00h:03m:18s
Current SA : AN 0 LPN 1
Previous SA : AN N/A LPN N/A
# Display MKA session information on Ten-GigabitEthernet 3/0/1 of Device A.
[DeviceA] display mka session interface ten-gigabitethernet 3/0/1 verbose
Interface Ten-GigabitEthernet3/0/1
Tx-SCI : 00E00100000A0006
Priority : 5
Capability: 3
CKN for participant: E9AC
Key server : Yes
MI (MN) : 85E004AF49934720AC5131D3 (182)
Live peers : 1
Potential peers : 0
Principal actor : Yes
MKA session status : Secured
Confidentiality offset: 30 bytes
Tx-SSCI : N/A
Current SAK status : Rx & Tx
Current SAK AN : 0
Current SAK KI (KN) : 85E004AF49934720AC5131D300000003 (3)
Previous SAK status : N/A
Previous SAK AN : N/A
Previous SAK KI (KN) : N/A
Live peer list:
MI MN Prio Cap Rx-SCI Rx-SSCI
12A1677D59DD211AE86A0128 182 10 3 00E0020000000106 N/A
# Display MACsec information on Ten-GigabitEthernet 3/0/1 of Device B.
[DeviceB] display macsec interface ten-gigabitethernet 3/0/1 verbose
Interface Ten-GigabitEthernet3/0/1
Protect frames : Yes
Replay protection : Enabled
Config replay window size : 100 frames
Active replay window size : 100 frames
Config confidentiality offset : 30 bytes
Active confidentiality offset : 30 bytes
Config validation mode : Strict
Active validation mode : Strict
Included SCI : No
SCI conflict : No
Cipher suite : GCM-AES-128
MKA life time : 6 seconds
Transmit secure channel:
SCI : 00E0020000000106
Elapsed time: 00h:05m:36s
Current SA : AN 0 PN 1
Receive secure channels:
SCI : 00E00100000A0006
Elapsed time: 00h:03m:21s
Current SA : AN 0 LPN 1
Previous SA : AN N/A LPN N/A
# Display MKA session information on Ten-GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mka session interface ten-gigabitethernet 3/0/1 verbose
Interface Ten-GigabitEthernet3/0/1
Tx-SCI : 00E0020000000106
Priority : 10
Capability: 3
CKN for participant: E9AC
Key server : No
MI (MN) : 12A1677D59DD211AE86A0128 (1219)
Live peers : 1
Potential peers : 0
Principal actor : Yes
MKA session status : Secured
Confidentiality offset: 30 bytes
Tx-SSCI : N/A
Current SAK status : Rx & Tx
Current SAK AN : 0
Current SAK KI (KN) : 85E004AF49934720AC5131D300000003 (3)
Previous SAK status : N/A
Previous SAK AN : N/A
Previous SAK KI (KN) : N/A
Live peer list:
MI MN Prio Cap Rx-SCI Rx-SSCI
85E004AF49934720AC5131D3 1216 5 3 00E00100000A0006 N/A
Troubleshooting MACsec
Cannot establish MKA sessions between MACsec devices
Symptom
The devices cannot establish MKA sessions when the following conditions exist:
· The link connecting the devices is up.
· The ports at the ends of the link are MACsec capable.
Analysis
The symptom might occur for the following reasons:
· The ports at the link are not enabled with MKA.
· A port at the link is not configured with a preshared key or configured with a preshared key different from the peer.
Solution
To resolve the issue:
1. Enter interface view.
2. Use the display this command to check the MACsec configuration:
  · If MKA is not enabled on the port, execute the mka enable command.
  · If a preshared key is not configured or the preshared key is different from the peer, use the mka psk command to configure a preshared key. Make sure the preshared key is the same as the preshared key on the peer.
3. If the issue persists, contact H3C Support.