Configuring Ethernet Ports MAC Security Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 1-30
Enabling/Disabling MACSec on an Interface
The MACSec configuration consists of three steps:
• Create aes-gcm-128 keys and associate the keys to a keychain. Refer to the “Chassis Management and Monitoring Commands” chapter in the OmniSwitch AOS Release 8 CLI Reference Guide for more information on keychain configuration.
• Create a secure channel for TX and for RX, each with an associated keychain, and associate the secure channels with a physical interface.
Note. The keychain associated with the SCI-TX and SCI-RX must have either two or four keys supporting the ‘AES-GCM-128’ algorithm, and the number of keys in the keychain associated with both SCI-TX and SCI-RX on an interface must be equal.
• Enable MACSec on the physical interface. MACSec cannot be administratively enabled on an interface until both SCI-TX and SCI-RX are configured on the interface.
Use the interfaces macsec admin-state command to enable or disable MACSec on a physical port or a port range, configure the secure channel association for TX and RX on the specified interface or interfaces, and set the SA mode to static.
MACSec supports one secure channel for TX and one secure channel for RX on an interface. By default, the MACSec mode is set to ‘static’.
-> interface port 1/1/1 macsec admin-state mode static sci-tx 0x1 key-chain 1 encryption sci-rx 0x1 key-chain 1 encryption
Use the no form of this command to disable encryption on the TX or RX channel, remove the keychain configuration from the TX or RX channel, or remove the TX or RX channel. For example,
-> no interface 1/1/1 macsec sci-rx 0x2 keychain
-> no interface 1/1/1 macsec sci-tx encryption
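The keychain rules in the Note and the enable precondition can be checked before a change is pushed to the switch. The following Python script is an added example, not part of the OmniSwitch guide or of AOS; the plan dictionary format, the name lint_macsec_port and the ‘other-alg’ algorithm name are assumptions made for illustration.

```python
"""Pre-deployment lint for a planned MACSec port configuration (added example)."""
ALLOWED_KEY_COUNTS = {2, 4}          # Note: a keychain must hold two or four keys
REQUIRED_ALGORITHM = "aes-gcm-128"   # algorithm the keys must support


def lint_macsec_port(port, keychains):
    """Return a list of rule violations for one port plan; empty list means OK.

    port      -- hypothetical plan format (not AOS syntax): optional 'sci_tx' and
                 'sci_rx' entries ({'sci', 'keychain'}) plus an 'enable' flag
    keychains -- dict mapping keychain id -> list of key algorithm names
    """
    problems = []
    counts = {}
    for side in ("sci_tx", "sci_rx"):
        channel = port.get(side)
        if channel is None:
            # MACSec cannot be enabled until both SCI-TX and SCI-RX exist.
            if port.get("enable"):
                problems.append(f"{side}: not configured, MACSec cannot be enabled")
            continue
        keys = keychains.get(channel["keychain"])
        if keys is None:
            problems.append(f"{side}: keychain {channel['keychain']} does not exist")
            continue
        counts[side] = len(keys)
        if len(keys) not in ALLOWED_KEY_COUNTS:
            problems.append(f"{side}: keychain has {len(keys)} keys, need 2 or 4")
        bad = sorted({a for a in keys if a.lower() != REQUIRED_ALGORITHM})
        if bad:
            problems.append(f"{side}: unsupported key algorithm(s) {bad}")
    if len(counts) == 2 and counts["sci_tx"] != counts["sci_rx"]:
        problems.append("sci_tx and sci_rx keychains hold different numbers of keys")
    return problems


# Constructed sample data: keychain 1 is valid, 2 has a wrong key count,
# 3 contains a key with a placeholder non-MACSec algorithm name.
SAMPLE_KEYCHAINS = {
    1: ["aes-gcm-128"] * 2,
    2: ["aes-gcm-128"] * 3,
    3: ["aes-gcm-128", "other-alg", "aes-gcm-128", "aes-gcm-128"],
}
GOOD_PORT = {"enable": True, "sci_tx": {"sci": 0x1, "keychain": 1},
             "sci_rx": {"sci": 0x1, "keychain": 1}}
BAD_PORT = {"enable": True, "sci_tx": {"sci": 0x1, "keychain": 2},
            "sci_rx": {"sci": 0x2, "keychain": 3}}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PORT), ("bad", BAD_PORT)):
        print(name, lint_macsec_port(plan, SAMPLE_KEYCHAINS) or "OK")
```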