MetroCluster Manuals ( CA08871-401 )
Configure MACsec encryption on Cisco 9336C switches
Note
|
MACsec encryption can only be applied to the WAN ISL ports. |
Configure MACsec encryption on Cisco 9336C switches
You must only configure MACsec encryption on the WAN ISL ports that run between the sites. You must configure MACsec after applying the correct RCF file.
Licensing requirements for MACsec
MACsec requires a security license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply for licenses, see the Cisco NX-OS Licensing Guide
Enable Cisco MACsec Encryption WAN ISLs in MetroCluster IP configurations
You can enable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.
-
Enter global configuration mode:
configure terminal
IP_switch_A_1# configure terminal IP_switch_A_1(config)#
-
Enable MACsec and MKA on the device:
feature macsec
IP_switch_A_1(config)# feature macsec
-
Copy the running configuration to the startup configuration:
copy running-config startup-config
IP_switch_A_1(config)# copy running-config startup-config
Configure a MACsec key chain and keys
You can create a MACsec key chain or keys on your configuration.
Key Lifetime and Hitless Key Rollover
A MACsec keychain can have multiple pre-shared keys (PSKs), each configured with a key ID and an optional lifetime. A key lifetime specifies at which time the key activates and expires. In the absence of a lifetime configuration, the default lifetime is unlimited. When a lifetime is configured, MKA rolls over to the next configured pre-shared key in the keychain after the lifetime is expired. The time zone of the key can be local or UTC. The default time zone is UTC. A key can roll over to a second key within the same keychain if you configure the second key (in the keychain) and configure a lifetime for the first key. When the lifetime of the first key expires, it automatically rolls over to the next key in the list. If the same key is configured on both sides of the link at the same time, then the key rollover is hitless (that is, the key rolls over without traffic interruption).
-
Enter the global configuration mode:
configure terminal
IP_switch_A_1# configure terminal IP_switch_A_1(config)#
-
To hide the encrypted key octet string, replace the string with a wildcard character in the output of the
show running-config
andshow startup-config
commands:IP_switch_A_1(config)# key-chain macsec-psk no-show
NoteThe octet string is also hidden when you save the configuration to a file. By default, PSK keys are displayed in encrypted format and can easily be decrypted. This command applies only to MACsec key chains.
-
Create a MACsec key chain to hold a set of MACsec keys and enter MACsec key chain configuration mode:
key chain name macsec
IP_switch_A_1(config)# key chain 1 macsec IP_switch_A_1(config-macseckeychain)#
-
Create a MACsec key and enter MACsec key configuration mode:
key key-id
The range is from 1 to 32 hex digit key-string, and the maximum size is 64 characters.
IP_switch_A_1 switch(config-macseckeychain)# key 1000 IP_switch_A_1 (config-macseckeychain-macseckey)#
-
Configure the octet string for the key:
key-octet-string octet-string cryptographic-algorithm AES_128_CMAC | AES_256_CMAC
IP_switch_A_1(config-macseckeychain-macseckey)# key-octet-string abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 cryptographic-algorithm AES_256_CMAC
NoteThe octet-string argument can contain up to 64 hexadecimal characters. The octet key is encoded internally, so the key in clear text does not appear in the output of the show running-config macsec
command. -
Configure a send lifetime for the key (in seconds):
send-lifetime start-time duration duration
IP_switch_A_1(config-macseckeychain-macseckey)# send-lifetime 00:00:00 Oct 04 2020 duration 100000
By default, the device treats the start time as UTC. The start-time argument is the time of day and date that the key becomes active. The duration argument is the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).
-
Copy the running configuration to the startup configuration:
copy running-config startup-config
IP_switch_A_1(config)# copy running-config startup-config
-
Displays the keychain configuration:
show key chain name
IP_switch_A_1(config-macseckeychain-macseckey)# show key chain 1
Configure a MACsec policy
-
Enter global configuration mode:
configure terminal
IP_switch_A_1# configure terminal IP_switch_A_1(config)#
-
Create a MACsec policy:
macsec policy name
IP_switch_A_1(config)# macsec policy abc IP_switch_A_1(config-macsec-policy)#
-
Configure one of the following ciphers, GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, or GCM-AES-XPN-256:
cipher-suite name
IP_switch_A_1(config-macsec-policy)# cipher-suite GCM-AES-256
-
Configure the key server priority to break the tie between peers during a key exchange:
key-server-priority number
switch(config-macsec-policy)# key-server-priority 0
-
Configure the security policy to define the handling of data and control packets:
security-policy security policy
Choose a security policy from the following options:
-
must-secure — packets not carrying MACsec headers are dropped
-
should-secure — packets not carrying MACsec headers are permitted (this is the default value)
IP_switch_A_1(config-macsec-policy)# security-policy should-secure
-
-
Configure the replay protection window so the secured interface does not accept a packet that is less than the configured window size:
window-size number
NoteThe replay protection window size represents the maximum out-of-sequence frames that MACsec accepts and are not discarded. The range is from 0 to 596000000. IP_switch_A_1(config-macsec-policy)# window-size 512
-
Configure the time in seconds to force an SAK rekey:
sak-expiry-time time
You can use this command to change the session key to a predictable time interval. The default is 0.
IP_switch_A_1(config-macsec-policy)# sak-expiry-time 100
-
Configure one of the following confidentiality offsets in the layer 2 frame where encryption begins:
conf-offsetconfidentiality offset
Choose from the following options:
-
CONF-OFFSET-0.
-
CONF-OFFSET-30.
-
CONF-OFFSET-50.
IP_switch_A_1(config-macsec-policy)# conf-offset CONF-OFFSET-0
NoteThis command might be necessary for intermediate switches to use packet headers (dmac, smac, etype) like MPLS tags.
-
-
Copy the running configuration to the startup configuration:
copy running-config startup-config
IP_switch_A_1(config)# copy running-config startup-config
-
Display the MACsec policy configuration:
show macsec policy
IP_switch_A_1(config-macsec-policy)# show macsec policy
Enable Cisco MACsec encryption on the interfaces
-
Enter global configuration mode:
configure terminal
IP_switch_A_1# configure terminal IP_switch_A_1(config)#
-
Select the interface that you configured with MACsec encryption.
You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port.
IP_switch_A_1(config)# interface ethernet 1/15 switch(config-if)#
-
Add the keychain and policy to be configured on the interface to add the MACsec configuration:
macsec keychain keychain-name policy policy-name
IP_switch_A_1(config-if)# macsec keychain 1 policy abc
-
Repeat steps 1 and 2 on all interfaces where MACsec encryption is to be configured.
-
Copy the running configuration to the startup configuration:
copy running-config startup-config
IP_switch_A_1(config)# copy running-config startup-config
Disable Cisco MACsec Encryption WAN ISLs in MetroCluster IP configurations
You might need to disable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.
-
Enter global configuration mode:
configure terminal
IP_switch_A_1# configure terminal IP_switch_A_1(config)#
-
Disable the MACsec configuration on the device:
macsec shutdown
IP_switch_A_1(config)# macsec shutdown
NoteSelecting the “no” option restores the MACsec feature. -
Select the interface that you already configured with MACsec.
You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port.
IP_switch_A_1(config)# interface ethernet 1/15 switch(config-if)#
-
Remove the keychain and policy configured on the interface to remove the MACsec configuration:
no macsec keychain keychain-name policy policy-name
IP_switch_A_1(config-if)# no macsec keychain 1 policy abc
-
Repeat steps 3 and 4 on all interfaces where MACsec is configured.
-
Copy the running configuration to the startup configuration:
copy running-config startup-config
IP_switch_A_1(config)# copy running-config startup-config
Verifying the MACsec configuration
-
Repeat all of the previous procedures on the second switch within the configuration to establish a MACsec session.
-
Run the following commands to verify that both switches are successfully encrypted:
-
Run:
show macsec mka summary
-
Run:
show macsec mka session
-
Run:
show macsec mka statistics
You can verify the MACsec configuration using the following commands:
Command
Displays information about…
show macsec mka session interface typeslot/port number
The MACsec MKA session for a specific interface or for all interfaces
show key chain name
The key chain configuration
show macsec mka summary
The MACsec MKA configuration
show macsec policy policy-name
The configuration for a specific MACsec policy or for all MACsec policies
-