The on-switch configuration is pretty simple. First, we create a key chain that contains both the Connectivity Key Name (CKN) and the Connectivity Association Key (CAK). The CKN must be an even number of hex digits and the CAK must be 32 or 64 hex digits. Optionally, we can create a MACsec Key Agreement (MKA) policy. Finally, we enable MACsec network-link on the interface and apply the MKA policy and the key chain. The CKN and the CAK must be the same on both sides of the link.
configure terminal
key chain mka-keys macsec
 !
 ! Must match on both sides.
 ! Must be an even number of digits
 ! Connectivity Key Name (CKN)
 key HEX-CKN-EVEN#
  !
  ! Must match on both sides
  ! MKA Authentication Cipher
  cryptographic-algorithm aes-256-cmac
  !
  ! Must match on both sides
  ! Must be 32 characters for 128 bits
  ! OR Must be 64 characters for 256 bits
  ! Connectivity Association Key (CAK)
  key-string ----32-OR-64-HEX-CHARS----
!
mka policy mkapolicy1
 ! 128 bit is supported by Cat 9200
 ! 256 bit is supported by Cat 9300
 macsec-cipher-suite gcm-aes-128
!
!
! Interface Configuration
!
int g1/0/1
 macsec network-link
 mka policy mkapolicy1
 mka pre-shared-key key-chain mka-keys
!
end
!
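Since a mismatch on either side keeps the link from coming up, here is an added example (not part of the original post) that parses the key chain stanza from both switches' configs and reports format errors and mismatches without printing the CAK. The function names and key values are made up for illustration; it assumes the key-string is in the plaintext form as typed, and that the CAK length has to fit the CMAC algorithm (32 hex digits for 128, 64 for 256), following the comments in the config above.

```python
import re
HEX = re.compile(r"[0-9A-Fa-f]+")

def parse_keychain(config, chain):
    """Return {ckn: {"alg": ..., "cak": ...}} for 'key chain <chain> macsec'."""
    keys, in_chain, cur = {}, False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        words = line.split()
        if words[:2] == ["key", "chain"]:
            in_chain, cur = words[2:] == [chain, "macsec"], None
        elif in_chain and words[0] == "key" and len(words) == 2:
            cur = keys.setdefault(words[1].lower(), {"alg": None, "cak": None})
        elif in_chain and cur is not None and words[0] == "cryptographic-algorithm":
            cur["alg"] = words[-1]
        elif in_chain and cur is not None and words[0] == "key-string":
            cur["cak"] = words[-1].lower()  # assumes the plaintext form, as typed
        else:
            in_chain = False  # any other command ends the stanza
    return keys

def check_link(side_a, side_b, chain="mka-keys"):
    """Return a list of findings; an empty list means both sides agree."""
    a, b = parse_keychain(side_a, chain), parse_keychain(side_b, chain)
    findings = []
    for name, keys in (("A", a), ("B", b)):
        for ckn, k in keys.items():
            cak = k["cak"] or ""
            if not HEX.fullmatch(ckn) or len(ckn) % 2:
                findings.append(f"{name}: CKN {ckn} is not an even number of hex digits")
            if not HEX.fullmatch(cak) or len(cak) not in (32, 64):
                findings.append(f"{name}: CAK for CKN {ckn} is not 32 or 64 hex digits")
            elif k["alg"] and str(len(cak) * 4) not in k["alg"]:  # assumed pairing
                findings.append(f"{name}: {len(cak) * 4}-bit CAK does not fit {k['alg']}")
    findings += [f"CKN {c} is configured on one side only" for c in sorted(set(a) ^ set(b))]
    for ckn in sorted(set(a) & set(b)):
        if a[ckn]["alg"] != b[ckn]["alg"]:
            findings.append(f"CKN {ckn}: cryptographic-algorithm differs")
        if a[ckn]["cak"] != b[ckn]["cak"]:
            findings.append(f"CKN {ckn}: CAK differs")  # report, never print the key
    return findings

# Constructed sample input: the page's key chain stanza with made-up key values.
STANZA = ("key chain mka-keys macsec\nkey {ckn}\ncryptographic-algorithm {alg}\n"
          "key-string {cak}\n!\nmka policy mkapolicy1\n")
SIDE_A = STANZA.format(ckn="1a2b", alg="aes-256-cmac", cak="0123456789abcdef" * 4)
SIDE_B = STANZA.format(ckn="1A2B", alg="aes-256-cmac", cak="0123456789ABCDEF" * 2)
```

Calling check_link(SIDE_A, SIDE_B) on the sample reports that side B's 128-bit CAK does not fit aes-256-cmac and that the CAK differs between the two sides.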