cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1469
Views
15
Helpful
2
Replies

MACsec MKA using PSK on C9000

stefanzuber
Level 1
Level 1

Hello,
I want to enable MACsec with PSK between the Core and Distribution Switches (C9600 and C9500) which are stretched over darkfibers.
The link speeds are 10G, 40G and 100G and I noticed following from the configuration guide:

  • Use Extended Packet Numbering (XPN) Cipher Suite for port speeds of 40Gbps and above.
  • Do not use Cisco TrustSec Security Association Protocol (SAP) MACsec encryption for port speeds above 10Gbps.

Will this configuration below work or do I need pay attention to something else? Will this configuration work without any issues on 10G links as well?

 

key chain keychain1 macsec
 key 1000
 cryptographic-algorithm gcm-aes-256
 key-string 1234567890123456789012345678901212345678901234567890123456789012
end

 

mka policy mka_policy
 macsec-cipher-suite gcm-aes-xpn-256
end

 

interface Hu1/0/49
 mka policy mka_policy
 mka pre-shared-key key-chain keychain1

end

 

Are these commands are needed in the interface configuration?

interface Hu1/0/49
 macsec network-link
 macsec replay-protection window-size 10

 

In the configuration guide are different examples for physical interfaces and port-channel interfaces. Please advise.

And what's about "include-icv-indicator" in the policy? This is enabled by default, isn't it?

Thanks for your advice and sharing your experience.

1 Accepted Solution

Accepted Solutions

Timothy Glen
Cisco Employee
Cisco Employee

Hi stefanzuber,

 

macsec network-link should be included in the interface configuration.  This is the command that enables MACsec on the interface. 

 

Use show mka policy to see if ICV in enabled if not configured in the policy, in my lab it is enabled by default. 

My understanding is that include-icv-indicator is an option for interoperability with other vendor's implementation.  

Cisco documents state this on include-icv-indicator. 

This parameter configures inclusion of the optional ICV Indicator as part of the transmitted MACsec Key Agreement PDU (MKPDU). This configuration is necessary for MACsec to interoperate with routers that run software prior to IOS XR version 6.1.3. This configuration is also important in a service provider WAN setup where MACsec interoperates with other vendor MACsec implementations that expect ICV indicator to be present in the MKPDU. 

https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_0101.html

 

Other than that the PSK configuration you listed looks good.   If you're interested take a look at this doc.

https://community.cisco.com/t5/networking-documents/configuring-macsec-switch-to-switch-with-pre-shared-key/ta-p/4280159

 

 

Tim

View solution in original post

2 Replies 2

Timothy Glen
Cisco Employee
Cisco Employee

Hi stefanzuber,

 

macsec network-link should be included in the interface configuration.  This is the command that enables MACsec on the interface. 

 

Use show mka policy to see if ICV in enabled if not configured in the policy, in my lab it is enabled by default. 

My understanding is that include-icv-indicator is an option for interoperability with other vendor's implementation.  

Cisco documents state this on include-icv-indicator. 

This parameter configures inclusion of the optional ICV Indicator as part of the transmitted MACsec Key Agreement PDU (MKPDU). This configuration is necessary for MACsec to interoperate with routers that run software prior to IOS XR version 6.1.3. This configuration is also important in a service provider WAN setup where MACsec interoperates with other vendor MACsec implementations that expect ICV indicator to be present in the MKPDU. 

https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_0101.html

 

Other than that the PSK configuration you listed looks good.   If you're interested take a look at this doc.

https://community.cisco.com/t5/networking-documents/configuring-macsec-switch-to-switch-with-pre-shared-key/ta-p/4280159

 

 

Tim

Hi Tim,

thank you for your reply and useful information. In my Lab on C9600 Include ICV-Indicator is also enabled by default.

 

Best regards

Stefan

Review Cisco Networking for a $25 gift card