01-20-2021 02:08 AM
Hello,
I want to enable MACsec with PSK between the Core and Distribution Switches (C9600 and C9500) which are stretched over darkfibers.
The link speeds are 10G, 40G and 100G and I noticed the following from the configuration guide:
Will the configuration below work, or do I need to pay attention to something else? Will this configuration work without any issues on 10G links as well?
key chain keychain1 macsec
 key 1000
  cryptographic-algorithm gcm-aes-256
  key-string 1234567890123456789012345678901212345678901234567890123456789012
end
mka policy mka_policy
 macsec-cipher-suite gcm-aes-xpn-256
end
interface Hu1/0/49
 mka policy mka_policy
 mka pre-shared-key key-chain keychain1
end
Are these commands needed in the interface configuration?
interface Hu1/0/49
 macsec network-link
 macsec replay-protection window-size 10
In the configuration guide are different examples for physical interfaces and port-channel interfaces. Please advise.
And what about "include-icv-indicator" in the policy? This is enabled by default, isn't it?
Thanks for your advice and sharing your experience.
02-17-2021 08:05 AM
Hi stefanzuber,
macsec network-link should be included in the interface configuration. This is the command that enables MACsec on the interface.
Use show mka policy to see if ICV is enabled if not configured in the policy; in my lab it is enabled by default.
My understanding is that include-icv-indicator is an option for interoperability with other vendors' implementations.
Cisco documents state this on include-icv-indicator.
This parameter configures inclusion of the optional ICV Indicator as part of the transmitted MACsec Key Agreement PDU (MKPDU). This configuration is necessary for MACsec to interoperate with routers that run software prior to IOS XR version 6.1.3. This configuration is also important in a service provider WAN setup where MACsec interoperates with other vendor MACsec implementations that expect ICV indicator to be present in the MKPDU.
Other than that the PSK configuration you listed looks good. If you're interested take a look at this doc.
Tim
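The following is an added example and not code from the thread or from Cisco. It is a small Python lint for an IOS-XE style MACsec PSK snippet like the one posted above: it parses the key chain, MKA policy and interface blocks, checks that the CKN and CAK are hex of the right length for the named algorithm, that the interface references an existing policy and key chain and carries "macsec network-link" (the command Tim points out is what actually enables MACsec), and it estimates how quickly the 32-bit packet number of a non-XPN suite is used up on a 10G/40G/100G link versus the 64-bit packet number of the XPN suites. The sample configs are constructed for the example; the algorithm-name handling only reads the 128/256 key size out of the name, so it makes no claim about which exact algorithm keywords a given IOS-XE release accepts. The packet-number figure assumes back-to-back minimum-size frames, which is a worst case; in practice MKA rekeys before the PN space is exhausted.

```python
"""Lint a Cisco IOS-XE style MACsec PSK snippet and estimate packet-number lifetime."""
import re

# Constructed sample: the poster's snippet, indented the way IOS-XE shows it.
SAMPLE_CONFIG = """\
key chain keychain1 macsec
 key 1000
  cryptographic-algorithm gcm-aes-256
  key-string 1234567890123456789012345678901212345678901234567890123456789012
mka policy mka_policy
 macsec-cipher-suite gcm-aes-xpn-256
interface Hu1/0/49
 mka policy mka_policy
 mka pre-shared-key key-chain keychain1
 macsec network-link
 macsec replay-protection window-size 10
"""

# Constructed counter-example: short CAK, non-XPN suite on a 100G link, no network-link.
BAD_CONFIG = """\
key chain weak macsec
 key 1000
  cryptographic-algorithm aes-256-cmac
  key-string 12345678901234567890123456789012
mka policy nonxpn
 macsec-cipher-suite gcm-aes-256
interface Hu1/0/50
 mka policy nonxpn
 mka pre-shared-key key-chain weak
"""

# IEEE 802.1AE cipher suites as IOS-XE names them; value = uses a 64-bit (XPN) packet number.
CIPHER_SUITES = {"gcm-aes-128": False, "gcm-aes-256": False,
                 "gcm-aes-xpn-128": True, "gcm-aes-xpn-256": True}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_config(text):
    """Very small mode-aware parser: unindented lines open a block, indented lines fill it."""
    cfg = {"keychain": {}, "policy": {}, "interface": {}}
    mode = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("end", "exit", "!"):
            continue
        words = line.split()
        if not raw.startswith(" "):                      # top-level: start a new block
            if words[:2] == ["key", "chain"]:
                mode, name = "keychain", words[2]
                cfg[mode][name] = {}
            elif words[:2] == ["mka", "policy"]:
                mode, name = "policy", words[2]
                cfg[mode][name] = {}
            elif words[0] == "interface":
                mode, name = "interface", words[1]
                cfg[mode][name] = {"network_link": False, "replay_window": None}
            continue
        if mode is None:
            continue
        obj = cfg[mode][name]
        if mode == "keychain":
            if words[0] == "key":
                obj["ckn"] = words[1]                    # CAK name, hex
            elif words[0] == "cryptographic-algorithm":
                obj["algorithm"] = words[1]
            elif words[0] == "key-string":
                obj["cak"] = words[-1]                   # CAK itself, hex
        elif mode == "policy" and words[0] == "macsec-cipher-suite":
            obj["cipher"] = words[1]
        elif mode == "interface":
            if words[:2] == ["mka", "policy"]:
                obj["policy"] = words[2]
            elif words[:2] == ["mka", "pre-shared-key"]:
                obj["keychain"] = words[-1]
            elif words[:2] == ["macsec", "network-link"]:
                obj["network_link"] = True
            elif words[:2] == ["macsec", "replay-protection"]:
                obj["replay_window"] = int(words[-1])
    return cfg


def pn_exhaustion_seconds(link_gbps, xpn, frame_bytes=64):
    """Worst-case seconds until every packet number is used: back-to-back minimum-size
    frames (plus 20 bytes preamble and inter-frame gap), one PN per frame. Upper bound:
    MKA installs a fresh SAK before the PN space actually runs out."""
    frames_per_second = link_gbps * 1e9 / ((frame_bytes + 20) * 8)
    pn_space = 2 ** 64 if xpn else 2 ** 32
    return pn_space / frames_per_second


def lint(cfg, link_gbps):
    """Return a list of findings (empty list means the snippet passed every check)."""
    findings = []
    for kc, k in cfg["keychain"].items():
        ckn, cak, alg = k.get("ckn", ""), k.get("cak", ""), k.get("algorithm", "")
        if not HEX.match(ckn) or len(ckn) % 2 or len(ckn) > 64:
            findings.append(f"{kc}: CKN must be 1-32 octets given as hex")
        m = re.search(r"(128|256)", alg)                 # key size from the algorithm name
        want = int(m.group(1)) // 4 if m else None       # bits -> hex characters
        if want is None or not HEX.match(cak) or len(cak) != want:
            findings.append(f"{kc}: key-string should be {want} hex chars for {alg!r}")
    for pol, p in cfg["policy"].items():
        if p.get("cipher") not in CIPHER_SUITES:
            findings.append(f"{pol}: unknown macsec-cipher-suite {p.get('cipher')!r}")
    for ifname, i in cfg["interface"].items():
        pol = cfg["policy"].get(i.get("policy"))
        if pol is None:
            findings.append(f"{ifname}: mka policy {i.get('policy')!r} is not defined")
        if i.get("keychain") not in cfg["keychain"]:
            findings.append(f"{ifname}: key chain {i.get('keychain')!r} is not defined")
        if not i["network_link"]:
            findings.append(f"{ifname}: missing 'macsec network-link', MACsec is not enabled")
        if i["replay_window"] is None:
            findings.append(f"{ifname}: no replay-protection window-size set, platform default applies")
        cipher = (pol or {}).get("cipher")
        if cipher in CIPHER_SUITES:
            secs = pn_exhaustion_seconds(link_gbps, CIPHER_SUITES[cipher])
            if secs < 3600:
                findings.append(f"{ifname}: {cipher} packet numbers last ~{secs:.0f}s at "
                                f"{link_gbps}G worst case, prefer an XPN suite")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_CONFIG), ("weak config", BAD_CONFIG)):
        print(label, "->", lint(parse_config(text), link_gbps=100) or "no findings")
```

Run as a script it prints no findings for the posted snippet and four for the weak one (short CAK, missing network-link, no replay window, and a 32-bit PN that is used up in under a minute at 100G). The PN estimate is the reason the XPN suites exist for 40G and 100G links: at 10G the same non-XPN suite lasts roughly ten times longer, but still only minutes in the worst case.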
02-18-2021 01:22 AM
Hi Tim,
thank you for your reply and useful information. In my Lab on C9600 Include ICV-Indicator is also enabled by default.
Best regards
Stefan