Configuring MKA Pre-Shared Key - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Configuring MACsec and MACsec Key Agreement

Configuring MKA Pre-Shared Key

To configure MACsec Key Agreement (MKA) pre-shared key, perform this task:
Step 1
Command: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: key chain key-chain-name [macsec]
Purpose: Configures a key chain and enters keychain MACsec configuration mode.

Step 3
Command: key hex-string
Purpose: Configures a key and enters keychain-MACsec key configuration mode.

Step 4
Command: cryptographic-algorithm [aes-128-cmac | aes-256-cmac]
Purpose: Sets the cryptographic encryption algorithm.

Step 5
Command: key-string {[0 | 6] pre-shared-key | 7 | pre-shared-key}
Purpose: Sets the pre-shared key for a key string.

Step 6
Command: lifetime {local hh:mm:ss | hh:mm:ss} day month year {duration seconds | hh:mm:ss day month | infinite}
Purpose: Sets a lifetime for the MACsec key.

Step 7
Command: end
Purpose: Returns to privileged EXEC mode.

Step 8
Command: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Note: The key ID and the key string should not be all zeros.
The key ID must be an even-digit-sized hex-string.
The key-string should be a 32 or 64-digit hex-string, that is in sync with the cryptographic algorithm that is configured.

This example shows how to configure MKA pre-shared key:
Switch# configure terminal
Switch(config)# key chain keychain1 macsec
Switch(config-keychain-macsec)# key 0001
Switch(config-keychain-macsec-key)# cryptographic-algorithm aes-128-cmac
Switch(config-keychain-macsec-key)# key-string 0 pwd
Switch(config-keychain-macsec-key)# lifetime local 16:00:00 Nov 9 2014 duration 6000
Switch(config-keychain-macsec-key)# end
Switch# copy running-config startup-config

Example: Connectivity Association Key Rekey

The Connectivity Association Key (CAK) is a long-lived master key that is used to generate all other keys needed for MKA/MACsec.

The CAK rekey happens in the following cases:
- When moving from Key 01 to Key 02 within the Key Chain K1.
- When moving from one Key Chain K1 to another Key Chain K2.

Note: We recommend that you configure keys such that there is an overlap between the lifetime of the keys so that CAK rekey is successful and there is a seamless transition between the keys/CA (without any traffic loss or session restart).
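
The key ID and key-string rules and the lifetime-overlap recommendation above can be checked before a key chain is applied to a switch. The following Python check is an added example, not part of the Cisco guide: the function names and the sample key strings are constructed, and it assumes unencrypted key-strings and only the "duration" and "infinite" lifetime forms.

```python
import re
from datetime import datetime, timedelta
HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}  # key-string hex digits per algorithm
LIFETIME = re.compile(r"lifetime local (\S+) (\w+) (\d+) (\d{4}) (?:duration (\d+)|infinite)")

def parse_keys(config):
    """Collect the keys of one MACsec key chain from IOS-style config text."""
    keys = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "key":
            keys.append({"id": tok[1]})
        elif tok and tok[0] == "cryptographic-algorithm":
            keys[-1]["alg"] = tok[1]
        elif tok and tok[0] == "key-string":
            keys[-1]["cak"] = tok[-1]  # last token; assumes the unencrypted form
        elif (m := LIFETIME.search(line)):
            start = datetime.strptime(" ".join(m.groups()[:4]), "%H:%M:%S %b %d %Y")
            end = start + timedelta(seconds=int(m[5])) if m[5] else datetime.max
            keys[-1].update(start=start, end=end)
    return keys

def bad_hex(s):  # missing, not hex, or all zeros
    return not s or not re.fullmatch(r"[0-9a-fA-F]+", s) or set(s) == {"0"}

def lint(config):  # findings for the key ID, key-string and lifetime-overlap rules
    keys, out = parse_keys(config), []
    for k in keys:
        if bad_hex(k["id"]) or len(k["id"]) % 2:
            out.append(f"key {k['id']}: ID must be even-length hex, not all zeros")
        want = HEX_LEN.get(k.get("alg"))
        if bad_hex(k.get("cak")) or len(k["cak"]) != want:
            out.append(f"key {k['id']}: key-string must be {want} hex digits, not all zeros")
    timed = sorted((k for k in keys if "start" in k), key=lambda k: k["start"])
    for prev, nxt in zip(timed, timed[1:]):
        if nxt["start"] >= prev["end"]:  # gap: old key expires before the new one is valid
            out.append(f"key {nxt['id']}: lifetime does not overlap key {prev['id']}")
    return out

# Constructed sample: key 02 has a 32-digit key-string and starts after key 01 expires.
SAMPLE = """key chain K1 macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789abcdef0123456789abcdef
  lifetime local 16:00:00 Nov 9 2014 duration 6000
 key 02
  cryptographic-algorithm aes-256-cmac
  key-string 0123456789abcdef0123456789abcdef
  lifetime local 18:00:00 Nov 9 2014 duration 6000"""
```

On the constructed sample, lint(SAMPLE) reports that key 02 carries a 32-digit key-string under aes-256-cmac and that its lifetime begins after key 01 has already expired.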
Chapter 48
Configuring MACsec Encryption
