Enabling Macsec Desire; Configuring A Preshared Key - HPE FlexNetwork 10500 Series Security Configuration Manual

Enabling MACsec desire

The MACsec desire feature expects MACsec protection for outbound frames. The key server
determines whether MACsec protects the outbound frames.
MACsec protects the outbound frames of a port when the following requirements are met:
•
The key server is MACsec capable.
•
Both the local participant and its peer are MACsec capable.
•
A minimum of one participant is enabled with MACsec desire.
To enable MACsec desire:
Step
1. Enter system view.
2. Enter interface view.
3. Enable MACsec desire.

Configuring a preshared key

In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation.
To successfully establish an MKA session between two devices, make sure the connected MACsec
ports are configured with the same preshared key.
A user-configured preshared key has higher priority than the 802.1X-generated CAK. To ensure a
successful MKA session establishment, do not configure a preshared key in client-oriented mode.
To configure a preshared key:
Step
1. Enter system view.
2. Enter interface view.
3. Set a preshared key.
Command
system-view
interface interface-type
interface-number
macsec desire
Command
system-view
interface interface-type
interface-number
mka psk ckn name cak { cipher |
simple } string
572
Remarks
N/A
N/A
By default, the port does not
expect MACsec protection for
outbound frames.
Remarks
N/A
N/A
By default, no MKA preshared key
exists.
The MACsec cipher suite
supported by the device requires
that the CKN and CAK each must
be 32 characters long. If the
configured CKN or CAK is not 32
characters long, the system
performs the following operations
when it runs the cipher suite:
•
Automatically increases the
length of the CKN or CAK by
zero padding if the CKN or
CAK contains less than 32
characters.
•
Uses only the first 32
characters if the CKN or CAK
contains more than 32
characters.