CKN for participant: 7B8784F16F85ED8F9D0130AA9B93D0F0
 Key server              : No
 MI (MN)                 : D3F6D374598C8FD1F1819D6C (78)
 Live peers              : 1
 Potential peers         : 0
 Principal actor         : Yes
 MKA session status      : Secured
 Confidentiality offset  : 0 bytes
 Current SAK status      : Rx & Tx
 Current SAK AN          : 0
 Current SAK KI (KN)     : FCA71854FCAE51398EC2DA7900000001 (1)
 Previous SAK status     : N/A
 Previous SAK AN         : N/A
 Previous SAK KI (KN)    : N/A
 Live peer list:
 MI                        MN   Priority  Capability  Rx-SCI
 FCA71854FCAE51398EC2DA79  71   0         3           A0872B3602000003

Device-oriented MACsec configuration example

Network requirements

As shown in Figure 162, Device A is the MACsec key server.

To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
• Set the MACsec confidentiality offset to 30 bytes.
• Enable MACsec replay protection, and set the replay protection window size to 100.
• Set the MACsec validation mode to strict.
• Configure the CAK name (CKN) and the CAK as E9AC and 09DB3EF1, respectively.

Figure 162 Network diagram
[Figure: Device A (GE1/0/1) and Device B (GE1/0/1)]

Configuration procedure

1. Configure Device A:
# Enter system view.
<DeviceA> system-view
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceA] interface gigabitethernet 1/0/1
# Enable MACsec desire on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] macsec desire
# Set the MKA key server priority to 5.
[DeviceA-GigabitEthernet1/0/1] mka priority 5
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceA-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
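A check that could be run after applying the settings above, as an added example that is not part of the original guide: it parses MKA session output in the layout shown at the top of this page and flags a session that is not Secured, has no live peer, or reports a confidentiality offset other than the required 30 bytes. The sample text and function names are constructed for illustration, and treating `Secured` as the healthy status is an assumption taken from the sample output on this page.

```python
import re

# Constructed sample in the layout of the MKA session output on this page
# (values are illustrative, not captured from a device).
GOOD = """\
CKN for participant: E9AC
 Live peers              : 1
 MKA session status      : Secured
 Confidentiality offset  : 30 bytes
 Live peer list:
 MI                        MN   Priority  Capability  Rx-SCI
 FCA71854FCAE51398EC2DA79  71   0         3           A0872B3602000003
"""
# Constructed failing case: wrong offset and a made-up non-secured status.
BAD = GOOD.replace("30 bytes", "0 bytes").replace("Secured", "Pending")


def parse_session(text):
    """Return {label: value} for every 'label : value' line.

    Section headers with nothing after the colon ('Live peer list:') and
    the peer table rows (no colon at all) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields[label.strip()] = value.strip()
    return fields


def audit_session(text, expected_offset=30):
    """Return a list of findings; an empty list means the session conforms."""
    f = parse_session(text)
    findings = []
    status = f.get("MKA session status")
    if status != "Secured":  # assumption: 'Secured' is the healthy value
        findings.append("MKA session status is %r, not 'Secured'" % status)
    m = re.match(r"(\d+)\s*bytes", f.get("Confidentiality offset", ""))
    if not m:
        findings.append("confidentiality offset not reported")
    elif int(m.group(1)) != expected_offset:
        findings.append("confidentiality offset is %s bytes, expected %d"
                        % (m.group(1), expected_offset))
    peers = f.get("Live peers", "0")
    if not peers.isdigit() or int(peers) < 1:
        findings.append("no live MKA peer")
    return findings
```
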