Device-Oriented Macsec Configuration Example - HPE FlexNetwork 5510 HI Series Security Configuration Manual

Device-oriented MACsec configuration example

Network requirements
As shown in
To secure data transmission between the two devices by MACsec, perform the following tasks on
Device A and Device B, respectively:
•
Set the MACsec confidentiality offset to 30 bytes.
•
Enable MACsec replay protection, and set the replay protection window size to 100.
•
Set the MACsec validation mode to strict.
•
Configure the CAK name (CKN) and the CAK as E9AC and 09DB3EF1, respectively.
Figure 143 Network diagram
GE1/0/1
Device A
Configuration procedure
1. Configure Device A:
# Enter system view.
<DeviceA> system-view
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceA] interface gigabitethernet 1/0/1
# Enable MACsec desire on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] macsec desire
# Set the MKA key server priority to 5.
[DeviceA-GigabitEthernet1/0/1] mka priority 5
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceA-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceA-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceA-GigabitEthernet1/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceA-GigabitEthernet1/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceA-GigabitEthernet1/0/1] macsec validation mode strict
# Enable MKA on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mka enable
[DeviceA-GigabitEthernet1/0/1] quit
2. Configure Device B:
# Enter system view.
<DeviceB> system-view
# Enter GigabitEthernet 1/0/1 interface view.
[DeviceB] interface gigabitethernet 1/0/1
# Enable MACsec desire on GigabitEthernet 1/0/1.
[DeviceB-GigabitEthernet1/0/1] macsec desire
Figure 143, Device A is the MACsec key server.
GE1/0/1
Device B
473