Configure MACsec encryption on Cisco 9336C switches

Contributors netapp-folivia netapp-thomi netapp-martyh

If desired, you can configure MACsec encryption on the WAN ISL ports that run between the sites. You must configure MACsec after applying the correct RCF file.

Note MACsec encryption can only be applied to the WAN ISL ports.

Configure MACsec encryption on Cisco 9336C switches

You must only configure MACsec encryption on the WAN ISL ports that run between the sites. You must configure MACsec after applying the correct RCF file.

Licensing requirements for MACsec

MACsec requires a security license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply for licenses, see the Cisco NX-OS Licensing Guide

Enable Cisco MACsec Encryption WAN ISLs in MetroCluster IP configurations

You can enable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.

Steps
  1. Enter global configuration mode:

    configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Enable MACsec and MKA on the device:

    feature macsec

    IP_switch_A_1(config)# feature macsec
  3. Copy the running configuration to the startup configuration:

    copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Configure a MACsec key chain and keys

You can create a MACsec key chain or keys on your configuration.

Key Lifetime and Hitless Key Rollover

A MACsec keychain can have multiple pre-shared keys (PSKs), each configured with a key ID and an optional lifetime. A key lifetime specifies at which time the key activates and expires. In the absence of a lifetime configuration, the default lifetime is unlimited. When a lifetime is configured, MKA rolls over to the next configured pre-shared key in the keychain after the lifetime is expired. The time zone of the key can be local or UTC. The default time zone is UTC. A key can roll over to a second key within the same keychain if you configure the second key (in the keychain) and configure a lifetime for the first key. When the lifetime of the first key expires, it automatically rolls over to the next key in the list. If the same key is configured on both sides of the link at the same time, then the key rollover is hitless (that is, the key rolls over without traffic interruption).

Steps
  1. Enter the global configuration mode:

    configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. To hide the encrypted key octet string, replace the string with a wildcard character in the output of the show running-config and show startup-config commands:

    IP_switch_A_1(config)# key-chain macsec-psk no-show
    Note The octet string is also hidden when you save the configuration to a file.

    By default, PSK keys are displayed in encrypted format and can easily be decrypted. This command applies only to MACsec key chains.

  3. Create a MACsec key chain to hold a set of MACsec keys and enter MACsec key chain configuration mode:

    key chain name macsec

    IP_switch_A_1(config)# key chain 1 macsec
    IP_switch_A_1(config-macseckeychain)#
  4. Create a MACsec key and enter MACsec key configuration mode:

    key key-id

    The range is from 1 to 32 hex digit key-string, and the maximum size is 64 characters.

    IP_switch_A_1 switch(config-macseckeychain)# key 1000
    IP_switch_A_1 (config-macseckeychain-macseckey)#
  5. Configure the octet string for the key:

    key-octet-string octet-string cryptographic-algorithm AES_128_CMAC | AES_256_CMAC

    IP_switch_A_1(config-macseckeychain-macseckey)# key-octet-string abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
    cryptographic-algorithm AES_256_CMAC
    Note The octet-string argument can contain up to 64 hexadecimal characters. The octet key is encoded internally, so the key in clear text does not appear in the output of the show running-config macsec command.
  6. Configure a send lifetime for the key (in seconds):

    send-lifetime start-time duration duration

    IP_switch_A_1(config-macseckeychain-macseckey)# send-lifetime 00:00:00 Oct 04 2020 duration 100000

    By default, the device treats the start time as UTC. The start-time argument is the time of day and date that the key becomes active. The duration argument is the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).

  7. Copy the running configuration to the startup configuration:

    copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config
  8. Displays the keychain configuration:

    show key chain name

    IP_switch_A_1(config-macseckeychain-macseckey)# show key chain 1

Configure a MACsec policy

Steps
  1. Enter global configuration mode:

    configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Create a MACsec policy:

    macsec policy name

    IP_switch_A_1(config)# macsec policy abc
    IP_switch_A_1(config-macsec-policy)#
  3. Configure one of the following ciphers, GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, or GCM-AES-XPN-256:

    cipher-suite name

    IP_switch_A_1(config-macsec-policy)# cipher-suite GCM-AES-256
  4. Configure the key server priority to break the tie between peers during a key exchange:

    key-server-priority number

    switch(config-macsec-policy)# key-server-priority 0
  5. Configure the security policy to define the handling of data and control packets:

    security-policy security policy

    Choose a security policy from the following options:

    • must-secure — packets not carrying MACsec headers are dropped

    • should-secure — packets not carrying MACsec headers are permitted (this is the default value)

    IP_switch_A_1(config-macsec-policy)# security-policy should-secure
  6. Configure the replay protection window so the secured interface does not accept a packet that is less than the configured window size: window-size number

    Note The replay protection window size represents the maximum out-of-sequence frames that MACsec accepts and are not discarded. The range is from 0 to 596000000.
    IP_switch_A_1(config-macsec-policy)# window-size 512
  7. Configure the time in seconds to force an SAK rekey:

    sak-expiry-time time

    You can use this command to change the session key to a predictable time interval. The default is 0.

    IP_switch_A_1(config-macsec-policy)# sak-expiry-time 100
  8. Configure one of the following confidentiality offsets in the layer 2 frame where encryption begins:

    conf-offsetconfidentiality offset

    Choose from the following options:

    • CONF-OFFSET-0.

    • CONF-OFFSET-30.

    • CONF-OFFSET-50.

      IP_switch_A_1(config-macsec-policy)# conf-offset CONF-OFFSET-0
      Note This command might be necessary for intermediate switches to use packet headers (dmac, smac, etype) like MPLS tags.
  9. Copy the running configuration to the startup configuration:

    copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config
  10. Display the MACsec policy configuration:

    show macsec policy

    IP_switch_A_1(config-macsec-policy)# show macsec policy

Enable Cisco MACsec encryption on the interfaces

  1. Enter global configuration mode:

    configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Select the interface that you configured with MACsec encryption.

    You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port.

    IP_switch_A_1(config)# interface ethernet 1/15
    switch(config-if)#
  3. Add the keychain and policy to be configured on the interface to add the MACsec configuration:

    macsec keychain keychain-name policy policy-name

    IP_switch_A_1(config-if)# macsec keychain 1 policy abc
  4. Repeat steps 1 and 2 on all interfaces where MACsec encryption is to be configured.

  5. Copy the running configuration to the startup configuration:

    copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Disable Cisco MACsec Encryption WAN ISLs in MetroCluster IP configurations

You might need to disable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.

Steps
  1. Enter global configuration mode:

    configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Disable the MACsec configuration on the device:

    macsec shutdown

    IP_switch_A_1(config)# macsec shutdown
    Note Selecting the “no” option restores the MACsec feature.
  3. Select the interface that you already configured with MACsec.

    You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port.

    IP_switch_A_1(config)# interface ethernet 1/15
    switch(config-if)#
  4. Remove the keychain and policy configured on the interface to remove the MACsec configuration:

    no macsec keychain keychain-name policy policy-name

    IP_switch_A_1(config-if)# no macsec keychain 1 policy abc
  5. Repeat steps 3 and 4 on all interfaces where MACsec is configured.

  6. Copy the running configuration to the startup configuration:

    copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Verifying the MACsec configuration

Steps
  1. Repeat all of the previous procedures on the second switch within the configuration to establish a MACsec session.

  2. Run the following commands to verify that both switches are successfully encrypted:

    1. Run: show macsec mka summary

    2. Run: show macsec mka session

    3. Run: show macsec mka statistics

      You can verify the MACsec configuration using the following commands:

      Command

      Displays information about…​

      show macsec mka session interface typeslot/port number

      The MACsec MKA session for a specific interface or for all interfaces

      show key chain name

      The key chain configuration

      show macsec mka summary

      The MACsec MKA configuration

      show macsec policy policy-name

      The configuration for a specific MACsec policy or for all MACsec policies