Configure MACSec

This module describes how to configure Media Access Control Security (MACSec) encryption on the NCS 5500 Network Convergence System Routers. MACSec is a Layer 2 IEEE 802.1AE standard for encrypting packets between two MACSec-capable routers.

Understanding MACsec Encryption

Security breaches can occur at any layer of the OSI model. At Layer 2, some of the common breaches are MAC address spoofing, ARP spoofing, Denial of Service (DoS) attacks against a DHCP server, and VLAN hopping.

MACsec secures data on physical media, making it impossible for data to be compromised at higher layers. As a result, MACsec encryption takes priority over any other encryption method such as IPsec and SSL at higher layers. MACsec is configured on the Customer Edge (CE) router interfaces that connect to Provider Edge (PE) routers and on all the provider router interfaces.

MKA Authentication Process

MACsec provides the secure MAC Service on a frame-by-frame basis, using GCM-AES algorithm. MACsec uses the MACsec Key Agreement protocol (MKA) to exchange session keys, and manage encryption keys.

The MACsec encryption process is illustrated in the following figure and description.

Figure 1. MKA Encryption Process


Step 1: When a link is first established between two routers, they become peers. Mutual peer authentication takes place by configuring a Pre-shared Key (PSK).

Step 2: On successful peer authentication, a connectivity association is formed between the peers, and a secure Connectivity Association Key Name (CKN) is exchanged. After the exchange, the MKA ICV is validated with a Connectivity Association Key (CAK), which is effectively a secret key.

Step 3: A key server is selected between the routers, based on the configured key server priority. Lower the priority value, higher the preference for the router to become the key server. If no value is configured, the default value of 16 is taken to be the key server priority value for the router. Lowest priority value configures that router as the key server, while the other router functions as a key client. The following rules apply to key server selection:
  • Numerically lower values of key server priority and SCI are accorded the highest preference.

  • Each router selects a peer advertising the highest preference as its key server provided that peer has not selected another router as its key server or is not willing to function as the key server.

  • In the event of a tie for highest preferred key server, the router with the highest priority SCI is chosen as key server (KS).

Step 4: A security association is formed between the peers. The key server generates and distributes the Secure Association Key (SAK) to the key client (peer). Each secure channel is supported by an overlapped sequence of Security Associations (SA). Each SA uses a new Secure Association Key (SAK).

Step 5: Encrypted data is exchanged between the peers.

MACsec Frame Format

The MACsec header in a frame consists of three components as illustrated in the following figure.

Figure 2. MACsec Frame Format
  • SecTAG: The security tag is 8-16 bytes in length and identifies the SAK to be used for the frame. With Secure Channel Identifier (SCI) encoding, the security tag is 16 bytes in length, and without the encoding, 8 bytes in length (SCI encoding is optional).The security tag also provides replay protection when frames are received out of sequence.

  • Secure Data: This is the data in the frame that is encrypted using MACsec and can be 2 or more octets in length.

  • ICV: The ICV provides the integrity check for the frame and is usually 8-16 bytes in length, depending on the cipher suite. Frames that do not match the expected ICV are dropped at the port.

Advantages of Using MACsec Encryption

  • Data Integrity Check: Integrity check value (ICV) is used to perform integrity check. The ICV is sent with the protected data unit and is recalculated and compared by the receiver to detect data modification.

  • Data Encryption: Enables a port to encrypt outbound frames and decrypt MACsec-encrypted inbound frames.

  • Replay Protection: When frames are transmitted through the network, there is a strong possibility of frames getting out of the ordered sequence. MACsec provides a configurable window that accepts a specified number of out-of-sequence frames.

  • Support for Clear Traffic: If configured accordingly, data that is not encrypted is allowed to transit through the port.

Hardware Support for MACsec

The MACsec technology is supported only on 36-port 100 GE line cards.


Note

MACsec is supported only on the QSFP28 or SFP28 ports (in 10G to 100G speeds, and not 1G speed).


Release History for MACSec Hardware Support

Table 1. Release History for MACSec Hardware Support

Release

Description

MACsec PSK

A pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). A pre-shared key is exchanged between two devices at each end of a point-to-point link to enable MACsec using static CAK security mode. The MACsec Key Agreement (MKA) protocol is enabled after the pre-shared keys are successfully verified and exchanged. The pre-shared keys, the CKN and CAK, must match on both ends of a link.

For more information on MACsec PSK configuration, see Step 3 of the Applying MACsec Configuration on an Interface section.

Fallback PSK

Fallback is a session recovery mechanism when primary PSK fails to bring up secured MKA session. It ensures that a PSK is always available to perform MACsec encryption and decryption.

  • In CAK rollover of primary keys, if latest active keys are mismatched, system performs a hitless rollover from current active key to fallback key, provided the fallback keys match.

  • If a session is up with fallback, and primary latest active key configuration mismatches are rectified between peers, system performs a hitless rollover from fallback to primary latest active key.


Note

A valid Fallback PSK (CKN and CAK) must be configured with infinite lifetime. If the fallback PSK is configured with CAK mismatch, the only recovery mechanism is to push a new set of PSK configurations (both on fallback PSK keychain and primary PSK chain in that order) on all the association members.


The following is a sample syslog for session secured with fallback PSK:

%L2-MKA-5-SESSION_SECURED_WITH_FALLBACK_PSK : (Hu0/1/0/0) MKA session secured, CKN:ABCD

For more information on MACsec fallback PSK configuration, see Step 3 of the Applying MACsec Configuration on an Interface section.

Configuring and Verifying MACsec Encryption

MACsec can be configured on physical ethernet interfaces or interface bundles (link bundles), as explained in this section.

The following section describes procedures for configuring and verifying MACsec configuration in the described deployment modes.

Prior to configuring MACsec on a router interface the MACsec keychain must be defined. If you apply the MACsec keychain on the router without specifying a MACsec policy, the default policy is applied. A default MACsec policy is pre-configured with default values. If you need to change any of the pre-configured values, create a different MACsec policy.

Configuring MACsec involves the following steps:

  1. Creating a MACsec keychain

  2. Creating a user-defined MACsec policy

  3. Applying MACsec configuration on physical interfaces

Creating a MACsec Keychain

A MACsec keychain is a collection of keys used to authenticate peers needing to exchange encrypted information. While creating a keychain, we define the key(s), key string with password, the cryptographic algorithm, and the key lifetime.

MACsec Keychain Keyword

Description

Key

The MACsec key or the CKN can be up to 64 characters in length. The key must be of an even number of characters. Entering an odd number of characters will exit the MACsec configuration mode.

Key-string

The MACsec key-string or the CAK can be either 32 characters or 64 characters in length (32 for AES-128, 64 for AES-256).

Lifetime

This field specifies the validity period of a key. It includes a start time, and an expiry time. We recommend you to set the value for expiry time as infinite.

Guidelines for Configuring MACsec Keychain

MACsec keychain management has the following configuration guidelines:

  • To establish MKA session, ensure that the MACsec key (CKN) and key-string (CAK) match at both ends.

  • MKA protocol uses the latest active key available in the Keychain. This key has the latest Start Time from the existing set of currently active keys. You can verify the values using the show key chain keychain-name command.

  • Deletion or expiry of current active key brings down the MKA session resulting in traffic hit. We recommend you to configure the keys with infinite lifetime. If fallback is configured, traffic is safeguarded using fallback on expiry or deletion of primary-keychain active key.

  • To achieve successful key rollover (CAK-rollover), the new key should be configured such that it is the latest active key, and kicks-in before the current key expires.

  • We recommend an overlap of at least one minute for hitless CAK rollover from current key to new key.

  • Start time and Expiry time can be configured with future time stamps, which allows bulk configuration for daily CAK rotation without any intervention of management agent.

  • With NC55-MPA-12T-S MPA, you might experience a traffic drop in these scenarios:

    • A commit replace scenario where multiple MACsec configurations are applied across ports.

    • A process restart (say, in a SMU installation scenario) which results in MACsec rekeying on all the ports.

    • If there are multiple MACsec ports with the same rekey timeout.

SUMMARY STEPS

  1. Enter the global configuration mode and provide a name for the MACsec keychain; for example, mac_chain.
  2. Enter the MACsec mode.
  3. Provide a name for the MACsec key.
  4. Enter the key string and the cryptographic algorithm to be used for the key.
  5. Enter the validity period for the MACsec key (CKN) also known as the lifetime period.
  6. Commit your configuration.

DETAILED STEPS


Step 1

Enter the global configuration mode and provide a name for the MACsec keychain; for example, mac_chain.

Example:

 

RP/0/RP0/CPU0:router(config)# key chain mac_chain 

Step 2

Enter the MACsec mode.

Example:

 

RP/0/RP0/CPU0:router(config-mac_chain)#macsec 

Step 3

Provide a name for the MACsec key.

The key can be up to 64 characters in length. The key must be of an even number of characters. Entering an odd number of characters will exit the MACsec configuration mode.

Example:


RP/0/RP0/CPU0:router(config-mac_chain-MacSec)#key 1234abcd5678

You can also configure a fall-back pre-shared key(PSK) to ensure that a PSK is always available to perform MACsec encryption and decryption. The fallback PSK along with the primary PSK ensures that the session remains active even if the primary PSK is mismatched or there is no active key for the primary PSK.

The configured key is the CKN that is exchanged between the peers.

Note 
If you are configuring MACsec to interoperate with a MACsec server that is running software prior to Cisco IOS XR Release 6.1.3, then ensure that the MACsec key length is of 64 characters. You can add extra zero characters to the MACsec key so that the length of 64-characters is achieved. If the key length is lesser than 64 characters, authentication will fail.
Step 4

Enter the key string and the cryptographic algorithm to be used for the key.

Example:

The key string is the CAK that is used for ICV validation by the MKA protocol.

! For AES 128-bit encryption 

RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# 
key-string 12345678123456781234567812345678 cryptographic-algorithm AES-128-CMAC

! For AES 256-bit encryption

RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# 
key-string 1234567812345678123456781234567812345678123456781234567812345678 cryptographic
-algorithm AES-256-CMAC

Note 
In this example, we have used the AES 256-bit encryption algorithm, and therefore, the key string is 64 hexadecimal characters in length. A 256-bit encryption algorithm uses a larger key that requires more rounds of hacking to be cracked. 256-bit algorithms provide better security against large mass security attacks, and include the security provided by 128-bit algorithms.
Step 5

Enter the validity period for the MACsec key (CKN) also known as the lifetime period.

The lifetime period can be configured, with a duration in seconds, as a validity period between two dates (for example, Jan 01 2014 to Dec 31 2014), or with infinite validity.

The key is valid from the time you configure (in HH:MM:SS format). Duration is configured in seconds.

Example:



RP/0/RP0/CPU0:router(config- mac_chain-MacSec-1234abcd5678)#lifetime 05:00:00 01 
January 2015 duration 1800

An example of configuring the lifetime for a defined period:


RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)#lifetime 05:00:00 20 
february 2015 12:00:00 30 september 2015

An example of configuring the lifetime as infinite:



RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)#lifetime 
05:00:00 01 January 2015 infinite

Note 
When a key has expired, the MACsec session is torn down and running the show macsec mka session command does not display any information. If you run the show macsec mka interface detail command, the output displays *** No Active Keys Present *** in the PSK information.
Step 6

Commit your configuration.

Example:

RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678#commit

This completes the configuration of the MACsec keychain.

Securing the MACsec Pre-shared Key (PSK) Using Type 6 Password Encryption

Using the Type 6 password encryption feature, you can securely store MACsec plain text key string (CAK) in Type 6 encrypted format.

The primary key is the password or key used to encrypt all plain text MACsec key strings (CAK) in the router configuration with the use of an Advance Encryption Standard (AES) symmetric cipher. The primary key is not stored in the router configuration and cannot be seen or obtained in any way while connected to the router.

The Type 6 password encryption is effective only if a primary key is configured. The Type 6 Password Encryption is currently available on NCS-55A1-36H-SE-S Router.

Configuring a Primary Key and Enabling the Type 6 Password Encryption Feature

You can configure a primary key for Type 6 encryption and enable the Advanced Encryption Standard (AES) password encryption feature for securing the MACsec keys (key string/CAK).

SUMMARY STEPS

  1. key config-key password-encryption [delete]
  2. configure terminal
  3. [no] password6 encryption aes
  4. commit

DETAILED STEPS

  Command or Action Purpose
Step 1

key config-key password-encryption [delete]

Example:

Configuring a Primary Key
Router# key config-key password-encryption
New password Requirements: Min-length 6, Max-length 64 
Characters restricted to [A-Z][a-z][0-9] 
Enter new key : 
Enter confirm key :

Example:

Modifying the Primary Key
Router# key config-key password-encryption 
New password Requirements: Min-length 6, Max-length 64 
Characters restricted to [A-Z][a-z][0-9] 
Enter old key : 
Enter new key : 
Enter confirm key :

Example:

Deleting the Primary Key
Router# key config-key password-encryption delete

Configuring a Primary Key

Configures a primary key to be used with the Type 6 password encryption feature. The primary key can contain between 6 and 64 alphanumeric characters.

Modifying the Primary Key

If a primary key is already configured, you are prompted to enter the current primary key before entering a new primary key.

Modifying a primary key would re-encrypt all the existing Type 6 format key strings with the new primary key. If Type 6 key strings are present, ensure that the password6 configuration aes command is present to enable re-encryption with the new primary key. Otherwise, the primary key update operation fails.

Deleting the Primary Key

You can use the delete form of this command to delete the primary key at any time.

Note 

Before deleting the primary key, password6 encryption aes command needs to be disabled using the no password6 encryption aes command followed by configuring the commit command.

Caution 

Primary key deletion would bring down MACSec traffic if MKA sessions were up with Type 6 keys. To avoid traffic disruptions, configure a new set of PSK key pairs [key (CKN) and key string (CAK)] with latest timestamps with the lifetime of infinite validity on both the peers and ensure the successful CAK rekey to the newly configured CKN and CAK.

Step 2

configure terminal

Example:

Router# configure terminal 
Router(config)#

Enters global configuration mode.

Step 3

[no] password6 encryption aes

Example:

Router(config)# password6 encryption aes

Enables or disables the Type 6 password encryption feature.

If you enable the Type 6/AES password encryption feature before configuring a primary key, password encryption will not take place.

Step 4

commit

Example:

Router(config)# commit

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Example

Configuring MACSec Pre-shared Key (PSK)

Before you begin

Ensure that you have configured a primary key using the key config-key password-encryption command and enabled the Type 6 encryption feature using the password6 encryption aes command.

SUMMARY STEPS

  1. configure terminal
  2. key chain key chain name macsec
  3. key hex string of even length and max 64 bytes
  4. key-string hex string of length 32 bytes or 64 bytes cryptographic-algorithm {aes-128-cmac | aes-256-cmac}
  5. lifetime {hh:mm:ss} {1-31} month year infinite
  6. commit
  7. show running-config key chain keychain name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:

Router# configure terminal 
Router(config)#

Enters global configuration mode.

Step 2

key chain key chain name macsec

Example:

Router(config)# key chain kc1 macsec
Router(config-kc1-MacSec)#

Configures a key chain with the MACsec submode.

Step 3

key hex string of even length and max 64 bytes

Example:

Router(config-kc1-MacSec)# key 1111
Router(config-kc1-MacSec-1111)# 

Configures MACsec CKN as hex string of even length upto 64 bytes.

Caution 

Configuring a hex string of odd number length exits from the MACsec submode. In that case, repeat from Step2 to enter the MACsec submode again.

Step 4

key-string hex string of length 32 bytes or 64 bytes cryptographic-algorithm {aes-128-cmac | aes-256-cmac}

Example:

Configuring 32 byte hex CAK
Router(config-kc1-MacSec-1111)# 
key-string 12345678901234567890123456789022
 cryptographic-algorithm  aes-128-cmac

Example:

Configuring 64 byte hex CAK
Router(config-kc1-MacSec-1111)# 
key-string 
1234567890123456789012345678902212345678901234567890123456789022 
cryptographic-algorithm aes-256-cmac

Configures a plain text CAK of 32 byte hex string or 64 byte hex string with corresponding MKA (control plane) cryptographic algorithm (aes-128-cmac/ aes-256-cmac).

Step 5

lifetime {hh:mm:ss} {1-31} month year infinite

Example:

Router(config-kc1-MacSec-1111)#
lifetime 00:00:00 1 january 2017 infinite

Configures a valid lifetime for MACsec PSK.

Note 

Without configuring a valid lifetime, MACsec PSK will be an inactive key.

Step 6

commit

Example:

Router(config)# commit

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7

show running-config key chain keychain name

Example:

Router# show running-config key chain kc1
key chain kc1
 macsec
  key 1111
     key-string password6
     5d63525a58594657565e6845446842465965554862424c5
     95d696554694a424c59655f504a575e6648484c484b4646
     535d49675e535a60644e6045654a655f666858414142
       cryptographic-algorithm aes-128-cmac
         lifetime 00:00:00 january 01 2017 infinite
  !
 !
!

[Optional] Displays the Type 6 encrypted key string.

Example

Creating a User-Defined MACsec Policy

SUMMARY STEPS

  1. Enter the global configuration mode, and enter a name (mac_policy) for the MACsec policy.
  2. Configure the cipher suite to be used for MACsec encryption.
  3. Configure the confidentiality offset for MACsec encryption.
  4. Enter the key server priority.
  5. Configure the security policy parameters, either Must-Secure or Should-Secure.
  6. Configure data delay protection under MACsec policy.
  7. Configure the replay protection window size.
  8. Configure the ICV for the frame arriving on the port.
  9. Commit your configuration and exit the global configuration mode.
  10. Confirm the MACsec policy configuration.

DETAILED STEPS


Step 1

Enter the global configuration mode, and enter a name (mac_policy) for the MACsec policy.

Example:

RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
Step 2

Configure the cipher suite to be used for MACsec encryption.

Example:


RP/0/RP0/CPU0:router(config-mac_policy)# cipher-suite GCM-AES-XPN-256
RP/0/RP0/CPU0:router(config-mac_policy)#GCM-AES-128 
GCM-AES-256 
GCM-AES-XPN-128 
GCM-AES-XPN-256 
Note 
In this example, we have used the GCM-AES-XPN-256 encryption algorithm. A 256-bit encryption algorithm uses a larger key that requires more rounds of hacking to be cracked. 256-bit algorithms provide better security against large mass security attacks, and include the security provided by 128-bit algorithms. Extended Packet Numbering (XPN) is used to reduce the number of key rollovers while data is sent over high speed links. It is therefore highly recommended to use GCM-AES-XPN-256 encryption algorithm for higher data ports.
Step 3

Configure the confidentiality offset for MACsec encryption.

Example:

RP/0/RP0/CPU0:router(config-mac_policy)# conf-offset CONF-OFFSET-30
Note 

We recommend to change the offset value of the conf-offset <offset_value> command (MACsec encryption command) in Cisco NCS 5500 fixed port routers only when the port is in admin down state (that is, when the interface is shut down). Changing the offset value otherwise may result in traffic loss.

Step 4

Enter the key server priority.

You can enter a value between 0-255. Lower the value, higher the preference to be selected as the key server.

In this example, a value of 0 configures the router as the key server, while the other router functions as a key client. The key server generates and maintains the SAK between the two routers. The default key server priority value is 16.

Example:

RP/0/RP0/CPU0:router(config-mac_policy)# key-server-priority 0
Step 5

Configure the security policy parameters, either Must-Secure or Should-Secure.

Must-Secure: Must-Secure imposes only MACsec encrypted traffic to flow. Hence, until MKA session is not secured, traffic will be dropped.

Example:

RP/0/RP0/CPU0:router(config-mac_policy)# security-policy must-secure

Should-Secure: Should-Secure allows unencrypted traffic to flow until MKA session is secured. After the MKA session is secured, Should-Secure policy imposes only encrypted traffic to flow.

Example:

RP/0/RP0/CPU0:router(config-mac_policy)# security-policy should-secure
Table 2. MACsec Security Policies

MKA

Secured MKA Session

Unsecured MKA Session

Security Policy

Must-secure

Encrypted traffic

Traffic drop (no Tx and no Rx)

Should-secure

Encrypted traffic

Plain text or unencrypted traffic

Step 6

Configure data delay protection under MACsec policy.

Data delay protection allows MKA participants to ensure that the data frames protected by MACsec are not delayed by more than 2 seconds. Each SecY uses MKA to communicate the lowest PN used for transmission with the SAK within two seconds. Traffic delayed longer than 2 seconds are rejected by the interfaces enabled with delay protection.

By default, the data delay protection feature is disabled. Configuring the delay-protection command under MACsec-policy attached to MACsec interface will enable the data delay protection feature on that interface.

Example:

RP/0/RP0/CPU0:router# configure terminal
RP/0/RP0/CPU0:router(config)# macsec-policy mp1
RP/0/RP0/CPU0:router(config-macsec-policy)# delay-protection 
RP/0/RP0/CPU0:router(config-macsec-policy)# commit

Verification:

The following show command output verifies that the data delay protection feature is enabled.

Example:

RP/0/RP0/CPU0:router# show macsec mka session interface GigabitEthernet 0/1/0/1 detail
MKA Policy Name         : mp1
Key Server Priority     : 16
Delay Protection        : TRUE
Replay Window Size      : 64
Confidentiality Offset  : 0
Algorithm Agility       : 80C201
SAK Cipher Suite        : (NONE)
MACsec Capability       : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired          : YES
Step 7

Configure the replay protection window size.

Example:

RP/0/RP0/CPU0:router(config-mac_policy)# window-size 64

This dictates the maximum out-of-sequence frames that are accepted. You can configure a value between 0 and 1024.

Step 8

Configure the ICV for the frame arriving on the port.

Example:


RP/0/RP0/CPU0:router(config-mac_policy)# include-icv-indicator 

This parameter configures inclusion of the optional ICV Indicator as part of the transmitted MACsec Key Agreement PDU (MKPDU). This configuration is necessary for MACsec to interoperate with routers that run software prior to IOS XR version 6.1.3. This configuration is also important in a service provider WAN setup where MACsec interoperates with other vendor MACsec implementations that expect ICV indicator to be present in the MKPDU.

Step 9

Commit your configuration and exit the global configuration mode.

Example:

RP/0/RP0/CPU0:router(config-mac_policy)# exit
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# exit
Step 10

Confirm the MACsec policy configuration.

Example:



RP/0/RP0/CPU0:router# show running-config macsec-policy

macsec-policy mac_policy 
conf-offset CONF-OFFSET-30 
security-policy must-secure
window-size 64
cipher-suite GCM-AES-XPN-256
key-server-priority 0
include-icv-indicator 




This completes the configuration of the MACsec policy.

Note

  • Small packets might be dropped when Data Delay Protection (DDP) is enabled on many MACsec enabled interfaces of a scaled setup. To avoid this, enable DDP only on the interfaces which are absolutely necessary.

  • For Cisco NCS 5500 Series Routers to interoperate with Cisco ASR9000 Series Routers that are older than Release 6.2.3, configure a user defined MACsec policy with the policy-exception lacp-in-clear command to bring up the MKA sessions over bundle interfaces running in LACP modes.


MACsec SAK Rekey Interval

From Cisco IOS XR Software Release 6.3.3 and later, you can set a timer value to rekey the MACsec secure association key (SAK) at a specified interval. This periodic refresh of SAK ensures that data encryption key is frequently updated. The configuration is effective on the node acting as a key server.

To set the rekey interval, use the sak-rekey-interval command in macsec-policy configuration mode. The timer ranges from 60 to 2,592,000 seconds, the default being OFF.

Configuration Example


Router#configure
Router(config)#macsec-policy test-policy
Router(config-macsec-policy)#sak-rekey-interval 120
Router(config-macsec-policy)#commit

Running Configuration


macsec-policy test-policy
 sak-rekey-interval 120
 !

Associated Command

sak-rekey-interval

Applying MACsec Configuration on an Interface

The MACsec service configuration is applied to the host-facing interface of a CE router.

Guidelines for MACsec Interface Configuration

Following are the guidelines for configuring MACsec interface:

  • Configure different keychains for primary and fallback PSKs.

  • We do not recommend to update both primary and fallback PSKs simultaneously, because fallback PSK is intended to recover MACsec session on primary key mismatch.

  • Although the MACsec eapol destination-address broadcast-address command under the interface configuration mode is present and configurable on Cisco NCS 5500 Series Routers, the functionality is not yet supported.

Before you begin


Note

Under the IS-IS instance, use the lsp-mtu command to configure the maximum transmission unit (MTU) size of link-state packets (LSPs) on each router where MACsec is enabled. The LSP MTU should be set to 32 bytes less than the interface MTU, to account for MACsec overhead.

SUMMARY STEPS

  1. Enter the global configuration mode.
  2. Enter the interface configuration mode.
  3. Apply the MACsec configuration on an interface.
  4. Commit your configuration.

DETAILED STEPS


Step 1

Enter the global configuration mode.

Example:

RP/0/RP0/CPU0:router# configure
Step 2

Enter the interface configuration mode.

Example:

RP/0/RP0/CPU0:router(config)# interface Te0/3/0/1/4
Step 3

Apply the MACsec configuration on an interface.

MACsec PSK Configuration

To apply MACsec PSK configuration on an interface, use the following command.

Example:



RP/0/RP0/CPU0:router(config-if)# macsec psk-keychain mac_chain policy mac_policy
RP/0/RP0/CPU0:router(config-if)# exit

To apply MACsec configuration on a physical interface without the MACsec policy, use the following command.

Example:


RP/0/RP0/CPU0:router(config-if)# macsec psk-keychain script_key_chain2
RP/0/RP0/CPU0:router(config-if)# exit

MACsec Fallback PSK Configuration

To apply MACsec configuration on a physical interface with a fallback PSK, use the following command.

Example:


RP/0/RP0/CPU0:router(config-if)# macsec psk-keychain mac_chain fallback-psk-keychain fallback_mac_chain policy mac_policy
RP/0/RP0/CPU0:router(config-if)# exit

It is optional to configure a fallback PSK. If a fallback PSK is configured, the fallback PSK along with the primary PSK ensures that the session remains active even if the primary PSK is mismatched, or there is no active key for the primary PSK.

Step 4

Commit your configuration.

Example:

RP/0/RP0/CPU0:router(config)# commit

MACsec Policy Exceptions

By default, the MACsec security policy uses must-secure option, that mandates data encryption. Hence, the packets cannot be sent in clear-text format. To optionally bypass the MACsec encryption or decryption for Link Aggregation Control Protocol (LACP) packets, and to send the packets in clear-text format, use the policy-exception lacp-in-clear command in macsec-policy configuration mode. This functionality is beneficial in scenarios such as, in a network topology with three nodes, where bundles are terminated at the middle node, whereas MACsec is terminated at the end nodes.

This MACsec policy exception is also beneficial in interoperability scenarios where the node at the other end expects the data packets to be in clear text.

How to Create MACsec Policy Exception

Configuration Example

Using the policy-exception command:


Router#configure
Router(config)#macsec-policy test-macsec-policy
Router(config-macsec-policy)#policy-exception lacp-in-clear 
Router(config-macsec-policy)#commit

Running Configuration

With the policy-exception command:


Router#show run macsec-policy test-macsec-policy
macsec-policy test-macsec-policy
  policy-exception lacp-in-clear
  security-policy should-secure
  include-icv-indicator
  sak-rekey-interval seconds 120
!

Associated Commands

  • policy-exception lacp-in-clear

Verifying MACsec Encryption on IOS XR

MACsec encryption on IOS XR can be verified by running relevant commands in the Privileged Executive Mode. The verification steps are the same for MACsec encryption on L2VPN or L3VPN network.

To verify if MACsec encryption has been correctly configured, follow these steps.

SUMMARY STEPS

  1. Verify the MACsec policy configuration.
  2. Verify the MACsec configuration on the respective interface.
  3. Verify whether the interface of the router is peering with its neighbor after MACsec configuration. The MACsec PSK validation detects inconsistency or mismatch of primary and fallback keys (CAK) being used by MKA, allowing operators to rectify the mismatch.
  4. Verify whether the MKA session is secured with MACsec on the respective interface.
  5. Verify the MACsec session counter statistics.

DETAILED STEPS


Step 1

Verify the MACsec policy configuration.

Example:



RP/0/RP0/CPU0:router#show macsec policy mac_policy

============================================================================

Policy      Cipher         Key-Svr     Window  Conf

name        Suite          Priority    Size    Offset

=============================================================================

mac_policy GCM-AES-XPN-256  0          64      30

If the values you see are different from the ones you configured, then check your configuration by running the show run macsec-policy command.

Step 2

Verify the MACsec configuration on the respective interface.

You can verify the MACsec encryption on the configured interface bundle (MPLS network).

Example:



RP/0/RP0/CPU0:router#show macsec mka summary

NODE: node0_0_CPU0

==================================================================
Interface     Status    Cipher Suite      KeyChain
==================================================================

Fo0/0/0/1/0   Secured   GCM-AES-XPN-256   mac_chain

Total MACSec Sessions : 1
     Secured Sessions : 1
     Pending Sessions : 0

RP/0/RP0/CPU0:router# show macsec mka session interface Fo0/0/0/1/0  
===================================================================================
      Interface         Local-TxSCI       # Peers         Status         Key-Server
===================================================================================
    Fo0/0/0/1/0      d46d.5023.3709/0001      1           Secured          YES

The Status field in the output confirms that the respective interface is Secured. If MACsec encryption is not successfully configured, you will see a status such as Pending or Init.

Run the show run macsec-policy command in the privileged executive mode to troubleshoot the configuration entered.

Step 3

Verify whether the interface of the router is peering with its neighbor after MACsec configuration. The MACsec PSK validation detects inconsistency or mismatch of primary and fallback keys (CAK) being used by MKA, allowing operators to rectify the mismatch.

Example:

The show macsec mka session interface interface detail command carries the Peer Validation status in the Peer CAK field. The values of this field can be either Match or Mismatch.

The following show command output verifies that the primary and fallback keys (CAK) are matched on both peer ends.

  • RP/0/RP0/CPU0:router#show macsec mka session detail
    Peers Status:
      Last Tx MKPDU          : 2017 Sep 02 11:24:52.369
      Peer Count             : 1
      RxSCI                  : 008A960060900001
      MI                     : C2213E81C953A202C08DB999
      Peer CAK         : Match
      Latest Rx MKPDU        : 2017 Sep 02 11:24:53.360
    Fallback Data:
      CKN                    : ABCD
      MI                     : 84E724B4BA07CE414FEA84EF
      MN                     : 8
      Peers Status:
        Last Tx MKPDU        : 2017 Sep 02 11:24:52.369
        Peer Count           : 1
        RxSCI                : 008A960060900001
        MI                   : D2B902453F90389BD3385F84
        Peer CAK       : Match
        Latest Rx MKPDU      : 2017 Sep 02 11:24:53.360
  • Syslog

    %L2-MKA-6-MKPDU_ICV_SUCCESS: (Hu0/5/0/1), ICV verification success for RxSCI(008a.9600.6090/0001), CKN(1000) 
    %L2-MKA-6-FALLBACK_PSK_MKPDU_ICV_SUCCESS: (Hu0/5/0/1), ICV verification success for RxSCI(008a.9600.6090/0001), CKN(FFFF)

The following show command output verifies that the primary and fallback keys (CAK) are mismatched on both peer ends.

  • RP/0/RP0/CPU0:router#show macsec mka session detail
    Peers Status:
    Last Tx MKPDU          : 2017 Sep 02 11:24:52.369
    Peer Count             : 1
    RxSCI                  : 008A960060900001
    MI                     : C2213E81C953A202C08DB999
    Peer CAK         : Mismatch
    Latest Rx MKPDU        : 2017 Sep 02 11:24:53.360
    Fallback Data:
    CKN                    : ABCD
    MI                     : 84E724B4BA07CE414FEA84EF
    MN                     : 8
    Peers Status:
      Last Tx MKPDU         : 2017 Sep 02 11:24:52.369
      Peer Count            : 1
      RxSCI                 : 008A960060900001
      MI                    : D2B902453F90389BD3385F84
      Peer CAK        : Mismatch
      Latest Rx MKPDU       : 2017 Sep 02 11:24:53.360
    
  • Syslog

    %L2-MKA-3-MKPDU_ICV_FAILURE: (Hu0/5/0/1), ICV verification failed for RxSCI(008a.9600.6090/0001), CKN(1111)
    %L2-MKA-3-FALLBACK_PSK_MKPDU_ICV_FAILURE: (Hu0/5/0/1), ICV verification failed for RxSCI(008a.9600.6090/0001), CKN(9999)

The #Peers field in the following output confirms the presence of the peer you have configured on the physical interface, Fo0/0/0/1/0. If the number of peers is not reflected accurately in this output, run the show run command and verify the peer configuration on the interface.


RP/0/RP0/CPU0:router#show macsec mka session

NODE: node0_0_CPU0

================================================================
Interface    Local-TxSCI           # Peers   Status  Key-Server
================================================================

Fo0/0/0/1/0  001d.e5e9.aa39/0005      1      Secured  YES

Note 
If the MKA session status is shown as Secured with 0 (Zero) peer count, this means that the link is locally secured (Tx). This is because of MKA peer loss caused by No Rx Packets (MKA Packet) from that peer.
Step 4

Verify whether the MKA session is secured with MACsec on the respective interface.

Example:

RP/0/RP0/CPU0:router#show macsec mka session interface Fo0/0/0/1/0 detail 
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI            : 6219.8864.e338/0001
Local Tx-SSCI           : 1
Interface MAC Address   : 6219.8864.e338
MKA Port Identifier     : 1
Interface Name          : Hu0/5/0/26
CAK Name (CKN)          : 2222000000000000000000000000000000000000000000000000000000000000
CA Authentication Mode  : PRIMARY-PSK
Keychain                : kc
Member Identifier (MI)  : 89766F3FE9445FDCDD714CCE
Message Number (MN)     : 25711
Authenticator           : NO
Key Server              : NO
MKA Cipher Suite        : AES-256-CMAC

Latest SAK Status       : Rx & Tx
Latest SAK AN           : 0
Latest SAK KI (KN)      : E3D39135831AFBCDA7AA9DBB00000001 (1)
Old SAK Status          : FIRST-SAK
Old SAK AN              : 0
Old SAK KI (KN)         : FIRST-SAK (0)

SAK Transmit Wait Time  : 0s (Not waiting for any peers to respond)
SAK Retire Time         : 0s (No Old SAK to retire)
Time to SAK Rekey       : NA
MKA Policy Name         : *DEFAULT POLICY*
Key Server Priority     : 16
Replay Window Size      : 64
Confidentiality Offset  : 0
Algorithm Agility       : 80C201
SAK Cipher Suite        : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability       : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired          : YES

# of MACsec Capable Live Peers           : 1
# of MACsec Capable Live Peers Responded : 0

Live Peer List:
  MI                        MN          Rx-SCI (Peer)        SSCI KS-Priority
  ---------------------------------------------------------------------------
RP/0/RP0/CPU0:router#show macsec mka session interface Fo0/0/0/1/0 detail Tue May 18 13:23:29.935 UTC
Tue May 18 13:23:29.935 UTC

MKA Detailed Status for MKA Session
===================================
Status: Secured - Secured MKA Session with MACsec

Local Tx-SCI                    : 008a.96d6.194c/0001
Local Tx-SSCI                   : 2
Interface MAC Address           : 008a.96d6.194c
MKA Port Identifier             : 1
Interface Name                  : Hu0/2/0/11
CAK Name (CKN)                  : 2111
CA Authentication Mode          : PRIMARY-PSK
Keychain                        : test1
Member Identifier (MI)          : 69B39E87B3CBA673401E9891
Message Number (MN)             : 352
Authenticator                   : NO
Key Server                      : YES
MKA Cipher Suite                : AES-128-CMAC
Configured MACSec Cipher Suite  : GCM-AES-XPN-128
Key Distribution Mode           : SAK

Latest SAK Status               : Rx & Tx
Latest SAK AN                   : 0
Latest SAK KI (KN)              : 69B39E87B3CBA673401E989100000001 (1)
Old SAK Status                  : FIRST-SAK
Old SAK AN                      : 0
Old SAK KI (KN)                 : FIRST-SAK (0)

SAK Transmit Wait Time          : 0s (Not waiting for any peers to respond)
SAK Retire Time                 : 0s (No Old SAK to retire)
Time to SAK Rekey               : 456s
Time to exit suspension         : NA

MKA Policy Name                 : P12
Key Server Priority             : 20
Delay Protection                : TRUE
Replay Window Size              : 100
Include ICV Indicator           : TRUE
Confidentiality Offset          : 0
Algorithm Agility               : 80C201
SAK Cipher Suite                : 0080C20001000003 (GCM-AES-XPN-128)
MACsec Capability               : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired                  : YES

# of MACsec Capable Live Peers           : 1
# of MACsec Capable Live Peers Responded : 1

# of MACSec Suspended Peers              : 0

Live Peer List:
-------------------------------------------------------------------------------
           MI                  MN             Rx-SCI          SSCI  KS-Priority 
-------------------------------------------------------------------------------
42A78BD6243539E917B8C6B2      290       7061.7bea.1df4/0001    1        20      

Potential Peer List:
-------------------------------------------------------------------------------
          MI                  MN             Rx-SCI          SSCI  KS-Priority 
-------------------------------------------------------------------------------

Suspended Peer List:
-------------------------------------------------------------------------------
       Rx-SCI          SSCI  
-------------------------------------------------------------------------------

Peers Status:
Last Tx MKPDU          : 2021 May 18 13:23:29.588
Peer Count             : 1
          
 RxSCI                  : 70617BEA1DF40001
  MI                    : 42A78BD6243539E917B8C6B2
  Peer CAK              : Match
  Latest Rx MKPDU       : 2021 May 18 13:23:29.847

MKA Detailed Status for MKA Session
===================================
Status: Active - Marked Peer as Live (Waiting for SAK generation/distribution)

Local Tx-SCI                    : 008a.96d6.194c/0001
Local Tx-SSCI                   : 2
Interface MAC Address           : 008a.96d6.194c
MKA Port Identifier             : 1
Interface Name                  : Hu0/2/0/11
CAK Name (CKN)                  : 2000
CA Authentication Mode          : FALLBACK-PSK
Keychain                        : test1f
Member Identifier (MI)          : 8F59AD6021FA3E2D5F9E6231
Message Number (MN)             : 350
Authenticator                   : NO
Key Server                      : YES
MKA Cipher Suite                : AES-128-CMAC
Configured MACSec Cipher Suite  : GCM-AES-XPN-128
Key Distribution Mode           : SAK

Latest SAK Status               : Rx & Tx
Latest SAK AN                   : 0
Latest SAK KI (KN)              : 69B39E87B3CBA673401E989100000001 (1)
Old SAK Status                  : FIRST-SAK
Old SAK AN                      : 0
Old SAK KI (KN)                 : FIRST-SAK (0)

SAK Transmit Wait Time          : 0s (Not waiting for any peers to respond)
SAK Retire Time                 : 0s (No Old SAK to retire)
Time to SAK Rekey               : 456s
Time to exit suspension         : NA

MKA Policy Name                 : P12
Key Server Priority             : 20
Delay Protection                : TRUE
Replay Window Size              : 100
Include ICV Indicator           : TRUE
Confidentiality Offset          : 0
Algorithm Agility               : 80C201
SAK Cipher Suite                : 0080C20001000003 (GCM-AES-XPN-128)
MACsec Capability               : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired                  : YES

# of MACsec Capable Live Peers           : 1
# of MACsec Capable Live Peers Responded : 0

# of MACSec Suspended Peers              : 0

Live Peer List:
-------------------------------------------------------------------------------
           MI                  MN             Rx-SCI          SSCI  KS-Priority 
-------------------------------------------------------------------------------
1BB9428C721F6EE3E538C942      288       7061.7bea.1df4/0001    1        20      

Potential Peer List:
-------------------------------------------------------------------------------
           MI                  MN             Rx-SCI          SSCI  KS-Priority 
-------------------------------------------------------------------------------

Suspended Peer List:
-------------------------------------------------------------------------------
       Rx-SCI          SSCI  
-------------------------------------------------------------------------------

Peers Status:
Last Tx MKPDU          : 2021 May 18 13:23:29.587
Peer Count             : 1

RxSCI                  : 70617BEA1DF40001
  MI                    : 1BB9428C721F6EE3E538C942
  Peer CAK              : Match
  Latest Rx MKPDU       : 2021 May 18 13:23:29.847

RP/0/RP0/CPU0:router#

The Status field in the output verifies if the MKA session is secured with MACsec encryption. The output also displays information about the interface and other MACsec parameters.

Step 5

Verify the MACsec session counter statistics.

Example:



RP/0/RP0/CPU0:router# show macsec mka statistics interface Fo0/0/0/1/0 


MKA Statistics for Session on interface (Fo0/0/0/1/0)
=======================================================
Reauthentication Attempts.. 0

CA Statistics
Pairwise CAKs Derived... 0
Pairwise CAK Rekeys..... 0
Group CAKs Generated.... 0
Group CAKs Received..... 0

SA Statistics
SAKs Generated.......... 3
SAKs Rekeyed............ 2
SAKs Received........... 0
SAK Responses Received.. 3

MKPDU Statistics
MKPDUs Transmitted...... 5425
"Distributed SAK".. 8
"Distributed CAK".. 0
MKPDUs Validated & Rx... 4932
"Distributed SAK".. 0
"Distributed CAK".. 0

MKA IDB Statistics
MKPDUs Tx Success.......... 5425
MKPDUs Tx Fail............. 0
MKPDUS Tx Pkt build fail... 0
MKPDUs Rx CA Not found..... 0
MKPDUs Rx Error............ 0
MKPDUs Rx Success.......... 4932

MKPDU Failures
   MKPDU Rx Validation (ICV).............. 0
   MKPDU Rx Bad Peer MN................... 0
   MKPDU Rx Non-recent Peerlist MN........ 0
   MKPDU Rx Drop SAKUSE, KN mismatch...... 0
   MKPDU Rx Drop SAKUSE, Rx Not Set....... 0
   MKPDU Rx Drop SAKUSE, Key MI mismatch.. 0
   MKPDU Rx Drop SAKUSE, AN Not in Use.... 0
   MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set. 0

SAK Failures
   SAK Generation................... 0
   Hash Key Generation.............. 0
   SAK Encryption/Wrap.............. 0
   SAK Decryption/Unwrap............ 0

The counters display the MACsec PDUs transmitted, validated, and received. The output also displays transmission errors, if any.


This completes the verification of MACsec encryption on the IOS-XR.

Verifying MACsec Encryption on NCS 5500

MACsec encryption on the router hardware can be verified by running relevant commands in the Privileged Executive Mode.

To verify if MACsec encryption has been correctly configured, follow these steps.

SUMMARY STEPS

  1. Verify the MACsec encryption and hardware interface descriptor block (IDB) information on the interface.
  2. Use the IDB handle retrieved from Step 1 to verify the platform hardware information.
  3. Use the Transmitter SA retrieved from Step 2 to verify the MACsec SA information programmed in the hardware.
  4. Verify the MACsec Secure Channel (SC) information programmed in the hardware.

DETAILED STEPS


Step 1

Verify the MACsec encryption and hardware interface descriptor block (IDB) information on the interface.

Example:


RP/0/RP0/CPU0:router# show macsec ea idb interface Fo0/0/0/1/0


IDB Details:
if_sname : Fo0/0/0/1/0
if_handle : 0x3480
Replay window size : 64
Local MAC : 00:1d:e5:e9:aa:39
Rx SC Option(s) : Validate-Frames Replay-Protect
Tx SC Option(s) : Protect-Frames Always-Include-SCI
Security Policy : MUST SECURE
Sectag offset : 8
Rx SC 1
Rx SCI : 001de5e9b1bf0019
Peer MAC : 00:1d:e5:e9:b1:bf
Stale : NO
SAK Data
SAK[0] : ***
SAK Len : 32
HashKey[0] : ***
HashKey Len : 16
Conf offset : 30
Cipher Suite : GCM-AES-XPN-256
CtxSalt[0] : 83 c3 7b ad 7b 6f 63 16 09 8f f3 d2
Rx SA Program Req[0]: 2015 Oct 09 15:20:53.082
Rx SA Program Rsp[0]: 2015 Oct 09 15:20:53.092

Tx SC
Tx SCI : 001de5e9aa39001a
Active AN : 0
Old AN : 255
Next PN : 1, 0, 0, 0
SAK Data
SAK[0] : ***
SAK Len : 32
HashKey[0] : ***
HashKey Len : 16
Conf offset : 30
Cipher Suite : GCM-AES-XPN-256
CtxSalt[0] : 83 c3 7b ae 7b 6f 63 16 09 8f f3 d2
Tx SA Program Req[0]: 2015 Oct 09 15:20:55.053
Tx SA Program Rsp[0]: 2015 Oct 09 15:20:55.064

The if_handle field provides the IDB instance location.

The Replay window size field displays the configured window size.

The Security Policy field displays the configured security policy.

The Local Mac field displays the MAC address of the router.

The Peer Mac field displays the MAC address of the peer. This confirms that a peer relationship has been formed between the two routers.

Step 2

Use the IDB handle retrieved from Step 1 to verify the platform hardware information.

Example:



RP/0/RP0/CPU0:router# show macsec platform hardware 
idb location 0/0/CPU0 | b 3480

if_handle : 0x00003480
NPPort : 099 [0x063]
LdaPort : 016 [0x010] SerdesPort : 000 [0x000]
NetSoftPort : 061 [0x03d] SysSoftPort : 062 [0x03e]
Active AN : 0x00000000 Idle AN : 0x000000ff
Match-All Tx SA : 0x80010001 Match-All Rx SA : 0x00010001
Match-All Tx Flow : 0x80000003 Match-All Rx Flow : 0x00000003
Bypass Tx SA : 0x80000000 Bypass Rx SA : 0x00000000
Tx SA[0] : 0x80020002 Tx Flow[0] : 0x8000000c
Tx SA[1] : 0xffffffff Tx Flow[1] : 0xffffffff
Tx SA[2] : 0xffffffff Tx Flow[2] : 0xffffffff
Tx SA[3] : 0xffffffff Tx Flow[3] : 0xffffffff
Rx SA[0] : 0x00020002 Rx Flow[0] : 0x0000000c
Rx SA[1] : 0xffffffff Rx Flow[1] : 0xffffffff
Rx SA[2] : 0xffffffff Rx Flow[2] : 0xffffffff
Rx SA[3] : 0xffffffff Rx Flow[3] : 0xffffffff

Step 3

Use the Transmitter SA retrieved from Step 2 to verify the MACsec SA information programmed in the hardware.

Example:



RP/0/RP0/CPU0:router# show macsec platform hardware sa 
0x80020002 interface Fo0/0/0/1/0 location 0/0/CPU0

MACsec HW SA Details:
Action Type : 0x00000003
Direction : Egress
Dest Port : 0x00000000
Conf Offset : 00000030
Drop Type : 0x00000002
Drop NonResvd : 0x00000000
SA In Use : YES
ConfProtect : YES
IncludeSCI : YES
ProtectFrame : YES
UseEs : NO
UseSCB : NO
SCI : 00 1d e5 e9 aa 39 00 05
Replay Window : 64 MacsecCryptoAlgo : 7
Direction : Egress AN : 0
AES Key Len : 256 X-Packet Number : 0x0000000000000000
CtxSalt : f8d88dc3e1c5e6a94ca2299

The output displays the details of the encryption, such as the AES key, the Auth key, and other parameters.

Step 4

Verify the MACsec Secure Channel (SC) information programmed in the hardware.

Example:



RP/0/RP0/CPU0:router# show macsec platform hardware msc 
interface Fo0/0/0/1/0 location 0/0/CPU0


MACsec HW Cfg Details:
Mode : 0x5
Counter Clear on Read : 0x0
SA Fail Mask : 0xffff
Global SecFail Mask : 0xffffffff
Latency : 0xff
StaticBypass : 0x0
Should secure : 0x0
Global Frame Validation : 0x2
Ctrl Pkt CC Bypass : 0x1
NonCtrl Pkt CC Bypass : 0x1
Sequence Number Threshold : 0xbfffffb8
Sequence Number Threshold 64bit : 0x000002fffffffffd
Non Matching Non Control Pkts Programming
      Untagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2
      Tagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2
      BadTagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2
      KayTagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2
Non Matching Control Pkts Programming
      Untagged : Bypass: 0x1 DestPort : 0x2, DropType : 0xffffffff
      Tagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2
      BadTagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2
      KayTagged : Bypass: 0x0 DestPort : 0x2, DropType : 0x2

This completes the verification of MACsec encryption on the router hardware.

This completes the configuration and verification of MACsec encryption.

MACsec SecY Statistics

The following methods are used to query MACsec SecY statistics such as, encryption, decryption, and the hardware statistics.

  • CLI

  • SNMP MIB

Querying SNMP Statistics Using CLI

The following example shows how to query SNMP statistics using a CLI. Use the show macsec secy statistics interface interface name command to display the MACsec SecY statistics details.

Router# show macsec secy statistics interface GigabitEthernet 0/1/0/0 SC
Interface Statistics
    InPktsUntagged     :  0
    InPktsNoTag        :  1
    InPktsBadTag       :  2
    InPktsUnknownSCI   :  3
    InPktsNoSCI        :  4
    InPktsOverrun      :  5
    InOctetsValidated  :  6
    InOctetsDecrypted  :  7
    OutPktsUntagged    :  8
    OutPktsTooLong     :  9
    OutOctetsProtected :  10
    OutOctetsEncrypted :  11
SC Statistics
  TxSC Statistics
    OutPktsProtected   : 12
    OutPktsEncrypted   : 13
    OutOctetsProtected : 14
    OutOctetsEncrypted : 15
    OutPktsTooLong     : 16
    TxSA Statistics
      TxSA 0: 
        OutPktsProtected : 17
        OutPktsEncrypted : 18
        NextPN           : 19
      TxSA 1: 
        OutPktsProtected : 20
        OutPktsEncrypted : 21
        NextPN           : 22
      TxSA 2: 
        OutPktsProtected : 23
        OutPktsEncrypted : 24
        NextPN           : 25
      TxSA 3: 
        OutPktsProtected : 26
        OutPktsEncrypted : 27
        NextPN           : 28
    RxSC Statistics
     RxSC 1: 0
      InPktsUnchecked     : 29
      InPktsDelayed       : 30
      InPktsLate          : 31
      InPktsOK            : 32
      InPktsInvalid       : 33
      InPktsNotValid      : 34
      InPktsNotUsingSA    : 35
      InPktsUnusedSA      : 36
      InPktsUntaggedHit   : 37
      InOctetsValidated   : 38
      InOctetsDecrypted   : 39
    RxSA Statistics
      RxSA 0: 
        InPktsUnusedSA      : 44
        InPktsNotUsingSA    : 43
        InPktsNotValid      : 42
        InPktsInvalid       : 41
        InPktsOK            : 40
        NextPN              : 45
      RxSA 1: 
        InPktsUnusedSA      : 50
        InPktsNotUsingSA    : 49
        InPktsNotValid      : 48
        InPktsInvalid       : 47
        InPktsOK            : 46
        NextPN              : 51
      RxSA 2: 
        InPktsUnusedSA      : 56
        InPktsNotUsingSA    : 55
        InPktsNotValid      : 54
        InPktsInvalid       : 53
        InPktsOK            : 52
        NextPN              : 57
      RxSA 3: 
        InPktsUnusedSA      : 62
        InPktsNotUsingSA    : 61
        InPktsNotValid      : 60
        InPktsInvalid       : 59
        InPktsOK            : 58
        NextPN              : 63

Note

Ideally, while displaying the MACsec SecY statistics, the hardware does not account the MKPDUs (MACsec control plane packets) in the InPktsNoTag counter. Whereas, for NC55-MPA-12T-S MPA, the MKPDU packets are considered as untagged packets, and are accounted in the InPktsNoTag counter. Hence, unlike for other PIDs, the InPktsNoTag counter increments for incoming MKPDUs in addition to untagged packets, for both Should-Secure and Must-Secure policy modes.


MACsec SNMP MIB (IEEE8021-SECY-MIB)

The IEEE8021-SECY-MIB provides Simple Network Management Protocol (SNMP) access to the MAC security entity (SecY) MIB running with IOS XR MACsec-enabled line cards. The IEEE8021-SECY-MIB is used to query on the SecY data, encryption, decryption, and the hardware statistics. The SecY MIB data is queried only on the Controlled Port.

The object ID of the IEEE8021-SECY-MIB is 1.0.8802.1.1.3. The IEEE8021-SECY-MIB contains the following tables that specifies the detailed attributes of the MACsec Controlled Port interface index.

Table 3. IEEE8021-SECY-MIB Table

Tables

OID

secyIfTable

1.0.8802.1.1.3.1.1.1

secyTxSCTable

1.0.8802.1.1.3.1.1.2

secyTxSATable

1.0.8802.1.1.3.1.1.3

secyRxSCTable

1.0.8802.1.1.3.1.1.4

secyRxSATable

1.0.8802.1.1.3.1.1.5

secyCipherSuiteTable

1.0.8802.1.1.3.1.1.6

secyTxSAStatsTable

1.0.8802.1.1.3.1.2.1

secyTxSCStatsTable

1.0.8802.1.1.3.1.2.2

secyRxSAStatsTable

1.0.8802.1.1.3.1.2.3

secyRxSCStatsTable

1.0.8802.1.1.3.1.2.4

secyStatsTable

1.0.8802.1.1.3.1.2.5

For more information, see the SecY IEEE MIB at the following URL:

http://www.ieee802.org/1/files/public/MIBs/IEEE8021-SECY-MIB-200601100000Z.txt

secyIfTable

The following table represents the system level information for each interface supported by the MAC security entity. The index tuple for this table is secyIfInterfaceIndex.

Table 4. secyIfTable

Object

Object identifier

secyIfInterfaceIndex

1.0.8802.1.1.3.1.1.1.1.1

secyIfMaxPeerSCs

1.0.8802.1.1.3.1.1.1.1.2

secyIfRxMaxKeys

1.0.8802.1.1.3.1.1.1.1.3

secyIfTxMaxKeys

1.0.8802.1.1.3.1.1.1.1.4

secyIfProtectFramesEnable

1.0.8802.1.1.3.1.1.1.1.5

secyIfValidateFrames

1.0.8802.1.1.3.1.1.1.1.6

secyIfReplayProtectEnable

1.0.8802.1.1.3.1.1.1.1.7

secyIfReplayProtectWindow

1.0.8802.1.1.3.1.1.1.1.8

secyIfCurrentCipherSuite

1.0.8802.1.1.3.1.1.1.1.9

secyIfAdminPt2PtMAC

1.0.8802.1.1.3.1.1.1.1.10

secyIfOperPt2PtMAC

1.0.8802.1.1.3.1.1.1.1.11

secyIfIncludeSCIEnable

1.0.8802.1.1.3.1.1.1.1.12

secyIfUseESEnable

1.0.8802.1.1.3.1.1.1.1.13

secyIfUseSCBEnable

1.0.8802.1.1.3.1.1.1.1.14

secyTxSCTable

The following table provides information about the status of each transmitting SC supported by the MAC security entity. The index tuple for this table is secyIfInterfaceIndex.

Table 5. secyTxSCTable

Object

Object identifier

secyTxSCI

1.0.8802.1.1.3.1.1.2.1.1

secyTxSCState

1.0.8802.1.1.3.1.1.2.1.2

secyTxSCEncodingSA

1.0.8802.1.1.3.1.1.2.1.3

secyTxSCEncipheringSA

1.0.8802.1.1.3.1.1.2.1.4

secyTxSCCreatedTime

1.0.8802.1.1.3.1.1.2.1.5

secyTxSCStartedTime

1.0.8802.1.1.3.1.1.2.1.6

secyTxSCStoppedTime

1.0.8802.1.1.3.1.1.2.1.7

secyTxSATable

The following table provides information about the status of each transmitting SA supported by the MAC security entity. The index tuple for this table is: {secyIfInterfaceIndex, secyTxSA}.

Table 6. secyTxSATable

Object

Object identifier

secyTxSA

1.0.8802.1.1.3.1.1.3.1.1

secyTxSAState

1.0.8802.1.1.3.1.1.3.1.2

secyTxSANextPN

1.0.8802.1.1.3.1.1.3.1.3

secyTxSAConfidentiality

1.0.8802.1.1.3.1.1.3.1.4

secyTxSASAKUnchanged

1.0.8802.1.1.3.1.1.3.1.5

secyTxSACreatedTime

1.0.8802.1.1.3.1.1.3.1.6

secyTxSAStartedTime

1.0.8802.1.1.3.1.1.3.1.7

secyTxSAStoppedTime

1.0.8802.1.1.3.1.1.3.1.8

secyRxSCTable

The following table provides information about the status of each receiving SC supported by the MAC security entity. The index tuple for this table is: {secyIfInterfaceIndex, secyRxSCI}.

Table 7. secyRxSCTable

Object

Object identifier

secyRxSCI

1.0.8802.1.1.3.1.1.4.1.1

secyRxSCState

1.0.8802.1.1.3.1.1.4.1.2

secyRxSCCurrentSA

1.0.8802.1.1.3.1.1.4.1.3

secyRxSCCreatedTime

1.0.8802.1.1.3.1.1.4.1.4

secyRxSCStartedTime

1.0.8802.1.1.3.1.1.4.1.5

secyRxSCStoppedTime

1.0.8802.1.1.3.1.1.4.1.6

secyRxSATable

The following table provides information about the status of each receiving SA supported by the MAC security entity. The index tuple for this table is: {secyIfInterfaceIndex, secyRxSCI, secyRxSA}.

Table 8. secyRxSATable

Object

Object identifier

secyRxSA

1.0.8802.1.1.3.1.1.5.1.1

secyRxSAState

1.0.8802.1.1.3.1.1.5.1.2

secyRxSANextPN

1.0.8802.1.1.3.1.1.5.1.3

secyRxSASAKUnchanged

1.0.8802.1.1.3.1.1.5.1.4

secyRxSACreatedTime

1.0.8802.1.1.3.1.1.5.1.5

secyRxSAStartedTime

1.0.8802.1.1.3.1.1.5.1.6

secyRxSAStoppedTime

1.0.8802.1.1.3.1.1.5.1.7

secyCipherSuiteTable

The following table is a list of selectable cipher suites for the MAC security entity. The index tuple for this table is: {secyCipherSuiteIndex}.

Table 9. secyCipherSuiteTable

Object

Object identifier

secyCipherSuiteIndex

1.0.8802.1.1.3.1.1.6.1.1

secyCipherSuiteId

1.0.8802.1.1.3.1.1.6.1.2

secyCipherSuiteName

1.0.8802.1.1.3.1.1.6.1.3

secyCipherSuiteCapability

1.0.8802.1.1.3.1.1.6.1.4

secyCipherSuiteProtection

1.0.8802.1.1.3.1.1.6.1.5

secyCipherSuiteProtectionOffset

1.0.8802.1.1.3.1.1.6.1.6

secyCipherSuiteDataLengthChange

1.0.8802.1.1.3.1.1.6.1.7

secyCipherSuiteICVLength

1.0.8802.1.1.3.1.1.6.1.8

secyCipherSuiteRowStatus

1.0.8802.1.1.3.1.1.6.1.9

secyTxSAStatsTable

The following table that contains the statistics objects for each transmitting SA in the MAC security entity.

Table 10. secyTxSAStatsTable

Object

Object identifier

secyTxSAStatsProtectedPkts

1.0.8802.1.1.3.1.2.1.1.1

secyTxSAStatsEncryptedPkts

1.0.8802.1.1.3.1.2.1.1.2

secyTxSCStatsProtectedPkts

1.0.8802.1.1.3.1.2.2.1.1

secyTxSCStatsEncryptedPkts

1.0.8802.1.1.3.1.2.2.1.4

secyTxSCStatsOctetsProtected

1.0.8802.1.1.3.1.2.2.1.10

secyTxSCStatsOctetsEncrypted

1.0.8802.1.1.3.1.2.2.1.11

secyTxSCStatsTable

The following table that contains the statistics objects for each transmitting SC in the MAC security entity.

Table 11. secyTxSCStatsTable

Object

Object identifier

secyTxSCStatsProtectedPkts

1.0.8802.1.1.3.1.2.2.1.1

secyTxSCStatsEncryptedPkts

1.0.8802.1.1.3.1.2.2.1.4

secyTxSCStatsOctetsProtected

1.0.8802.1.1.3.1.2.2.1.10

secyTxSCStatsOctetsEncrypted

1.0.8802.1.1.3.1.2.2.1.11

secyRxSAStatsTable

The following table that contains the statistics objects for each receiving SA in the MAC security entity.

Table 12. secyRxSAStatsTable

Object

Object identifier

secyRxSAStatsUnusedSAPkts

1.0.8802.1.1.3.1.2.3.1.1

secyRxSAStatsNoUsingSAPkts

1.0.8802.1.1.3.1.2.3.1.4

secyRxSAStatsNotValidPkts

1.0.8802.1.1.3.1.2.3.1.13

secyRxSAStatsInvalidPkts

1.0.8802.1.1.3.1.2.3.1.16

secyRxSAStatsOKPkts

1.0.8802.1.1.3.1.2.3.1.25

secyRxSCStatsTable

The following table that contains the statistics objects for each receiving SC in the MAC security entity.

Table 13. secyRxSCStatsTable

Object

Object identifier

secyRxSCStatsUnusedSAPkts

1.0.8802.1.1.3.1.2.4.1.1

secyRxSCStatsNoUsingSAPkts

1.0.8802.1.1.3.1.2.4.1.2

secyRxSCStatsLatePkts

1.0.8802.1.1.3.1.2.4.1.3

secyRxSCStatsNotValidPkts

1.0.8802.1.1.3.1.2.4.1.4

secyRxSCStatsInvalidPkts

1.0.8802.1.1.3.1.2.4.1.5

secyRxSCStatsDelayedPkts

1.0.8802.1.1.3.1.2.4.1.6

secyRxSCStatsUncheckedPkts

1.0.8802.1.1.3.1.2.4.1.7

secyRxSCStatsOKPkts

1.0.8802.1.1.3.1.2.4.1.8

secyRxSCStatsOctetsValidated

1.0.8802.1.1.3.1.2.4.1.9

secyRxSCStatsOctetsDecrypted

1.0.8802.1.1.3.1.2.4.1.10

secyStatsTable

The following table lists the objects for the statistics information of each Secy supported by the MAC security entity.

Table 14. secyStatsTable

Object

Object identifier

secyStatsTxUntaggedPkts

1.0.8802.1.1.3.1.2.5.1.1

secyStatsTxTooLongPkts

1.0.8802.1.1.3.1.2.5.1.2

secyStatsRxUntaggedPkts

1.0.8802.1.1.3.1.2.5.1.3

secyStatsRxNoTagPkts

1.0.8802.1.1.3.1.2.5.1.4

secyStatsRxBadTagPkts

1.0.8802.1.1.3.1.2.5.1.5

secyStatsRxUnknownSCIPkts

1.0.8802.1.1.3.1.2.5.1.6

secyStatsRxNoSCIPkts

1.0.8802.1.1.3.1.2.5.1.7

secyStatsRxOverrunPkts

1.0.8802.1.1.3.1.2.5.1.8

Obtaining the MACsec Controlled Port Interface Index

The ifindex of the controlled port can be obtained using the following commands:

  • snmpwalk command on IfMib[OID: 1.3.6.1.2.1.31.1.1.1]

    rtr1.0/1/CPU0/ $ snmpwalk -v2c -c public 10.0.0.1  1.3.6.1.2.1.31.1.1.1.1
    SNMPv2-SMI::mib-2.31.1.1.1.1.3 = STRING: "GigabitEthernet0/1/0/0"
    SNMPv2-SMI::mib-2.31.1.1.1.1.18 = STRING: "MACSecControlled0/1/0/0"
    SNMPv2-SMI::mib-2.31.1.1.1.1.19 = STRING: "MACSecUncontrolled0/1/0/0"
    
  • show snmp interface command

    Router#show  snmp interface 
    ifName : GigabitEthernet0/1/0/0  ifIndex : 3
    ifName : MACSecControlled0/1/0/0  ifIndex : 18
    ifName : MACSecUncontrolled0/1/0/0  ifIndex : 19
    

SNMP Query Examples

In the following examples, it is assumed that the configured SNMP community is public, and the management IP of the box is 10.0.0.1.

To perform SNMP walk on the entire SECY MIB for the router, use the following command:

snmpwalk -v2c -c public 10.0.0.1 1.0.8802.1.1.3

To query on the secyTxSCTable to get the TxSCI for interface Gi0/1/0/0, using the ifindex of MACsecControlled0/1/0/0 that is 18, use the following command:

snmpget -v2c -c public 10.0.0.1 iso.0.8802.1.1.3.1.1.2.1.1.18

Related Commands for MACsec

The following commands are available to verify the SNMP results.

Command

Description

show macsec mka session detail

Displays the details of all MACsec Key Agreement (MKA) sessions on the device.

show macsec mka interface detail

Verifies the MACsec MKA status on the interface.

show macsec ea idb interface

Verifies the MACsec encryption and hardware interface descriptor block (IDB) information on the interface.

Global MACsec Shutdown

The MACsec shutdown feature allows administrator to disable MACsec and re-enable it without modifying the existing MACsec configuration.

Enabling the macsec shutdown command, brings down all MACsec sessions on the MACsec-enabled interfaces and resets ports to non-macsec mode. The already existing MACsec configurations remain unaffected by enabling this feature.

Disabling the macsec shutdown command, brings up macsec sessions for the configured interfaces and enforces MACsec policy on the port. This feature is disabled by default.

Configure MACsec Shutdown

The following configuration enables the MACsec shutdown on a chassis:

RP/0/RP0/CPU0:router# configure terminal
RP/0/RP0/CPU0:router(config)# macsec shutdown

Warning

Configuring macsec shutdown command disables MACsec on all data ports, system wide. Execute clear command to erase cached configuration or commit command to continue.


Verify MACsec Shutdown

The show macsec mka session command displays a shutdown banner indicating that the MACsec shutdown is enabled.

RP/0/RP0/CPU0:router# show macsec mka session 
Fri Apr 13 11:56:57.409 IST

********** MACsec shutdown enabled **********
      

The show macsec mka interface detail command displays a shutdown banner and the interface-related information.

RP/0/RP0/CPU0:fretta-2#show macsec mka interface detail 
Fri Apr 13 11:57:02.685 IST
********** MACsec shutdown enabled **********

Number of interfaces on node node0_3_CPU0 : 1
----------------------------------------------------

    Interface Name           : HundredGigE0/3/0/8
    Interface Namestring     : HundredGigE0/3/0/8
    Interface short name     : Hu0/3/0/8
    Interface handle         : 0x1800170
    Interface number         : 0x1800170
    Interface MAC            : 008a.9622.a9d0
    Ethertype                : 888E
    MACsec Shutdown          : TRUE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    Interface CAPS Add       : FALSE
    RxSA CAPS Add            : FALSE
    TxSA CAPS Add            : FALSE
    MKA PSK Info               
      Key Chain Name         : kc1
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 12 34 56 
    MKA fallback_PSK Info
      fallback keychain Name : fb1
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : ff ff ff 
    Policy                   : *DEFAULT POLICY*

Syslog Messages for MACsec Shutdown

The following syslog messages are generated when MACsec shutdown is enabled.


%L2-MKA-5-MACSEC_SHUTDOWN_ENABLED : Shutdown ON, disable MACsec on all MACsec enabled ports
%L2-MKA-5-SESSION_STOP            : (Hu0/3/0/8) MKA session stopped, 
CKN                               : 123456 
%L2-MKA-4-SESSION_UNSECURED       : (Hu0/3/0/8) MKA Session was stopped and is not secured, 
CKN                               :123456 
%L2-MKA-5-MACSEC_DISABLED         : (Hu0/3/0/8), MACsec disabled (shutdown ON) 

The following syslog messages are generated when MACsec shutdown is disabled.

%L2-MKA-5-MACSEC_SHUTDOWN_DISABLED : Shutdown OFF, resume MACsec on all MACsec enabled ports
%L2-MKA-5-MACSEC_ENABLED                     : (Hu0/3/0/8), MACsec enabled with MUST_SECURE
%L2-MKA-5-SESSION_START                      : (Hu0/3/0/8) MKA session started
CKN                                          :  123456 
%L2-MKA-6-MKPDU_ICV_SUCCESS                  : (Hu0/3/0/8), ICV verification success for RxSCI(008a.9600.60b0/0001), CKN(123456)
%L2-MKA-6-FALLBACK_PSK_MKPDU_ICV_SUCCESS     : (Hu0/3/0/8), ICV verification success for RxSCI(008a.9600.60b0/0001), CKN(FFFFFF)
%L2-MKA-5-SESSION_SECURED                    : (Hu0/3/0/8) MKA session secured
 CKN                                         :  123456