In my previous blog, I focused on validating MACsec hardware implementations. In this one, I will focus on validation of the MACsec control plane: the MACsec Key Agreement (MKA) protocol. Unlike most other control-plane and data-plane operations, which run autonomously after the initial installation, MKA interacts directly with the hardware at regular intervals (every 2 seconds with the default hello timer).

2. Master Session Key (802.1X/EAP): dynamic CAK mode.

MACsec policy configuration (Cisco Nexus 7000, NX-OS):

switch(config-macsec-policy)# cipher-suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}
switch(config-macsec-policy)# key-server-priority value
switch(config-macsec-policy)# security-policy {must-secure | should-secure}
switch(config-macsec-policy)# conf-offset {CONF-OFFSET-0 | CONF-OFFSET-30 | CONF-OFFSET-50}

Cisco Nexus 7000 switches do not support the should-secure mode for the MKA security policy; the default mode is must-secure. Cisco NX-OS Release 8.2(3) supports the security-policy command.

MACsec keychain configuration:

switch(config-macseckeychain-macseckey)# key-octet-string string cryptographic-algorithm AES-128-CMAC

Applying MACsec to an interface:

switch(config-if)# macsec keychain keychain-name policy policy-name

The MKA configuration consists of the following steps: define the MACsec keychain, define the MACsec policy, and apply both to the interface. Before MKA is configured on an interface, the MACsec keychain and MACsec policy must be defined. If no keychain exists when the interface is configured, an empty keychain is created. If no policy exists when the interface is configured, the default policy, system-default-macsec-policy, is used.

Verification:

switch# show macsec mka session [interface ethernet slot/port] [details]
switch# show macsec mka capability interface all (shows MKA capability information for a configured interface)

Non-standard EAPOL Ethernet type and destination MAC:

[no] macsec non-standard eapol ethertype ethernet-type
[no] macsec non-standard eapol dmac-addr dmac-address

Starting with Cisco NX-OS Release 8.3(1), Cisco Nexus switches with WAN MACsec can change the Extensible Authentication Protocol over LAN (EAPOL) destination MAC address and use a non-standard EAPOL Ethernet type value. The EAPOL Ethernet type can be changed from the default 0x888E to an alternative value, or the EAPOL destination MAC address can be changed from the standard DMAC 01:80:C2:00:00:03 to an alternative value, so that the EAPOL frames are not consumed by a provider bridge. The figure in the original shows a CE connected to several CPEs over a Virtual Private LAN Service (VPLS) network.

You can configure only a non-standard DMAC, only a non-standard Ethernet type, or a combined non-standard DMAC and Ethernet type for MACsec. If you have configured, for example, the non-standard MACsec EAPOL Ethernet type 0x8976, you cannot configure another non-standard Ethernet type such as macsec non-standard eapol ethertype 0x8972 alongside it. The same principle applies to the non-standard DMAC option. The table in the original lists the combinations supported on Cisco Nexus 7000 Series switches for EAPOL packets with DMAC and Ethernet type: Ethernet type only, DMAC only, and both.
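As an added example (not code from the blog or from Cisco), the following Python models the non-standard EAPOL ethertype/DMAC rules described above: at most one non-standard ethertype and one non-standard DMAC at a time, and classification of constructed Ethernet frames as MKA EAPOL or not under a given configuration. The EAPOL packet type value 5 for EAPOL-MKA comes from IEEE 802.1X-2010; the frame contents and source MAC are constructed sample values.

```python
import struct

STD_ETYPE = 0x888E                       # default EAPOL Ethernet type
STD_DMAC = bytes.fromhex("0180c2000003")  # standard EAPOL destination MAC
EAPOL_TYPE_MKA = 5                       # EAPOL packet type carrying an MKPDU


class EapolConfig:
    """Switch-level EAPOL overrides: at most one non-standard ethertype and
    one non-standard DMAC may be active at a time (the NX-OS rule above)."""

    def __init__(self):
        self.etype, self.dmac = STD_ETYPE, STD_DMAC

    def set_nonstd_ethertype(self, etype):
        if self.etype != STD_ETYPE:
            raise ValueError(f"non-standard ethertype 0x{self.etype:04X} already set; remove it first")
        self.etype = etype

    def set_nonstd_dmac(self, dmac):
        if self.dmac != STD_DMAC:
            raise ValueError("non-standard DMAC already set; remove it first")
        self.dmac = bytes.fromhex(dmac.replace(":", ""))

    def mode(self):
        """Which of the supported combinations is in effect."""
        e, d = self.etype != STD_ETYPE, self.dmac != STD_DMAC
        return {(False, False): "STANDARD", (True, False): "ETYPE-ONLY",
                (False, True): "DMAC-ONLY", (True, True): "ETYPE-AND-DMAC"}[(e, d)]


def build_frame(dmac, etype, eapol_type, body=b""):
    """Constructed sample frame: Ethernet header + EAPOL header (version 3, type, length)."""
    smac = bytes.fromhex("001122334455")  # constructed source MAC
    return dmac + smac + struct.pack("!H", etype) + struct.pack("!BBH", 3, eapol_type, len(body)) + body


def classify(frame, cfg):
    """Return 'mka', 'eapol-other' or 'not-eapol' for a frame under cfg.
    A frame using the standard DMAC/ethertype is not EAPOL once an override is set."""
    if len(frame) < 18:
        return "not-eapol"
    dmac, etype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dmac != cfg.dmac or etype != cfg.etype:
        return "not-eapol"
    _ver, ptype, plen = struct.unpack("!BBH", frame[14:18])
    if len(frame) < 18 + plen:
        return "not-eapol"  # truncated EAPOL body
    return "mka" if ptype == EAPOL_TYPE_MKA else "eapol-other"
```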