Reset Search



How to configure the LRM/MACsec adapter on a capable EXOS switch for basic secure operation

« Go Back


TitleHow to configure the LRM/MACsec adapter on a capable EXOS switch for basic secure operation
How to configure the LRM/MACsec adapter on a capable EXOS switch for basic secure operation
  • EXOS
  • LRM/MACsec adapter
  • LRM/MACsec capable switch
First connect the LRM/MACsec adapter via both of the "host ports" using the supplied host-cables to the LRM/MACsec capable switch that has the LRM/MACsec feature pack license applied and runs 30.1 or higher.
Also connect at least one of the links on the LRM/MACsec adapter to another adapter or MACsec capable switch to which you want to enable the secure communication.

Next create the MACsec connectivity-association via the following command:
create macsec connectivity-association ca_name pre-shared-key ckn ckn cak [encrypted encrypted_cak | cak]
  • The pre-shared-key (PSK) contains the credentials used for MKA authentication and for key exchange
  • The CKN (CAK Name) is a public (non-secret) 1-32 octet key name
  • The CAK (Connectivity Association Key) is a private 128-bit key
  • The CAK is indirectly used to encrypt secrets within the MKA protocol packets (MKPDUs)
  • The customer should generate their own random or pseudo random 128-bit (32-octet) key
  • CLI will never display the original CAK, only an obfuscated version of it!   i.e., "show config macsec"
  • CKN and CAK must be identical on both sides of a connection!

Lastly enable MACsec on the port by using the following command: 
configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} cak {encrypted} cak] | ports [port_list] [enable | disable]
  • Used to enable MACsec on a port (or to optionally modify the PSK)
  • Single CA can be applied to multiple ports
  • Once enabled, all traffic will be blocked
  • After successful MKA exchange, all traffic will be encrypted
Additional notes
The following is an example of an adapter being connected to port 49 and 50 on an x450-G2, with port 1 of the adapter being connected to another LRM/MACsec adapter:
The chosen ca_name is "test", the ckn is "testing" and the cak is "0x12345678909876543212345678909876".
create macsec connectivity-association test pre-shared-key ckn testing cak 0x12345678909876543212345678909876
config macsec connectivity-association test ports 49 enable

This needs to be configured on both sides and we can see that the secure tunnel is established:

X450G2-48t-10G4.11 # show macsec
MACsec Capable with External Adapter:     49-52
  LRM/MACsec Adapter Present:             49-50
Valid MACsec License:                     49-52
MACsec Capable, Present and Licensed:     49-50
MACsec Configured:                        49
MKA Active:                               49           (Transmitting MKPDUs)
Connect Status
  Pending:                                None         (No connectivity)
  Secure:                                 49           (Secured connectivity: MKA with MACsec)




Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255