MACsec
Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an Ethernet LAN.
MACsec uses the static connectivity association key (CAK) mode. You specify the connectivity association key (CAK) and the connectivity association name (CKN) for the pre-shared key in the MACsec profile and then apply the profile to a switch port.
Notes:
-
SNMP is not supported.
-
The
port-security-mode
must be set tomacsec
for each interface that you want to apply MACsec to. -
The MACsec profile must be applied at the port level.
-
For this release, FortiSwitchOS supports static CAK mode. Dynamic CAK mode and static secure association key (SAK) mode are not supported.
To use MACsec:
-
Create a MACsec profile.
-
Apply the MACsec profile to a port.
-
View the MACsec details.
-
Optional. Clear or reset the MACsec statistics.
Creating the MACsec profile
To create a MACsec profile:
config switch macsec profile
edit <MACsec_profile_name>
set cipher_suite GCM_AES_128
set confident-offset {0 | 30 | 50}
set encrypt-traffic {enable | disable}
set include-macsec-sci {enable | disable}
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority <0-255>
set replay-protect {enable | disable}
set replay-window <0-16777215>
set status {enable | disable}
config mka-psk
edit <pre-shared key name>
set crypto-algAES_128_CMAC
set mka-cak <string>
set mka-ckn <string>
set status active
next
end
config traffic-policy
edit <traffic_policy_name>
set security-policy must-secure
set status enable
next
end
next
end
Variable |
Description |
Default |
<profile_name> | Enter a name for the MACsec profile. | No default |
cipher_suite GCM_AES_128 | Only the GCM-AES-128 cipher suite is available currently for encryption. | GCM_AES_128 |
confident-offset {0 | 30 | 50} | Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted. | 0 |
encrypt-traffic {enable | disable} | Enable or disable whether MACsec traffic is encrypted. | enable |
include-macsec-sci {enable | disable} | Enable or disable whether to include the MACsec transmit secure channel identifier (SCI). | enable |
include-mka-icv-ind enable | The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included. | enable |
macsec-mode static-cak | The MACsec mode is always static connectivity association key (CAK). | static-cak |
macsec-validate strict | The MACsec validation is always strict. | strict |
mka-priority <0-255> | Enter the MACsec MKA priority. | 255 |
replay-protect {enable | disable} | Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value. |
disable |
replay-window <0-16777215> |
Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more then the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats. |
32 |
status {enable | disable} | Enable or disable this MACsec profile. | enable |
config mka-psk | Configure the MACsec MKA pre-shared key. | |
<pre-shared key name> | Enter a name for this MACsec MKA pre-shared key configuration. | No default |
crypto-alg AES_128_CMAC | Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key. | AES_128_CMAC |
mka-cak <string> |
Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32-bytes long. |
No default |
mka-ckn <string> |
Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1-byte to 64-bytes long. |
No default |
status active |
The status of the pre-shared key pair is always active. |
active |
config traffic-policy |
Configure the MACsec traffic policy. |
|
<traffic_policy_name> |
Enter a name for this MACsec traffic policy. |
No default |
security-policy must-secure |
The policy must secure traffic for MACsec. |
must-secure |
status enable |
The status of this MACsec traffic policy is always enabled. |
enable |
For example:
config switch macsec profile
edit "2"
set cipher_suite GCM_AES_128
set confident-offset 0
set encrypt-traffic enable
set include-macsec-sci enable
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority 199
config mka-psk
edit "2"
set crypto-alg AES_128_CMAC
set mka-cak "0123456789ABCDEF0123456789ABCDEE"
set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
set status active
next
end
set replay-protect disable
set replay-window 32
set status enable
config traffic-policy
edit "2"
set security-policy must-secure
set status enable
next
end
next
end
Applying the MACsec profile to a port
To apply the MACsec profile to a port:
config switch interface
edit <port_name>
config port-security
set port-security-mode macsec
set macsec-profile <MACsec_profile_name>
end
next
end
For example:
config switch interface
edit port49
set native-vlan 50
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 49
config port-security
set port-security-mode macsec
set macsec-profile "macsec_profile1"
end
next
end
Viewing the MACsec details
You can view the MACsec status and the MACsec traffic statistics for a specific port:
-
diagnose switch macsec status <port_name>
-
diagnose switch macsec statistics <port_name>
You can view the creation and deletion of secure associations:
diagnose debug kernel level 8
Clearing or resetting the MACsec statistics
You can clear all MACsec statistics on a single interface:
execute macsec clearstat interface <interface_name>
You can reset the MACsec session on a single interface:
execute macsec reset interface <interface_name>
For example:
execute macsec clearstat interface port15
execute macsec reset interface port15