Fortinet white logo
Fortinet white logo

MACsec

MACsec

Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an Ethernet LAN.

MACsec uses the static connectivity association key (CAK) mode. You specify the connectivity association key (CAK) and the connectivity association name (CKN) for the pre-shared key in the MACsec profile and then apply the profile to a switch port.

Notes:
  • SNMP is not supported.

  • The port-security-mode must be set to macsec for each interface that you want to apply MACsec to.

  • The MACsec profile must be applied at the port level.

  • For this release, FortiSwitchOS supports static CAK mode. Dynamic CAK mode and static secure association key (SAK) mode are not supported.

To use MACsec:
  1. Create a MACsec profile.

  2. Apply the MACsec profile to a port.

  3. View the MACsec details.

  4. Optional. Clear or reset the MACsec statistics.

Creating the MACsec profile

To create a MACsec profile:

config switch macsec profile

edit <MACsec_profile_name>

set cipher_suite GCM_AES_128

set confident-offset {0 | 30 | 50}

set encrypt-traffic {enable | disable}

set include-macsec-sci {enable | disable}

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority <0-255>

set replay-protect {enable | disable}

set replay-window <0-16777215>

set status {enable | disable}

config mka-psk

edit <pre-shared key name>

set crypto-algAES_128_CMAC

set mka-cak <string>

set mka-ckn <string>

set status active

next

end

config traffic-policy

edit <traffic_policy_name>

set security-policy must-secure

set status enable

next

end

next

end

Variable

Description

Default

<profile_name> Enter a name for the MACsec profile. No default
cipher_suite GCM_AES_128 Only the GCM-AES-128 cipher suite is available currently for encryption. GCM_AES_128
confident-offset {0 | 30 | 50} Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted. 0
encrypt-traffic {enable | disable} Enable or disable whether MACsec traffic is encrypted. enable
include-macsec-sci {enable | disable} Enable or disable whether to include the MACsec transmit secure channel identifier (SCI). enable
include-mka-icv-ind enable The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included. enable
macsec-mode static-cak The MACsec mode is always static connectivity association key (CAK). static-cak
macsec-validate strict The MACsec validation is always strict. strict
mka-priority <0-255> Enter the MACsec MKA priority. 255
replay-protect {enable | disable} Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value. disable
replay-window <0-16777215>

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more then the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

32
status {enable | disable} Enable or disable this MACsec profile. enable
config mka-psk Configure the MACsec MKA pre-shared key.
<pre-shared key name> Enter a name for this MACsec MKA pre-shared key configuration. No default
crypto-alg AES_128_CMAC Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key. AES_128_CMAC
mka-cak <string>

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32-bytes long.

No default
mka-ckn <string>

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1-byte to 64-bytes long.

No default
status active

The status of the pre-shared key pair is always active.

active

config traffic-policy

Configure the MACsec traffic policy.

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

No default

security-policy must-secure

The policy must secure traffic for MACsec.

must-secure

status enable

The status of this MACsec traffic policy is always enabled.

enable

For example:

config switch macsec profile

edit "2"

set cipher_suite GCM_AES_128

set confident-offset 0

set encrypt-traffic enable

set include-macsec-sci enable

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority 199

config mka-psk

edit "2"

set crypto-alg AES_128_CMAC

set mka-cak "0123456789ABCDEF0123456789ABCDEE"

set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"

set status active

next

end

set replay-protect disable

set replay-window 32

set status enable

config traffic-policy

edit "2"

set security-policy must-secure

set status enable

next

end

next

end

Applying the MACsec profile to a port

To apply the MACsec profile to a port:

config switch interface

edit <port_name>

config port-security

set port-security-mode macsec

set macsec-profile <MACsec_profile_name>

end

next

end

For example:

config switch interface

edit port49

set native-vlan 50

set stp-state disabled

set auto-discovery-fortilink enable

set snmp-index 49

config port-security

set port-security-mode macsec

set macsec-profile "macsec_profile1"

end

next

end

Viewing the MACsec details

You can view the MACsec status and the MACsec traffic statistics for a specific port:

  • diagnose switch macsec status <port_name>

  • diagnose switch macsec statistics <port_name>

You can view the creation and deletion of secure associations:

diagnose debug kernel level 8

Clearing or resetting the MACsec statistics

You can clear all MACsec statistics on a single interface:

execute macsec clearstat interface <interface_name>

You can reset the MACsec session on a single interface:

execute macsec reset interface <interface_name>

For example:

execute macsec clearstat interface port15

execute macsec reset interface port15

MACsec

MACsec

Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an Ethernet LAN.

MACsec uses the static connectivity association key (CAK) mode. You specify the connectivity association key (CAK) and the connectivity association name (CKN) for the pre-shared key in the MACsec profile and then apply the profile to a switch port.

Notes:
  • SNMP is not supported.

  • The port-security-mode must be set to macsec for each interface that you want to apply MACsec to.

  • The MACsec profile must be applied at the port level.

  • For this release, FortiSwitchOS supports static CAK mode. Dynamic CAK mode and static secure association key (SAK) mode are not supported.

To use MACsec:
  1. Create a MACsec profile.

  2. Apply the MACsec profile to a port.

  3. View the MACsec details.

  4. Optional. Clear or reset the MACsec statistics.

Creating the MACsec profile

To create a MACsec profile:

config switch macsec profile

edit <MACsec_profile_name>

set cipher_suite GCM_AES_128

set confident-offset {0 | 30 | 50}

set encrypt-traffic {enable | disable}

set include-macsec-sci {enable | disable}

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority <0-255>

set replay-protect {enable | disable}

set replay-window <0-16777215>

set status {enable | disable}

config mka-psk

edit <pre-shared key name>

set crypto-algAES_128_CMAC

set mka-cak <string>

set mka-ckn <string>

set status active

next

end

config traffic-policy

edit <traffic_policy_name>

set security-policy must-secure

set status enable

next

end

next

end

Variable

Description

Default

<profile_name> Enter a name for the MACsec profile. No default
cipher_suite GCM_AES_128 Only the GCM-AES-128 cipher suite is available currently for encryption. GCM_AES_128
confident-offset {0 | 30 | 50} Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted. 0
encrypt-traffic {enable | disable} Enable or disable whether MACsec traffic is encrypted. enable
include-macsec-sci {enable | disable} Enable or disable whether to include the MACsec transmit secure channel identifier (SCI). enable
include-mka-icv-ind enable The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included. enable
macsec-mode static-cak The MACsec mode is always static connectivity association key (CAK). static-cak
macsec-validate strict The MACsec validation is always strict. strict
mka-priority <0-255> Enter the MACsec MKA priority. 255
replay-protect {enable | disable} Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value. disable
replay-window <0-16777215>

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more then the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

32
status {enable | disable} Enable or disable this MACsec profile. enable
config mka-psk Configure the MACsec MKA pre-shared key.
<pre-shared key name> Enter a name for this MACsec MKA pre-shared key configuration. No default
crypto-alg AES_128_CMAC Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key. AES_128_CMAC
mka-cak <string>

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32-bytes long.

No default
mka-ckn <string>

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1-byte to 64-bytes long.

No default
status active

The status of the pre-shared key pair is always active.

active

config traffic-policy

Configure the MACsec traffic policy.

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

No default

security-policy must-secure

The policy must secure traffic for MACsec.

must-secure

status enable

The status of this MACsec traffic policy is always enabled.

enable

For example:

config switch macsec profile

edit "2"

set cipher_suite GCM_AES_128

set confident-offset 0

set encrypt-traffic enable

set include-macsec-sci enable

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority 199

config mka-psk

edit "2"

set crypto-alg AES_128_CMAC

set mka-cak "0123456789ABCDEF0123456789ABCDEE"

set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"

set status active

next

end

set replay-protect disable

set replay-window 32

set status enable

config traffic-policy

edit "2"

set security-policy must-secure

set status enable

next

end

next

end

Applying the MACsec profile to a port

To apply the MACsec profile to a port:

config switch interface

edit <port_name>

config port-security

set port-security-mode macsec

set macsec-profile <MACsec_profile_name>

end

next

end

For example:

config switch interface

edit port49

set native-vlan 50

set stp-state disabled

set auto-discovery-fortilink enable

set snmp-index 49

config port-security

set port-security-mode macsec

set macsec-profile "macsec_profile1"

end

next

end

Viewing the MACsec details

You can view the MACsec status and the MACsec traffic statistics for a specific port:

  • diagnose switch macsec status <port_name>

  • diagnose switch macsec statistics <port_name>

You can view the creation and deletion of secure associations:

diagnose debug kernel level 8

Clearing or resetting the MACsec statistics

You can clear all MACsec statistics on a single interface:

execute macsec clearstat interface <interface_name>

You can reset the MACsec session on a single interface:

execute macsec reset interface <interface_name>

For example:

execute macsec clearstat interface port15

execute macsec reset interface port15