MACsec configuration in ACI Fabric
Create MACsec Fabric parameters policy
Navigate to Fabric > Fabric Policies > Policies > MACsec, right-click Parameters, and click Create MACsec Fabric Parameter Policy:
Cipher suite:
- 128 bit GCM-AES Suite
- 256 bit GCM-AES Suite
- 128 bit GCM-AES Suite with Extended Packet Numbering
- 256 bit GCM-AES Suite with Extended Packet Numbering
The default is 256 bit GCM-AES Suite with Extended Packet Numbering.
Replay window size: provides replay protection. Frames received out of order are accepted as long as they fall within the designated window; frames older than the window are dropped. The range is from 0 to 4294967295. The default window size is 64.
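As an added illustration of the replay window described above (this is not code from the original page or from Cisco's implementation), the following Python models the IEEE 802.1AE receive-side check for one secure association: out-of-order frames inside the window pass, older frames are dropped, and a window of 0 enforces strict ordering. The class and function names are my own.

```python
from dataclasses import dataclass, field

MAX_WINDOW = 4294967295  # upper bound of the replay window setting


@dataclass
class MacsecReceiver:
    """Replay check for one receive secure association, modelled on 802.1AE.

    next_pn   : packet number (PN) expected next on this association
    lowest_pn : smallest PN still accepted; anything below is a replay
    """
    window: int
    next_pn: int = 1
    lowest_pn: int = 1
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.window <= MAX_WINDOW:
            raise ValueError(f"replay window must be 0..{MAX_WINDOW}")

    def receive(self, pn: int) -> bool:
        """Return True if the frame with this PN is accepted, False if dropped."""
        if pn < 1:  # MACsec never sends PN 0
            raise ValueError("packet numbers start at 1")
        if pn < self.lowest_pn:
            self.dropped.append(pn)
            return False
        self.accepted.append(pn)
        if pn >= self.next_pn:
            # advance the window only when the frame is newer than anything seen
            self.next_pn = pn + 1
            self.lowest_pn = max(self.next_pn - self.window, 1)
        return True


def run_sequence(window: int, pns: list) -> list:
    """Feed a constructed sequence of PNs through one receiver; returns accept flags."""
    rx = MacsecReceiver(window)
    return [rx.receive(pn) for pn in pns]


if __name__ == "__main__":
    # constructed sample: window 64, a late frame (90) and a stale one (36) after PN 100
    print(run_sequence(64, [100, 90, 36, 37, 101]))
```

Because the receiver tracks only a lowest acceptable PN rather than every PN seen, a duplicate that still lies inside the window is accepted; that is the trade-off when the window is raised above 0.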
Security Policy:
The MACsec security policy options:
- Must Secure Mode: Allows only encrypted traffic on the link.
- Should Secure Mode: Allows both clear and encrypted traffic on the link.
Before deploying MACsec in Must Secure Mode, the keychain must be deployed on the affected interface, or the interface will go down.
Secure Association Key Expiry Time: the time (in seconds) after which the security association key expires. The value is either disabled or set in the range 60 to 2592000. A value of disabled means the security association key never expires.
Create a MACsec Keychain Policy
Create a keychain policy and configure Key name and PSK:
| Field | Description |
|---|---|
| Key Name | Used by MKA to determine which PSK was used for encrypting a received packet (up to 64 hexadecimal characters). The name must match the peer port definition. |
| Pre-Shared Key | Generates the key used for encrypting and decrypting the data packets (up to 64 hexadecimal characters). The key must match the peer port definition. |
| Start Time | Determines when the key entry becomes valid. |
| End Time | Determines when the key entry is no longer valid. |
Create MACsec Fabric Interface Policy
Specify the previously created MACsec parameters and keychain policies:
Apply the MACsec Interface policy under Fabric interface policy group: