How To Clear Config On Cisco Switch Port

Configure MACsec encryption only on the WAN ISL ports that run between the sites, and only after the correct RCF file has been applied to the switch.

Licensing requirements for MACsec

MACsec requires a security license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply for licenses, see the Cisco NX-OS Licensing Guide.

Enabling Cisco MACsec Encryption on WAN ISLs in MetroCluster IP configurations

You can enable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Enable MACsec and MKA on the device: feature macsec

    IP_switch_A_1(config)# feature macsec
  3. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Disabling Cisco MACsec Encryption on WAN ISLs in MetroCluster IP configurations

You might need to disable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Disable MACsec on the device: macsec shutdown

    IP_switch_A_1(config)# macsec shutdown
    Note The no form of the command (no macsec shutdown) re-enables the MACsec feature.
  3. Select the interface that you already configured with MACsec.

    You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port.

    IP_switch_A_1(config)# interface ethernet 1/15
    IP_switch_A_1(config-if)#
  4. Remove the keychain, policy and fallback-keychain configured on the interface to remove the MACsec configuration: no macsec keychain keychain-name policy policy-name fallback-keychain keychain-name

    IP_switch_A_1(config-if)# no macsec keychain kc2 policy abc fallback-keychain fb_kc2
  5. Repeat steps 3 and 4 on all interfaces where MACsec is configured.

  6. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Configuring a MACsec key chain and keys

You can create a MACsec key chain and the pre-shared keys it holds.

Key Lifetime and Hitless Key Rollover

A MACsec keychain can have multiple pre-shared keys (PSKs), each configured with a key ID and an optional lifetime. A key lifetime specifies the time at which the key activates and the time at which it expires. In the absence of a lifetime configuration, the default lifetime is unlimited. When a lifetime is configured, MKA rolls over to the next configured pre-shared key in the keychain after the lifetime expires. The time zone of the key can be local or UTC; the default time zone is UTC. A key can roll over to a second key within the same keychain if you configure the second key (in the keychain) and configure a lifetime for the first key. When the lifetime of the first key expires, MKA automatically rolls over to the next key in the list. If the same key is configured on both sides of the link at the same time, the key rollover is hitless (that is, the key rolls over without traffic interruption). Because lifetimes are absolute times, both switches must keep accurate time (for example, via NTP) so that the rollover happens simultaneously on both ends of the ISL.

Fallback Key

A MACsec session can fail due to a key/key name (CKN) mismatch or a finite key duration between the switch and a peer. If a MACsec session does fail, a fallback session can take over if a fallback key is configured. A fallback session prevents downtime due to primary session failure and allows a user time to fix the key issue causing the failure. A fallback key also provides a backup session if the primary session fails to start. This feature is optional.

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. To hide the encrypted key octet string, replace the string with a wildcard character in the output of the show running-config and show startup-config commands:

    IP_switch_A_1(config)# key-chain macsec-psk no-show

    NOTE:

    The octet string is also hidden when you save the configuration to a file.

    By default, PSK keys are displayed in encrypted format and can easily be decrypted. This command applies only to MACsec key chains.

  3. Create a MACsec key chain to hold a set of MACsec keys and enter MACsec key chain configuration mode: key chain name macsec

    IP_switch_A_1(config)# key chain 1 macsec
    IP_switch_A_1(config-macseckeychain)#
  4. Create a MACsec key and enter MACsec key configuration mode: key key-id

    The key ID is a hexadecimal string of 1 to 32 octets (up to 64 hex characters).

    IP_switch_A_1(config-macseckeychain)# key 1000
    IP_switch_A_1(config-macseckeychain-macseckey)#
  5. Configure the octet string for the key: key-octet-string octet-string cryptographic-algorithm {AES_128_CMAC | AES_256_CMAC}

    The octet string is 32 hexadecimal characters for AES_128_CMAC and 64 for AES_256_CMAC. Use a randomly generated value; the repeating string in the example below is a placeholder only.

    IP_switch_A_1(config-macseckeychain-macseckey)# key-octet-string abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 cryptographic-algorithm AES_256_CMAC
    Note The octet-string argument can contain up to 64 hexadecimal characters. The octet key is encoded internally, so the key in clear text does not appear in the output of the show running-config macsec command.
  6. Configure a send lifetime for the key: send-lifetime start-time duration seconds

    IP_switch_A_1(config-macseckeychain-macseckey)# send-lifetime 00:00:00 Oct 04 2020 duration 100000

    By default, the device treats the start time as UTC. The start-time argument is the time of day and date that the key becomes active. The duration argument is the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).

  7. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config
  8. Display the key chain configuration: show key chain name

    IP_switch_A_1(config-macseckeychain-macseckey)# show key chain 1
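The steps above build one key by hand. The following script is an added example, not code from the NetApp page or from Cisco: it generates a CAK from the OS CSPRNG, rejects repeated-pattern placeholder strings like the one in the procedure, emits the key chain in the CLI syntax shown above, and checks that consecutive send-lifetimes leave no interval without an active key (the condition for the hitless rollover described in Key Lifetime and Hitless Key Rollover). The function names, the key-chain name kc2 and the key IDs and octet strings are illustrative assumptions.

```python
"""Generate, validate and emit an NX-OS MACsec PSK key chain.

Added example, not code from the NetApp page or from Cisco: the function
names, the key-chain name kc2 and the key IDs/octet strings below are
assumptions chosen for illustration.  The emitted CLI lines use the
syntax of the procedure above.
"""
import re
import secrets
from datetime import datetime, timedelta, timezone

# Octet-string length (hex characters) each CMAC algorithm expects.
CAK_HEX_LEN = {"AES_128_CMAC": 32, "AES_256_CMAC": 64}
MAX_DURATION = 2147483646                          # seconds, as stated on the page
CKN_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,32}")   # key ID: 1-32 octets of hex


def new_cak(algorithm: str) -> str:
    """Fresh CAK from the OS CSPRNG, sized for the algorithm."""
    return secrets.token_hex(CAK_HEX_LEN[algorithm] // 2)


def is_placeholder_key(cak: str) -> bool:
    """True if the octet string is a repeated short pattern (e.g. the
    abcdef0123456789 x 4 string in the procedure), which is not a real key.
    A string is periodic iff it occurs inside (s+s) with both ends removed."""
    return cak in (cak + cak)[1:-1]


def validate_key(key_id: str, cak: str, algorithm: str) -> None:
    if not CKN_RE.fullmatch(key_id):
        raise ValueError(f"key id {key_id!r} must be 1-32 octets of hex")
    want = CAK_HEX_LEN[algorithm]
    if len(cak) != want or not re.fullmatch(r"[0-9a-fA-F]+", cak):
        raise ValueError(f"{algorithm} needs a {want}-hex-character octet string")
    if is_placeholder_key(cak):
        raise ValueError("octet string is a repeated pattern, not a random CAK")


def fmt_start(t: datetime) -> str:
    """send-lifetime takes 'HH:MM:SS Mon DD YYYY'; the switch reads it as UTC."""
    return t.astimezone(timezone.utc).strftime("%H:%M:%S %b %d %Y")


def build_keychain(name, algorithm, keys):
    """keys: list of (key_id, cak, start_utc, duration_seconds or None)."""
    lines = [f"key chain {name} macsec"]
    for key_id, cak, start, duration in keys:
        validate_key(key_id, cak, algorithm)
        lines.append(f"  key {key_id}")
        lines.append(f"    key-octet-string {cak} cryptographic-algorithm {algorithm}")
        if duration is not None:
            if not 1 <= duration <= MAX_DURATION:
                raise ValueError(f"duration {duration} outside 1..{MAX_DURATION}")
            lines.append(f"    send-lifetime {fmt_start(start)} duration {duration}")
    return "\n".join(lines)


def rollover_gaps(keys):
    """Seconds between each key's expiry and the next key's start.

    Positive gap: an interval with no active PSK (the MKA session drops).
    Zero or negative: the next key is already valid when the previous one
    expires, so the rollover can be hitless if the peer holds the same keys.
    """
    gaps = []
    for (_, _, s1, d1), (_, _, s2, _) in zip(keys, keys[1:]):
        if d1 is None:
            raise ValueError("a key without a lifetime never expires; nothing rolls over after it")
        gaps.append((s2 - (s1 + timedelta(seconds=d1))).total_seconds())
    return gaps


# Constructed sample: key 1000 expires exactly when key 1001 (no lifetime,
# so it becomes the permanent key) starts.  100000 s after
# 00:00:00 Oct 04 2020 UTC is 03:46:40 Oct 05 2020 UTC.
SAMPLE_KEYS = [
    ("1000", "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
     datetime(2020, 10, 4, 0, 0, 0, tzinfo=timezone.utc), 100000),
    ("1001", "f0e1d2c3b4a5968778695a4b3c2d1e0f",
     datetime(2020, 10, 5, 3, 46, 40, tzinfo=timezone.utc), None),
]


def sample_keychain() -> str:
    return build_keychain("kc2", "AES_128_CMAC", SAMPLE_KEYS)


def sample_gaps():
    return rollover_gaps(SAMPLE_KEYS)


if __name__ == "__main__":
    print(sample_keychain())
    print("rollover gaps (s):", sample_gaps())
    print("fresh AES_256_CMAC CAK:", new_cak("AES_256_CMAC"))
```

Paste the printed block into configuration mode on both switches; because the lifetimes are absolute UTC times, the gap check is only meaningful if both switches are NTP-synchronised.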

Configuring a MACsec policy

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Create a MACsec policy: macsec policy name

    IP_switch_A_1(config)# macsec policy abc
    IP_switch_A_1(config-macsec-policy)#
  3. Configure one of the following ciphers, GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, or GCM-AES-XPN-256: cipher-suite name

    IP_switch_A_1(config-macsec-policy)# cipher-suite GCM-AES-256
  4. Configure the key server priority to break the tie between peers during a key exchange: key-server-priority number

    IP_switch_A_1(config-macsec-policy)# key-server-priority 0
  5. Configure the security policy to define the handling of data and control packets: security-policy {must-secure | should-secure}

    Choose a security policy from the following options:

    • must-secure — packets not carrying MACsec headers are dropped

    • should-secure — packets not carrying MACsec headers are permitted (this is the default value)

    should-secure is convenient while you bring the MKA session up, but it leaves the ISL carrying cleartext if MKA fails; must-secure drops all unencrypted frames and is the stricter end state.

    IP_switch_A_1(config-macsec-policy)# security-policy should-secure
  6. Configure the replay protection window: window-size number

    Note The window size is the maximum number of out-of-sequence frames that MACsec accepts; a frame whose packet number falls further behind than the window is discarded. The range is from 0 to 596000000, where 0 enforces strict in-order delivery.
    IP_switch_A_1(config-macsec-policy)# window-size 512
  7. Configure the time in seconds after which MKA forces an SAK rekey: sak-expiry-time time

    Use this command to make session-key rotation happen at a predictable interval. The default is 0, which disables time-based rekeying; the SAK is then replaced only when the packet number space is about to be exhausted.

    IP_switch_A_1(config-macsec-policy)# sak-expiry-time 100
  8. Configure the confidentiality offset, the point in the layer 2 frame where encryption begins: conf-offset confidentiality-offset

    Choose from the following options:

    • CONF-OFFSET-0.

    • CONF-OFFSET-30.

    • CONF-OFFSET-50.

    IP_switch_A_1(config-macsec-policy)# conf-offset CONF-OFFSET-0

    Note A non-zero offset leaves the first 30 or 50 bytes of payload after the MACsec header in cleartext (still integrity-protected) so that intermediate devices can read fields such as MPLS labels. CONF-OFFSET-0 encrypts the whole payload and should be used unless an intermediate device needs those bytes.

  9. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config
  10. Display the MACsec policy configuration: show macsec policy

    IP_switch_A_1(config-macsec-policy)# show macsec policy
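To see how the settings in this procedure interact, here is an added example (not code from the NetApp page or from Cisco) that renders a policy in the CLI syntax above and flags the weaker choices: should-secure, a non-XPN cipher suite, and a non-zero confidentiality offset. It places the policy the procedure builds (GCM-AES-256, should-secure, window 512, SAK expiry 100 s, offset 0) beside a tightened variant. The class and function names, the 100 Gb/s link-speed assumption and the lint rules are illustrative choices; the facts it relies on are that the non-XPN GCM-AES suites carry a 32-bit packet number and the XPN suites a 64-bit one, and that MKA must distribute a new SAK before the packet number wraps.

```python
"""Render an NX-OS MACsec policy and flag weak settings.

Added example, not code from the NetApp page or from Cisco.  The class and
function names, the link-speed assumption (100 Gb/s ISLs) and the lint rules
are illustrative; the CLI keywords are those of the procedure above.
"""
from dataclasses import dataclass

# Packet-number width of each cipher suite the procedure offers.
PN_BITS = {"GCM-AES-128": 32, "GCM-AES-256": 32,
           "GCM-AES-XPN-128": 64, "GCM-AES-XPN-256": 64}
MIN_FRAME_BITS = (64 + 20) * 8   # minimum Ethernet frame plus preamble/IFG


@dataclass(frozen=True)
class MacsecPolicy:
    name: str
    cipher_suite: str
    key_server_priority: int
    security_policy: str        # "must-secure" or "should-secure"
    window_size: int            # replay window, 0 .. 596000000
    sak_expiry_time: int        # seconds, 0 = no time-based rekey
    conf_offset: int            # 0, 30 or 50


def render(p: MacsecPolicy) -> str:
    """CLI lines in the order the procedure configures them."""
    return "\n".join([
        f"macsec policy {p.name}",
        f"  cipher-suite {p.cipher_suite}",
        f"  key-server-priority {p.key_server_priority}",
        f"  security-policy {p.security_policy}",
        f"  window-size {p.window_size}",
        f"  sak-expiry-time {p.sak_expiry_time}",
        f"  conf-offset CONF-OFFSET-{p.conf_offset}",
    ])


def seconds_to_pn_wrap(cipher: str, link_gbps: float) -> float:
    """Worst case (minimum-size frames at line rate) before the packet number
    space is exhausted and a new SAK must already be in place."""
    frames_per_s = link_gbps * 1e9 / MIN_FRAME_BITS
    return (2 ** PN_BITS[cipher]) / frames_per_s


def lint(p: MacsecPolicy, link_gbps: float = 100.0) -> list[str]:
    findings = []
    if p.cipher_suite not in PN_BITS:
        return [f"unknown cipher-suite {p.cipher_suite}"]
    if p.security_policy == "should-secure":
        findings.append("should-secure forwards unencrypted frames; switch to "
                        "must-secure once both ends have a working MKA session")
    if PN_BITS[p.cipher_suite] == 32:
        wrap = seconds_to_pn_wrap(p.cipher_suite, link_gbps)
        findings.append(f"{p.cipher_suite} has a 32-bit packet number: worst-case "
                        f"wrap in {wrap:.0f}s at {link_gbps:g} Gb/s; prefer an XPN suite")
    if p.conf_offset:
        findings.append(f"conf-offset {p.conf_offset} leaves the first "
                        f"{p.conf_offset} payload bytes in cleartext")
    if not 0 <= p.window_size <= 596000000:
        findings.append("window-size out of range 0..596000000")
    return findings


# The policy the procedure builds step by step (constructed from its examples).
PAGE_POLICY = MacsecPolicy("abc", "GCM-AES-256", 0, "should-secure", 512, 100, 0)
# A tightened variant for the WAN ISL once MKA is confirmed up on both sides.
HARDENED_POLICY = MacsecPolicy("abc", "GCM-AES-XPN-256", 0, "must-secure", 512, 100, 0)

if __name__ == "__main__":
    for pol in (PAGE_POLICY, HARDENED_POLICY):
        print(render(pol))
        for finding in lint(pol):
            print("  !", finding)
```

The packet-number estimate is a worst case; real ISL traffic is not all minimum-size frames, but on a 100 Gb/s link the 32-bit suites still force MKA to rekey far more often than the XPN suites, which is why the XPN variants are listed as options in step 3.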

Verifying the MACsec configuration

  1. Repeat all of the previous procedures on the second switch within the configuration to establish a MACsec session.

  2. Run the following commands to verify that both switches are successfully encrypted:

    1. Run: show macsec mka summary

    2. Run: show macsec mka session

    3. Run: show macsec mka statistics

    You can verify the MACsec configuration using the following commands:

    Command                                              Displays information about...
    show macsec mka session [interface type slot/port]   The MACsec MKA session for a specific interface or for all interfaces
    show key chain name                                  The key chain configuration
    show macsec mka summary                              The MACsec MKA configuration
    show macsec policy [policy-name]                     The configuration for a specific MACsec policy or for all MACsec policies

Configuring a MACsec fallback key on a WAN ISL port

You can configure a fallback key to initiate a backup session if the primary session fails as a result of a key/key name (CKN) mismatch or a finite key duration between the switch and peer.

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Specify the interface that you are configuring.

    You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port

    IP_switch_A_1(config)# interface ethernet 1/15
    IP_switch_A_1(config-if)#
  3. Specify the fallback key chain for use after a MACsec session failure due to a key/key ID mismatch or a key expiration: macsec keychain keychain-name policy policy-name fallback-keychain keychain-name

    Note You should configure the fallback-keychain using the steps, Configuring a MACsec key chain and keys before proceeding with this step.
    IP_switch_A_1(config-if)# macsec keychain kc2 policy abc fallback-keychain fb_kc2
  4. Repeat the previous steps to configure additional WAN ISL ports with MACsec.

  5. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Source: https://docs.netapp.com/us-en/ontap-metrocluster/install-ip/task_switch_config_cisco.html

Posted by: malavereceepland.blogspot.com
