MACsec enables wire-speed AES encryption. This wire-speed encryption comes with all Catalyst 9000 switches. MACsec is the protocol that performs bulk data encryption. MACsec requires MKA (MACsec Key Agreement). MKA is the process that is used for key generation and key exchange.
Refer to the network diagram: our Cat9300 switches are connected via GigabitEthernet1/0/1.

Network Diagram
In this example we create the necessary MKA configuration, MKA policy to enable AES-256 encryption, and enable MACsec on the switchports. Configuring MACsec PSK is fairly simple for such a powerful encryption method.
MACsec can also use certificates instead of a PSK, but we aren't going to do that today. :-)
- View the MACsec playbook using cat
- Run the playbook
- Check the MKA status on the switch
- Check the MACsec status on the switch

You will notice that this is a very long playbook with several tasks. Because all of these tasks are delivered as NETCONF RPCs, putting them into a single playbook is the most efficient approach. Each of the RPCs is described in detail below.
```shell
cat playbooks/04-config-macsec-psk.yaml
```
This task will shut down the interface. When making changes like this, the interface should be shut down first.
This task will configure the MKA Keys, which will be attached to the interface later. The MKA Keys consist of a CKN (Connectivity Key Name) and a CAK (Connectivity Association Key). The CAK is the root of all other keys, including the SAK (Security Association Key), the actual key that does bulk data encryption.
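The CKN and CAK are plain hex strings, but the CAK's length is fixed by the MKA cryptographic algorithm (256 bits for aes-256-cmac) and it must come from a real random source, since every SAK is derived from it. The following Python is an added example, not code from the lab's playbook: it generates and sanity-checks PSK material and renders the CLI equivalent of the key chain, MKA policy and interface settings that the playbook pushes via NETCONF; the key-chain and policy names are assumptions.

```python
import re
import secrets

# CAK length is fixed by the MKA cryptographic algorithm (128- or 256-bit key).
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def generate_psk(alg="aes-256-cmac", ckn_bytes=16):
    """Return (ckn, cak) as hex strings drawn from the OS CSPRNG."""
    if alg not in CAK_HEX_LEN:
        raise ValueError(f"unsupported MKA algorithm: {alg}")
    return secrets.token_hex(ckn_bytes), secrets.token_hex(CAK_HEX_LEN[alg] // 2)


def psk_errors(ckn, cak, alg="aes-256-cmac"):
    """Return a list of problems with the key material (empty list = usable)."""
    errs = []
    if alg not in CAK_HEX_LEN:
        return [f"unsupported MKA algorithm: {alg}"]
    if not HEX_RE.match(ckn) or len(ckn) % 2 or not 2 <= len(ckn) <= 64:
        errs.append("CKN must be even-length hex, 2..64 characters")
    if not HEX_RE.match(cak) or len(cak) != CAK_HEX_LEN[alg]:
        errs.append(f"CAK for {alg} must be exactly {CAK_HEX_LEN[alg]} hex characters")
    elif len(set(cak.lower())) < 4:  # crude check for 0000..., ffff... style keys
        errs.append("CAK looks low-entropy; generate it with generate_psk()")
    return errs


def render_ios_xe(ckn, cak, alg="aes-256-cmac", keychain="MKA-KEYCHAIN",
                  policy="MKA-POLICY", intf="GigabitEthernet1/0/1"):
    """Render the CLI equivalent of the key chain, MKA policy and interface config.
    Names are placeholders (assumed, not the playbook's)."""
    errs = psk_errors(ckn, cak, alg)
    if errs:
        raise ValueError("; ".join(errs))
    cipher = "gcm-aes-256" if alg == "aes-256-cmac" else "gcm-aes-128"
    return "\n".join([
        f"key chain {keychain} macsec",
        f" key {ckn}",
        f"  cryptographic-algorithm {alg}",
        f"  key-string {cak}",  # the CAK is a secret: keep it in Ansible Vault
        f"mka policy {policy}",
        f" macsec-cipher-suite {cipher}",
        f"interface {intf}",
        " macsec network-link",
        f" mka policy {policy}",
        f" mka pre-shared-key key-chain {keychain}",
    ])
```

Both peers must carry the same CKN/CAK pair, so generate it once and distribute it through the vaulted inventory rather than typing it on each switch.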
```shell
ansible-playbook -i inventories/devnet-switches.yaml playbooks/04-config-macsec-psk.yaml --ask-vault-pass
```
```
show mka session
show macsec summary
```