Configuring MACsec

Although the MACsec configuration options outlined in this section are always visible, they cannot be applied unless an active license is present on the device and MACsec is enabled. MACsec licenses are required on a per-device basis. Each device in a stack requires a separate MACsec license.

These steps are required to configure MACsec security on a link or a group of connected ports.
  1. Enter the dot1x-mka level from the global configuration level, and enable MACsec for the device.
  2. Configure the MACsec Key Agreement (MKA) group.
  3. Configure required parameters for the group, including frame validation, confidentiality, replay protection, and actions to be taken when MACsec requirements are not met.
  4. Enable MKA on each participating interface.
  5. Apply the configured MKA group on the participating interface.
    Note: If an MKA group is not applied to an enabled MACsec interface, or if parameters within the applied group have not been configured, default values are applied to the interface. Configured parameters are visible in show command output; default parameters are not always visible. Refer to the Ruckus FastIron Command Reference Guide for default values for each command.
  6. Configure the Connectivity Association Key (CAK) and Connectivity Association Key Name (CKN) on each interface.
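The six steps above as one CLI session. This is an added example, not taken from the original page: the command names follow the FastIron MKA command set as I understand it and should be confirmed against the Ruckus FastIron Command Reference Guide for your release. The group name `secure-link`, port `1/3/2`, and both key values are constructed placeholders.

```text
! Added illustration; group name, port and key values are placeholders.
! Step 1: enter the dot1x-mka level and enable MACsec on the device
device(config)# dot1x-mka-enable

! Step 2: create the MKA group
device(config-dot1x-mka)# mka-cfg-group secure-link

! Step 3: set group parameters explicitly instead of relying on defaults
!   cipher-suite      -> confidentiality (encrypt as well as authenticate)
!   frame-validation  -> strict: discard frames that fail MACsec checks
!   replay-protection -> strict: reject frames received out of sequence
device(config-dot1x-mka-group-secure-link)# macsec cipher-suite gcm-aes-128
device(config-dot1x-mka-group-secure-link)# macsec frame-validation strict
device(config-dot1x-mka-group-secure-link)# macsec replay-protection strict
device(config-dot1x-mka-group-secure-link)# exit

! Step 4: enable MKA on the participating interface
device(config-dot1x-mka)# enable-mka ethernet 1/3/2

! Step 5: apply the group; without this the interface runs on default values
device(config-dot1x-mka-1/3/2)# mka-cfg-group secure-link

! Step 6: configure the CAK (pre-shared key) and CKN (key name), both in hex.
! The same pair must be configured on the peer interface.
device(config-dot1x-mka-1/3/2)# pre-shared-key 00112233445566778899aabbccddeeff key-name 0123456789abcdef0123456789abcdef
```

Repeat steps 4 through 6 on the port at the other end of the link. Generate the CAK from a cryptographically secure random source rather than reusing the placeholder shown here.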