Commit 43e3356

Merge pull request #115090 from osamazia/router-samples-macsec
add macsec
2 parents 0bea2b8 + 15b6121 commit 43e3356

1 file changed

+26
-6
lines changed
articles/expressroute/expressroute-config-samples-routing.md

Lines changed: 26 additions & 6 deletions
@@ -171,8 +171,8 @@ Configure your router to advertise select prefixes to Microsoft by using the fol
171171
policy-statement <Policy_Name> {
172172
term 1 {
173173
from protocol OSPF;
174-
route-filter
175-
<Prefix_to_be_advertised/Subnet_Mask> exact;
174+
route-filter;
175+
<Prefix_to_be_advertised/Subnet_Mask> exact;
176176
then {
177177
accept;
178178
}
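Review bot: the semicolon added after `route-filter` on new line 174 terminates the statement before its arguments, leaving `<Prefix_to_be_advertised/Subnet_Mask> exact;` on line 175 as a separate statement. In Junos the prefix and the match type are arguments of `route-filter`, so the sample should read `route-filter <Prefix_to_be_advertised/Subnet_Mask> exact;` as one statement, with the only terminator after `exact`. Because this policy decides which prefixes are advertised to Microsoft, a reader who pastes the two-line form gets either a commit error or a filter that does not do what the text says.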
@@ -182,7 +182,7 @@ Configure your router to advertise select prefixes to Microsoft by using the fol
182182
protocols {
183183
bgp {
184184
group <Group_Name> {
185-
export <Policy_Name>
185+
export <Policy_Name>;
186186
peer-as 12076;
187187
neighbor <IP#2_used_by_Azure>;
188188
}
@@ -201,7 +201,7 @@ You can use route maps and prefix lists to filter prefixes propagated into your
201201
policy-statement <MS_Prefixes_Inbound> {
202202
term 1 {
203203
from {
204-
prefix-list MS_Prefixes;
204+
prefix-list MS_Prefixes;
205205
}
206206
then {
207207
accept;
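Review bot: line 204 is textually identical before and after, so this is a whitespace-only change, but it still leaves `prefix-list MS_Prefixes;` as a literal name while every other user-supplied name in the sample is an angle-bracket placeholder. Suggest `prefix-list <MS_Prefixes>;` for consistency, or a sentence stating that a prefix list with exactly this name has to be defined, since nothing in the visible lines defines it.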
@@ -212,8 +212,8 @@ You can use route maps and prefix lists to filter prefixes propagated into your
212212
protocols {
213213
bgp {
214214
group <Group_Name> {
215-
export <Policy_Name>
216-
import <MS_Prefixes_Inbound>
215+
export <Policy_Name>;
216+
import <MS_Prefixes_Inbound>;
217217
peer-as 12076;
218218
neighbor <IP#2_used_by_Azure>;
219219
}
@@ -236,6 +236,26 @@ Configure BFD under the protocol BGP section only.
236236
}
237237
}
238238

239+
### Configure MACSec
240+
For MACSec configuration, Connectivity Association Key (CAK) and Connectivity Association Key Name (CKN) must match with configured values via PowerShell commands.
241+
242+
security {
243+
macsec {
244+
connectivity-association <Connectivity_Association_Name> {
245+
cipher-suite gcm-aes-xpn-128;
246+
security-mode static-cak;
247+
pre-shared-key {
248+
ckn <Connectivity_Association_Key_Name>;
249+
cak <Connectivity_Association_Key>; ## SECRET-DATA
250+
}
251+
}
252+
interfaces {
253+
<Interface_Number> {
254+
connectivity-association <Connectivity_Association_Name>;
255+
}
256+
}
257+
}
258+
}
239259

240260
## Next steps
241261
See the [ExpressRoute FAQ](expressroute-faqs.md) for more details.
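Review bot: the sentence on new line 240 names only the CAK and CKN as values that must match the Azure side, while line 245 hard-codes `cipher-suite gcm-aes-xpn-128;`, and both ends also have to agree on the cipher suite. Suggest either a placeholder in place of the fixed value or a sentence saying the cipher suite must match what was configured on the port, and naming or linking the PowerShell commands the sentence refers to. The `## SECRET-DATA` marker on line 249 is an annotation the router prints when it displays configuration, not something an operator types, so it should be dropped from the sample or explained. The wording "must match with configured values via PowerShell commands" would read more clearly as "must match the values configured via PowerShell".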