MAC Security (MACsec) now supports a non-default cipher suite (GCM-AES-256), as well as the default MACsec cipher suite (GCM-AES-128). These ciphers suites use 128-bit and 256-bit secure association keys (SAKs), respectively.
Note
The MACsec feature requires the installation of the MAC Security feature pack license.Platform | Ports | LRM/MACsec Adapter Required? |
---|---|---|
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
All other SFP/SFP+ ports * | Yes | |
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X590, X620, and X690 series switches | SFP/SFP+ ports * | Yes |
ExtremeSwitching X465 |
X465-24W: ports 1–24 X465-48T, X465-48P, X465-48W: ports 1–48 X465-24MU-24W: ports 25–48 VIM5-4XE: all 4 ports VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W: first 2 ports only |
No |
Note: * For Summit
X460-G2 series switches, the VIM-2X option does not support the
LRM/MACsec Adapter.
|
configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list
The following show commands now display associated 256-cipher information:
show macsec { connectivity-association {ca_name}
show macsec ports port-list configuration
show macsec ports port-list detail
The following command now supports 128-bit and 256-bit connectivity association keys (CAK). The GCM-AES-256 cipher suite requires a 256-bit CAK:
configure macsec connectivity-association ca_name [pre-shared-key {ckn ckn} cak {encrypted} cak | ports [port_list] [enable | disable]]