Configure a MACsec Cipher Suite on a Port

Note

Note

Configuring a MACsec cipher suite is optional and is not supported on all hardware platforms. For more information on the physical hardware restrictions, see your hardware documentation.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure a MACsec encryption cipher suite:

    macsec cipher-suite {gcm-aes-128 | gcm-aes-256}

    The default cipher suite is GCM-AES-128.

    Ensure that you configure the same cipher suite on both MACsec peers.

  3. Verify the configuration:

    show macsec status {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Example

Configure the 256–bit MACsec cipher suite on the port 1/3 and verify the configuration.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/3
Switch:1(config-if)#macsec cipher-suite gcm-aes-256
Switch:1#show macsec status 1/3

===================================================================================
                                   MACSEC Port Status
===================================================================================
      MACSEC Encryption Replay  Replay   Encryption Cipher CA  MKA-Profile MKA 
PortId Status Status    Protect Protect                                    Connect
                                W'dow    Offset     Suite  Name  Name      Status
-----------------------------------------------------------------------------------
1/3   enabled disabled enabled  50 ipv4Offset(30) AES-256 mkanka extreme   pending

The system displays the following error message if you attempt to configure a cipher suite on a port that is not MACsec capable.

Switch:1>enable
Switch:1(config)#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/2 
Switch:1(config-if)#macsec cipher suite gcm-aes-256 

Error: port 1/2, Port is not MACSec capable. No MACSec configurations allowed on port

The system displays the following error message if your hardware does not support the MACsec 256-bit cipher suite.

Switch:1>enable
Switch:1(config)#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 5/1   
Switch:1(config-if)#macsec cipher-suite gcm-aes-256 

Error: port 5/1, MACSec cipher-suite cannot be modified on port. Cipher-suite is by default AES-128

Variable Definitions

The following table defines parameters for the macsec cipher-suite command.

Variable

Definition

{gcm-aes-128 | gcm-aes-256}

Configures the cipher suite for encrypting traffic with MACsec.

The supported cipher suites are:

  • AES-GCM-128, with a maximum key length of 128 bits

  • AES-GCM--256, with a maximum key length of 256 bits

The default is the AES-GCM-128 cipher suite.