Configure a MACsec Cipher Suite on a Port
Procedure
-
Enter GigabitEthernet Interface
Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Note
If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
Example
Configure the 256–bit MACsec cipher suite on the port 1/3 and verify the configuration.
Switch:1>enable Switch:1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#interface gigabitEthernet 1/3 Switch:1(config-if)#macsec cipher-suite gcm-aes-256
Switch:1#show macsec status 1/3
===================================================================================
MACSEC Port Status
===================================================================================
MACSEC Encryption Replay Replay Encryption Cipher CA MKA-Profile MKA
PortId Status Status Protect Protect Connect
W'dow Offset Suite Name Name Status
-----------------------------------------------------------------------------------
1/3 enabled disabled enabled 50 ipv4Offset(30) AES-256 mkanka extreme pending
The system displays the following error message if you attempt to configure a cipher suite on a port that is not MACsec capable.
Switch:1>enable Switch:1(config)#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#interface gigabitEthernet 1/2 Switch:1(config-if)#macsec cipher suite gcm-aes-256 Error: port 1/2, Port is not MACSec capable. No MACSec configurations allowed on port
The system displays the following error message if your hardware does not support the MACsec 256-bit cipher suite.
Variable Definitions
The following table defines parameters for the macsec cipher-suite command.
|
Variable |
Definition |
|---|---|
|
{gcm-aes-128 | gcm-aes-256} |
Configures the cipher suite for encrypting traffic with MACsec. The supported cipher suites are:
The default is the AES-GCM-128 cipher suite. |