Configure MACsec Encryption on a Port

Use the following procedure to enable or disable encryption on a MACsec capable port. The default is disabled.

About this task

If you disable encryption, MACsec forwards traffic in clear text. You can view that data that is not encrypted in the Ethernet frame that travels across the link. Even if you disable encryption the MACsec header applies to the frame and integrity checks make sure that traffic has not been tampered with.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...][slot/all][all]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure MACsec encryption on the port using one of the following commands:
    • To enable MACsec, use macsec encryption enable
    • To disable MACsec, use no macsec encryption enable

Example

Configure MACsec encryption on a port:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec encryption enable