Configure a MACsec Cipher Suite on a Port
Procedure
Example
Configure the 256-bit MACsec cipher suite on port 1/3 and verify the configuration.
```
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/3
Switch:1(config-if)#macsec cipher-suite gcm-aes-256
```

```
Switch:1#show macsec status 1/3
===================================================================================
MACSEC Port Status
===================================================================================
MACSEC Encryption Replay Replay Encryption Cipher CA MKA-Profile MKA
PortId Status Status Protect Protect Connect W'dow Offset Suite Name Name Status
-----------------------------------------------------------------------------------
1/3 enabled disabled enabled 50 ipv4Offset(30) AES-256 mkanka extreme pending
```
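To run the same verification across many ports, the following added example (not from the original page or the vendor) parses captured `show macsec status` output and reports ports that do not use the expected cipher suite, have encryption disabled, or still show MKA as pending. The column order is an assumption inferred from the sample row above, and the 1/4 row is constructed for illustration.

```python
import re

# Column order is an assumption inferred from the sample row on this page.
FIELDS = ("port", "macsec_status", "encryption_status", "replay_protect",
          "replay_window", "encryption_offset", "cipher_suite",
          "ca_name", "mka_profile", "mka_status")
PORT_ROW = re.compile(r"^\d+/\d+(?:/\d+)?\s")  # data rows start with slot/port

# First row is the one shown on this page; the 1/4 row is constructed.
SAMPLE = """\
Switch:1#show macsec status 1/3-1/4
1/3 enabled disabled enabled 50 ipv4Offset(30) AES-256 mkanka extreme pending
1/4 enabled enabled enabled 50 ipv4Offset(30) AES-128 mkanka extreme pending
"""

def parse_status(text):
    """Return one dict per port row of captured 'show macsec status' output."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not PORT_ROW.match(line):
            continue  # skip prompts, rulers and header lines
        values = line.split()
        if len(values) != len(FIELDS):
            # e.g. a port with an empty column; refuse to guess the mapping
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append(dict(zip(FIELDS, values)))
    return rows

def audit(rows, required_suite="AES-256"):
    """Return (port, finding) pairs for ports that miss the expected state."""
    findings = []
    for r in rows:
        if r["macsec_status"] != "enabled":
            findings.append((r["port"], "MACsec status is " + r["macsec_status"]))
            continue  # remaining fields are not meaningful without MACsec
        if r["cipher_suite"] != required_suite:
            findings.append((r["port"], "cipher suite is %s, expected %s"
                             % (r["cipher_suite"], required_suite)))
        if r["encryption_status"] != "enabled":
            findings.append((r["port"], "encryption status is " + r["encryption_status"]))
        if r["mka_status"] == "pending":
            findings.append((r["port"], "MKA status is pending"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_status(SAMPLE)):
        print(port, finding)
```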
The system displays the following error message if you attempt to configure a cipher suite on a port that is not MACsec capable.
```
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#macsec cipher-suite gcm-aes-256
Error: port 1/2, Port is not MACSec capable. No MACSec configurations allowed on port
```
The system displays the following error message if your hardware does not support the MACsec 256-bit cipher suite.
Variable Definitions
The following table defines parameters for the macsec cipher-suite command.
Variable | Definition |
---|---|
{gcm-aes-128 \| gcm-aes-256} | Configures the cipher suite for encrypting traffic with MACsec. The supported cipher suites are: The default is the AES-GCM-128 cipher suite. |