Configuring a MACsec Cipher Suite on a Port
Note
Configuring a MACsec cipher suite is optional and is not supported on all hardware platforms. For more information on the physical hardware restrictions, see your hardware documentation.
Procedure
Example
Configure the 256–bit MACsec cipher suite on the port 1/2 and verify the configuration.
Switch:1>enable Switch:1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#interface gigabitEthernet 1/2 Switch:1(config-if)#macsec cipher-suite gcm-aes-256
Switch:1>show macsec status 1/3 ==================================================================================================== MACSEC Port Status ==================================================================================================== MACSEC Encryption Replay Replay Encryption Cipher CA MKA-Profile PortId Status Status Protect Protect W'dow Offset Suite Name Name ---------------------------------------------------------------------------------------------------- 1/3 enabled disabled disabled -- none AES-128 SMLTCONN mkapro1
The system displays the following error message if you attempt to configure a cipher suite on a port that is not MACsec capable.
Switch:1>enable Switch:1(config)#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#interface gigabitEthernet 1/2 Switch:1(config-if)#macsec cipher suite gcm-aes-256 Error: port 1/2, Port is not MACSec capable. No MACSec configurations allowed on port
The system displays the following error message if your hardware does not support the MACsec 256-bit cipher suite.
Switch:1>enable Switch:1(config)#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#interface gigabitEthernet 5/1 Switch:1(config-if)#macsec cipher-suite gcm-aes-256 Error: port 5/1, MACSec cipher-suite cannot be modified on port. Cipher-suite is by default AES-128
Variable Definitions
The following table defines parameters for the macsec cipher-suite command.
Variable |
Definition |
---|---|
{gcm-aes-128 | gcm-aes-256} |
Configures the cipher suite for encrypting traffic with MACsec. The supported cipher suites are:
The default is the AES-GCM-128 cipher suite. |