Configure a MACsec Cipher Suite on a Port

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure a MACsec encryption cipher suite:

    macsec cipher-suite {gcm-aes-128 | gcm-aes-256}

    The default cipher suite is GCM-AES-128.

    Ensure that you configure the same cipher suite on both MACsec peers.

  3. Verify the configuration:

    show macsec status {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Example

Configure the 256–bit MACsec cipher suite on the port 1/3 and verify the configuration.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/3
Switch:1(config-if)#macsec cipher-suite gcm-aes-256

Switch:1#show macsec status 1/3

===================================================================================
                                   MACSEC Port Status
===================================================================================
      MACSEC Encryption Replay  Replay   Encryption Cipher CA  MKA-Profile MKA 
PortId Status Status    Protect Protect                                    Connect
                                W'dow    Offset     Suite  Name  Name      Status
-----------------------------------------------------------------------------------
1/3   enabled disabled enabled  50 ipv4Offset(30) AES-256 mkanka extreme   pending

The system displays the following error message if you attempt to configure a cipher suite on a port that is not MACsec capable. 

Switch:1>enable
Switch:1(config)#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/2 
Switch:1(config-if)#macsec cipher suite gcm-aes-256 

Error: port 1/2, Port is not MACSec capable. No MACSec configurations allowed on port

The system displays the following error message if your hardware does not support the MACsec 256-bit cipher suite.

VSP-4900-48P:1>enable
VSP-4900-48P:1(config)#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
VSP-4900-48P:1(config)#interface gigabitEthernet 1/12
VSP-4900-48P:1(config-if)#macsec cipher-suite gcm-aes-256 

Error: port 1/12, MACSec cipher-suite cannot be modified on port. Cipher-suite is by default AES-128

Variable Definitions

The following table defines parameters for the macsec cipher-suite command.

Variable

Definition

{gcm-aes-128 | gcm-aes-256}

Configures the cipher suite for encrypting traffic with MACsec.

The supported cipher suites are:

  • AES-GCM-128, with a maximum key length of 128 bits

  • AES-GCM--256, with a maximum key length of 256 bits

The default is the AES-GCM-128 cipher suite.
9037803-01 Rev AA