configure macsec cipher-suite

configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list


Configures the preferred cipher suite for MAC Security (MACsec).

Syntax Description

cipher-suite Selects provisioning MACsec cipher suite to be used if elected as key server.
gcm-aes-128 Galois/Counter Mode of AES-128 symmetric block cipher (Default).
gcm-aes-256 Galois/Counter Mode of AES-256 symmetric block.
ports Specifies configuring ports.
port_list Lists which ports to configure the selected cipher suite on.


The cipher suite gcm-aes-128 is selected by default.

Usage Guidelines

Table 1. Cipher Support
GCM-AES-128 Only GCM-AES-256 and GCM-AES-128
Ports with LRM/MACsec Adapter
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches ports 25–28 without LRM/MACsec Adapter
ExtremeSwitching X465 series switches front panel 1G ports (non-multi-rate ports)

ExtremeSwitching X465 series switches ports on MACsec-capable VIMs without LRM/MACsec Adapter.

ExtremeSwitching X465-24XE switches front panel ports without LRM/MACsec Adapter.

ExtremeSwitching 5320 and 5420 on all ports.

ExtremeSwitching 5520 on all ports, except 5520-VIM-4X and 24X 10G ports.

If GCM-AES-256 is desired between two switches using the LRM/MACsec Adapter, you need to issue this command on at least the key server side, but preferably on both sides.

If the port is elected as MKA key server, then the configured cipher suite is used to protect all port traffic. If the peer port is elected as MKA key server, then the peer chooses which cipher suite to use.


The following example selects the gcm-aes-256 cipher suite on ports 22, 30–33:
# configure macsec cipher-suite gcm-aes-256 22,30-33
The following example selects the gcm-aes-128 cipher suite on port 30:
# configure macsec cipher-suite gcm-aes-128 30


This command was first available in ExtremeXOS 30.2.

Platform Availability

This command is available on the following platforms.



The MACsec feature requires the installation of the MAC Security feature pack license.
Platform Ports LRM/MACsec Adapter Required?
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches Half-duplex, 1G ports (25–48) No
All other SFP/SFP+ ports * Yes
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X590, X620, X690, and X695 series switches SFP/SFP+ ports * Yes
ExtremeSwitching X465

X465-24W, X465-24XE: ports 1–24

X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48

X465-24MU-24W: ports 25–48

VIM5-4XE: all 4 ports

VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports

VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only

ExtremeSwitching 5320 All ports of all models except stacking ports. No
ExtremeSwitching 5420 All ports of all models except stacking ports. No
ExtremeSwitching 5520 All ports, except 5520-VIM-4X and 24X 10G ports No
Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.