configure macsec cipher-suite

configure macsec cipher-suite [gcm-aes-128 | gcm-aes-256] ports port_list

Description

Configures the preferred cipher suite for MAC Security (MACsec).

Syntax Description

cipher-suite    Selects the MACsec cipher suite to be used if the port is elected as key server.
gcm-aes-128     Galois/Counter Mode of AES-128 symmetric block cipher (Default).
gcm-aes-256     Galois/Counter Mode of AES-256 symmetric block cipher.
ports           Specifies the ports to configure.
port_list       Lists which ports to configure the selected cipher suite on.

Default

The cipher suite gcm-aes-128 is selected by default.

Usage Guidelines

Table 1. Cipher Support
GCM-AES-256 and GCM-AES-128
Ports with LRM/MACsec Adapter

ExtremeSwitching 5320, 5420, 5720 on all ports.

ExtremeSwitching 5520 on all ports, except 5520-VIM-4X and 24X 10G ports.

If GCM-AES-256 is desired between two switches using the LRM/MACsec Adapter, you need to issue this command on at least the key server side, but preferably on both sides.

If the port is elected as MKA key server, then the configured cipher suite is used to protect all port traffic. If the peer port is elected as MKA key server, then the peer chooses which cipher suite to use.

Example

The following example selects the gcm-aes-256 cipher suite on ports 22, 30–33:

# configure macsec cipher-suite gcm-aes-256 ports 22,30-33

The following example selects the gcm-aes-128 cipher suite on port 30:

# configure macsec cipher-suite gcm-aes-128 ports 30
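
The key-server rule in the Usage Guidelines can be turned into a configuration check for both ends of a link. The following Python sketch is an added example, not part of the vendor documentation; it assumes saved configurations contain the command in the syntax shown on this page, that port lists use only the numeric forms shown here, and that a later command overrides an earlier one for the same port. The function names and the sample configurations are constructed for illustration.

```python
import re

DEFAULT_SUITE = "gcm-aes-128"  # default stated on this page
# Assumption: config lines follow the syntax line at the top of this page.
CMD = re.compile(r"configure macsec cipher-suite (gcm-aes-128|gcm-aes-256) ports (\S+)")

def expand_ports(port_list):
    """Expand a port_list such as '22,30-33' into a set of port numbers."""
    ports = set()
    for item in port_list.split(","):
        first, _, last = item.partition("-")
        ports.update(range(int(first), int(last or first) + 1))
    return ports

def suites_from_config(config_text):
    """Map port -> configured suite (assumption: the last matching command wins)."""
    suites = {}
    for line in config_text.splitlines():
        match = CMD.search(line)
        if match:
            for port in expand_ports(match.group(2)):
                suites[port] = match.group(1)
    return suites

def link_outcomes(local_cfg, local_port, peer_cfg, peer_port):
    """Suite protecting the link for each possible MKA key-server election result."""
    local = suites_from_config(local_cfg).get(local_port, DEFAULT_SUITE)
    peer = suites_from_config(peer_cfg).get(peer_port, DEFAULT_SUITE)
    # The elected key server's configured suite is the one that is used.
    return {"local_is_key_server": local, "peer_is_key_server": peer}

def aes256_guaranteed(outcomes):
    """True only if the link gets gcm-aes-256 whichever side wins the election."""
    return set(outcomes.values()) == {"gcm-aes-256"}

# Constructed sample configurations (not taken from a real switch).
SWITCH_A = "configure macsec cipher-suite gcm-aes-256 ports 22,30-33\n"
SWITCH_B = "configure macsec cipher-suite gcm-aes-256 ports 22\n"

if __name__ == "__main__":
    for a_port, b_port in [(22, 22), (30, 30)]:
        result = link_outcomes(SWITCH_A, a_port, SWITCH_B, b_port)
        print(a_port, b_port, result, "AES-256 guaranteed:", aes256_guaranteed(result))
```

A link flagged as not guaranteed is one where the command was issued on only one side, so the cipher suite in use depends on which port is elected key server.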

History

This command was first available in ExtremeXOS 30.2.

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.

Platform                Ports
ExtremeSwitching 5320   All ports of all models except stacking ports.
ExtremeSwitching 5420   All ports of all models except stacking ports.
ExtremeSwitching 5520   All ports, except 5520-VIM-4X and 5520-24X 10G ports.
ExtremeSwitching 5720   All ports of all models except stacking ports.