Cisco Nexus 9000 Series - Enabling MACsec
MACsec policy restrictions:
BPDU packets might be transmitted before a MACsec session becomes secure, so STP frames sent while the
session is still being established are not MACsec-protected.
Layer 2 Tunneling Protocol (L2TP) restrictions:
MACsec is not supported on ports configured for dot1q tunneling or L2TP.
L2TP does not work if STP is enabled on trunk ports for non-native VLANs.
Statistics restrictions:
A few CRC errors can occur during the transition between MACsec and non-MACsec mode (for example, a
regular port shut/no shut).
SecY statistics are cumulative and are polled every 30 seconds.
The IEEE8021-SECY-MIB OIDs secyRxSAStatsOKPkts, secyTxSAStatsProtectedPkts, and
secyTxSAStatsEncryptedPkts are 32-bit counters, but the packet count can exceed 32 bits, so the counters
wrap; a monitoring system must compute the difference between consecutive polls rather than rely on the
absolute value.
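The following is an added example, not code from the Cisco guide, showing how a collector should treat the 32-bit SecY counters described above. It assumes the cumulative counters are sampled every 30 seconds (the interval the guide states) and that the collector only ever sees the low 32 bits of the true count; the sample counter readings are constructed for illustration. It also computes the packet rate above which a 32-bit counter completes a full wrap inside one poll, a condition no wrap detection can recover from.

```python
"""Wrap-aware delta computation for 32-bit IEEE8021-SECY-MIB counters.

Added example (not from the Cisco guide). Assumptions: counters are cumulative,
polled every 30 s, and exposed as 32-bit values that wrap to zero.
"""

COUNTER_BITS = 32
COUNTER_MOD = 1 << COUNTER_BITS   # 4294967296: the counter returns to 0 at this value
POLL_INTERVAL_S = 30              # SecY statistics poll interval stated in the guide


def counter_delta(prev: int, curr: int, modulus: int = COUNTER_MOD) -> int:
    """Packets counted between two samples of a wrapping counter.

    The modular difference recovers exactly one wrap: curr < prev means the
    counter passed zero once since the previous poll. It cannot recover two
    or more wraps within one interval; see delta_is_unambiguous().
    """
    for value in (prev, curr):
        if not 0 <= value < modulus:
            raise ValueError(f"{value} is not a valid {modulus.bit_length() - 1}-bit counter value")
    return (curr - prev) % modulus


def rates_from_samples(samples, interval_s: float = POLL_INTERVAL_S):
    """Per-interval packet rates (pps) from a series of consecutive cumulative samples."""
    return [counter_delta(a, b) / interval_s for a, b in zip(samples, samples[1:])]


def delta_is_unambiguous(pps: float, interval_s: float = POLL_INTERVAL_S,
                         modulus: int = COUNTER_MOD) -> bool:
    """True if a counter advancing at `pps` cannot complete a full wrap in one poll.

    Above this rate the true increase is >= modulus, and (curr - prev) % modulus
    silently under-reports the traffic.
    """
    return pps * interval_s < modulus


def line_rate_pps(bits_per_second: float, frame_bytes: int = 64) -> float:
    """Maximum frames/s on an Ethernet link, counting the 8-byte preamble/SFD
    and the 12-byte inter-frame gap that accompany every frame on the wire."""
    return bits_per_second / ((frame_bytes + 8 + 12) * 8)


# Constructed samples: the first reading sits near the top of the 32-bit range,
# so the second reading has wrapped. The true increments are 3000 and 6000 packets.
SAMPLES = [4_294_966_000, 1_704, 7_704]

if __name__ == "__main__":
    print(rates_from_samples(SAMPLES))  # [100.0, 200.0]
    for gbps in (10, 100):
        pps = line_rate_pps(gbps * 1e9)
        print(f"{gbps}GbE at 64-byte frames: {pps:,.0f} pps, "
              f"32-bit delta unambiguous over 30 s: {delta_is_unambiguous(pps)}")
```

The 100GbE case is the practical caveat: at 64-byte line rate the counter advances by more than 2^32 in 30 seconds, so a wrap-aware delta over the three OIDs named above is still wrong on a saturated 100G port; poll more often or use a counter that is not limited to 32 bits.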
Interoperability restrictions:
Interoperability with other peer switches (other Cisco and non-Cisco switches) is supported only with
the XPN cipher suite.
MACsec peers must run the same Cisco NX-OS release to use the AES_128_CMAC cryptographic algorithm.
For interoperability between earlier releases and Cisco NX-OS Release 9.2(1), you must use keys with
the AES_256_CMAC cryptographic algorithm.
For interoperability between earlier releases and Cisco NX-OS Release 9.2(1), pad the MACsec key
with zeros if it is shorter than 32 octets.
On any Cisco NX-OS box, you can configure only one unique combination of an alternate MAC address
and EtherType across all interfaces.
Within the same slice of the forwarding engine, the EAPOL EtherType and the dot1q EtherType cannot have
the same value.
When configuring EAPOL, EtherType values from 0 through 0x599 are invalid (values in this range are
802.3 length fields rather than EtherTypes).
When configuring EAPOL packets, the following combinations must not be used:
MAC address 0100.0ccd.cdd0 with any EtherType
Any MAC address with the EtherTypes 0xfff0, 0x800, or 0x86dd
The default destination MAC address, 0180.c200.0003, with the default EtherType, 0x888e
The N9K-X9736C-FX, N9K-C93180YC-FX, and N9K-C93108TC-FX platform switches do not support
MACsec on 1G ports. MACsec is not supported on any port of a MAC block that contains 1G ports.
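The EAPOL override rules above are easy to get wrong across many interfaces, so the following added example (not code from the Cisco guide) lints a set of planned EAPOL destination-MAC / EtherType overrides against them before they are pushed to a switch: the reserved MAC, the reserved EtherTypes, the forbidden default pair, the invalid 0 to 0x599 range, the one-unique-pair-per-box rule, and the EAPOL/dot1q EtherType clash within a forwarding-engine slice. The EapolOverride record, the slice numbering, the assumption that the caller knows each port's slice and its dot1q EtherType (0x8100 unless overridden), and the sample interfaces are all constructed for illustration; only the rules themselves come from the guide.

```python
"""Lint planned EAPOL MAC/EtherType overrides against the NX-OS restrictions.

Added example, not Cisco's code. The data model (EapolOverride, slice ids,
dot1q_by_slice) is an assumption made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RESERVED_MAC = "0100.0ccd.cdd0"                 # not allowed with any EtherType
RESERVED_ETHERTYPES = {0xFFF0, 0x0800, 0x86DD}  # not allowed with any MAC address
DEFAULT_EAPOL = ("0180.c200.0003", 0x888E)      # the default pair may not be configured as the override
INVALID_ETHERTYPE_MAX = 0x599                   # the guide rejects EtherTypes 0 through 0x599
DEFAULT_DOT1Q_ETHERTYPE = 0x8100                # assumed dot1q EtherType for a slice with no override


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits; accepts aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff, aa-bb-..."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class EapolOverride:
    interface: str   # constructed interface name, e.g. "Ethernet1/1"
    slice_id: int    # forwarding-engine slice of the port; assumed known to the caller
    mac: str
    ethertype: int


def check_pair(mac: str, ethertype: int) -> list[str]:
    """Problems with one (MAC, EtherType) pair, independent of other interfaces."""
    problems = []
    m = normalize_mac(mac)
    if not 0 <= ethertype <= 0xFFFF:
        problems.append(f"EtherType 0x{ethertype:x} is not a 16-bit value")
    elif ethertype <= INVALID_ETHERTYPE_MAX:
        problems.append(f"EtherType 0x{ethertype:04x} lies in the invalid range 0-0x599")
    if m == normalize_mac(RESERVED_MAC):
        problems.append(f"MAC {RESERVED_MAC} cannot be used with any EtherType")
    if ethertype in RESERVED_ETHERTYPES:
        problems.append(f"EtherType 0x{ethertype:04x} cannot be used with any MAC address")
    if (m, ethertype) == (normalize_mac(DEFAULT_EAPOL[0]), DEFAULT_EAPOL[1]):
        problems.append("the default pair 0180.c200.0003 / 0x888e cannot be configured as the override")
    return problems


def lint_overrides(overrides, dot1q_by_slice=None) -> list[str]:
    """Box-wide checks: per-pair rules on every interface, one unique pair per box,
    and no EAPOL/dot1q EtherType clash inside a forwarding-engine slice."""
    dot1q_by_slice = dot1q_by_slice or {}
    problems = []
    pairs = set()
    for o in overrides:
        problems += [f"{o.interface}: {p}" for p in check_pair(o.mac, o.ethertype)]
        pairs.add((normalize_mac(o.mac), o.ethertype))
        dot1q = dot1q_by_slice.get(o.slice_id, DEFAULT_DOT1Q_ETHERTYPE)
        if o.ethertype == dot1q:
            problems.append(f"{o.interface}: EAPOL EtherType 0x{o.ethertype:04x} equals the "
                            f"dot1q EtherType on slice {o.slice_id}")
    if len(pairs) > 1:
        problems.append(f"{len(pairs)} distinct MAC/EtherType pairs configured; "
                        "a Cisco NX-OS box supports only one")
    return problems


# Constructed sample: three interfaces, each breaking a different rule, which
# together also break the one-pair-per-box rule. lint_overrides reports 4 problems.
SAMPLE = [
    EapolOverride("Ethernet1/1", slice_id=0, mac="0100.0ccd.cdd0", ethertype=0x876F),  # reserved MAC
    EapolOverride("Ethernet1/2", slice_id=0, mac="0180.c200.0003", ethertype=0x8100),  # clashes with dot1q
    EapolOverride("Ethernet1/3", slice_id=1, mac="0180.c200.0001", ethertype=0x0300),  # invalid range
]

if __name__ == "__main__":
    for line in lint_overrides(SAMPLE):
        print(line)
```

Note that an alternate MAC with the default EtherType 0x888e (or the default MAC with an alternate EtherType) passes the check: the guide forbids only the default MAC and the default EtherType together.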
Enabling MACsec
Before you can access the MACsec and MKA commands, you must enable the MACsec feature.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x