C H A P T E; Configuring Macsec; About Macsec - Cisco Nexus 9000 Series Configuration Manual

Configuring MACsec

This document describes how to configure MACsec on Cisco NX-OS devices.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

About MACsec

Media Access Control Security (MACsec) an IEEE 802.1AE along with MACsec Key Agreement (MKA)
protocol provide secure communications on Ethernet links. It offers the following :
• Provides line rate encryption capabilities.
• Helps to ensure data confidentiality by providing strong encryption at Layer 2.
• Provides integrity checking to help ensure that data cannot be modified in transit.
• Can be selectively enabled using a centralized policy to help ensure that it is enforced where required
• Encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and
About MACsec, on page 501
Licensing Requirements for MACsec, on page 502
Guidelines and Limitations for MACsec, on page 502
Enabling MACsec, on page 504
Disabling MACsec, on page 505
Configuring a MACsec Keychain and Keys, on page 506
Configuring MACsec Fallback Key, on page 508
Configuring a MACsec Policy, on page 509
Rotating PSKs, on page 511
About Configurable EAPOL Destination and Ethernet Type, on page 511
Verifying the MACsec Configuration, on page 513
Displaying MACsec Statistics, on page 515
Configuration Example for MACsec, on page 518
XML Examples, on page 519
MIBs, on page 527
Related Documentation, on page 528
while allowing non-MACsec-capable components to access the network.
forward traffic according to your existing policies (unlike end-to-end Layer 3 encryption techniques that
hide the contents of packets from the network devices they cross).
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
25
C H A P T E R
501