Cisco Nexus 9000 Series Configuration Manual page 529

Configuring MACsec
• When you disable the MACsec feature immediately after a sw-over, some sessions end up pending while
some peers are in a secure state.
• MKA is the only supported key exchange protocol for MACsec. The Security Association Protocol (SAP)
is not supported.
• Link-level flow control (LLFC) and priority flow control (PFC) are not supported with MACsec.
• Multiple MACsec peers (different SCI values) for the same interface are not supported.
• You can retain the MACsec configuration when you disable MACsec using the macsec shutdown
command.
• MACsec sessions are liberal in accepting packets from a key server whose latest Rx and latest Tx flags
have been retired after Tx SA installation for the first time. The MACsec session then converges into a
secure state.
• Beginning with Cisco NX-OS Release 9.2(1), the following configurations are allowed:
• Beginning with Cisco Nexus Release 9.2(1), MACsec is supported on the Cisco Nexus 93180YC-FX
and the Cisco Nexus 93108TC-FX switches.
Keychain restrictions:
• You cannot overwrite the octet string for a MACsec key. Instead, you must create a new key or a new
keychain.
• A new key in the keychain is configured when you enter end or exit. The default timeout for editor
mode is 6 seconds. If the key is not completely configured with the key octet string and/or the send
lifetime within the 6-second window, incomplete information may be used to bring up the MACsec
session and could result in the session being stuck in an Authorization Pending state. If the MACsec
sessions are not converged after the configuration is complete, you might be advised to shut/no shut the
ports.
• For a given keychain, key activation times should overlap to avoid any period of time when no key is
activated. If a time period occurs during which no key is activated, session negotiation fails and traffic
drops can occur. The key with the latest start time among the currently active keys takes precedence for
a MACsec key rollover.
Fallback restrictions:
• If a MACsec session is secured on an old primary key, it does not go to a fallback session in case of
mismatched latest active primary key. So the session remains secured on the old primary key and will
show as rekeying on the old CA under status. And the MACsec session on the new key on primary PSK
will be in init state.
• Use only one key with infinite lifetime in the fallback key chain. Multiple keys are not supported.
• The key ID (CKN) used in the fallback key chain must not match any of the key IDs (CKNs) used in the
primary key chain.
• Once configured, fallback configuration on an interface cannot be removed, unless the complete MACsec
configuration on the interface is removed.
• Allowing MACSec policy to be modified while the policy is referenced by an interface.
• Allowing different MACsec policies across different lanes of a breakout port.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Guidelines and Limitations for MACsec
503