Cisco Nexus 9000 Series Configuration Manual page 533

NX-OS Security Configuration Guide, Release 9.x
Configuring MACsec
Step 1
Command or Action: configure terminal
Example:
switch# configure terminal
switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command or Action: (Optional) [no] key-chain macsec-psk no-show
Example:
switch(config)# key-chain macsec-psk no-show
Purpose: Hides the encrypted key octet string in the output of the show running-config and show startup-config commands by replacing the string with a wildcard character. By default, PSK keys are displayed in encrypted format and can be easily decrypted. This command applies only to MACsec keychains.
Note: The octet string is also hidden when you save the configuration to a file.

Step 3
Command or Action: key chain name macsec
Example:
switch(config)# key chain 1 macsec
switch(config-macseckeychain)#
Purpose: Creates a MACsec keychain to hold a set of MACsec keys and enters MACsec keychain configuration mode.

Step 4
Command or Action: key key-id
Example:
switch(config-macseckeychain)# key 1000
switch(config-macseckeychain-macseckey)#
Purpose: Creates a MACsec key and enters MACsec key configuration mode. The range is from 1 to 32 octets, and the maximum size is 64.
Note: The key must consist of an even number of characters.

Step 5
Command or Action: key-octet-string octet-string cryptographic-algorithm {AES_128_CMAC | AES_256_CMAC}
Example:
switch(config-macseckeychain-macseckey)# key-octet-string abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 cryptographic-algorithm AES_256_CMAC
Purpose: Configures the octet string for the key. The octet-string argument can contain up to 64 hexadecimal characters. The octet key is encoded internally, so the key in clear text does not appear in the output of the show running-config macsec command.
Note: MACsec peers must run the same Cisco NX-OS release in order to use the AES_128_CMAC cryptographic algorithm. To interoperate between previous releases and Cisco NX-OS Release 7.0(3)I7(2) or a later release, you must use keys with the AES_256_CMAC cryptographic algorithm.

Step 6
Command or Action: send-lifetime start-time duration duration
Example:
switch(config-macseckeychain-macseckey)# send-lifetime 00:00:00 Oct 04 2016 duration 100000
Purpose: Configures a send lifetime for the key. By default, the device treats the start time as UTC. The start-time argument is the time of day and date that the key becomes active. The duration argument is the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).

Step 7
Command or Action: (Optional) show key chain name
Example:
switch(config-macseckeychain-macseckey)# show key chain 1
Purpose: Displays the keychain configuration.
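The procedure above leaves several constraints to the operator: the octet string must be hexadecimal, an even number of characters, and at most 64 characters; the send-lifetime duration is capped at 2147483646 seconds; and the start time is interpreted as UTC. The following added example (a hypothetical pre-check script, not Cisco code and not part of the guide) validates a keychain entry against those constraints, computes when the key stops being used for transmission, and renders the Steps 2 to 6 CLI sequence for pasting. It assumes, beyond what this page states, that the key length must match the algorithm (32 hex characters for AES_128_CMAC, 64 for AES_256_CMAC); the sample inputs are constructed to mirror the guide's example values.

```python
"""Pre-checks for a MACsec keychain entry before it is typed into NX-OS.

Hypothetical helper, not Cisco code. It encodes the constraints stated in the
procedure (64 hex characters max, even character count, send-lifetime duration
cap, UTC start time) and renders the resulting CLI sequence.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_OCTET_HEX_CHARS = 64            # key-octet-string: up to 64 hexadecimal characters
MAX_DURATION_SECONDS = 2147483646   # send-lifetime duration cap (about 68 years)

# Assumption (not stated on this page): key length must match the algorithm,
# 32 hex characters (16 octets) for AES_128_CMAC, 64 (32 octets) for AES_256_CMAC.
HEX_CHARS_FOR_ALGORITHM = {"AES_128_CMAC": 32, "AES_256_CMAC": 64}

HEX_RE = re.compile(r"[0-9a-fA-F]*")


def check_octet_string(octet_string: str, algorithm: str) -> list:
    """Return the list of problems with a key octet string; empty means it passes."""
    problems = []
    if algorithm not in HEX_CHARS_FOR_ALGORITHM:
        return ["unknown cryptographic-algorithm %r" % algorithm]
    n = len(octet_string)
    if n > MAX_OCTET_HEX_CHARS:
        problems.append("octet string is %d characters, maximum is %d" % (n, MAX_OCTET_HEX_CHARS))
    if n % 2 != 0:
        problems.append("octet string must have an even number of characters")
    if not HEX_RE.fullmatch(octet_string):
        problems.append("octet string must contain only hexadecimal characters")
    expected = HEX_CHARS_FOR_ALGORITHM[algorithm]
    if n != expected:
        problems.append("%s expects %d hex characters, got %d" % (algorithm, expected, n))
    return problems


def send_lifetime_window(start_time: str, duration: int):
    """Parse an NX-OS start-time ("HH:MM:SS Mon DD YYYY", treated as UTC as the
    guide says) and return (start, end) as timezone-aware datetimes."""
    if not 1 <= duration <= MAX_DURATION_SECONDS:
        raise ValueError("duration must be between 1 and %d seconds" % MAX_DURATION_SECONDS)
    start = datetime.strptime(start_time, "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)
    return start, start + timedelta(seconds=duration)


def key_is_active(start_time: str, duration: int, when: datetime) -> bool:
    """True if `when` (an aware datetime) falls inside the send lifetime [start, end)."""
    start, end = send_lifetime_window(start_time, duration)
    return start <= when.astimezone(timezone.utc) < end


def render_keychain(chain_name, key_id, octet_string, algorithm, start_time, duration,
                    hide_keys=True) -> list:
    """Return the CLI lines for Steps 1-6 of the procedure, in order, after
    validating the inputs; raises ValueError if anything would be rejected."""
    problems = check_octet_string(octet_string, algorithm)
    if problems:
        raise ValueError("; ".join(problems))
    send_lifetime_window(start_time, duration)   # validates the duration and date format
    lines = ["configure terminal"]
    if hide_keys:
        lines.append("key-chain macsec-psk no-show")   # keeps the PSK out of show running-config
    lines += [
        "key chain %s macsec" % chain_name,
        "key %s" % key_id,
        "key-octet-string %s cryptographic-algorithm %s" % (octet_string, algorithm),
        "send-lifetime %s duration %d" % (start_time, duration),
    ]
    return lines


if __name__ == "__main__":
    # Constructed inputs mirroring the guide's example values.
    key = "abcdef0123456789" * 4
    for line in render_keychain("1", "1000", key, "AES_256_CMAC", "00:00:00 Oct 04 2016", 100000):
        print(line)
    start, end = send_lifetime_window("00:00:00 Oct 04 2016", 100000)
    print("key active from", start, "until", end)
```

With the guide's example values, the script reports that the key is used for transmission from 2016-10-04 00:00:00 UTC until 2016-10-05 03:46:40 UTC (100000 seconds later), which is the kind of check worth doing before a lifetime is committed, since a gap between one key's end and the next key's start leaves no valid transmit key. The `hide_keys` default keeps the `key-chain macsec-psk no-show` line in the rendered output so the encrypted octet string does not appear in `show running-config`.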
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring a MACsec Keychain and Keys
507
