Step 8
Command or Action: (Optional) copy running-config startup-config
Example:
switch(config-macseckeychain-macseckey)# copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.

Configuring MACsec Fallback Key
Beginning with Cisco NX-OS Release 9.2(1), you can configure a fallback key on the device to initiate a
backup session if the primary session fails as a result of a key/key name (CKN) mismatch or a finite key
duration between the switch and peer.

Before you begin
Make sure that MACsec is enabled and a primary and fallback keychain and key ID are configured. See
Configuring a MACsec Keychain and Keys.

SUMMARY STEPS
1. configure terminal
2. interface name
3. macsec keychain keychain-name policy policy-name fallback-keychain keychain-name
4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1
Command or Action: configure terminal
Example:
switch# configure terminal
switch(config)#
Purpose: Enters the global configuration mode.

Step 2
Command or Action: interface name
Example:
switch(config)# interface ethernet 1/1
switch(config-if)#
Purpose: Specifies the interface that you are configuring. You can specify the interface type and
identity. For an Ethernet port, use ethernet slot/port.

Step 3
Command or Action: macsec keychain keychain-name policy policy-name fallback-keychain keychain-name
Example:
switch(config-if)# macsec keychain kc2 policy abc fallback-keychain fb_kc2
Purpose: Specifies the fallback keychain to use after a MACsec session failure due to a key/key ID
mismatch or a key expiration. The fallback key ID should not match any key ID from a primary keychain.
Fallback keychain configuration for each interface can be changed on the corresponding interface,
without removing the MACsec configuration, by reissuing the same command with the fallback keychain
name changed.

Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring MACsec
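The following Python check is an added example, not part of the Cisco guide. It audits a running-config for the Step 3 rule that a fallback key ID must not match any key ID in the primary keychain, and for the prerequisite that both keychains are configured. The sample config is constructed; the `key chain <name> macsec` / `key <id>` stanza layout and the case-insensitive key ID comparison are assumptions, as are all names other than kc2, abc and fb_kc2.

```python
import re
# Constructed sample; keychain stanza syntax is assumed, names are hypothetical.
SAMPLE_CONFIG = """\
key chain kc2 macsec
  key 1000
  key 2000
key chain fb_kc2 macsec
  key 2000
key chain fb_ok macsec
  key 9000
interface Ethernet1/1
  macsec keychain kc2 policy abc fallback-keychain fb_kc2
interface Ethernet1/2
  macsec keychain kc2 policy abc fallback-keychain fb_ok
interface Ethernet1/3
  macsec keychain kc2 policy abc fallback-keychain fb_missing
"""

KEYCHAIN = re.compile(r"^key chain (\S+) macsec\s*$")
KEY = re.compile(r"^\s+key (\S+)\s*$")
IFACE = re.compile(r"^interface (.+?)\s*$")
BINDING = re.compile(r"^\s+macsec keychain (\S+) policy (\S+) fallback-keychain (\S+)\s*$")

def parse(config):
    chains, bindings, chain, iface = {}, [], None, None
    for line in config.splitlines():
        if m := KEYCHAIN.match(line):
            chain, iface = m.group(1), None
            chains[chain] = set()
        elif m := IFACE.match(line):
            iface, chain = m.group(1), None
        elif chain and (m := KEY.match(line)):
            chains[chain].add(m.group(1).lower())  # key IDs compared case-insensitively
        elif iface and (m := BINDING.match(line)):
            bindings.append((iface, m.group(1), m.group(3)))
        elif line[:1].strip():  # any other top-level stanza ends the current context
            chain = iface = None
    return chains, bindings

def audit(config):
    # One finding per interface: (interface, problem, offending names or key IDs).
    chains, bindings = parse(config)
    findings = []
    for iface, primary, fallback in bindings:
        missing = sorted(n for n in (primary, fallback) if n not in chains)
        shared = set() if missing else chains[primary] & chains[fallback]
        if missing:
            findings.append((iface, "undefined keychain", missing))
        elif shared:
            findings.append((iface, "key ID reused in fallback", sorted(shared)))
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` flags Ethernet1/1 for key ID 2000 appearing in both kc2 and fb_kc2, and Ethernet1/3 for referencing a fallback keychain that is not defined.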