hit counter script

Cisco Nexus 9000 Series Configuration Manual page 536

Nx-os security configuration guide, release 9.x
Hide thumbs Also See for Nexus 9000 Series:
Table of Contents

Advertisement

Configuring a MACsec Policy
Command or Action
Step 2
macsec policy name
Example:
switch(config)# macsec policy abc
switch(config-macsec-policy)#
Step 3
cipher-suite name
Example:
switch(config-macsec-policy)# cipher-suite
GCM-AES-256
Step 4
key-server-priority number
Example:
switch(config-macsec-policy)# key-server-priority
0
Step 5
security-policy name
Example:
switch(config-macsec-policy)# security-policy
should-secure
Step 6
window-size number
Example:
switch(config-macsec-policy)# window-size 512
Step 7
sak-expiry-time time
Example:
switch(config-macsec-policy)# sak-expiry-time 100
Step 8
conf-offset name
Example:
switch(config-macsec-policy)# conf-offset
CONF-OFFSET-0
Step 9
(Optional) show macsec policy
Example:
switch(config-macsec-policy)# show macsec policy
Step 10
(Optional) copy running-config startup-config
Example:
switch(config-macsec-policy)# copy running-config
startup-config
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
510
Purpose
Creates a MACsec policy.
Configures one of the following ciphers: GCM-AES-128,
GCM-AES-256, GCM-AES-XPN-128, or
GCM-AES-XPN-256.
Configures the key server priority to break the tie between
peers during a key exchange. The range is from 0 (highest)
and 255 (lowest), and the default value is 16.
Configures one of the following security policies to define
the handling of data and control packets:
• must-secure—Packets not carrying MACsec headers
will be dropped.
• should-secure—Packets not carrying MACsec
headers will be permitted. This is the default value.
Configures the replay protection window such that the
secured interface will not accept any packet that is less
than the configured window size. The range is from 0 to
596000000.
Configures the time in seconds to force an SAK rekey.
This command can be used to change the session key to a
predictable time interval. The default is 0.
Configures one of the following confidentiality offsets in
the Layer 2 frame, where encryption begins:
CONF-OFFSET-0, CONF-OFFSET-30, or
CONF-OFFSET-50. This command might be necessary
for intermediate switches to use packet headers {dmac,
smac, etype} like MPLS tags.
Displays the MACsec policy configuration.
Copies the running configuration to the startup
configuration.
Configuring MACsec

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents

Save PDF