Configuring MACsec encryption on Cisco 9336C switches

Contributors: netapp-martyh

If desired, you can configure MACsec encryption on the WAN ISL ports that run between the sites. You must configure MACsec after applying the correct RCF file.

Note: MACsec encryption can only be applied to the WAN ISL ports.

Licensing requirements for MACsec

MACsec requires a security license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply for licenses, see the Cisco NX-OS Licensing Guide.

Enabling Cisco MACsec Encryption WAN ISLs in MetroCluster IP configurations

You can enable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Enable MACsec and MKA on the device: feature macsec

    IP_switch_A_1(config)# feature macsec
  3. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config

Disabling Cisco MACsec Encryption

You might need to disable MACsec encryption for Cisco 9336C switches on the WAN ISLs in a MetroCluster IP configuration.

Note: If you disable encryption, you must also delete your keys, as described in XXX.

  1. Enter the global configuration mode: configure terminal

    IP_switch_A_1# configure terminal
    IP_switch_A_1(config)#
  2. Disable the MACsec configuration on the device: macsec shutdown

    IP_switch_A_1(config)# macsec shutdown
    Note: Selecting the no option restores the MACsec feature.
  3. Select the interface that you already configured with MACsec.

    You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port.

    IP_switch_A_1(config)# interface ethernet 1/15
    IP_switch_A_1(config-if)#
  4. Remove the keychain, policy and fallback-keychain configured on the interface to remove the MACsec configuration: no macsec keychain keychain-name policy policy-name fallback-keychain keychain-name

    IP_switch_A_1(config-if)# no macsec keychain kc2 policy abc fallback-keychain fb_kc2
  5. Repeat steps 3 and 4 on all interfaces where MACsec is configured.

  6. Copy the running configuration to the startup configuration: copy running-config startup-config

    IP_switch_A_1(config)# copy running-config startup-config
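
To make sure step 5 does not miss an interface, you can scan a saved copy of the running configuration for interface stanzas that still carry a MACsec keychain and generate the step 3 and step 4 commands for each one. The following script is an added example, not part of the original procedure or Cisco tooling. The sample configuration is constructed, and the script assumes that the policy and fallback-keychain keywords are optional and that interface names appear in the Ethernet1/15 form.

```python
import re

# Constructed sample of `show running-config` output (not from a real switch).
SAMPLE_CONFIG = """\
feature macsec
macsec shutdown

interface Ethernet1/15
  description WAN ISL
  macsec keychain kc2 policy abc fallback-keychain fb_kc2

interface Ethernet1/16
  description WAN ISL
  macsec keychain kc2

interface Ethernet1/17
  description local port
"""

# Matches the per-interface line removed in step 4; policy and
# fallback-keychain are treated as optional (assumption).
MACSEC_RE = re.compile(
    r"^macsec keychain (?P<kc>\S+)"
    r"(?: policy (?P<policy>\S+))?"
    r"(?: fallback-keychain (?P<fb>\S+))?$"
)

def macsec_interfaces(config_text):
    """Return {interface: macsec line} for each stanza that still has a keychain."""
    found, current = {}, None
    for raw in config_text.splitlines():
        if raw.lower().startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif raw and not raw[0].isspace():
            current = None  # an unindented line ends the interface stanza
        elif current and MACSEC_RE.match(raw.strip()):
            found[current] = raw.strip()
    return found

def removal_commands(config_text):
    """Build the step 3 and step 4 commands for every interface found."""
    cmds = []
    for ifname, line in macsec_interfaces(config_text).items():
        cmds += [f"interface {ifname}", f"no {line}"]
    return cmds

if __name__ == "__main__":
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```

After you apply the commands, running the script against a fresh copy of the configuration should return an empty list.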

Configuring a MACsec key chain and keys

For details on configuring a MACsec key chain, see the Cisco documentation for your switch.