Syntax: [no] macsec
Context: config>port>ethernet>dot1x
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command configures MACsec functionality for the port.
When MACsec is configured on an Ethernet port, the oper MTU of the port is reduced by 32 bytes; for example, a configured MTU of 9212 results in an oper MTU of 9180 for a MACsec-enabled port. When a service or IP interface uses a MACsec-enabled port, an appropriate MTU value must be manually configured.
The no form of this command disables MACsec functionality for the port.
Syntax: ca-name ca-name
no ca-name
Context: config>port>ethernet>dot1x>macsec
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command configures the CA linked to the MACsec port. The CA provides the MACsec parameters that are used or negotiated with other peers.
The no form of this command removes the CA from the MACsec port.
Parameters:
ca-name: Specifies the CA to use for the MACsec port, up to 32 characters.
Syntax: eapol-destination-address mac
no eapol-destination-address
Context: config>port>ethernet>dot1x>macsec
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command configures the destination MAC address of the EAPoL to the unicast address of the MACsec peer, so that the EAPoL and MKA signaling is unicast between two peers.
By default, the EAPoL destination MAC address is the multicast MAC address 01:80:C2:00:00:03. Some networks cannot tunnel these packets over the network or consume them, causing the MKA session to fail.
The no form of this command reverts to the default value.
Default: no eapol-destination-address
Parameters:
mac: Specifies the destination MAC address used by the EAPoL MKA packets of the specified port. The 48-bit MAC address is in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.
Syntax: [no] exclude-protocol {protocol-name}
Context: config>port>ethernet>dot1x>macsec
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command configures the protocols for which packets are not secured with MACsec when MACsec is enabled on a port. When this command is enabled in a CA that is attached to an interface, MACsec is not applied to packets of the specified protocols that are sent and received on the link.
When this command is enabled on a port where MACsec is configured, packets of the specified protocols are sent and received in clear text.
Default: no exclude-protocol
Parameters:
protocol-name: Specifies the protocol name.
Syntax: max-peer max-peer
no max-peer
Context: config>port>ethernet>dot1x>macsec
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command configures the maximum number of peers allowed for the specified MACsec instance.
Peer establishment is a race condition and operates on a first-come-first-served basis. For a security zone, only 32 peers are supported.
The no form of this command reverts to the default value.
Default: no max-peer
Parameters:
max-peer: Specifies the maximum number of peers supported on this port.
Syntax: [no] rx-must-be-encrypted
Context: config>port>ethernet>dot1x>macsec
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command specifies that all non-MACsec-secured traffic that is received on the port is dropped.
When this command is disabled, all arriving traffic is accepted, regardless of whether it is MACsec-secured.
This command is available only at the NULL port level and does not have per-VLAN granularity.
The no form of this command disables the command.
Default: rx-must-be-encrypted
Syntax: [no] shutdown
Context: config>port>ethernet>dot1x>macsec
Platforms: 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description: This command shuts down MACsec functionality, including MKA negotiation, for the port. In the shutdown state, the port is not MACsec capable and all PDUs are transmitted and expected without encryption and authentication.
To enable MACsec, a valid CA (one that differs from any CA configured on a sub-port of this port) and a max-peer value larger than 0 must be configured. In MACsec-enabled mode, packets are sent in clear text until the MKA session is up; if the rx-must-be-encrypted command is configured on the port, all incoming packets without MACsec are dropped.
The no form of this command sets the port to MACsec-enabled mode.
Default: shutdown
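As an added example (not from the Nokia documentation), the following Python pre-change check encodes the constraints stated above before a MACsec port is enabled: the 32-byte oper MTU reduction and the need to set service MTUs manually, the ca-name and max-peer preconditions for no shutdown, the 32-peer limit per security zone, the accepted MAC address formats for eapol-destination-address, and the NULL-port restriction on rx-must-be-encrypted. The MacsecPort model and its field names are assumptions made for illustration, not part of the product CLI.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MACSEC_OVERHEAD = 32        # oper MTU reduction for a MACsec-enabled port
MAX_PEERS_PER_ZONE = 32     # peers supported in one security zone
# aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, hexadecimal octets
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$|^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I)

@dataclass
class MacsecPort:
    """Intended settings for one dot1x>macsec port (hypothetical model)."""
    port_mtu: int                       # configured Ethernet port MTU
    shutdown: bool = True               # default: MACsec shut down
    ca_name: Optional[str] = None
    max_peer: int = 0
    eapol_destination_address: Optional[str] = None
    rx_must_be_encrypted: bool = False
    null_port: bool = True              # rx-must-be-encrypted needs NULL port level
    subport_ca_names: Set[str] = field(default_factory=set)
    service_mtus: Dict[str, int] = field(default_factory=dict)  # per service/interface

def oper_mtu(port_mtu: int) -> int:
    """Operational MTU once MACsec is configured on the port."""
    return port_mtu - MACSEC_OVERHEAD

def check(cfg: MacsecPort) -> List[str]:
    """Return the documented constraints the intended configuration violates."""
    problems: List[str] = []
    if not cfg.shutdown:                # preconditions for 'no shutdown'
        if not cfg.ca_name:
            problems.append("no shutdown requires a ca-name")
        elif cfg.ca_name in cfg.subport_ca_names:
            problems.append(f"ca-name {cfg.ca_name!r} is already used on a sub-port")
        if cfg.max_peer < 1:
            problems.append("no shutdown requires max-peer larger than 0")
    if cfg.max_peer > MAX_PEERS_PER_ZONE:
        problems.append(f"max-peer {cfg.max_peer} exceeds the 32-peer limit")
    if cfg.eapol_destination_address and not MAC_RE.match(cfg.eapol_destination_address):
        problems.append("eapol-destination-address is not a valid 48-bit MAC")
    if cfg.rx_must_be_encrypted and not cfg.null_port:
        problems.append("rx-must-be-encrypted is only available at the NULL port level")
    limit = oper_mtu(cfg.port_mtu)      # services must fit the reduced oper MTU
    for name, mtu in cfg.service_mtus.items():
        if mtu > limit:
            problems.append(f"{name} MTU {mtu} exceeds oper MTU {limit}; set it manually")
    return problems
```

An empty list from check() means the intended settings satisfy every constraint listed on this page; any other result names the command to revisit before issuing no shutdown.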