MACsec is supported on Cisco Nexus N9K-C93240YC-FX2, N9K-C9336C-FX2, N9K-C93108TC-FX, and
N9K-C93180YC-FX platform switches and the N9K-X9736C-FX and N9K-X9732C-EXM line cards.
Key Lifetime and Hitless Key Rollover
A MACsec keychain can have multiple pre-shared keys (PSKs), each configured with a key ID and an optional
lifetime. A key lifetime specifies when the key becomes active and when it expires. In the absence of a lifetime
configuration, the default lifetime is unlimited. When a lifetime is configured, MKA rolls over to the next
configured pre-shared key in the keychain after the lifetime expires. The time zone of the key can be local
or UTC. The default time zone is UTC.
To configure a MACsec keychain, see Configuring a MACsec Keychain and Keys, on page 506.
A key can roll over to a second key within the same keychain by configuring the second key (in the keychain)
and configuring a lifetime for the first key. When the lifetime of the first key expires, MKA automatically rolls
over to the next key in the list. If the same keys, with the same lifetimes, are configured on both sides of the link,
the key rollover is hitless (that is, the key rolls over without traffic interruption).
Fallback Key
A MACsec session can fail due to a key or key name (CKN) mismatch, or because a key with a finite lifetime has
expired, between the switch and a peer. If a MACsec session does fail, a fallback session can take over if a
fallback key is configured. A fallback session prevents downtime due to primary session failure and gives the
user time to fix the key issue that caused the failure. A fallback key also provides a backup session if the
primary session fails to start. This feature is optional.
To configure a MACsec fallback key, see Configuring MACsec Fallback Key, on page 508.
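The following NX-OS configuration is an added example, not taken from this guide; the keychain and policy names, key IDs (CKNs), key octet strings (CAKs) and dates are made up. It ties together the two preceding sections: a primary keychain with two keys whose lifetimes abut, so that MKA rolls from key 1000 to key 2000 without a gap, and a separate fallback keychain that is bound to the same interface. For the rollover to be hitless, the peer must carry an identical primary keychain (same key IDs, same octet strings, same lifetimes). The fallback key is deliberately left without a send-lifetime so it keeps the default unlimited lifetime and can never itself expire and cause a session failure.

```cisco
! Added example, not from the Cisco guide. Key IDs, key octet strings and dates are made up.
! Apply the same keychain contents on both ends of the link.
feature macsec

! Primary keychain: two 256-bit CAKs. Key 1000 is valid for 30 days (2592000 s) from
! 00:00:00 UTC on 1 Jan 2024; key 2000 starts at the exact second key 1000 expires,
! so the rollover leaves no interval in which no key is active.
key chain mka-primary macsec
  key 1000
    key-octet-string 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef cryptographic-algorithm AES_256_CMAC
    send-lifetime 00:00:00 Jan 01 2024 duration 2592000
  key 2000
    key-octet-string fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 cryptographic-algorithm AES_256_CMAC
    send-lifetime 00:00:00 Jan 31 2024 infinite

! Fallback keychain: a single key with no send-lifetime, i.e. the default unlimited lifetime.
! It is used only when the primary session cannot be established or fails.
key chain mka-fallback macsec
  key 9999
    key-octet-string 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff cryptographic-algorithm AES_256_CMAC

! Policy: AES-GCM-256 with extended packet numbering, and must-secure so the port forwards
! no cleartext if neither the primary nor the fallback key can bring up a session.
macsec policy strict
  cipher-suite GCM-AES-XPN-256
  security-policy must-secure

interface Ethernet1/1
  macsec keychain mka-primary policy strict fallback-keychain mka-fallback
```

After applying the configuration on both switches, `show key chain mka-primary` shows which key is currently active and its lifetime, and `show macsec mka session` shows whether the MKA session is secured and which CKN (primary or fallback) it is running on; a session that comes up on the fallback CKN is the signal that the primary keys or their lifetimes do not match on the two ends.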
Licensing Requirements for MACsec
Product: Cisco NX-OS
License Requirement: MACsec requires a Security license. For a complete explanation of the Cisco NX-OS
licensing scheme and how to obtain and apply licenses, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for MACsec
MACsec has the following guidelines and limitations:
• MACsec is supported on the following interface types:
• Layer 2 switchports (access and trunk)
• Layer 3 routed interfaces (no subinterfaces)
• Layer 2 and Layer 3 port channels (no subinterfaces)
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x (Configuring MACsec, page 502)