Macsec 128 bit to Macsec 256 bit

shlomoi · ‎02-23-2025

Hi
We are using 128 bit MACSEC encryption for our remote site.
We recently purchased a new license of dna advantage for the router And we want to move to 256-bit encryption.
This is the definition we have today on the MACSEC 128 port:

interface TenGigabitEthernet1/1/10
description "Macsec port "
switchport mode trunk
switchport nonegotiate
macsec replay-protection window-size 100
cts manual
no propagate sgt
sap pmk XXXXXX mode-list gcm-encrypt

storm-control broadcast level 0.50
storm-control action trap
channel-group 10 mode active

Is it necessary to change the settings ? or just add this command to the router
license boot level network advantage addon dna advantage

If anyone has an example of a MACSEC 256 BIT port

Thanks

Georg Pauwen · ‎02-23-2025

Hello,

after license activation (I think you need to reboot the router for the new license to be active), you need to change the command:

sap pmk XXXXXX mode-list gcm-encrypt

to sap pmk XXXXXX mode-list gcm-encrypt-256

shlomoi · ‎02-23-2025

Hi thanks but the command
does not exist
Maybe I need to upgrade version?
I'm running 17.05.01

Thanks

Georg Pauwen · ‎02-23-2025

Hello, you are trying to run this on a C9300 ? My bad, I thought you were talking about Nexus. Either way, I am not sure the 'gcm-encrypt-256' is available at all on the C9300...I will check...

shlomoi · ‎02-24-2025

Hi ,
Yes I am trying on 9300

Thanks