Does Nexus switch breakout port support MACsec?

yuanqiao58820 · ‎04-29-2023

According to the configuration guide

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_011100.htm...

that N9K-X9736C-FX line card support both breakout cable and MACsec function.

We would like to have a secure link between two switches. The link between N9K switch and a new Nexus switch might be a 1 GE or 10GE speed provided by local ISP.

Can I configure MACsec on a breakout port with remote Nexus switch's 10GE port or a breakout port?

Reza Sharifi · ‎04-29-2023

As long as the other switch you are trying to connect to support MACsec, it should work. When using a breakout cable, MACsec policy applies to all ports and not just to one of them. Have a look at this config example between 2 switches.

https://community.cisco.com/t5/networking-knowledge-base/configuring-macsec-switch-to-switch-with-pre-shared-key/ta-p/4436093

HTH

Flavio Miranda · ‎04-29-2023

Hi

As per the link you share, yes, you can. They mention, however, this restriction here:

"All breakout ports should have the same MACsec policy. However, the breakout ports can have different keychains. We do not support having some breakout ports with one MACsec policy and others with different MACsec policy. A port cannot be without a MACsec policy. If you do not configure a policy on an interface, by default, the system-default-macsec-policy is applied."

yuanqiao58820 · ‎06-14-2023

Just one more question regarding this issue:

Is there any obstacle to configure MACsec between Nexus and catalyst Switches?

Many thanks in advance.