Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
580
Views
2
Helpful
2
Replies

MACSEC Cisco 9K cipher

Go to solution
sammanai
Level 1
Level 1

‎01-06-2024 03:27 AM

Hi,

I seek advice regarding MACSEC Cisco 9K cipher recommendation to be used?

Thanks,

Sam

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎01-06-2024 03:36 AM

from cisco doc. 
The default MACsec cipher suite in the MKA policy will always be "GCM-AES-128". If the device supports both "GCM-AES-128" and "GCM-AES-256" ciphers, it is highly recommended to define and use a user defined MKA policy to include both 128 and 256 bits ciphers or only 256 bits cipher, as may be required.

MHM

View solution in original post

Go to solution
M02@rt37
VIP
VIP

‎01-06-2024 04:25 AM

Hello @sammanai 

The default MACsec cipher suite "GCM-AES-128" is a strong choice, you have the option to define a user-defined MKA policy.

If your device supports both "GCM-AES-128" and "GCM-AES-256," and based on Cisco recommendation, you may consider defining a user-defined MKA policy that includes both 128-bit and 256-bit ciphers. This allows you to have flexibility in selecting the appropriate level of encryption based on your specific security requirements.

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-5/system-security/configuration/guide/b-system-security-cg-asr9000-75x/implementing-macsec-encryption.html

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

2 Replies 2

Go to solution
MHM Cisco World
VIP
VIP

‎01-06-2024 03:36 AM

from cisco doc. 
The default MACsec cipher suite in the MKA policy will always be "GCM-AES-128". If the device supports both "GCM-AES-128" and "GCM-AES-256" ciphers, it is highly recommended to define and use a user defined MKA policy to include both 128 and 256 bits ciphers or only 256 bits cipher, as may be required.

MHM

Go to solution
M02@rt37
VIP
VIP

‎01-06-2024 04:25 AM

Hello @sammanai 

The default MACsec cipher suite "GCM-AES-128" is a strong choice, you have the option to define a user-defined MKA policy.

If your device supports both "GCM-AES-128" and "GCM-AES-256," and based on Cisco recommendation, you may consider defining a user-defined MKA policy that includes both 128-bit and 256-bit ciphers. This allows you to have flexibility in selecting the appropriate level of encryption based on your specific security requirements.

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-5/system-security/configuration/guide/b-system-security-cg-asr9000-75x/implementing-macsec-encryption.html

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
Customers Also Viewed These Support Documents