02-09-2017 03:40 AM - edited 03-08-2019 09:15 AM
Hi
We have two Nexus 7009 switches in two geographically separated datacenters. The two datacenters are connected with a DWDM 2x10Gbit/s L2 EtherChannel trunk.
Now we want to encrypt the traffic between the datacenters, and are looking into implementing MACsec on our Nexus 7009 switches. We are trying to keep the configuration as easy as possible, without using a RADIUS server.
In datacenter1, we have a Nexus 7009 with N7K-SUP2 and N7K-F248XP-25E, running NX-OS version 6.2 (12).
In datacenter2, we have a Nexus 7009 with N7K-SUP2 and N7K-F348XP-25, running NX-OS version 6.2 (12).
On the Nexuses, we enabled the features dot1x and cts.
We then configured one of the trunk interfaces with the following commands:
cts manual
sap pmk <secretkey> <--- This command failed with the following error:
ERROR: SAP PMK not allowed on this interface since port does not support MacSec
We tried several ports, both in the range 30-35 and 41-48, but got the same error.
Is there something missing in our configuration, or are there any SW/HW restrictions in the Nexus 7k that are causing this issue?
03-10-2017 05:35 AM
*bump*
Any suggestions? :)
09-26-2018 02:50 PM