Configuring MACSec

Media Access Control Security (MACsec) an IEEE 802.1AE along with MACsec Key Agreement (MKA) protocol provide secure communications on Ethernet links. It offers the following :

• Provides line rate encryption capabilities.
• Helps to ensure data confidentiality by providing strong encryption at Layer 2.
• Provides integrity checking to help ensure that data cannot be modified in transit.
• Can be selectively enabled using a centralized policy to help ensure that it is enforced where required while allowing non-MACsec-capable components to access the network.
• Encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and forward traffic according to your existing policies (unlike end-to-end Layer 3 encryption techniques that hide the contents of packets from the network devices they cross).

For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html/

Configuring a Macsec Policy

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy SampleString_123

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-SampleString_123

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Macsec Policy

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

no macsec policy SampleString_123

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-SampleString_123

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Displaying MACsec Statistics

Note: This example was added in Release 10.4(2).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

show macsec mka statistics

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecGlobalMacsecIf	sys/macsec/inst/globalmacsecif

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Shutdown

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec shutdown

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst

macsecInst Properties

The following table contains information about the macsecInst properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
macsecShutdown	macsec:MacsecShutdown (scalar:Bool)	Enable or disable Macsec Shutdown	SELECTION: true or false DEFAULT: 1

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Unconfiguring a Shutdown

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

no macsec shutdown

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst

macsecInst Properties

The following table contains information about the macsecInst properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
macsecShutdown	macsec:MacsecShutdown (scalar:Bool)	Enable or disable Macsec Shutdown	SELECTION: true or false DEFAULT: 1

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring an Ether Type (Broadcast Address)

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/2-3
  eapol mac-address broadcast-address ethertype 0x600

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecEapol	sys/macsec/inst/eapol-[eth1/3]
macsecEapol	sys/macsec/inst/eapol-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/2]

macsecEapol Properties

The following table contains information about the macsecEapol properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
etherType	macsec:EtherType (scalar:Uint32)	Macsec EAPOL Ether Type	SELECTION: 34958 - 0x888e DEFAULT: 0x888e
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
macAddress	address:MAC	Macsec EAPOL Mac Address	Value must match MM:MM:MM:SS:SS:SS format DEFAULT: 0180.c200.0003

macsecEapol Properties

The following table contains information about the macsecEapol properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
etherType	macsec:EtherType (scalar:Uint32)	Macsec EAPOL Ether Type	SELECTION: 34958 - 0x888e DEFAULT: 0x888e
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
macAddress	address:MAC	Macsec EAPOL Mac Address	Value must match MM:MM:MM:SS:SS:SS format DEFAULT: 0180.c200.0003

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting an Ether Type (Broadcast Address)

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/2-3
  no eapol mac-address broadcast-address ethertype 0x600

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/2]

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring an Ether Type (MAC Address)

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/2-3
  eapol mac-address d8b1.9071.e903 ethertype 0x600

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecEapol	sys/macsec/inst/eapol-[eth1/3]
macsecEapol	sys/macsec/inst/eapol-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/2]

macsecEapol Properties

The following table contains information about the macsecEapol properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
etherType	macsec:EtherType (scalar:Uint32)	Macsec EAPOL Ether Type	SELECTION: 34958 - 0x888e DEFAULT: 0x888e
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
macAddress	address:MAC	Macsec EAPOL Mac Address	Value must match MM:MM:MM:SS:SS:SS format DEFAULT: 0180.c200.0003

macsecEapol Properties

The following table contains information about the macsecEapol properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
etherType	macsec:EtherType (scalar:Uint32)	Macsec EAPOL Ether Type	SELECTION: 34958 - 0x888e DEFAULT: 0x888e
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
macAddress	address:MAC	Macsec EAPOL Mac Address	Value must match MM:MM:MM:SS:SS:SS format DEFAULT: 0180.c200.0003

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting an Ether Type (MAC Address)

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/2-3
  no eapol mac-address d8b1.9071.e903 ethertype 0x600

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/2]

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Fallback Keychain

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/2-3
  macsec keychain SampleString_2 policy SampleString_3 fallback-keychain SampleString_1

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecIf	sys/macsec/inst/if-[eth1/3]
macsecIf	sys/macsec/inst/if-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/2]

macsecIf Properties

The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
fallbackKeychainName	macsec:KeyChainName (string:Basic)	Name of Macsec Fallback Key Chain	A sequence of characters
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
keychainName	macsec:KeyChainName (string:Basic)	Name of Macsec Key Chain	A sequence of characters
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

macsecIf Properties

The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
fallbackKeychainName	macsec:KeyChainName (string:Basic)	Name of Macsec Fallback Key Chain	A sequence of characters
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
keychainName	macsec:KeyChainName (string:Basic)	Name of Macsec Key Chain	A sequence of characters
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Unconfiguring a Fallback Keychain

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/2-3
   no macsec keychain SampleString_2 policy SampleString_3 fallback-keychain SampleString_1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecIf	sys/macsec/inst/if-{[id]}
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-{[id]}

macsecIf Properties

The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Cipher Suite

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  cipher-suite GCM-AES-128

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
cipherSuite	macsec:CipherSuite (scalar:Enum8)	Cipher Suite for Macsec Policy	SELECTION: 1 - GCM-AES-128 2 - GCM-AES-256 3 - GCM-AES-XPN-128 4 - GCM-AES-XPN-256 DEFAULT: GCM-AES-XPN-256
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Cipher Suite Enforce Peer

Note: This example was added in Release 10.3(3). The 'cipherSuite : enforce-peer' and 'allowedPeerCipherSuite1','allowedPeerCipherSuite2','allowedPeerCipherSuite3','allowedPeerCipherSuite4' are supported from 10.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

cipher-suite { { enforce-peer <allowed-peer-cipher-suite1> the most preferred ciphersuite that is supported [allowed-peer-cipher-suite2> [allowed-peer-cipher-suite3> [allowed-peer-cipher-suite4> least preferred]]] }} The session gets secured on <suite1>

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecIf	sys/macsec/inst/if-[eth1/9/1]
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
cipherSuite	macsec:CipherSuite (scalar:Enum8)	Cipher Suite for Macsec Policy	SELECTION: 1 - GCM-AES-128 2 - GCM-AES-256 3 - GCM-AES-XPN-128 4 - GCM-AES-XPN-256 DEFAULT: GCM-AES-XPN-256
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Cipher Suite

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no cipher-suite GGCM-AES-128

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Confidentiality Offset Options

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  conf-offset CONF-OFFSET-30

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
confOffset	macsec:ConfOffset (scalar:Enum8)	Confidentiality Offset for Macsec Policy	SELECTION: 1 - CONF-OFFSET-0 2 - CONF-OFFSET-30 3 - CONF-OFFSET-50 DEFAULT: CONF-OFFSET-0
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Confidentiality Offset Options

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no conf-offset CONF-OFFSET-30

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Including ICV Indicator paramset in MKPDU

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  include-icv-indicator

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
includeIcvParam	macsec:IncludeIcvParam (scalar:Bool)	Include ICV Indicator paramset in MKPDU for Macsec Policy	SELECTION: true or false DEFAULT: false
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Excluding ICV Indicator paramset in MKPDU

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no include-icv-indicator

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
includeIcvParam	macsec:IncludeIcvParam (scalar:Bool)	Include ICV Indicator paramset in MKPDU for Macsec Policy	SELECTION: true or false DEFAULT: false
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Key-Server priority

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  key-server-priority 71

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
keySvrPrio	macsec:KeySvrPrio (scalar:UByte)	Key Server Priority for Macsec Policy	RANGE: [0 , 255] DEFAULT: 16
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Key-Server priority

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no key-server-priority 71

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Time in Seconds to Force SAK Rekey

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  sak-expiry-time 2190458

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
sakExpiryTime	macsec:SakExpiryTime (scalar:Uint32)	Security Association Key Expiry Time for Macsec Policy	RANGE: [0 , 2592000] DEFAULT: pn-rollover

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Time in Seconds to Force SAK Rekey

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no sak-expiry-time 2190458

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
sakExpiryTime	macsec:SakExpiryTime (scalar:Uint32)	Security Association Key Expiry Time for Macsec Policy	RANGE: [0 , 2592000] DEFAULT: pn-rollover

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Should-Secure Policy

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  security-policy should-secure

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
secPolicy	macsec:SecPolicy (scalar:Enum8)	Security Policy for Macsec Policy	SELECTION: 0 - must-secure 1 - should-secure DEFAULT: should-secure

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Must-Secure Policy

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  security-policy must-secure

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
secPolicy	macsec:SecPolicy (scalar:Enum8)	Security Policy for Macsec Policy	SELECTION: 0 - must-secure 1 - should-secure DEFAULT: should-secure

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Must-Secure Policy

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no security-policy must-secure

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
secPolicy	macsec:SecPolicy (scalar:Enum8)	Security Policy for Macsec Policy	SELECTION: 0 - must-secure 1 - should-secure DEFAULT: should-secure

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Window Size

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  window-size 135714166

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy
replayWindow	macsec:ReplayWindow (scalar:Uint32)	Replay Window for Macsec Policy	RANGE: [0 , 596000000] DEFAULT: 148809600

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Unconfiguring the Window Size

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

macsec policy Pol_1
  no window-size 135714166

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
macsecInst	sys/macsec/inst
macsecPolicy	sys/macsec/inst/policy-Pol_1

macsecPolicy Properties

The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	macsec:PolicyName (string:Basic)	Name of Macsec Policy	A sequence of characters DEFAULT: system-default-macsec-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Unconfiguring the fallback keychain

Note: This example was added in Release 9.3(3).

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
macsecEntity	sys/macsec
macsecInst	sys/macsec/inst
macsecIf	sys/macsec/inst/if-{[id]}
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-{[id]}

macsecIf Properties

The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	Interface Index	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html