Configuring MACsec
Media Access Control Security (MACsec), the IEEE 802.1AE standard, together with the MACsec Key Agreement (MKA) protocol, provides secure communications on Ethernet links. It offers the following:
- Provides line rate encryption capabilities.
- Helps to ensure data confidentiality by providing strong encryption at Layer 2.
- Provides integrity checking to help ensure that data cannot be modified in transit.
- Can be selectively enabled using a centralized policy to help ensure that it is enforced where required while allowing non-MACsec-capable components to access the network.
- Encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and forward traffic according to your existing policies (unlike end-to-end Layer 3 encryption techniques that hide the contents of packets from the network devices they cross).
For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide:
Configuring a Macsec Policy
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "SampleString_123"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>SampleString_123</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
macsec policy SampleString_123
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-SampleString_123 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting a Macsec Policy
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "SampleString_123",
"status": "deleted"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list nc:operation="delete">
<policyName>SampleString_123</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
no macsec policy SampleString_123
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-SampleString_123 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Displaying MACsec Statistics
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecGlobalMacsecIf": {
"attributes": {
"dn": "sys/macsec/inst/globalmacsecif",
"modTs": "2023-06-08T22:07:06.108+00:00",
"roInMkpduBadPeerError": "0",
"roInMkpduPeerListError": "0",
"roInMkpduValidationError": "0",
"roSakDecryptionError": "0",
"roSakEncryptionError": "0",
"roSakGenerationError": "0",
"roSakHashError": "0"
}
}
}
{
imdata:[]
}
Note: This example was added in Release 10.4(2).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
show macsec mka statistics
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecGlobalMacsecIf | sys/macsec/inst/globalmacsecif |
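The counters in the macsecGlobalMacsecIf object are the ones worth polling when monitoring MKA health. The following is an added example, not part of the Cisco documentation: it compares two polls of `sys/macsec/inst/globalmacsecif` and reports which error counters grew. It assumes that the counters are cumulative, that a value lower than the previous poll means the counters were reset, and that a GET reply may wrap the object in an `imdata` list; the second sample is constructed.

```python
import json

# Counter names as they appear in the macsecGlobalMacsecIf payload on this page.
MKPDU_COUNTERS = (
    "roInMkpduBadPeerError",
    "roInMkpduPeerListError",
    "roInMkpduValidationError",
)
SAK_COUNTERS = (
    "roSakDecryptionError",
    "roSakEncryptionError",
    "roSakGenerationError",
    "roSakHashError",
)

# The object shown on this page: every counter is zero.
PAGE_SAMPLE = json.loads("""
{"macsecGlobalMacsecIf": {"attributes": {
  "dn": "sys/macsec/inst/globalmacsecif",
  "modTs": "2023-06-08T22:07:06.108+00:00",
  "roInMkpduBadPeerError": "0", "roInMkpduPeerListError": "0",
  "roInMkpduValidationError": "0", "roSakDecryptionError": "0",
  "roSakEncryptionError": "0", "roSakGenerationError": "0",
  "roSakHashError": "0"}}}
""")

# Constructed sample of a later poll, wrapped in imdata (assumed reply shape).
LATER_SAMPLE = {"totalCount": "1", "imdata": [{"macsecGlobalMacsecIf": {"attributes": {
    "dn": "sys/macsec/inst/globalmacsecif",
    "roInMkpduBadPeerError": "0", "roInMkpduPeerListError": "0",
    "roInMkpduValidationError": "3", "roSakDecryptionError": "1",
    "roSakEncryptionError": "0", "roSakGenerationError": "0",
    "roSakHashError": "0"}}}]}


def counters(doc):
    """Return {counter name: int} from a bare or imdata-wrapped object."""
    if "imdata" in doc:  # assumption: GET replies wrap MOs in an imdata list
        mos = [m for m in doc["imdata"] if "macsecGlobalMacsecIf" in m]
        if not mos:
            raise ValueError("no macsecGlobalMacsecIf object in reply")
        doc = mos[0]
    attrs = doc["macsecGlobalMacsecIf"]["attributes"]
    result = {}
    for name in MKPDU_COUNTERS + SAK_COUNTERS:
        if name not in attrs:
            raise ValueError(f"counter missing from reply: {name}")
        result[name] = int(attrs[name])  # the page shows counters as strings
    return result


def error_delta(previous, current):
    """Return the counters that increased between two polls.

    A value lower than the previous poll is treated as a counter reset
    (assumption), so the current value itself is the increase.
    """
    prev, cur = counters(previous), counters(current)
    delta = {}
    for name, now in cur.items():
        grown = now - prev[name] if now >= prev[name] else now
        if grown:
            delta[name] = grown
    return delta


def group(delta):
    """Split a delta into MKPDU-related and SAK-related counters."""
    return {
        "mkpdu": {n: v for n, v in delta.items() if n in MKPDU_COUNTERS},
        "sak": {n: v for n, v in delta.items() if n in SAK_COUNTERS},
    }


if __name__ == "__main__":
    print(json.dumps(group(error_delta(PAGE_SAMPLE, LATER_SAMPLE)), indent=2))
```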
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Shutdown
POST http://<mgmt0_IP>/api/mo/sys/macsec.json
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"attributes": {
"macsecShutdown": "no"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<macsecShutdown>false</macsecShutdown>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
macsec shutdown
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecInst Properties
The following table contains information about the macsecInst properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
macsecShutdown | macsec:MacsecShutdown (scalar:Bool) | Enable or disable Macsec Shutdown | SELECTION: true or false DEFAULT: 1 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Unconfiguring a Shutdown
POST http://<mgmt0_IP>/api/mo/sys/macsec.json
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"attributes": {
"macsecShutdown": "yes"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<macsecShutdown>true</macsecShutdown>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
no macsec shutdown
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecInst Properties
The following table contains information about the macsecInst properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
macsecShutdown | macsec:MacsecShutdown (scalar:Bool) | Enable or disable Macsec Shutdown | SELECTION: true or false DEFAULT: 1 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring an Ether Type (Broadcast Address)
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecEapol": {
"attributes": {
"etherType": "0x600",
"id": "eth1/3",
"macAddress": "FF:FF:FF:FF:FF:FF"
}
}
},
{
"macsecEapol": {
"attributes": {
"etherType": "0x600",
"id": "eth1/2",
"macAddress": "FF:FF:FF:FF:FF:FF"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<eapol-items>
<Eapol-list>
<id>eth1/3</id>
<etherType>1536</etherType>
<macAddress>FF:FF:FF:FF:FF:FF</macAddress>
</Eapol-list>
<Eapol-list>
<id>eth1/2</id>
<etherType>1536</etherType>
<macAddress>FF:FF:FF:FF:FF:FF</macAddress>
</Eapol-list>
</eapol-items>
</inst-items>
</macsec-items>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
</PhysIf-list>
<PhysIf-list>
<id>eth1/2</id>
</PhysIf-list>
</phys-items>
</intf-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
interface ethernet 1/2-3
eapol mac-address broadcast-address ethertype 0x600
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecEapol | sys/macsec/inst/eapol-[eth1/3] |
macsecEapol | sys/macsec/inst/eapol-[eth1/2] |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-[eth1/3] |
l1PhysIf | sys/intf/phys-[eth1/2] |
macsecEapol Properties
The following table contains information about the macsecEapol properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
etherType | macsec:EtherType (scalar:Uint32) | Macsec EAPOL Ether Type | SELECTION: 34958 - 0x888e DEFAULT: 0x888e |
id | nw:IfId (base:IfIndex) | Interface Index | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
macAddress | address:MAC | Macsec EAPOL Mac Address | Value must match MM:MM:MM:SS:SS:SS format DEFAULT: 0180.c200.0003 |
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting an Ether Type (Broadcast Address)
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecEapol": {
"attributes": {
"id": "eth1/3",
"status": "deleted"
}
}
},
{
"macsecEapol": {
"attributes": {
"id": "eth1/2",
"status": "deleted"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
</PhysIf-list>
<PhysIf-list>
<id>eth1/2</id>
</PhysIf-list>
</phys-items>
</intf-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
interface ethernet 1/2-3
no eapol mac-address broadcast-address ethertype 0x600
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-[eth1/3] |
l1PhysIf | sys/intf/phys-[eth1/2] |
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring an Ether Type (MAC Address)
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecEapol": {
"attributes": {
"etherType": "0x600",
"id": "eth1/3",
"macAddress": "D8:B1:90:71:E9:03"
}
}
},
{
"macsecEapol": {
"attributes": {
"etherType": "0x600",
"id": "eth1/2",
"macAddress": "D8:B1:90:71:E9:03"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<eapol-items>
<Eapol-list>
<id>eth1/3</id>
<etherType>1536</etherType>
<macAddress>D8:B1:90:71:E9:03</macAddress>
</Eapol-list>
<Eapol-list>
<id>eth1/2</id>
<etherType>1536</etherType>
<macAddress>D8:B1:90:71:E9:03</macAddress>
</Eapol-list>
</eapol-items>
</inst-items>
</macsec-items>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
</PhysIf-list>
<PhysIf-list>
<id>eth1/2</id>
</PhysIf-list>
</phys-items>
</intf-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
interface ethernet 1/2-3
eapol mac-address d8b1.9071.e903 ethertype 0x600
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecEapol | sys/macsec/inst/eapol-[eth1/3] |
macsecEapol | sys/macsec/inst/eapol-[eth1/2] |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-[eth1/3] |
l1PhysIf | sys/intf/phys-[eth1/2] |
macsecEapol Properties
The following table contains information about the macsecEapol properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
etherType | macsec:EtherType (scalar:Uint32) | Macsec EAPOL Ether Type | SELECTION: 34958 - 0x888e DEFAULT: 0x888e |
id | nw:IfId (base:IfIndex) | Interface Index | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
macAddress | address:MAC | Macsec EAPOL Mac Address | Value must match MM:MM:MM:SS:SS:SS format DEFAULT: 0180.c200.0003 |
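The two Ether Type examples use three notations for the same values: the CLI takes `ethernet 1/2-3`, a dotted MAC or `broadcast-address`, and a hex ethertype; the DME JSON takes `eth1/2`, a colon-separated MAC, and the hex string; the YANG XML carries the ethertype in decimal (1536). The following is an added example, not part of the Cisco documentation, that converts CLI-style inputs into the DME payload shown above and the DNs to GET afterwards; the function names are hypothetical, and the lower bound of 0x600 is the IEEE 802.3 rule for EtherType values, not something stated on this page.

```python
import json
import re

BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"  # value the page uses for broadcast-address


def dme_mac(cli_mac):
    """Convert d8b1.9071.e903 (or broadcast-address) to D8:B1:90:71:E9:03."""
    if cli_mac == "broadcast-address":
        return BROADCAST_MAC
    digits = re.sub(r"[.:\-]", "", cli_mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {cli_mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def expand_ports(cli_range):
    """Expand 'ethernet 1/2-3' into the DME ids ['eth1/2', 'eth1/3']."""
    m = re.fullmatch(r"(?:ethernet|eth)\s*(\d+)/(\d+)(?:-(\d+))?",
                     cli_range.strip(), re.I)
    if not m:
        raise ValueError(f"unsupported interface range: {cli_range!r}")
    slot, first = int(m[1]), int(m[2])
    last = int(m[3]) if m[3] else first
    if last < first:
        raise ValueError(f"descending interface range: {cli_range!r}")
    return [f"eth{slot}/{port}" for port in range(first, last + 1)]


def ethertype_forms(value):
    """Return (DME JSON form, YANG XML form), e.g. ('0x600', '1536')."""
    number = int(str(value), 0)  # accepts '0x600' as well as '1536'
    # IEEE 802.3: values below 0x600 are frame lengths, not EtherTypes.
    if not 0x600 <= number <= 0xFFFF:
        raise ValueError(f"ethertype out of range: {value!r}")
    return hex(number), str(number)


def eapol_payload(cli_range, cli_mac, ethertype):
    """Build the body for POST /api/mo/sys.json in the shape shown above."""
    ids = expand_ports(cli_range)
    json_ethertype, _ = ethertype_forms(ethertype)
    mac = dme_mac(cli_mac)
    eapol = [{"macsecEapol": {"attributes": {
        "etherType": json_ethertype, "id": i, "macAddress": mac}}} for i in ids]
    phys = [{"l1PhysIf": {"attributes": {"id": i}}} for i in ids]
    return {"topSystem": {"children": [
        {"macsecEntity": {"children": [{"macsecInst": {"children": eapol}}]}},
        {"interfaceEntity": {"children": phys}},
    ]}}


def verify_dns(cli_range):
    """DNs of the macsecEapol objects to GET after the POST."""
    return [f"sys/macsec/inst/eapol-[{i}]" for i in expand_ports(cli_range)]


if __name__ == "__main__":
    body = eapol_payload("ethernet 1/2-3", "d8b1.9071.e903", "0x600")
    print(json.dumps(body, indent=1))
    for dn in verify_dns("ethernet 1/2-3"):
        print("GET /api/mo/" + dn + ".json")
```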
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting an Ether Type (MAC Address)
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecEapol": {
"attributes": {
"id": "eth1/3",
"status": "deleted"
}
}
},
{
"macsecEapol": {
"attributes": {
"id": "eth1/2",
"status": "deleted"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
</PhysIf-list>
<PhysIf-list>
<id>eth1/2</id>
</PhysIf-list>
</phys-items>
</intf-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
interface ethernet 1/2-3
no eapol mac-address d8b1.9071.e903 ethertype 0x600
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-[eth1/3] |
l1PhysIf | sys/intf/phys-[eth1/2] |
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Fallback Keychain
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecIf": {
"attributes": {
"fallbackKeychainName": "SampleString_1",
"id": "eth1/3",
"keychainName": "SampleString_2",
"policyName": "SampleString_3"
}
}
},
{
"macsecIf": {
"attributes": {
"fallbackKeychainName": "SampleString_1",
"id": "eth1/2",
"keychainName": "SampleString_2",
"policyName": "SampleString_3"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<if-items>
<If-list>
<id>eth1/3</id>
<fallbackKeychainName>SampleString_1</fallbackKeychainName>
<keychainName>SampleString_2</keychainName>
<policyName>SampleString_3</policyName>
</If-list>
<If-list>
<id>eth1/2</id>
<fallbackKeychainName>SampleString_1</fallbackKeychainName>
<keychainName>SampleString_2</keychainName>
<policyName>SampleString_3</policyName>
</If-list>
</if-items>
</inst-items>
</macsec-items>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
</PhysIf-list>
<PhysIf-list>
<id>eth1/2</id>
</PhysIf-list>
</phys-items>
</intf-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
interface ethernet 1/2-3
macsec keychain SampleString_2 policy SampleString_3 fallback-keychain SampleString_1
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecIf | sys/macsec/inst/if-[eth1/3] |
macsecIf | sys/macsec/inst/if-[eth1/2] |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-[eth1/3] |
l1PhysIf | sys/intf/phys-[eth1/2] |
macsecIf Properties
The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
fallbackKeychainName | macsec:KeyChainName (string:Basic) | Name of Macsec Fallback Key Chain | A sequence of characters |
id | nw:IfId (base:IfIndex) | Interface Index | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
keychainName | macsec:KeyChainName (string:Basic) | Name of Macsec Key Chain | A sequence of characters |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Unconfiguring a Fallback Keychain
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecIf": {
"attributes": {
"id": "eth1/3",
"status": "deleted"
}
}
},
{
"macsecIf": {
"attributes": {
"id": "eth1/2",
"status": "deleted"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<if-items>
<If-list>
<id>eth1/3</id>
<fallbackKeychainName>SampleString_1</fallbackKeychainName>
<keychainName>SampleString_2</keychainName>
<policyName>SampleString_3</policyName>
</If-list>
<If-list>
<id>eth1/2</id>
<fallbackKeychainName>SampleString_1</fallbackKeychainName>
<keychainName>SampleString_2</keychainName>
<policyName>SampleString_3</policyName>
</If-list>
</if-items>
</inst-items>
</macsec-items>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
</PhysIf-list>
<PhysIf-list>
<id>eth1/2</id>
</PhysIf-list>
</phys-items>
</intf-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
interface ethernet 1/2-3
no macsec keychain SampleString_2 policy SampleString_3 fallback-keychain SampleString_1
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecIf | sys/macsec/inst/if-{[id]} |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-{[id]} |
macsecIf Properties
The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | Interface Index | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced |
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Cipher Suite
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"cipherSuite": "GCM-AES-128",
"policyName": "Pol_1"
}
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<cipherSuite>GCM-AES-128</cipherSuite>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
cipher-suite GCM-AES-128
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
cipherSuite | macsec:CipherSuite (scalar:Enum8) | Cipher Suite for Macsec Policy | SELECTION: 1 - GCM-AES-128 2 - GCM-AES-256 3 - GCM-AES-XPN-128 4 - GCM-AES-XPN-256 DEFAULT: GCM-AES-XPN-256 |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Cipher Suite Enforce Peer
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"allowedPeerCipherSuite1": "GCM-AES-256",
"allowedPeerCipherSuite2": "None",
"allowedPeerCipherSuite3": "None",
"allowedPeerCipherSuite4": "None",
"cipherSuite": "enforce-peer",
"includeIcvParam": "yes",
"includeSci": "yes",
"keySvrPrio": "32",
"policyName": "Test-MP8",
"replayWindow": "10000",
"sakExpiryTime": "1000",
"secPolicy": "must-secure"
}
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
Note: This example was added in Release 10.3(3). The 'cipherSuite: enforce-peer' value and the 'allowedPeerCipherSuite1', 'allowedPeerCipherSuite2', 'allowedPeerCipherSuite3', and 'allowedPeerCipherSuite4' properties are supported from Release 10.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
cipher-suite { { enforce-peer <allowed-peer-cipher-suite1> [<allowed-peer-cipher-suite2> [<allowed-peer-cipher-suite3> [<allowed-peer-cipher-suite4>]]] } }
<allowed-peer-cipher-suite1> is the most preferred cipher suite that is supported; <allowed-peer-cipher-suite4> is the least preferred. The session gets secured on <suite1>
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecIf | sys/macsec/inst/if-[eth1/9/1] |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
cipherSuite | macsec:CipherSuite (scalar:Enum8) | Cipher Suite for Macsec Policy | SELECTION: 1 - GCM-AES-128 2 - GCM-AES-256 3 - GCM-AES-XPN-128 4 - GCM-AES-XPN-256 DEFAULT: GCM-AES-XPN-256 |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting a Cipher Suite
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"cipherSuite": "GCM-AES-XPN-256",
"policyName": "Pol_1"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
no cipher-suite GCM-AES-128
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Confidentiality Offset Options
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"confOffset": "CONF-OFFSET-30",
"policyName": "Pol_1"
}
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<confOffset>CONF-OFFSET-30</confOffset>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
conf-offset CONF-OFFSET-30
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
confOffset | macsec:ConfOffset (scalar:Enum8) | Confidentiality Offset for Macsec Policy | SELECTION: 1 - CONF-OFFSET-0 2 - CONF-OFFSET-30 3 - CONF-OFFSET-50 DEFAULT: CONF-OFFSET-0 |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting Confidentiality Offset Options
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
no conf-offset CONF-OFFSET-30
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Including ICV Indicator paramset in MKPDU
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"includeIcvParam": "yes",
"policyName": "Pol_1"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<includeIcvParam>true</includeIcvParam>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
include-icv-indicator
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
includeIcvParam | macsec:IncludeIcvParam (scalar:Bool) | Include ICV Indicator paramset in MKPDU for Macsec Policy | SELECTION: true or false DEFAULT: false |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Excluding ICV Indicator paramset in MKPDU
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"includeIcvParam": "no",
"policyName": "Pol_1"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<includeIcvParam>false</includeIcvParam>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
no include-icv-indicator
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
includeIcvParam | macsec:IncludeIcvParam (scalar:Bool) | Include ICV Indicator paramset in MKPDU for Macsec Policy | SELECTION: true or false DEFAULT: false |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Key-Server priority
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"keySvrPrio": "71",
"policyName": "Pol_1"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<keySvrPrio>71</keySvrPrio>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
key-server-priority 71
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
keySvrPrio | macsec:KeySvrPrio (scalar:UByte) | Key Server Priority for Macsec Policy | RANGE: [0 , 255] DEFAULT: 16 |
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting Key-Server priority
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"keySvrPrio": "16",
"policyName": "Pol_1"
}
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
no key-server-priority 71
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Time in Seconds to Force SAK Rekey
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1",
"sakExpiryTime": "2190458"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<sakExpiryTime>2190458</sakExpiryTime>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
sak-expiry-time 2190458
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
sakExpiryTime | macsec:SakExpiryTime (scalar:Uint32) | Security Association Key Expiry Time for Macsec Policy | RANGE: [0 , 2592000] DEFAULT: pn-rollover |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting Time in Seconds to Force SAK Rekey
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1",
"sakExpiryTime": "pn-rollover"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<sakExpiryTime>0</sakExpiryTime>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
no sak-expiry-time 2190458
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
sakExpiryTime | macsec:SakExpiryTime (scalar:Uint32) | Security Association Key Expiry Time for Macsec Policy | RANGE: [0 , 2592000] DEFAULT: pn-rollover |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Should-Secure Policy
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1",
"secPolicy": "should-secure"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<secPolicy>should-secure</secPolicy>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
security-policy should-secure
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
secPolicy | macsec:SecPolicy (scalar:Enum8) | Security Policy for Macsec Policy | SELECTION: 0 - must-secure 1 - should-secure DEFAULT: should-secure |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Must-Secure Policy
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1",
"secPolicy": "must-secure"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<secPolicy>must-secure</secPolicy>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
security-policy must-secure
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
secPolicy | macsec:SecPolicy (scalar:Enum8) | Security Policy for Macsec Policy | SELECTION: 0 - must-secure 1 - should-secure DEFAULT: should-secure |
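The property tables on this page give the allowed values for each macsecPolicy attribute, and the verification step is a GET on the policy DN. The following added example (not Cisco code) checks a payload against those values before it is posted, flags `should-secure` and non-zero confidentiality offsets, and compares a GET reply with what was posted. The function names, the `CONSTRUCTED_WEAK` payload, and the shape of the GET reply (an `imdata` list of MOs) are assumptions.

```python
# Added example (not Cisco code): pre-flight and post-POST checks for macsecPolicy.
# Allowed values and ranges are copied from the property tables on this page.
CIPHER_SUITES = {"GCM-AES-128", "GCM-AES-256", "GCM-AES-XPN-128", "GCM-AES-XPN-256"}
CONF_OFFSETS = {"CONF-OFFSET-0", "CONF-OFFSET-30", "CONF-OFFSET-50"}
SEC_POLICIES = {"must-secure", "should-secure"}
RANGES = {"keySvrPrio": (0, 255), "sakExpiryTime": (0, 2592000)}


def find_policies(node):
    """Yield the attributes of every macsecPolicy MO in a nested DME payload."""
    for cls, body in node.items():
        if cls == "macsecPolicy":
            yield body.get("attributes", {})
        for child in body.get("children", []):
            yield from find_policies(child)


def check_policy(attrs):
    """Return (errors, warnings) for one macsecPolicy attribute set."""
    errors, warnings = [], []
    if not attrs.get("policyName"):
        errors.append("policyName is missing")

    cipher = attrs.get("cipherSuite")
    if cipher == "enforce-peer":
        # The CLI syntax on the page makes suite1 mandatory and suite2-4 optional.
        peers = [attrs.get(f"allowedPeerCipherSuite{i}", "None") for i in range(1, 5)]
        if peers[0] == "None":
            errors.append("enforce-peer requires allowedPeerCipherSuite1")
        for suite in peers:
            if suite != "None" and suite not in CIPHER_SUITES:
                errors.append(f"unknown allowed peer cipher suite: {suite}")
    elif cipher is not None and cipher not in CIPHER_SUITES:
        errors.append(f"unknown cipherSuite: {cipher}")

    for name, (low, high) in RANGES.items():
        value = attrs.get(name)
        if value is None or (name == "sakExpiryTime" and value == "pn-rollover"):
            continue
        if not (str(value).isdigit() and low <= int(value) <= high):
            errors.append(f"{name}={value} is outside [{low}, {high}]")

    offset = attrs.get("confOffset")
    if offset is not None and offset not in CONF_OFFSETS:
        errors.append(f"unknown confOffset: {offset}")
    elif offset in ("CONF-OFFSET-30", "CONF-OFFSET-50"):
        warnings.append(f"{offset} leaves the leading payload bytes unencrypted")

    policy = attrs.get("secPolicy")
    if policy is None:
        warnings.append("secPolicy not set; the table default is should-secure")
    elif policy not in SEC_POLICIES:
        errors.append(f"unknown secPolicy: {policy}")
    elif policy == "should-secure":
        warnings.append("should-secure lets the port pass unencrypted traffic "
                        "if MKA does not secure the session")
    return errors, warnings


def policy_dn(policy_name):
    """DN of a macsecPolicy MO, as listed in the verification tables."""
    return f"sys/macsec/inst/policy-{policy_name}"


def drift(posted, get_reply):
    """Map attribute -> (posted, on_device) for each value the device did not keep."""
    on_device = {}
    for mo in get_reply.get("imdata", []):
        on_device.update(mo.get("macsecPolicy", {}).get("attributes", {}))
    return {k: (v, on_device.get(k)) for k, v in posted.items() if on_device.get(k) != v}


# The "Configuring a Cipher Suite Enforce Peer" payload from this page.
ENFORCE_PEER = {"topSystem": {"children": [{"macsecEntity": {"children": [
    {"macsecInst": {"children": [{"macsecPolicy": {"attributes": {
        "allowedPeerCipherSuite1": "GCM-AES-256", "allowedPeerCipherSuite2": "None",
        "allowedPeerCipherSuite3": "None", "allowedPeerCipherSuite4": "None",
        "cipherSuite": "enforce-peer", "includeIcvParam": "yes", "includeSci": "yes",
        "keySvrPrio": "32", "policyName": "Test-MP8", "replayWindow": "10000",
        "sakExpiryTime": "1000", "secPolicy": "must-secure"}}}]}}]}}]}}

# Constructed payload with one out-of-range value and two risky settings.
CONSTRUCTED_WEAK = {"macsecInst": {"children": [{"macsecPolicy": {"attributes": {
    "policyName": "Pol_1", "keySvrPrio": "300", "confOffset": "CONF-OFFSET-30",
    "secPolicy": "should-secure"}}}]}}

if __name__ == "__main__":
    for payload in (ENFORCE_PEER, CONSTRUCTED_WEAK):
        for attrs in find_policies(payload):
            errors, warnings = check_policy(attrs)
            print(policy_dn(attrs.get("policyName")), errors, warnings)
    # Constructed GET reply in which the device reports should-secure.
    posted = next(find_policies(ENFORCE_PEER))
    reply = {"imdata": [{"macsecPolicy": {"attributes": {
        **posted, "secPolicy": "should-secure"}}}]}
    print(drift(posted, reply))
```

The comparison in `drift` is an exact string match, so a value the device reports in a different notation shows up as a mismatch to review by hand.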
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting a Must-Secure Policy
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1",
"secPolicy": "should-secure"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<secPolicy>should-secure</secPolicy>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above.
macsec policy Pol_1
no security-policy must-secure
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
secPolicy | macsec:SecPolicy (scalar:Enum8) | Security Policy for Macsec Policy | SELECTION: 0 - must-secure 1 - should-secure DEFAULT: should-secure |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring the Window Size
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"policyName": "Pol_1",
"replayWindow": "135714166"
}}}]}}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
<replayWindow>135714166</replayWindow>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above. The JSON payload is the DME form and the XML payload is the YANG form.
macsec policy Pol_1
window-size 135714166
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
replayWindow | macsec:ReplayWindow (scalar:Uint32) | Replay Window for Macsec Policy | RANGE: [0 , 596000000] DEFAULT: 148809600 |
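
The following is an added example, not part of Cisco's documentation: it builds the replay-window POST body shown above, enforces the RANGE and SELECTION limits from the property tables before anything is sent, and compares a GET response for the policy DN against the intended values, since the POST response shown on this page is only an empty imdata list. The function names, the GET response shape, and the sample response are assumptions constructed for illustration.

```python
import json

# Limits copied from the macsecPolicy property tables on this page.
REPLAY_WINDOW_RANGE = (0, 596000000)
SEC_POLICIES = ("must-secure", "should-secure")
INST_DN = "sys/macsec/inst"


def build_policy_payload(policy_name, replay_window=None, sec_policy=None):
    """Return (url_path, body) for the POST that sets macsecPolicy attributes."""
    attrs = {"policyName": policy_name}
    if replay_window is not None:
        low, high = REPLAY_WINDOW_RANGE
        if type(replay_window) is not int or not low <= replay_window <= high:
            raise ValueError(f"replayWindow must be an integer in [{low}, {high}]")
        attrs["replayWindow"] = str(replay_window)  # the page posts it as a string
    if sec_policy is not None:
        if sec_policy not in SEC_POLICIES:
            raise ValueError(f"secPolicy must be one of {SEC_POLICIES}")
        attrs["secPolicy"] = sec_policy
    body = {"macsecInst": {"children": [{"macsecPolicy": {"attributes": attrs}}]}}
    return f"/api/mo/{INST_DN}.json", body


def policy_dn(policy_name):
    """DN to GET when verifying a policy, per the MO/DN table."""
    return f"{INST_DN}/policy-{policy_name}"


def verify_policy(get_response_text, expected):
    """Return {attribute: (expected, actual)} for every value that differs."""
    doc = json.loads(get_response_text)
    found = [item["macsecPolicy"]["attributes"]
             for item in doc.get("imdata", []) if "macsecPolicy" in item]
    if not found:
        return {"<object>": ("present", "missing")}
    actual = found[0]
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}


# Constructed GET response (assumed shape) in which the window is still the default.
SAMPLE_GET = json.dumps({"totalCount": "1", "imdata": [{"macsecPolicy": {"attributes": {
    "dn": policy_dn("Pol_1"), "policyName": "Pol_1",
    "replayWindow": "148809600", "secPolicy": "should-secure"}}}]})

if __name__ == "__main__":
    path, body = build_policy_payload("Pol_1", replay_window=135714166)
    attrs = body["macsecInst"]["children"][0]["macsecPolicy"]["attributes"]
    print("POST", path, json.dumps(body))
    print("GET  /api/mo/" + policy_dn("Pol_1") + ".json")
    print("mismatches:", verify_policy(SAMPLE_GET, attrs))
```

Passing the same attribute dictionary to both the POST builder and the verifier keeps the check tied to exactly what was requested, so a value that silently stayed at its default shows up as a mismatch.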
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Unconfiguring the Window Size
POST http://<mgmt0_IP>/api/mo/sys/macsec/inst.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecPolicy": {
"attributes": {
"cipherSuite": "GCM-AES-XPN-256",
"policyName": "pol1"
}
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the payload examples above. The JSON payload is the DME form and the XML payload is the YANG form.
macsec policy Pol_1
no window-size 135714166
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
macsecInst | sys/macsec/inst |
macsecPolicy | sys/macsec/inst/policy-Pol_1 |
macsecPolicy Properties
The following table contains information about the macsecPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
policyName | macsec:PolicyName (string:Basic) | Name of Macsec Policy | A sequence of characters DEFAULT: system-default-macsec-policy |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Unconfiguring the fallback keychain
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"macsecEntity": {
"children": [
{
"macsecInst": {
"children": [
{
"macsecIf": {
"attributes": {
"id": "eth1/3",
"status": "deleted"
}
}
},
{
"macsecIf": {
"attributes": {
"id": "eth1/2",
"status": "deleted"
}
}
}
]
}
}
]
}
},
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3"
}
}
},
{
"l1PhysIf": {
"attributes": {
"id": "eth1/2"
}
}
}
]
}
}
]
}
}
{
imdata:[]
}
<System>
<macsec-items>
<inst-items>
<policy-items>
<Policy-list>
<policyName>Pol_1</policyName>
</Policy-list>
</policy-items>
</inst-items>
</macsec-items>
</System>
Note: This example was added in Release 9.3(3).
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
macsecEntity | sys/macsec |
macsecInst | sys/macsec/inst |
macsecIf | sys/macsec/inst/if-{[id]} |
interfaceEntity | sys/intf |
l1PhysIf | sys/intf/phys-{[id]} |
macsecIf Properties
The following table contains information about the macsecIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | Interface Index | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced |
l1PhysIf Properties
The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | nw:IfId (base:IfIndex) | An identifier. | Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: