Enabling and configuring group interfaces for MACsec

After MACsec is enabled for the device, each MACsec interface must be individually enabled, and a configured group of parameters must be applied.

  1. To enable MACsec, at the dot1x-mka configuration level, enter the enable-mka command, and specify the interface as device/slot/port.

    In the following example, Ethernet port 2 on slot 2 of device 1 is enabled for MACsec security.

    device# configure terminal
    device(config)# dot1x-mka 
    device(config-dot1x-mka)# enable-mka ethernet 2/2/1
    device(config-dot1x-mka-2/2/1)#

    Note: The following output is displayed if there is no MACsec license present on the device.

    device(config-dot1x-mka)# enable-mka ethernet 2/2/1
    Error: No MACsec License available for the port 2/2/1. Cannot enable MACsec !!!
    Error: MKA cannot be enabled on port 2/2/1
    
  2. At the dot1x-mka interface configuration level, enter the mka-cfg-group command, and specify the MKA group configuration to apply to the interface.

    In the following example, MACsec options configured for group test1 are applied to the enabled interface.

    
    device# configure terminal
    device(config)# dot1x-mka
    device(config-dot1x-mka)# enable-mka ethernet 2/2/1
    device(config-dot1x-mka-2/2/1)# mka-cfg-group test1
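
A check for automated rollouts of the two steps above, as an added example that is not part of the original documentation: it reads a captured CLI session and reports ports that were enabled for MKA but never received a group, or whose enable-mka command was rejected. The session text (including the `exit` lines and ports 2/2/2 and 2/2/3) and the function names are constructed for illustration.

```python
import re

# Constructed sample session, assembled from the prompts and error text above.
SAMPLE_SESSION = """\
device# configure terminal
device(config)# dot1x-mka
device(config-dot1x-mka)# enable-mka ethernet 2/2/1
device(config-dot1x-mka-2/2/1)# mka-cfg-group test1
device(config-dot1x-mka-2/2/1)# exit
device(config-dot1x-mka)# enable-mka ethernet 2/2/2
device(config-dot1x-mka-2/2/2)# exit
device(config-dot1x-mka)# enable-mka ethernet 2/2/3
Error: No MACsec License available for the port 2/2/3. Cannot enable MACsec !!!
Error: MKA cannot be enabled on port 2/2/3
"""

PORT = r"\d+/\d+/\d+"
# Prompt at the dot1x-mka level, optionally inside one interface's context.
PROMPT = re.compile(rf"^\S+\(config-dot1x-mka(?:-(?P<port>{PORT}))?\)#\s*(?P<cmd>.*)$")
ENABLE = re.compile(rf"^enable-mka ethernet ({PORT})$")
GROUP = re.compile(r"^mka-cfg-group (\S+)$")
FAILED = re.compile(rf"^Error: MKA cannot be enabled on port ({PORT})")


def audit_session(text):
    """Map each port to 'group:<name>', 'enabled-no-group' or 'enable-failed'."""
    state = {}
    for line in map(str.strip, text.splitlines()):
        failed = FAILED.match(line)
        if failed:
            state[failed.group(1)] = "enable-failed"
            continue
        prompt = PROMPT.match(line)
        if not prompt:
            continue
        cmd = prompt.group("cmd").strip()
        enable, group = ENABLE.match(cmd), GROUP.match(cmd)
        # Re-entering an interface that already has a group must not reset it.
        if enable and not state.get(enable.group(1), "").startswith("group:"):
            state[enable.group(1)] = "enabled-no-group"
        # Count the group only when the prompt shows an interface context.
        elif group and prompt.group("port"):
            state[prompt.group("port")] = "group:" + group.group(1)
    return state


def incomplete_ports(text):
    """Ports that did not finish both steps of the procedure."""
    return sorted(p for p, s in audit_session(text).items() if not s.startswith("group:"))
```

For the sample session, `incomplete_ports(SAMPLE_SESSION)` lists 2/2/2 (enabled, no group applied) and 2/2/3 (rejected for lack of a license).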