For hardware support for Cisco TrustSec MACsec, see the Cisco Nexus 7000 I/O Module Comparison Matrix.
Cisco TrustSec has the following guidelines and limitations:
MACsec—The following requirements must be met when deploying MACsec over SP-provided pseudowire connections. They help to ensure that the right service, quality, or characteristics are ordered from the SP.

The Nexus 7000 supports MACsec over point-to-point links, including those using DWDM, as well as over non-point-to-point links such as EoMPLS, provided that the following conditions are met:
- There is no reordering or buffering of packets on the MACsec link.
- No additional frames can be injected into the MACsec link.
- There must be end-to-end link event notification—if the edge device or any intermediate device loses a link, notifications must be sent so that the customer is aware of the link failure, because the service will be interrupted.
For MACsec links with a bandwidth of 40G or higher, multiple security associations (SCI/AN pairs) are established with each Security Association Protocol (SAP) exchange.
When you change the CTS MACsec port mode from Cache Engine (CE) mode to FabricPath mode, CRC errors are displayed on the CTS MACsec link until native VLAN tagging is disabled on the FabricPath core port. After such a configuration change, the CTS port should be flapped; however, flapping the port can cause traffic disruption. To avoid both the CRC errors and the traffic disruption, perform the following steps:
1. Disable the cache engine port while CTS MACsec is still enabled.
2. Change the port mode to FabricPath mode.
3. Disable native VLAN tagging on the FabricPath core port.
When the M3 line card interoperates with older line cards, you must configure only the legacy modes on the M3 line card for the link to come up, and the configuration on both peers must be consistent. On older line cards, the GCM-256 option is not available because the line card lacks that capability.
Cisco Nexus 7000 Series Switches have a debounce timer feature that delays the notification of a link change, which can reduce traffic loss during network reconfiguration. This feature affects CTS MACsec: if the delay on a link is high, MACsec-enabled links may not come up. To bring such a link up, increase the link-down debounce timer from its default value of 100. For more information about the debounce timer, see the "Configuring the Debounce Timer" section in the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide.
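As an added illustration (not part of this guide), the following interface-level configuration shows where the debounce timer is raised above its default of 100 ms on a MACsec-enabled link. The exact command syntax (link debounce time) is assumed from the NX-OS Interfaces Configuration Guide referenced above and the interface name and 500 ms value are constructed for the example; verify the syntax against that guide for your NX-OS release before applying it.

```text
! Assumed NX-OS interface configuration (example only, not from this guide)
! Interface name and timer value are constructed placeholders
configure terminal
 interface ethernet 1/1
  ! Raise the link-down debounce delay from the 100 ms default to 500 ms
  ! so the MACsec SAP exchange is not interrupted by a transient link event
  link debounce time 500
  end
! Confirm the timer took effect before re-checking the CTS MACsec link state
show interface ethernet 1/1 debounce
```

Raise the value in moderate steps and re-check the MACsec link after each change; a larger debounce delay also lengthens the time before a genuine link failure is reported, which matters for the end-to-end link event notification requirement described earlier on this page.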