Discovery 4: Enable and Verify Switch-to-Switch MACsec
Introduction
In this discovery, you will enable, verify, and test Media Access Control Security (MACsec), the IEEE
802.1AE standard for authenticating and encrypting Ethernet frames between two MACsec-capable devices.
MACsec is supported on Catalyst 9000 Series switches (some specific models do not support it). In this
lab, you will configure MACsec between two Catalyst 9300 Series switches and verify that it has been
configured correctly.
Topology Description
The two Catalyst 9300 Series switches in this lab topology are interconnected over the
TenGigabitEthernet 1/1/5 link. The Student PC is connected to the Pod Network in the 192.168.2.0/24
subnet. It has the IP address 192.168.2.20/24 and the default gateway 192.168.2.1, which is configured
on the CSR1Kv Internet Router. IP routing information is exchanged between the 9300-1 and 9300-2
switches using the OSPF protocol. ISE is deployed in the same subnet as the Student PC, with the IP
address 192.168.2.34.
The Management switch is hidden; it maps the virtual machines to the proper VLANs and subnets and
connects them to the 9300-1 and 9300-2 switches.
Note: Do not change the usernames and passwords configured on the Catalyst 9300 switches, since doing
so will break the lab. Do not change any configuration on the switches other than what the lab steps
require.
Discovery Lab # | © 2025 Cisco Systems, Inc. Lab Guide 1
Topology
Job Aid
Access Credentials Table
Device        User     Password    Enable Password
Cat9300-1     admin    1234QWer    1234QWer
Cat9300-2     admin    1234QWer    1234QWer
Note: Do not change the usernames and passwords configured on the Catalyst 9300 switches.
Device Information Table
Device     Description               IP Address
9300-1     Catalyst 9300 Switch 1    192.168.2.14/24
                                     192.168.7.1/24
9300-2     Catalyst 9300 Switch 2    192.168.7.2/24
                                     192.168.8.1/24
User PC    Student PC                192.168.2.20/24
Command List
This table describes the commands that are used in this activity. The commands are listed in
alphabetical order so you can quickly locate the information you need. Refer to this list if you need
configuration command assistance during the lab activity.
Command / Description

aaa authentication dot1x default group group-name
    Configures AAA authentication to use the defined server group name.
aaa authorization network default group group-name
    Configures AAA authorization to use the defined server group name.
aaa group server radius group-name
    Configures the RADIUS server group the switch will communicate with.
aaa new-model
    Activates AAA on the switch.
configure terminal
    Enters the switch global configuration mode.
cryptographic-algorithm {aes-128-cmac | aes-256-cmac}
    Configures the MKA authentication cipher for a keychain key.
cts manual
    Supplies local configuration for Cisco TrustSec parameters.
dot1x system-auth-control
    Enables 802.1X port-based authentication globally.
interface interface-id
    Enters interface configuration mode.
key chain name macsec
    Configures a MACsec keychain.
key hex-key-name
    Configures a key in the MACsec keychain; the hexadecimal key name is the CKN.
key-string CAK-key
    Configures the CAK. Must be 32 or 64 hexadecimal digits.
lifetime local start-time {end-time | infinite}
    Configures the lifetime of a MACsec key.
macsec network-link
    Enables MACsec on an interface.
macsec-cipher-suite {gcm-aes-128 | gcm-aes-256}
    Configures the encryption cipher suite to be used by MACsec.
mka policy name
    Configures an MKA policy (global configuration mode).
mka policy policy-name
    Applies the chosen MKA policy to an interface.
mka pre-shared-key key-chain name
    Configures the chosen keychain to be used as a PSK.
no propagate sgt
    Disables propagation of SGT information.
ping ip-address
    Sends ICMP echo requests to the IP address to test reachability.
radius server name
    Configures the RADIUS server the switch will communicate with.
sap pmk key mode-list mode1 [mode2 ...]
    Enables SAP PSK on the interface.
show cts interface interface-name
    Displays the CTS configuration for the interface.
show macsec interface interface-id
    Displays the configured MACsec settings on an interface.
show mka policy
    Displays the configured MKA policies.
show mka sessions
    Displays active MKA sessions on the switch.
Task 1: Configure Cisco MKA PSK MACsec on the Cisco Catalyst 9300 Series Switches
In this task, you will configure the following features:
    - The MKA policy globally.
    - The keychain containing the keys used in MACsec.
    - MACsec on the interface linking the Catalyst 9300 Series switches.
Activity Procedure
Complete the following steps:
Step 1 Connect to the 9300-1 and 9300-2 switch consoles and configure the MKA policy
with the following parameters:
    MKA Policy Name: mka-psk
    MACsec Cipher Suite: gcm-aes-128
Connect to the 9300-1 switch console and enter the global configuration mode
using the configure terminal command. Use the mka policy command to
configure the MKA policy. This policy allows you to configure which cipher suite
will be used for encryption.
9300-1(config)# mka policy mka-psk
9300-1(config-mka-policy)# macsec-cipher-suite gcm-aes-128
9300-1(config-mka-policy)# exit
Connect to the 9300-2 switch console and enter the global configuration mode
using the configure terminal command. Use the mka policy command to
configure the MKA policy. This policy allows you to configure which cipher suite
will be used for encryption.
9300-2(config)# mka policy mka-psk
9300-2(config-mka-policy)# macsec-cipher-suite gcm-aes-128
9300-2(config-mka-policy)# exit
Step 2 Configure the MACsec keychain with the following parameters:
    Key Name: AA
    Cryptographic Algorithm: AES-128-CMAC
    Key-string: 32 to 64 hexadecimal characters
    Lifetime: Start time is the local time and end time is infinite
Connect to the 9300-1 switch console and enter the global configuration mode
using the configure terminal command. Configure the MACsec keychain using the
key chain name macsec command.
You will then configure the first key in the keychain. When configuring the key, you choose the
cryptographic algorithm that the key will use. You also configure the key string (the CAK), which
consists of 32 to 64 hexadecimal characters. Since you are using aes-128-cmac, a minimum of 32
hexadecimal characters is needed (if you were using aes-256-cmac, a minimum of 64 hexadecimal
characters would be needed). After configuring the key string, you configure the key's lifetime,
which defines when the key becomes valid and for how long it can be used.
9300-1(config)# key chain mka-psk macsec
9300-1(config-keychain-macsec)# key AA
9300-1(config-keychain-macsec-key)# cryptographic-algorithm aes-128-cmac
9300-1(config-keychain-macsec-key)# key-string AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD
9300-1(config-keychain-macsec-key)# lifetime local 00:00:00 Sep 7 2022 infinite
9300-1(config-keychain-macsec-key)# exit
9300-1(config-keychain-macsec)# exit
Connect to the 9300-2 switch console and enter the global configuration mode
using the configure terminal command. Configure the MACsec keychain using the
key chain name macsec command.
9300-2(config)# key chain mka-psk macsec
9300-2(config-keychain-macsec)# key AA
9300-2(config-keychain-macsec-key)# cryptographic-algorithm aes-128-cmac
9300-2(config-keychain-macsec-key)# key-string AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD
9300-2(config-keychain-macsec-key)# lifetime local 00:00:00 Sep 7 2022 infinite
9300-2(config-keychain-macsec-key)# exit
9300-2(config-keychain-macsec)# exit
Note: Both switches must be configured with the same parameters.
Note: Local time is the current time at which you are configuring the lab.
Step 3 Enable MACsec on the interface connecting both Catalyst 9300 Series switches.
Connect to the 9300-1 switch console and enter the global configuration mode
using the configure terminal command. Enter the interface configuration mode
for the Te1/1/5 interface using the interface Te1/1/5 command. Enable MACsec
on the interface. When you enable MACsec on an interface, you need to
define the following parameters:
    MKA Policy: The MKA policy that will be used in MACsec.
    MKA Pre-Shared Key: The keychain containing the pre-shared CAK from which
    MKA derives the MACsec encryption keys.
9300-1(config)# interface te1/1/5
9300-1(config-if)# mka policy mka-psk
9300-1(config-if)# mka pre-shared-key key-chain mka-psk
9300-1(config-if)# macsec network-link
When you configure 9300-1 correctly, the interface connecting it to 9300-2 and
the OSPF neighborship will go down. The interface and neighborship will come
back up after you configure 9300-2. You will see the following messages in the
CLI:
%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/5, changed state to down
%OSPF-5-ADJCHG: Process 100, Nbr 192.168.8.14 on TenGigabitEthernet1/1/5 from FULL to DOWN, Neighbor Down: Interface down or detached
Connect to the 9300-2 switch console and enter the global configuration mode
using the configure terminal command. Enter the interface configuration mode
to configure the Te1/1/5 interface using the interface Te1/1/5 command. Enable
MACsec on the interface.
9300-2(config)# interface te1/1/5
9300-2(config-if)# mka policy mka-psk
9300-2(config-if)# mka pre-shared-key key-chain mka-psk
9300-2(config-if)# macsec network-link
9300-2(config-if)# exit
When you configure both switches correctly, the following message will appear
in the CLI:
%MKA-5-SESSION_START: (Te1/1/5 : 53) MKA Session started for RxSCI 2c01.b575.9cc6/0000, AuditSessionID , AuthMgr-Handle FF00000D
%MKA-5-SESSION_SECURED: (Te1/1/5 : 53) MKA Session was secured for RxSCI 2c01.b575.b3c6/0035, AuditSessionID , CKN AA
%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/5, changed state to up
%OSPF-5-ADJCHG: Process 100, Nbr 192.168.7.1 on TenGigabitEthernet1/1/5 from LOADING to FULL, Loading Done
9300-2#
Note: After MACsec is configured on 9300-1, the interface goes down. Once MACsec is configured on
9300-2, the interface connected to 9300-1 comes up and the OSPF neighborship is re-established.
Task 2: Verify the MKA PSK MACsec Configuration on the Cisco Catalyst 9300 Series Switches
In this task, you will verify that MACsec has been configured successfully. You will use various show
commands to confirm the MACsec operation.
Activity Procedure
Complete the following steps:
Step 1 Connect to the 9300-1 switch console and use the show macsec interface
Te1/1/5 command to verify that MACsec is enabled on the interface:
9300-1# show macsec interface te1/1/5
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 32
  Max. Tx SA : 32
  Max. Rx SC : 16
  Max. Tx SC : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256
                      GCM-AES-XPN-128
                      GCM-AES-XPN-256
  Access control : must secure
 Transmit Secure Channels
  SCI : 2C01B575B2C40061
  SC state : inUse(1)
   Elapsed time : 00:33:45
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 293
   SA State: inUse(1)
   Confidentiality : yes
   SAK Unchanged : yes
   SA Create time : 2w0d
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 0
    Encrypted Bytes : 0
   SA Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 292
    Encrypted Bytes : 42216
--output omitted--
Step 2 Connect to the 9300-1 switch console and use the show mka policy command to
verify if the MKA policy is configured:
9300-1# show mka policy
MKA Policy defaults :
   Send-Secure-Announcements: DISABLED

MKA Policy Summary...
Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,
        SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,
        DP - Delay Protect, KS Prio - Key Server Priority

Policy             KS     DP     CO   SAKR    INCVIND   Cipher         Interfaces
Name               Prio                OLPL              Suite(s)       Applied
===============================================================================
*DEFAULT POLICY*   0      FALSE  0    FALSE   TRUE      GCM-AES-128
mka-psk            0      FALSE  0    FALSE   TRUE      GCM-AES-128    Te1/1/5
Step 3 Connect to the 9300-1 switch console and verify if the MKA session is active on
the link between Catalyst 9300 Series switches using the show mka sessions
command:
9300-1# show mka sessions
Total MKA Sessions....................1
      Secured Sessions..........1
      Pending Sessions..........0

====================================================================================================
Interface   Local-TxSCI           Policy-Name     Inherited   Key-Server
Port-ID     Peer-RxSCI            MACsec-Peers    Status      CKN
====================================================================================================
Te1/1/5     2c01.b575.9cc6/0035   mka-psk         NO          YES
53          2c01.b575.b3c6/0035   1               Secured     AA
Step 4 Connect to the 9300-2 switch console and use the show macsec interface
Te1/1/5 command to verify if MACsec is enabled on the interface:
9300-2# show macsec interface te1/1/5
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 32
  Max. Tx SA : 32
  Max. Rx SC : 16
  Max. Tx SC : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256
                      GCM-AES-XPN-128
                      GCM-AES-XPN-256
  Access control : must secure
 Transmit Secure Channels
  SCI : 2C01B575B2C40061
  SC state : inUse(1)
   Elapsed time : 00:33:45
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 293
   SA State: inUse(1)
   Confidentiality : yes
   SAK Unchanged : yes
   SA Create time : 2w0d
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 0
    Encrypted Bytes : 0
   SA Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 292
    Encrypted Bytes : 42216
--output omitted--
Step 5 Connect to the 9300-2 switch console and use the show mka policy command to
verify if the MKA policy is configured:
9300-2# show mka policy
MKA Policy defaults :
   Send-Secure-Announcements: DISABLED

MKA Policy Summary...
Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,
        SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,
        DP - Delay Protect, KS Prio - Key Server Priority

Policy             KS     DP     CO   SAKR    INCVIND   Cipher         Interfaces
Name               Prio                OLPL              Suite(s)       Applied
===============================================================================
*DEFAULT POLICY*   0      FALSE  0    FALSE   TRUE      GCM-AES-128
mka-psk            0      FALSE  0    FALSE   TRUE      GCM-AES-128    Te1/1/5
Step 6 Connect to the 9300-2 switch console and verify if the MKA session is active on
the link between Catalyst 9300 Series switches by using the show mka
sessions command:
9300-2# show mka sessions
Total MKA Sessions....................1
      Secured Sessions..........1
      Pending Sessions..........0

====================================================================================================
Interface   Local-TxSCI           Policy-Name     Inherited   Key-Server
Port-ID     Peer-RxSCI            MACsec-Peers    Status      CKN
====================================================================================================
Te1/1/5     2c01.b575.b3c6/0035   mka-psk         NO          YES
53          2c01.b575.b575/0035   1               Secured     AA
Task 3: Configure SAP PSK Cisco MACsec on the Cisco Catalyst 9300 Series Switches
In this task, you will configure the following features:
    - The AAA server globally.
    - SAP PSK MACsec on the interface linking the Catalyst 9300 Series switches.
Activity Procedure
Complete the following steps:
Step 1 Connect to the 9300-1 and 9300-2 switch consoles and configure the AAA
server with the following parameters:
    RADIUS Server Name: ISE
    IP Address: 192.168.2.34
    Key String: 1234QWer
    AAA Group Type: RADIUS
    AAA Group Name: ISE-Group
Connect to the 9300-1 switch console and enter the global configuration mode
using the configure terminal command. Use the radius server command to
configure the AAA server. This will allow you to configure the AAA server the
switch will communicate with.
9300-1(config)# aaa new-model
9300-1(config)# dot1x system-auth-control
9300-1(config)# radius server ISE
9300-1(config-radius-server)# address ipv4 192.168.2.34
9300-1(config-radius-server)# key 1234QWer
9300-1(config-radius-server)# exit
9300-1(config)# aaa group server radius ISE-Group
9300-1(config-sg-radius)# server name ISE
9300-1(config-sg-radius)# exit
9300-1(config)# aaa authentication dot1x default group ISE-Group
9300-1(config)# aaa authorization network default group ISE-Group
Note: When you enter the key command, the following warning is shown: “AAAA-4-CLI_DEPRECATED:
WARNING: Command has been added to the configuration using a type 0 password. However, recommended
to migrate to strong type-6 encryption”. This warning can be ignored for the purposes of the lab; on
a production switch, follow it and store the RADIUS key with type 6 encryption rather than in clear text.
Connect to the 9300-2 switch console and enter the global configuration mode
using the configure terminal command. Use the radius server command to
configure the AAA server. This will allow you to configure the AAA server the
switch will communicate with.
9300-2(config)# aaa new-model
9300-2(config)# dot1x system-auth-control
9300-2(config)# radius server ISE
9300-2(config-radius-server)# address ipv4 192.168.2.34
9300-2(config-radius-server)# key 1234QWer
9300-2(config-radius-server)# exit
9300-2(config)# aaa group server radius ISE-Group
9300-2(config-sg-radius)# server name ISE
9300-2(config-sg-radius)# exit
9300-2(config)# aaa authentication dot1x default group ISE-Group
9300-2(config)# aaa authorization network default group ISE-Group
Step 2 Enable SAP PSK MACsec on the Te1/1/5 interface with the following
parameters:
    CTS Mode: Manual
    Pre-Shared Key: AABBCC
    SAP Mode: GCM-Encrypt
    SGT Propagation: No
Connect to the 9300-1 switch console and enter the global configuration mode
using the configure terminal command. Enter the interface configuration mode
using the interface Te1/1/5 command.
Note: Before entering the cts manual command on interface Te1/1/5 of 9300-1 and 9300-2, remove the
mka policy and mka pre-shared-key key-chain commands from the interface; otherwise the command is
rejected with a conflict message, as shown below.
9300-1(config)# interface Te1/1/5
9300-1(config-if)# cts manual
Command rejected (Te1/1/5): conflict with MKA

Remove the mka commands from the interfaces:

9300-1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
9300-1(config)# interface Te1/1/5
9300-1(config-if)# no mka policy mka-psk
9300-1(config-if)# no mka pre-shared-key key-chain mka-psk
% Active MKA Session on this interface cleared for PSK key-chain: mka-psk.

9300-2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
9300-2(config)# interface Te1/1/5
9300-2(config-if)# no mka policy mka-psk
9300-2(config-if)# no mka pre-shared-key key-chain mka-psk
You will first configure CTS in manual mode. SAP is configured under the SAP
configuration mode on the interface. When enabling SAP, you will enter the PSK
that will be used between the switches and the mode of operation using the
mode-list command. The mode-list command allows you to choose whether
integrity, confidentiality, both or none will be configured between the switches.
9300-1(config)# interface TenGigabitEthernet1/1/5
9300-1(config-if)# cts manual
9300-1(config-if-cts-manual)# sap pmk AABBCC mode-list gcm-encrypt
9300-1(config-if-cts-manual)# no propagate sgt
When you configure 9300-1 correctly, the interface connecting it to 9300-2 and
the OSPF neighborship will go down. The interface and neighborship will come
back up after you configure 9300-2. You will see the following messages in the
CLI:
%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/5, changed state to down
%OSPF-5-ADJCHG: Process 100, Nbr 192.168.8.14 on TenGigabitEthernet1/1/5 from FULL to DOWN, Neighbor Down: Interface down or detached
Connect to the 9300-2 switch console and enter the global configuration mode
using the configure terminal command. Enter the interface configuration mode
using the interface Te1/1/5 command.
As on 9300-1, configure CTS in manual mode and then enable SAP with the same PSK and
mode-list; both sides must agree on the PSK and on the mode for the link to come up protected.
9300-2(config)# interface TenGigabitEthernet1/1/5
9300-2(config-if)# cts manual
9300-2(config-if-cts-manual)# sap pmk AABBCC mode-list gcm-encrypt
9300-2(config-if-cts-manual)# no propagate sgt
When you configure both switches correctly, the following message will appear
in the CLI:
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/5, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/5, changed state to up
Note: After MACsec is configured on the 9300-1 switch, the interface goes down. Once MACsec is
configured on the 9300-2 switch, the interface connected to 9300-1 comes up and the OSPF neighborship
is re-established.
Task 4: Verify the SAP PSK MACsec Configuration on the Cisco Catalyst 9300 Series Switches
In this task, you will verify that MACsec has been configured successfully. You will use various show
commands to confirm the MACsec operation.
Activity Procedure
Complete the following steps:
Step 1 Connect to the 9300-1 switch console and use the show macsec interface
Te1/1/5 command to verify that MACsec is enabled on the interface:
9300-1# show macsec interface Te1/1/5
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 32
  Max. Tx SA : 32
  Max. Rx SC : 16
  Max. Tx SC : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256
                      GCM-AES-XPN-128
                      GCM-AES-XPN-256
  Access control : must secure
 Transmit Secure Channels
  SCI : 2C01B5759CA10000
  SC state : inUse(1)
   Elapsed time : 1d18h
   Start time : 7w0d
   Current AN: 0
   Previous AN: 1
   Next PN: 24
   SA State: inUse(1)
   Confidentiality : yes
   SAK Unchanged : no
   SA Create time : 7w0d
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 26945
    Encrypted Bytes : 3525260
   SA Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 23
    Encrypted Bytes : 2898
--output omitted--
Step 2 Connect to the 9300-1 switch console and use the show cts interface Te1/1/5
command to verify if SAP PSK is configured:
9300-1# show cts interface Te1/1/5
Global Dot1x feature is Disabled
Interface TenGigabitEthernet1/1/5:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Interface Active for 1d18h
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
        Replay protection: enabled
        Replay protection mode: STRICT
        Selected cipher: gcm-encrypt
    Propagate SGT:           Disabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE
    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                3
        sap fail:                   1
        authz success:              0
        authz fail:                 0
        port auth fail:             0
    L3 IPM:   disabled.
Step 3 Connect to the 9300-2 switch console and use the show macsec interface
Te1/1/5 command to verify that MACsec is enabled on the interface:
9300-2# show macsec interface Te1/1/5
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 32
  Max. Tx SA : 32
  Max. Rx SC : 16
  Max. Tx SC : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256
                      GCM-AES-XPN-128
                      GCM-AES-XPN-256
  Access control : must secure
 Transmit Secure Channels
  SCI : 2C01B5759CA10000
  SC state : inUse(1)
   Elapsed time : 1d18h
   Start time : 7w0d
   Current AN: 0
   Previous AN: 1
   Next PN: 24
   SA State: inUse(1)
   Confidentiality : yes
   SAK Unchanged : no
   SA Create time : 7w0d
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 26945
    Encrypted Bytes : 3525260
   SA Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypted Pkts : 23
    Encrypted Bytes : 2898
--output omitted--
Step 4 Connect to the 9300-2 switch console and use the show cts interface Te1/1/5
command to verify if SAP PSK is configured:
9300-2# show cts interface Te1/1/5
Global Dot1x feature is Disabled
Interface TenGigabitEthernet1/1/5:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Interface Active for 1d18h
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
        Replay protection: enabled
        Replay protection mode: STRICT
        Selected cipher: gcm-encrypt
    Propagate SGT:           Disabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE
    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                3
        sap fail:                   1
        authz success:              0
        authz fail:                 0
        port auth fail:             0
    L3 IPM:   disabled.
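As an added verification example (not part of this lab guide or of Cisco IOS XE), the following Python checks parse the output of the show macsec interface, show mka sessions and show cts interface commands used in Task 2 and Task 4 and flag the states a security review would reject: MACsec not enabled, replay protection off, non-strict frame validation, an access control other than must secure, an MKA session that is not Secured or has more than one peer, and a SAP cipher that does not encrypt. The sample output embedded in the block is constructed to match the guide's format; the field names are assumed to be stable across the switches you run this against.

```python
import re

# Constructed sample output in the format of the guide's show commands; the
# values are made up for this example, not captured from the lab switches.
SHOW_MACSEC = """MACsec is enabled
 Replay protect : enabled
 Cipher : GCM-AES-128
 Validate Frames : strict
 Access control : must secure
"""
SHOW_MKA = """Total MKA Sessions....................1
      Secured Sessions..........1
      Pending Sessions..........0
Interface  Local-TxSCI          Policy-Name  Inherited  Key-Server
Port-ID    Peer-RxSCI           MACsec-Peers Status     CKN
Te1/1/5    2c01.b575.9cc6/0035  mka-psk      NO         YES
53         2c01.b575.b3c6/0035  1            Secured    AA
"""
SHOW_CTS = """Interface TenGigabitEthernet1/1/5:
    CTS is enabled, mode:    MANUAL
    SAP Status:              SUCCEEDED
        Selected cipher:     gcm-encrypt
    Propagate SGT:           Disabled
        sap success:         3
        sap fail:            1
"""

def parse_fields(text):
    """Map 'Name : value' lines to a dict keyed by the lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[" ".join(key.split()).lower()] = value.strip()
    return fields

def expect(fields, key, wanted, findings, why):
    """Record a finding when a parsed field does not hold the value a secure link needs."""
    if fields.get(key) != wanted:
        findings.append("%s is %r, expected %r: %s" % (key, fields.get(key), wanted, why))

def check_macsec_interface(text):
    """Findings for 'show macsec interface'; an empty list means the port looks right."""
    f, findings = parse_fields(text), []
    if not text.lstrip().startswith("MACsec is enabled"):
        findings.append("MACsec is not enabled on the interface")
    expect(f, "replay protect", "enabled", findings, "replayed frames would be accepted")
    expect(f, "validate frames", "strict", findings, "unprotected frames would be accepted")
    expect(f, "access control", "must secure", findings, "link could fall back to cleartext")
    return findings

# One MKA session spans two output lines: interface/TxSCI/policy, then port/RxSCI/peers/status/CKN.
SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+[0-9a-f.]+/\d+\s+(?P<policy>\S+)\s+(?:YES|NO)\s+(?:YES|NO)\s*\n"
    r"\s*\d+\s+[0-9a-f.]+/\d+\s+(?P<peers>\d+)\s+(?P<status>\S+)\s+(?P<ckn>\S+)",
    re.MULTILINE)

def check_mka_sessions(text):
    """Findings for 'show mka sessions': each session must be Secured with exactly one peer."""
    findings = []
    sessions = [m.groupdict() for m in SESSION_RE.finditer(text)]
    if not sessions:
        findings.append("no MKA session found")
    for s in sessions:
        if s["status"] != "Secured":
            findings.append("%s: MKA status is %s, not Secured" % (s["intf"], s["status"]))
        if s["peers"] != "1":
            findings.append("%s: %s MACsec peers on a point-to-point link" % (s["intf"], s["peers"]))
    return findings

def check_cts_interface(text):
    """Findings for 'show cts interface' on a SAP PSK (cts manual) link."""
    f, findings = parse_fields(text), []
    expect(f, "sap status", "SUCCEEDED", findings, "SAP key exchange did not complete")
    # gmac gives integrity only; null and no-encap give no protection at all
    expect(f, "selected cipher", "gcm-encrypt", findings, "traffic is not encrypted")
    if int(f.get("sap fail", "0")):
        findings.append("%s SAP negotiation failure(s) recorded" % f["sap fail"])
    return findings
```

Feed each function the captured output of the matching command; a non-empty list is the set of reasons not to trust the link yet.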