Is anyone aware of any restriction's to using MACSec on the uplinks of a service module whilst the uplink ports are in an etherchannel?
Essentially we will have 2x 3560x's connected by 2x fibre's. The plan is to encrypt over these fibre's but to etherchannel them for resilience/convergence purposes. Is this likely to work? Has anyone done this before?
Just to close this out, This is possible but you must use the Service Module and not the Network Module for the uplinks.
Hi thanks for your posting, have nearly the same situation here...
Where did you get the positive answer, could you find a documentation for MACsec together with Etherchannel?
I have on one side a 3560X with SM module and on the other side 68k with 69xx line card...
Just based on the data sheet and the configuration guide.
I haven't yet got my hands on the kit, still waiting for it to arrive but based on the configuration guide switch-to-switch is supported.
You must be running higher than LAN Base though.
"Note MACsec is not supported on switches running the NPE or the LAN base image."
I will be configuring this in the next week or so and will post back here with a working configuration (hopefully!)
Did you make it work? I am having issue with MacSec switch to Switch manual configuration ( two 4500 with the right IOS ) with port Channel please can you help ?
can I get the running config and advices what I have to more take care
Indeed we did, and it works rather well.
See: http://www.petenetlive.com/KB/Article/0001000.htm for an example configuration.
I haven't tested this on a 4500 (which model? 4500X i presume?), however the commands should be very similar. If you can give a bit more detail on where your problem is and the configuration your trying to apply i could take a look.
I am very happy to read you, my problem start on the configuration of 4500X out of the box:
-MACsec configuration on Port-channel ( 4500X refuse some command )
-Also can we simulate MACsec using VIRL?
I can now confirm this works with manual mode; see my colleagues' blog post with a simple configuration example;