Cisco Support Community
Community Member

cts manual with gcm-aes-256

Trying to get cts manual to work between two switches with GCM-AES-256


How do I even change from GCM-AES-128 to GCM-AES-256 ?

Listed below as "supported", but I can't find any useful information about this topic.

WS-C3650-24TS      16.3.3   ipbasek9


interface GigabitEthernet1/1/2
 description Trunk
 switchport trunk native vlan 3
 switchport mode trunk
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk 01234 mode-list gcm-encrypt


Switch#sh macsec int g1/1/2
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 16
  Max. Tx SA : 16
  Max. Rx SC : 8
  Max. Tx SC : 8
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256

 Transmit Secure Channels
  SCI : 58AC78D7EE1A0000
  SC state : notInUse(2)
   Elapsed time : 00:06:55
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 0
   SA State: notInUse(2)
   Confidentiality : no
   SAK Unchanged : no
   SA Create time : 00:30:44
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypt Pkts : 0
    Encrypt Bytes : 0
   SA Statistics
    Auth-only Pkts : 0
    Encrypt Pkts : 1092

  Port Statistics
   Egress untag pkts  0
   Egress long pkts  1098379227928

 Receive Secure Channels
  SCI : 74A02F8FA2810000
  SC state : notInUse(2)
   Elapsed time : 00:06:58
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 0
   RX SA Count: 0
   SA State: notInUse(2)
   SAK Unchanged : no
   SA Create time : 00:30:44
   SA Start time : 7w0d
   SC Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 0
    Valid bytes 0
    Late pkts 0
    Uncheck pkts 0
    Delay pkts 0
    UnusedSA pkts 0
    NousingSA pkts 0
    Decrypt bytes 0
   SA Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 148
    UnusedSA pkts 0
    NousingSA pkts 0

  Port Statistics
   Ingress untag pkts  1099150680408
   Ingress notag pkts  21
   Ingress badtag pkts  0
   Ingress unknownSCI pkts  0
   Ingress noSCI pkts  0
   Ingress overrun pkts  1098492218128


Switch#sh cts int g1/1/2
Global Dot1x feature is Disabled
Interface GigabitEthernet1/1/2:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Interface Active for 00:16:10.232
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt

        Replay protection:      enabled
        Replay protection mode: STRICT

        Selected cipher:        gcm-encrypt

    Propagate SGT:           Disabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE

    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                3
        sap fail:                   0
        authz success:              0
        authz fail:                 0
        port auth fail:             0

    L3 IPM:   disabled.

    CTS sgt-caching Ingress : Disabled

    CTS sgt-caching Egress  : Disabled
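An added audit helper, not from the thread or from Cisco, that parses the "show macsec interface" output quoted above and flags the situation in the question: the link negotiated GCM-AES-128 while the capabilities section lists GCM-AES-256. The sample text is a constructed excerpt of that output; the field names are taken from it.

```python
import re

# Constructed excerpt modelled on the "show macsec interface" output in the post.
SAMPLE = """\
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  ICV length : 16
  Ciphers supported : GCM-AES-128
                      GCM-AES-256

 Transmit Secure Channels
"""

# Key length per suite, so "strongest supported" is well defined (the two suites on the page).
STRENGTH = {"GCM-AES-128": 128, "GCM-AES-256": 256}

def parse_macsec(text):
    """Extract the active cipher, the supported cipher list and replay settings."""
    info = {"supported": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Cipher :"):
            info["cipher"] = s.split(":", 1)[1].strip()
        elif s.startswith("Replay protect :"):
            info["replay_protect"] = s.split(":", 1)[1].strip() == "enabled"
        elif s.startswith("Replay window :"):
            info["replay_window"] = int(s.split(":", 1)[1])
        elif s.startswith("Ciphers supported :"):
            info["supported"].append(s.split(":", 1)[1].strip())
            # Further suites appear on continuation lines holding only the cipher name.
            for nxt in lines[i + 1:]:
                if re.fullmatch(r"\s+GCM-AES-\S+", nxt):
                    info["supported"].append(nxt.strip())
                else:
                    break
    return info

def audit(info):
    """Report a negotiated cipher weaker than the strongest supported, and disabled replay protection."""
    findings = []
    best = max(info["supported"], key=lambda c: STRENGTH.get(c, 0), default=None)
    if best and STRENGTH.get(info.get("cipher"), 0) < STRENGTH[best]:
        findings.append(f"negotiated {info['cipher']} but {best} is supported")
    if not info.get("replay_protect", False):
        findings.append("replay protection disabled")
    return findings
```

Running audit(parse_macsec(SAMPLE)) on the quoted output reports the 128-bit suite in use despite 256-bit support, the gap the original poster is asking about.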

2 REPLIES
Community Member

Re: cts manual with gcm-aes-256

Did anyone find a solution?


Community Member

Re: cts manual with gcm-aes-256

Solved by using IOS 16.6.2