Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

how configure Encryption with MACsec switch to switch without ACS server

to whom it may concern:

I have a problem, i would like todo MACSEC betwwen two switches cisco catalyst 3560-x but I know that for this operation i needed ACS server 5.1 is it possible to encryp dataflow without ACS server and if you have the configuration please send to me

thank you

Everyone's tags (1)
9 REPLIES
New Member

how configure Encryption with MACsec switch to switch without AC

Hi,

You can configure switch to switch encryption without an ACS server using (CTS manual) on the interfaces.

I have done this on 3750-X using the MacSec module, not sure if it can be done on the 3560-X.

Regards,

Jon

CCIE #23340 (Security)

Jon Humphries

New Member

Hi Jon - Coming in late on

Hi Jon -

 

Coming in late on this post - must I get a MACsec module to perform encryption between switches or is this only if I would need to perform encryption in hardware?

Thank you, Pat

New Member

Hi Pat,for my understanding

Hi Pat,

for my understanding the MACSEC (service) module have to be used for links using the SFP+ ports in the module itself (eg fiber). Encryption is always done in hardware. MACSEC cannot be used on C3KX-NM-10G or C3KX-NM-1G. modules. MACSEC encryption is supported in hardware on "downlink" ports (copper ports).

Can somebody agree/disagree with this ?

 

br Fritz

how configure Encryption with MACsec switch to switch without AC

hi Jon

thanks for the answer, I don't know how to see if my switch 3560-x has this MacSec module, do you have a print screen or a document to show me what kiind of show can i put in CLI comands to see this.

thank you very much,

liberth

New Member

how configure Encryption with MACsec switch to switch without AC

Hi Frank, the macsec module is a separate hardware module/card that supposedly performs line rate macsec in hw. I think you can see it via show inv or show ver. The product code is C3KX-SM-10G.

I'm also having the exact problem above. I have 2 x 3650-X connected via fiber on their service modules (macsec module). I am trying to configure L2 encryption (macsec/trustsec) without an ACS server. I assume I need to configure in CTS manual mode, which I have done. When I do a "show cts" I can see sap session sucessful but nothing for authentication or accounting. Running a wireshark capture I can see all traffic i.e. no encryption.

Can anyone clarify the configuration needed?

I'm running c3560e-universalk9-mz.150-1.SE3.bin with ipbase licence. Do I need a different type of licence? I found this on Cisco website:

"If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state."

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html#wp1334072

New Member

how configure Encryption with MACsec switch to switch without AC

Hi Frank,

I have confirmed a working configuration:

Switch# configure terminal

Switch(config)# interface gi1/2

Switch(config-if)# cts manual

Switch(config-if-cts-manual)# sap pmk mode-list gcm-encrypt

Switch(config-if-cts-manual)# no propagate sgt

Switch(config-if-cts-manual)# exit

Switch(config-if)# shut

Switch(config-if)# no shut

Switch(config-if)# end

This will work on both service module interface or regular switch interface and I am using 3560-X.

p.s. the issue I had was actually with an incorrect lab setup by spanning the traffic. Span decrypts traffic before sending it to the destination port. A re-test via a physical tap verified it was working.

Hope this helps. Cheers!

New Member

how configure Encryption with MACsec switch to switch without AC

Hi Andrew,

Great response! I was curious if I still needed the Service Module for switch-to-switch encryption? The data sheet made it sound like switch-to-switch encryption would not work without the Service Module.

- Mike

New Member

how configure Encryption with MACsec switch to switch without AC

Also, if using Manual Mode, would I still need to setup trustsec credentials on the switch or is that something only used with 802.1x authentication? Sorry, I'm new to this!

New Member

how configure Encryption with MACsec switch to switch without AC

Michael,

You don't need the credentials in manual mode, these are used to get the PAC from ACS 5.x or ISE.

HTH,

Jon

13703
Views
0
Helpful
9
Replies