To whom it may concern:
I have a problem. I would like to do MACsec between two Cisco Catalyst 3560-X switches, but I know that for this operation I need an ACS server 5.1. Is it possible to encrypt the data flow without an ACS server, and if you have the configuration, please send it to me.
You can configure switch-to-switch encryption without an ACS server using CTS manual mode on the interfaces.
I have done this on a 3750-X using the MACsec module; not sure whether it can be done on the 3560-X.
CCIE #23340 (Security)
Hi Jon -
Coming in late on this post: must I get a MACsec module to perform encryption between switches, or is this only needed if I want to perform the encryption in hardware?
Thank you, Pat
To my understanding, the MACsec (service) module has to be used for links using the SFP+ ports in the module itself (e.g. fiber). Encryption is always done in hardware. MACsec cannot be used on C3KX-NM-10G or C3KX-NM-1G modules. MACsec encryption is supported in hardware on the "downlink" ports (copper ports).
Can somebody agree/disagree with this?
Thanks for the answer. I don't know how to see whether my 3560-X switch has this MACsec module. Do you have a screenshot or a document showing what kind of show commands I can enter in the CLI to see this?
thank you very much,
Hi Frank, the MACsec module is a separate hardware module/card that supposedly performs line-rate MACsec in hardware. I think you can see it via show inv or show ver. The product code is C3KX-SM-10G.
I'm also having exactly the problem above. I have 2 x 3650-X connected via fiber on their service modules (MACsec module). I am trying to configure L2 encryption (MACsec/TrustSec) without an ACS server. I assume I need to configure CTS manual mode, which I have done. When I do a "show cts" I can see the SAP session is successful, but nothing for authentication or accounting. Running a Wireshark capture I can see all traffic, i.e. no encryption.
Can anyone clarify the configuration needed?
I'm running c3560e-universalk9-mz.150-1.SE3.bin with an ipbase licence. Do I need a different type of licence? I found this on the Cisco website:
"If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state."
I have confirmed a working configuration:
Switch# configure terminal
Switch(config)# interface gi1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# no shut
This will work on both the service module interfaces and regular switch interfaces, and I am using a 3560-X.
P.S. The issue I had was actually an incorrect lab setup: I was SPANning the traffic. SPAN decrypts traffic before sending it to the destination port. A re-test via a physical tap verified it was working.
Hope this helps. Cheers!
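The post above makes two points worth being able to check on the wire: a SPAN session shows decrypted traffic, so only a physical tap tells you whether a link is really protected, and (per the licence note quoted earlier) the GCM mode that actually encrypts is distinct from integrity-only operation. The script below is an added example, not code from the thread or from Cisco: it parses the IEEE 802.1AE SecTAG (EtherType 0x88E5) of each captured frame and classifies it as clear, encrypted (E and C bits set, which is what the gcm-encrypt SAP mode produces) or integrity-only (E=C=0, the gmac mode). The MAC addresses, frame bytes and the helper that builds them are constructed for the example; no real AES-GCM is performed and the ICV is a dummy.

```python
"""Added example: classify tap-captured Ethernet frames by MACsec protection.

Frames are parsed per IEEE 802.1AE clause 9 (SecTAG after the EtherType
0x88E5). All sample frames below are constructed for the example, not
captured from real switches.
"""
import struct
from typing import Dict, List, Optional

ETHERTYPE_MACSEC = 0x88E5
ETHERTYPE_IPV4 = 0x0800

# TCI bits of the first SecTAG byte; the low two bits are the association number (AN)
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
ICV_LEN = 16  # GCM-AES-128 ICV length


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return a dict describing one Ethernet frame as seen on the wire."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info: Dict[str, object] = {"dst": dst, "src": src, "ethertype": ethertype, "macsec": False}
    if ethertype != ETHERTYPE_MACSEC:
        # No SecTAG at all: the payload (including any 802.1Q tag) is in the clear.
        # This is also what a SPAN of a MACsec port shows, since SPAN mirrors decrypted frames.
        info["protection"] = "clear"
        return info
    if len(frame) < 20 + ICV_LEN:
        raise ValueError("truncated SecTAG")
    tci_an, short_length = frame[14], frame[15]
    (pn,) = struct.unpack("!I", frame[16:20])
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    encrypted, changed = bool(tci_an & TCI_E), bool(tci_an & TCI_C)
    if encrypted and changed:
        protection = "gcm-encrypt"          # confidentiality + integrity
    elif not encrypted and not changed:
        protection = "gmac-integrity-only"  # payload readable, only authenticated
    else:
        protection = "reserved"             # E=1,C=0 is reserved for the KaY
    offset = 20
    sci: Optional[str] = None
    if tci_an & TCI_SC:  # explicit Secure Channel Identifier present
        if len(frame) < 28 + ICV_LEN:
            raise ValueError("truncated SCI")
        sci = frame[20:28].hex()
        offset = 28
    info.update(
        macsec=True, protection=protection, an=tci_an & 0x03, pn=pn,
        short_length=short_length, sci=sci,
        secure_data=frame[offset:-ICV_LEN],  # everything between SecTAG and ICV
    )
    return info


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count frames per protection class; a working gcm-encrypt link shows no 'clear' data frames."""
    counts: Dict[str, int] = {}
    for frame in frames:
        kind = str(parse_frame(frame)["protection"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_macsec_frame(dst: bytes, src: bytes, payload: bytes, *, encrypt: bool = True,
                       an: int = 0, pn: int = 1, sci: Optional[bytes] = None) -> bytes:
    """Constructed MACsec frame for the example: payload stands in for cipher text,
    a 16-byte dummy ICV is appended (no real AES-GCM is computed)."""
    tci = (TCI_E | TCI_C) if encrypt else 0
    if sci is not None:
        tci |= TCI_SC
    short_length = len(payload) if len(payload) < 48 else 0  # SL=0 means >= 48 bytes
    sectag = bytes([tci | (an & 0x03), short_length]) + struct.pack("!I", pn) + (sci or b"")
    return dst + src + struct.pack("!H", ETHERTYPE_MACSEC) + sectag + payload + b"\x00" * ICV_LEN


# Constructed sample: hypothetical MAC addresses for the two switch ports.
SW_A = bytes.fromhex("001122aabb01")
SW_B = bytes.fromhex("001122aabb02")
SAMPLE_FRAMES: List[bytes] = [
    SW_B + SW_A + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46),          # clear IPv4 frame
    build_macsec_frame(SW_B, SW_A, bytes(60), encrypt=True, an=1, pn=0x10,
                       sci=SW_A + b"\x00\x01"),                            # gcm-encrypt, explicit SCI
    build_macsec_frame(SW_A, SW_B, b"\xaa" * 20, encrypt=False, pn=7),      # gmac, no SCI
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        info = parse_frame(frame)
        print(info["src"], "->", info["dst"], info["protection"])
    print(summarize(SAMPLE_FRAMES))
```

Run it against frames read from a tap capture (for example the packet bytes from a pcap) instead of SAMPLE_FRAMES: if the summary shows "clear" data frames, the link is not encrypting regardless of what "show cts" reports about the SAP session.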
Great response! I was curious whether I still need the service module for switch-to-switch encryption. The data sheet made it sound like switch-to-switch encryption would not work without the service module.
Also, if using manual mode, would I still need to set up TrustSec credentials on the switch, or is that something only used with 802.1X authentication? Sorry, I'm new to this!
You don't need the credentials in manual mode; they are used to get the PAC from ACS 5.x or ISE.