topic how configure Encryption with MACsec switch to switch without AC in Network Access Control

how configure Encryption with MACsec switch to switch without ACS server

Liberth Frank Torrez Rivera — Fri, 21 Feb 2020 18:27:24 GMT

to whom it may concern:

I have a problem, i would like todo MACSEC betwwen two switches cisco catalyst 3560-x but I know that for this operation i needed ACS server 5.1 is it possible to encryp dataflow without ACS server and if you have the configuration please send to me

thank you

how configure Encryption with MACsec switch to switch without AC

jon.humphries — Mon, 02 Jul 2012 13:39:04 GMT

Hi,

You can configure switch to switch encryption without an ACS server using (CTS manual) on the interfaces.

I have done this on 3750-X using the MacSec module, not sure if it can be done on the 3560-X.

Regards,

Jon

CCIE #23340 (Security)

Jon Humphries

how configure Encryption with MACsec switch to switch without AC

Liberth Frank Torrez Rivera — Mon, 02 Jul 2012 14:28:05 GMT

hi Jon

thanks for the answer, I don't know how to see if my switch 3560-x has this MacSec module, do you have a print screen or a document to show me what kiind of show can i put in CLI comands to see this.

thank you very much,

liberth

how configure Encryption with MACsec switch to switch without AC

andrew-lang — Mon, 02 Jul 2012 15:24:58 GMT

Hi Frank, the macsec module is a separate hardware module/card that supposedly performs line rate macsec in hw. I think you can see it via show inv or show ver. The product code is C3KX-SM-10G.

I'm also having the exact problem above. I have 2 x 3650-X connected via fiber on their service modules (macsec module). I am trying to configure L2 encryption (macsec/trustsec) without an ACS server. I assume I need to configure in CTS manual mode, which I have done. When I do a "show cts" I can see sap session sucessful but nothing for authentication or accounting. Running a wireshark capture I can see all traffic i.e. no encryption.

Can anyone clarify the configuration needed?

I'm running c3560e-universalk9-mz.150-1.SE3.bin with ipbase licence. Do I need a different type of licence? I found this on Cisco website:

"If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state."

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html#wp1334072

how configure Encryption with MACsec switch to switch without AC

andrew-lang — Wed, 11 Jul 2012 08:59:08 GMT

Hi Frank,

I have confirmed a working configuration:

Switch# configure terminal

Switch(config)# interface gi1/2

Switch(config-if)# cts manual

Switch(config-if-cts-manual)# sap pmk mode-list gcm-encrypt

Switch(config-if-cts-manual)# no propagate sgt

Switch(config-if-cts-manual)# exit

Switch(config-if)# shut

Switch(config-if)# no shut

Switch(config-if)# end

This will work on both service module interface or regular switch interface and I am using 3560-X.

p.s. the issue I had was actually with an incorrect lab setup by spanning the traffic. Span decrypts traffic before sending it to the destination port. A re-test via a physical tap verified it was working.

Hope this helps. Cheers!

how configure Encryption with MACsec switch to switch without AC

michael.lorincz — Tue, 17 Jul 2012 23:16:14 GMT

Hi Andrew,

Great response! I was curious if I still needed the Service Module for switch-to-switch encryption? The data sheet made it sound like switch-to-switch encryption would not work without the Service Module.

- Mike

how configure Encryption with MACsec switch to switch without AC

michael.lorincz — Tue, 17 Jul 2012 23:23:18 GMT

Also, if using Manual Mode, would I still need to setup trustsec credentials on the switch or is that something only used with 802.1x authentication? Sorry, I'm new to this!

how configure Encryption with MACsec switch to switch without AC

jon.humphries — Mon, 17 Sep 2012 09:32:32 GMT

Michael,

You don't need the credentials in manual mode, these are used to get the PAC from ACS 5.x or ISE.

HTH,

Jon

Hi Jon - Coming in late on

Patrick McHenry — Wed, 21 Jan 2015 18:30:06 GMT

Hi Jon -

Coming in late on this post - must I get a MACsec module to perform encryption between switches or is this only if I would need to perform encryption in hardware?

Thank you, Pat

Hi Pat,for my understanding

kerstin-534 — Mon, 22 Jun 2015 08:49:05 GMT

Hi Pat,

for my understanding the MACSEC (service) module have to be used for links using the SFP+ ports in the module itself (eg fiber). Encryption is always done in hardware. MACSEC cannot be used on C3KX-NM-10G or C3KX-NM-1G. modules. MACSEC encryption is supported in hardware on "downlink" ports (copper ports).

Can somebody agree/disagree with this ?

br Fritz