topic Re: MacSec host to host on same switch in Network Security

MacSec host to host on same switch

ivan.yeung — Thu, 26 Jan 2023 08:34:32 GMT

Hi,

Does Macsec support host to host encryption between hosts on the same switch?

Re: MacSec host to host on same switch

khorram1998 — Thu, 26 Jan 2023 08:39:19 GMT

Yes, MACsec (MAC Security) supports host-to-host encryption between hosts on the same switch. It uses IEEE 802.1AE standard for providing secure communication over a LAN by encrypting data frames at the MAC layer. It can be used for both point-to-point and point-to-multipoint connections, and can be configured on individual switch ports or on a VLAN level.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK

Re: MacSec host to host on same switch

ivan.yeung — Thu, 26 Jan 2023 08:49:50 GMT

Hi Khorram1998

is there any ref links?

Re: MacSec host to host on same switch

khorram1998 — Thu, 26 Jan 2023 09:04:45 GMT

Yes, here are a few references on MacSec host to host encryption on the same switch:

Cisco documentation on Configuring MACsec on Cisco IOS XE Switches: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_0110.html

Please note that the Cisco documentation and standard are the most reliable resources to follow.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK

Re: MacSec host to host on same switch

Marius Gunnerud — Thu, 26 Jan 2023 09:32:13 GMT

There is no support for Host to Host encryption within the same switch. MACSec is a "per hop" or "on the wire" encryption protocol, meaning you can encrypt traffic on the link (or wire) between the Host and the switch, or on the link between two switches, but traffic that passes across a switch / within a switch is not encrypted.

Quote: "MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Catalyst switches support 802.1AE encryption with MACsec Key Agreement (MKA) on switch-to-host links for encryption between the switch and host device. The switch also supports MACsec encryption for switch-to-switch (inter-network device) security using both Cisco TrustSec Network Device Admission Control (NDAC), Security Association Protocol (SAP) and MKA-based key exchange protocol."

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/macsec_encryption.html

Re: MacSec host to host on same switch

ivan.yeung — Thu, 26 Jan 2023 09:59:29 GMT

Hi Marius,

consider below:

host A to switchA is encrypted by macsec and host B to switchB is encrypted by macsec also, so host A and host B is encrypted by macsec? am i correct?

Re: MacSec host to host on same switch

Marius Gunnerud — Thu, 26 Jan 2023 10:16:39 GMT

That depends on what you are defining as encrypted. Traffic from Host A to Switch A is encrypted, Traffic from Host B to Switch B is encrypted, but that is where the encryption stops. Traffic from Host A to Host B (i.e. end to end) i NOT encrypted.

you could configure MACSec on the inter-switch link but you still do not have true Host to Host encryption. Let us say that Host A is connected to port Eth1/1 and the uplink port between Switch A and Switch B is Eth1/48 respectively, and finally Host B is connected to Eth1/1 on Switch B. then the following would be true

Host A to Switch A Eth1/1 IS encrypted
Switch A Eth1/1 to Switch A Eth1/48 IS NOT encrypted
Switch A Eth1/48 to Switch B Eth1/48 IS encrypted
Switch B Eth1/48 to Switch B Eth1/1 IS NOT encrypted
Switch B Eth1/1 to Host B IS encrypted

Re: MacSec host to host on same switch

Tim Glen — Wed, 01 Feb 2023 12:47:50 GMT

Hi @ivan.yeung , Marius is correct. Here is a Configuration Guide for MACsec Switch to Host.

https://community.cisco.com/t5/networking-knowledge-base/configuring-macsec-switch-to-host-with-cat9k-amp-ise/ta-p/4436087