topic Re: MACsec with SDA roadmap in Software-Defined Access (SD-Access)

MACsec with SDA roadmap

kklyubin — Thu, 09 Apr 2020 08:29:23 GMT

Hi All,

Hope you’re doing well!

Just one small question – if MACsec support is on the roadmap for SD-Access? Or there are no plans to support it at all?

Any input would be very welcome

Re: MACsec with SDA roadmap

jedolphi — Tue, 07 Sep 2021 03:22:35 GMT

Hello Katerina,

Update: In Cisco SD-Access 2.2.2.x there is some support for MACsec, depending on the specific circumstances. Cisco partners can review this URL for more details: https://www.cisco.com/c/dam/en/us/products/se/2021/6/Business_Unit/What_s_New_in_Cisco_SD-Access_2_2_2_4_-_v1_01__Partner.pdf

Best regards, Jerome

Re: MACsec with SDA roadmap

M@rco — Wed, 11 May 2022 20:02:04 GMT

Any new information? Link is dead by the way.

Re: MACsec with SDA roadmap

Jonathan Cuthbert — Wed, 11 May 2022 21:04:07 GMT

We support MACsec in SD-Access Fabric using templates or manual CLI.

Switch-to-switch MACsec in SD-Access has been validated using pre-shared key (PSK) key-chains.
Routing platforms have not been validated for MACsec in an SD-Access Fabric.
aes-256-cmac has been validated for the MACsec Keychain Cryptographic-Algorithm.
gcm-aes-256 has been validated for the MKA Policy Cipher-Suite.
Switch-to-host MACsec in SD-Access has been validated using a dynamically authorization result from ISE wherein the encryption policy is returned with the authorization result.

Re: MACsec with SDA roadmap

fernando-diaz — Thu, 24 Oct 2024 04:43:39 GMT

Hello Jonathan,

It's a pleasure to greet you.

I want to know in what exact scenario MACSEC switch-to-host works in SD-Access.
I currently have an SD-Access network and the MACSEC switch-to-host generates problems when DHCP negotiation of the host. With MACSEC enabled, the host does not receive an IP address.

Do you have any Cisco documents showing that MACSEC Switch-to-host is supported in SD-Access networks?

Re: MACsec with SDA roadmap

norberto.padin — Fri, 15 Nov 2024 20:36:36 GMT

Hello Jonatahan, as of today code, do we support host-to-switch MacSec with SD-Access in the Cat9300?

TIA.

Re: MACsec with SDA roadmap

jedolphi — Mon, 18 Nov 2024 10:27:44 GMT

Largely not supported unfortunately. Please speak to your sales team about roadmap. See TrustSec section of 17.15 release notes, https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-15/release_notes/ol-17-15-9300.html