
PROBLEMS WITH MACSEC ON SWITCH CATALYST 9300 ADVANCED VERSION 17.08.01

francisco14
Level 1

Hi, I have a problem implementing MACsec on a 9300 switch. The MKA session is not created.

The design is:

SWITCH(MACSEC) - SWITCH(NO-MACSEC) - SWITCH(MACSEC)

This is the configuration on the interfaces:

#interface GigabitEthernet1/0/1
 no switchport
 ip address 1.1.1.1 255.255.255.0
 macsec network-link
 mka policy PRUEBA
 mka pre-shared-key key-chain SECTLS

#key chain SECTLS macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 12345678901234567890123456789012
  lifetime local 00:00:00 Oct 16 2022 infinite

#mka policy PRUEBA
 key-server priority 200
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0

Show commands:

#sh macsec int g1/0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0

Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 32
Max. Tx SA : 32
Max. Rx SC : 16
Max. Tx SC : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
                    GCM-AES-256
                    GCM-AES-XPN-128
                    GCM-AES-XPN-256

Access control : must secure

No Transmit Secure Channels
No Receive Secure Channels

#sh mka sessions

Total MKA Sessions....... 1
Secured Sessions... 0
Pending Sessions... 1

====================================================================================================
Interface      Local-TxSCI            Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI             MACsec-Peers     Status            CKN
====================================================================================================
Gi1/0/1        d4ad.bdd7.9e64/0034    PRUEBA           NO                YES
52             d4ad.bdd7.9e64/0000    0                Init              01

#sh macsec summary
Interface          Transmit SC         Receive SC
Gi1/0/1            0                   0

#sh mka statistics interface g1/0/1

MKA Statistics for Session
==========================
Reauthentication Attempts.. 0

CA Statistics
Pairwise CAKs Derived... 0
Pairwise CAK Rekeys..... 0
Group CAKs Generated.... 0
Group CAKs Received..... 0

SA Statistics
SAKs Generated.......... 0
SAKs Rekeyed............ 0
SAKs Received........... 0
SAK Responses Received.. 0

MKPDU Statistics
MKPDUs Validated & Rx... 0
"Distributed SAK".. 0
"Distributed CAK".. 0
MKPDUs Transmitted...... 436
"Distributed SAK".. 0
"Distributed CAK".. 0

#sh mka policy PRUEBA

MKA Policy defaults :
Send-Secure-Announcements: DISABLED

MKA Policy Summary...

Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,
        SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,
        DP - Delay Protect, KS Prio - Key Server Priority

Policy            KS    DP     CO  SAKR   ICVIND  Cipher         Interfaces
Name              Prio             OLPL           Suite(s)       Applied
===============================================================================
PRUEBA            200   FALSE  0   FALSE  TRUE    GCM-AES-128    Gi1/0/1

 

HELP...
