Solved: Cisco Macsec and licenses

LionKin1984 · ‎11-26-2020

Hello,

what is the license requirement for Cisco Macsec?

thanks

Marvin Rhoads · ‎01-25-2021

For Catalyst switches, MACsec does not require any specific licensing.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/macsec_encryption.html

For ASRs and other high end WAN devices, special licensing is required to use MACsec.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16-9/macsec-xe-16-9-book/macsec-smart-licensing.html

View solution in original post

Damien Miller · ‎02-09-2021

Well hold up, there are some MACSEC licensing requirements, traditionally pre cat9k both TrustSec and MACSEC were IP base/IP services only feature sets.

LAN Base on older platforms does not have any MACSEC/CTS support
With the Cat9k, Essentials has partial support for MACSEC, but not CTS. If you want AES 256 support with MACSEC, then you require Network Advantage.

View solution in original post

Mike.Cifelli · ‎01-21-2021

In regard to ISE licensing, the base session licenses are what you need to support link encryption (MACsec). Not sure what version you are running, but please note that as of late 2020 and ISE 3.0 there is a new licensing scheme introduced. See below for further detail:

Products - ISE 3.0 License Migration Guide - Cisco

HTH!

LionKin1984 · ‎01-22-2021

Hi Mike, thanks for your reply, there is no ISE in the deployment

we are using macsec with mka.

thanks again

thomas · ‎01-25-2021

MACsec is really a feature of the switch and endpoint that ISE has the option to require as part of the endpoint authorizations. It is a basic RADIUS feature in the Base (2.x) and Essentials (3.x) licenses.

LionKin1984 · ‎02-09-2021

thanks Thomas

Marvin Rhoads · ‎01-25-2021

For Catalyst switches, MACsec does not require any specific licensing.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/macsec_encryption.html

For ASRs and other high end WAN devices, special licensing is required to use MACsec.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16-9/macsec-xe-16-9-book/macsec-smart-licensing.html

LionKin1984 · ‎02-09-2021

thanks Marvin, that means we don't need to renew our DNA advantage license every three years.

thanks

Damien Miller · ‎02-09-2021

Well hold up, there are some MACSEC licensing requirements, traditionally pre cat9k both TrustSec and MACSEC were IP base/IP services only feature sets.

LAN Base on older platforms does not have any MACSEC/CTS support
With the Cat9k, Essentials has partial support for MACSEC, but not CTS. If you want AES 256 support with MACSEC, then you require Network Advantage.

LionKin1984 · ‎02-10-2021

thanks for your reply Damien, yes we are using cisco CAT9K and looks like we will need to renew the dna advantage license after all then,

Marvin Rhoads · ‎02-10-2021

Note that MACsec-128 is included with the perpetual Network Essentials license though. That does not require any term license or recurring license cost.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-ser-data-sheet-cte-en.html#Licensing

heba-elsherbiny · ‎03-23-2024

Hi Marvin, what about C8500? does it require the special license or Hsec license ?

Marvin Rhoads · ‎03-24-2024

On the Catalyst 8500 platform, a MACsec license is required according to this document:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/m-macsec-in-cisco-sd-wan.html#supported-devices-for-macsec-support-in-cisco-vmanage

I can't find the SKU for ordering it but your reseller should be able to help you with that. If you are the reseller, you might reach out to the Partner Helpdesk for assistance.