
3750-3650 MacSec-TrustSec License

Hi,

 

Our problem is that we need to test MACsec/TrustSec to show one of our customers the functionality.

Cisco sent us several 3750 and 3560 switches to try, with the C3KX-SM-10GT module.

We don't understand why the 3750 has the right IOS and yet there are some commands we can't type, whereas the 3560 doesn't have the right IOS and we can type the commands to configure MACsec.

Here is the history.

--------------------------------------------

3560-5#sh license
Index 1 Feature: ipservices
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

Index 2 Feature: ipbase
        Period left: 0  minute  0  second
Index 3 Feature: lanbase
        Period left: 0  minute  0  second


    : flash:/c3560e-universalk9npe-mz.150-1.SE3/c3560e-universalk9npe-mz.150-1.SE3.bin

Note MACsec is not supported on switches running the NPE or the LAN base image.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.html


We can't show MACsec because we haven't activated the license for running ipbase, but it is possible that it won't run OK anyway because the NPE image doesn't run MACsec; see the link.


3560-5#sh mac?
mac  macro

3560-5#sh cts credentials
CTS password is defined in keystore, device-id = trust3560-5

3560-5#config t
Enter configuration commands, one per line.  End with CNTL/Z.
3560-5(config)#int g1/2

3560-5(config-if)#cts manual

But we could possibly configure MACsec.

-------------------

3750-1#sh boot
  : flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin

3750-1#sh license
Index 1 Feature: ipservices
        Period left: 8  weeks 4  days
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Priority: None
        License Count: Non-Counted

Index 2 Feature: ipbase
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

We have the license OK and we can see several commands like sh macsec etc., but we can't configure others, cts manual for example, whereas on the 3560 we can.

3750-1#sh mac?
mac  macro  macsec


3750-1#sh macsec ?
  interface  Show MACSEC interface details
  summary    Shows MACSEC summary


3750-1(config)#int g1/1/1
3750-1(config-if)#ct
3750-1(config-if)#ct?
% Unrecognized command

We can't configure cts manual or similar commands.

Our questions are:

We tried to activate the temporary license for the 3560, but my Cisco user couldn't get access to obtain the license. How can I activate ipbase on the 3560, if that is possible given that it has the NPE IOS?

Why, when the 3750 has ipbase, can't we configure cts manual on the interface?

We tried to configure it on the 3560 and always had the same problem. Is it necessary to always have communication with ISE, or is that not necessary if I want to configure MACsec between 2 switches?

 

Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# 
Switch(config-if-cts-manual)# exit
Switch(config-if)# end

or


Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts dot1x
Switch(config-if-cts-dot1x)# sap mode-list gcm-encrypt null no-encap
Switch(config-if-cts-dot1x)# exit
Switch(config-if)# end

 

3560-5#
Mar  1 17:19:12.690: %SYS-5-CONFIG_I: Configured from console by console
Mar  1 17:19:13.655: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down
Mar  1 17:19:16.717: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to up
Mar  1 17:19:17.698: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/2)
Mar  1 17:19:18.688: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down
Mar  1 17:19:21.741: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to up
Mar  1 17:19:22.723: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/2)
Mar  1 17:19:23.713: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down

 

 

 

Thanks in advance.
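The Cisco note quoted above says MACsec is not supported on switches running the NPE or the LAN base image. As an added example (not part of the original post and not Cisco tooling), this Python check reads pasted sh boot / sh license text and reports those two conditions; the sample input is constructed in the format shown in this thread, and treating "k9npe" in the file name as the NPE marker is an assumption taken from the image name above. It does not check which IOS release introduced the cts commands.

```python
import re

# Constructed sample input in the format quoted in this thread
# (not captured from a real device).
SAMPLE_BOOT = "BOOT path-list : flash:/c3560e-universalk9npe-mz.150-1.SE3/c3560e-universalk9npe-mz.150-1.SE3.bin"
SAMPLE_LICENSE = """\
Index 1 Feature: ipservices
        Period left: Life time
        License State: Active, In Use
Index 2 Feature: ipbase
        Period left: 0  minute  0  second
Index 3 Feature: lanbase
        Period left: 0  minute  0  second
"""

def parse_licenses(text):
    """Return {feature: {field: value}} from `show license` output."""
    licenses, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Index\s+\d+\s+Feature:\s*(\S+)", line)
        if m:
            current = licenses.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return licenses

def active_feature(licenses):
    """Feature whose state is 'Active, In Use' (excludes 'Active, Not in Use')."""
    for name, fields in licenses.items():
        if re.fullmatch(r"Active,\s*In Use(,.*)?", fields.get("License State", "")):
            return name
    return None

def macsec_blockers(boot_text, license_text):
    """Reasons the documentation note rules MACsec out; [] if it finds none."""
    blockers = []
    image = re.search(r"[^/\s:]+\.bin", boot_text)  # last path component
    if image is None:
        blockers.append("boot image not found in output")
    elif "k9npe" in image.group(0).lower():  # assumption: NPE naming as above
        blockers.append("NPE image: " + image.group(0))
    feature = active_feature(parse_licenses(license_text))
    if feature is None:
        blockers.append("no license in state 'Active, In Use'")
    elif feature == "lanbase":
        blockers.append("LAN base feature set is active")
    return blockers
```

An empty list only means neither documented exclusion applies; the switch may still lack the commands on an older release.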

5 Replies

You are facing different problems here:

1) 3650

This switch is hardware-ready for MacSec, but it's not yet included in the software. When the IOS eventually supports it, you will need a non-NPE image.

This is from the Q&A:

Q. Is a service module available for the Cisco Catalyst 3650? 
A. There are no service modules for the Cisco Catalyst 3650. The Cisco Catalyst 3650 natively supports the features supported by the service module in the 3560-X. The Cisco Catalyst 3650 is hardware ready for MACsec, and software support will be added in a future release. Check release notes for availability.

 

2) The 3750-X should support MacSec with manual keys on your uplink ports with your IPBase license.

The configuration is shown in the config-guide:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-2_2_e/configuration/guide/b_1522e_consolidated_3750x_3560X_cg/b_1522e_consolidated_3750x_3560X_cg_chapter_0110110.html

Hi,

Thanks for the clarification. I will review the settings for the 3750, but your link is for Cisco IOS Release 15.2(2)E and our 3750 has 122-58.SE2. I think the configuration will be similar.

Thank you very much.

I'm not sure in which release MacSec was included. So I would always look for newer releases if something that you are expecting is not available.

Hi,

I think that I found the key point.

Cisco IOS Software Release 15.0(2)SE is the base releases for new extended maintenance trains delivering leading borderless network services in campus access. Release 15.0(2)SE is an extension of the Cisco IOS Software Release 15.0(1)SE code base and thus inherits all the features from Release 15.0(1)SE and adds support for new services in Cisco TrustSec® technology, IPv6, and Cisco EnergyWise areas. For train continuity and release migration information, see the "Software Image Migration Guide" section later in this bulletin.

 

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-special-early-deployments/product_bulletin_c25-716485.html

 

Now I'm downloading the correct IOS.

Thanks!!!

 

Hi,

Now it runs OK.

I upgraded the IOS and the FRULink 10G to c3kx-SM10G-tar.150-1.SE.tar

 

 

*    1 30    WS-C3560X-24P      15.0(2)SE4            C3560E-UNIVERSALK9-M


Configuration register is 0xF

 


3560-5#sh license
Index 1 Feature: ipservices
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

Index 2 Feature: ipbase
        Period left: 8  weeks 4  days
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Priority: None
        License Count: Non-Counted

Index 3 Feature: lanbase
        Period left: 0  minute  0  second


3560-5#sh switch service-modules
Switch/Stack supports service module CPU version: 03.00.65
                          Temperature                     CPU
Switch#  H/W Status       (CPU/FPGA)      CPU Link      Version
-----------------------------------------------------------------
 1       OK               58C/53C         notconnected  N/A


3560-5#
3560-5#
3560-5#
Mar  2 18:33:29.738: %PLATFORM_SM10G-6-LINK_UP: The FRULink 10G Service Module (C3KX-SM-10G) communication has been established.
3560-5#sh switch service-modules
Switch/Stack supports service module CPU version: 03.00.65
                          Temperature                     CPU
Switch#  H/W Status       (CPU/FPGA)      CPU Link      Version
-----------------------------------------------------------------
 1       OK               60C/56C         connected     03.00.65

 

Thanks
