01-26-2023 12:34 AM
Hi,
Does Macsec support host to host encryption between hosts on the same switch?
01-26-2023 12:39 AM
Yes, MACsec (MAC Security) supports host-to-host encryption between hosts on the same switch. It uses IEEE 802.1AE standard for providing secure communication over a LAN by encrypting data frames at the MAC layer. It can be used for both point-to-point and point-to-multipoint connections, and can be configured on individual switch ports or on a VLAN level.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK
01-26-2023 12:49 AM
Hi Khorram1998
Are there any ref links?
01-26-2023 01:04 AM
Yes, here are a few references on MacSec host to host encryption on the same switch:
Cisco documentation on Configuring MACsec on Cisco IOS XE Switches: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_0110.html
Please note that the Cisco documentation and standard are the most reliable resources to follow.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK
02-01-2023 04:47 AM
Hi @ivan.yeung , Marius is correct. Here is a Configuration Guide for MACsec Switch to Host.
https://community.cisco.com/t5/networking-knowledge-base/configuring-macsec-switch-to-host-with-cat9k-amp-ise/ta-p/4436087
01-26-2023 01:32 AM
There is no support for Host to Host encryption within the same switch. MACSec is a "per hop" or "on the wire" encryption protocol, meaning you can encrypt traffic on the link (or wire) between the Host and the switch, or on the link between two switches, but traffic that passes across a switch / within a switch is not encrypted.
Quote: "MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Catalyst switches support 802.1AE encryption with MACsec Key Agreement (MKA) on switch-to-host links for encryption between the switch and host device. The switch also supports MACsec encryption for switch-to-switch (inter-network device) security using both Cisco TrustSec Network Device Admission Control (NDAC), Security Association Protocol (SAP) and MKA-based key exchange protocol."
01-26-2023 01:59 AM
Hi Marius,
consider below:
host A to switch A is encrypted by MACsec and host B to switch B is encrypted by MACsec also, so host A to host B is encrypted by MACsec? Am I correct?
01-26-2023 02:16 AM
That depends on what you are defining as encrypted. Traffic from Host A to Switch A is encrypted, traffic from Host B to Switch B is encrypted, but that is where the encryption stops. Traffic from Host A to Host B (i.e. end to end) is NOT encrypted.
You could configure MACsec on the inter-switch link, but you still do not have true Host to Host encryption. Let us say that Host A is connected to port Eth1/1, the uplink port between Switch A and Switch B is Eth1/48 respectively, and finally Host B is connected to Eth1/1 on Switch B. Then the following would be true
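The "per hop" behaviour described in the two replies above, as an added model that is not part of this thread or of any Cisco software: each link is its own 802.1AE secure channel with its own SAK and SCI, so the switch validates and decrypts the frame from Host A and sees the payload in the clear before re-protecting it for the next link. The SecTAG layout (EtherType 0x88E5, TCI/AN, SL, PN, SCI) and 16-byte ICV follow 802.1AE, but the cipher is a labelled HMAC-SHA256 stand-in rather than AES-GCM, and all MACs and keys are constructed.

```python
import hmac, hashlib, struct

MACSEC_ETHERTYPE = 0x88E5
TCI_SC, TCI_E, TCI_C = 0x20, 0x08, 0x04   # SecTAG TCI bits: SCI present, encrypted, changed

def keystream(sak, sci, pn, n):
    # Stand-in for AES-GCM (not real 802.1AE crypto): HMAC-SHA256 counter keystream
    # keyed by the per-link SAK and bound to the secure channel (SCI) and packet number.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(sak, sci + struct.pack(">II", pn, ctr), hashlib.sha256).digest()
    return out[:n]

def protect(sak, sci, pn, an, dst, src, payload):
    """Build an 802.1AE frame: DA, SA, SecTAG (EtherType, TCI/AN, SL, PN, SCI), secure data, ICV."""
    tci_an = TCI_SC | TCI_E | TCI_C | (an & 0x3)
    sl = len(payload) if len(payload) < 48 else 0          # short length field only for < 48 bytes
    sectag = struct.pack(">HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci
    secure = bytes(p ^ k for p, k in zip(payload, keystream(sak, sci, pn, len(payload))))
    icv = hmac.new(sak, dst + src + sectag + secure, hashlib.sha256).digest()[:16]
    return dst + src + sectag + secure + icv

def validate(sak, frame):
    """Check the ICV, parse the SecTAG and return (sci, pn, an, plaintext)."""
    ethertype, tci_an, sl, pn = struct.unpack(">HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE or tci_an & 0x80:      # V bit must be 0
        raise ValueError("not a version-0 MACsec frame")
    sci = frame[20:28] if tci_an & TCI_SC else b""
    body, icv = frame[:-16], frame[-16:]
    if not hmac.compare_digest(icv, hmac.new(sak, body, hashlib.sha256).digest()[:16]):
        raise ValueError("ICV check failed")                  # tampered frame or wrong SAK
    secure = body[20 + len(sci):]
    plain = bytes(c ^ k for c, k in zip(secure, keystream(sak, sci, pn, len(secure))))
    return sci, pn, tci_an & 0x3, plain

def hop_by_hop(payload):
    """Host A -> Switch -> Host B with MACsec on both access links (constructed MACs and SAKs).
    Returns what the switch sees in the clear, whether the two wire frames differ, and what B gets."""
    host_a, host_b, sw_port = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "0200000000aa"))
    sak_a, sak_b = b"link-A-SAK-constructed!!", b"link-B-SAK-constructed!!"
    sci_a, sci_b = host_a + b"\x00\x01", sw_port + b"\x00\x01"   # SCI = transmitter MAC + port id
    wire_a = protect(sak_a, sci_a, 1, 0, host_b, host_a, payload) # Host A -> switch, link A SAK
    seen_by_switch = validate(sak_a, wire_a)[3]                   # switch decrypts: plaintext here
    wire_b = protect(sak_b, sci_b, 1, 0, host_b, host_a, seen_by_switch)  # re-protected for link B
    return seen_by_switch, wire_a != wire_b, validate(sak_b, wire_b)[3]
```

Because the switch must hold the SAK of every link it terminates, anything that can read the switch's memory or a mirror of its internal forwarding path sees the payload; only an end-to-end layer above MACsec (for example IPsec or TLS) closes that gap.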