04-19-2018 05:08 AM - edited 02-21-2020 07:39 AM
Hi
I'm trying to configure MacSec (link encryption) on ISR 4K Routers (Cisco 4431) and Cisco Switch 3850.
I have a question here regarding MACsec interoperability between routers and switches which I can't find an answer to.
The focus of MACsec is really straightforward: the goal at the end of the day is link encryption.
V1: Cisco 3850 - to - Cisco 3850 - MACsec (cts, manual mode with PMK) = works well
V2: Cisco ISR4K (IOS Everest, NIM-2GE-CU-SFP) - to - Cisco ISR4K (IOS Everest, NIM-2GE-CU-SFP) - MACsec (MKA) = works well
V3 (interoperability): Cisco ISR4K (IOS Everest, NIM-2GE-CU-SFP) - to - Cisco 3850 (NM, 4 x Gigabit Ethernet) - MACsec = without any success story
My questions:
Q1: Is interoperability between routers (ISR4K, NIM-2GE-CU-SFP) and switches (Cisco 3850, NM) possible (MACsec WAN/LAN)?
Q2: If so, does anyone have useful inputs (configuration snippets, experience)?
Q3: Do I need an MKA policy?
I have already studied some guidelines and the result wasn't positive.
Regards,
Markus
03-31-2019 08:13 PM - edited 03-31-2019 08:13 PM
We got MACsec working between a Cisco 9500 switch and a Cisco 4331 ISR router. I imagine that a 3850 would be similar. The trick was to pad the key number on the switch with a bunch of zeroes. Here is a working snippet; obviously you should replace the key-string with your own instead of "0123456...".
Cat 9K:
conf t
!
mka policy MKA_Policy
 macsec-cipher-suite gcm-aes-128 gcm-aes-256
 key-server priority 1
!
key chain SITE_A macsec
 key 0100000000000000000000000000000000000000000000000000000000000000
  cryptographic-algorithm aes-256-cmac
  key-string 0 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
  lifetime 22:39:16 Dec 10 2001 infinite
!
interface Twe1/0/25
 mka policy MKA_Policy
 mka pre-shared-key key-chain SITE_A
 macsec network-link
end
!
***
4331 Router:
conf t
!
mka policy MKA_Policy
 macsec-cipher-suite gcm-aes-128 gcm-aes-256
 key-server priority 2
!
key chain SITE_A macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 0 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
  lifetime 22:39:16 Dec 10 2001 infinite
!
int gi0/1/0
 mka policy MKA_Policy
 mka pre-shared-key key-chain SITE_A
 macsec
end
!
04-04-2019 05:58 AM
Hi
Thanks for the entry. We tested MACsec in January 2019 and found a final solution.
The verification included a basic setup, HW interoperability and QoS as well.
Summary:
- License must be checked => LHSEC-K9 (hsec9) license on top of SEC (securityk9)
- IOS release must be checked => Fuji 16.9.1 or higher for router and switch
- The CFG must be checked against the Cisco release guidelines
It works with all these points.
+ Router +
++ License
ISR4K#show license feature
Feature name        Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9              yes          yes         no            yes      yes
uck9                yes          yes         no            no       yes
securityk9          yes          yes         no            yes      yes
ipbasek9            no           no          no            yes      no
FoundationSuiteK9   yes          yes         no            no       yes
AdvUCSuiteK9        yes          yes         no            no       yes
cme-srst            yes          yes         no            no       yes
hseck9              yes          no          no            yes      no
throughput          yes          yes         no            yes      yes
internal_service    yes          no          no            no       no
++ boot level:
license udi pid ISR4431/K9 sn xxxx
license boot level appxk9
license boot level securityk9
++ key chain
key chain k1 macsec
 key 0100000000000000000000000000000000000000000000000000000000000000
  cryptographic-algorithm aes-128-cmac
  key-string 7 15345A2A560C7805791267034024472053750A7C02705C274B30087E0575017005
>>> the key name "key 0100000000000000000000000000000000000000000000000000000000000000" has to have 64 characters due to the MKA-PSK CKN behavior change,
which was introduced in Cisco IOS XE Everest Release 16.6.1 onwards.
See more details here:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book/wan-macsec-mka-support-enhance.html
++ mka policy
mka policy p1
 macsec-cipher-suite gcm-aes-128
++ on interface
interface GigabitEthernetx/y/z
 no ip address
 ip mtu 1468 >>>> (this is added automatically when you issue the "macsec" command)
 carrier-delay 0
 negotiation auto
 mka policy p1
 mka pre-shared-key key-chain k1
 macsec
+ Switch +
For C3850:
++ ipbasek9 license
++ boot level
license boot level ipbasek9
++ key chain
key chain k1 macsec
 key 0100000000000000000000000000000000000000000000000000000000000000
  cryptographic-algorithm aes-128-cmac
  key-string 7 15345A2A560C7805791267034024472053750A7C02705C274B30087E0575017005
>>> same as above, the key name has to have 64 characters
++ mka policy
mka policy p1
 macsec-cipher-suite gcm-aes-128
++ on interface
interface GigabitEthernetx/y/z
 switchport mode trunk
 switchport nonegotiate
 carrier-delay 0
 macsec network-link
 mka pre-shared-key key-chain k1
 mka policy p1
Markus
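Added example (not code from either poster above): both working answers hinge on the same detail, that the router's short key id "01" and the switch's 64-character key name must resolve to the same CKN, and that the CAK and cipher suites on the two ends must line up. The script below is a pre-deployment sanity check that parses the two IOS-style key chain / MKA policy snippets, renders the CKN each side will use, and reports every mismatch a practitioner would otherwise only discover from a dead link. Assumptions it makes that the thread does not state outright: a key id shorter than 32 octets is padded with trailing zero octets (this is what the switch key name on the page spells out by hand); the CAK length follows the cryptographic-algorithm (16 octets for aes-128-cmac, 32 for aes-256-cmac, per IEEE 802.1X); a key-server priority tie is broken by SCI comparison. The sample configs are the 9500/4331 snippets from the accepted answer, with its placeholder key-string.

```python
"""Pre-check two MACsec MKA pre-shared-key configs for interoperability.

Added example; not Cisco's code. Parses IOS-style snippets and reports
CKN, CAK, algorithm, cipher-suite and key-server mismatches.
"""
import re

# CAK length in octets implied by the key chain's cryptographic-algorithm
# (IEEE 802.1X: AES-CMAC-128 uses a 128-bit CAK, AES-CMAC-256 a 256-bit CAK).
CAK_OCTETS = {"aes-128-cmac": 16, "aes-256-cmac": 32}
CKN_MAX_OCTETS = 32  # IEEE 802.1X-2010: the CKN is 1 to 32 octets

# Constructed sample input: the switch and router snippets from the accepted
# answer (placeholder key-string kept as on the page).
SWITCH_CFG = """
mka policy MKA_Policy
 macsec-cipher-suite gcm-aes-128 gcm-aes-256
 key-server priority 1
key chain SITE_A macsec
 key 0100000000000000000000000000000000000000000000000000000000000000
  cryptographic-algorithm aes-256-cmac
  key-string 0 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
ROUTER_CFG = """
mka policy MKA_Policy
 macsec-cipher-suite gcm-aes-128 gcm-aes-256
 key-server priority 2
key chain SITE_A macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 0 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""


def normalize_ckn(key_id: str) -> str:
    """Render a configured key id as the 32-octet CKN (64 hex chars).

    Assumption (not stated on the page): ids shorter than 32 octets are
    padded with trailing zero octets, so "01" and "0100...00" are one CKN.
    """
    hexid = key_id.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", hexid) or len(hexid) % 2:
        raise ValueError(f"key id {key_id!r} is not an even-length hex string")
    if len(hexid) > CKN_MAX_OCTETS * 2:
        raise ValueError(f"key id {key_id!r} exceeds {CKN_MAX_OCTETS} octets")
    return hexid.ljust(CKN_MAX_OCTETS * 2, "0")


def parse_mka_psk(cfg: str) -> dict:
    """Pull the MKA/PSK-relevant settings out of an IOS-style config text."""
    out = {"key_id": None, "cmac": None, "cak_type": None, "cak": None,
           "suites": set(), "priority": None}
    for raw in cfg.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "key" and len(t) == 2:          # "key <id>" (not "key chain ...")
            out["key_id"] = t[1]
        elif t[0] == "cryptographic-algorithm":
            out["cmac"] = t[1]
        elif t[0] == "key-string":                  # "key-string <type> <value>"
            out["cak_type"], out["cak"] = t[1], t[2]
        elif t[0] == "macsec-cipher-suite":
            out["suites"].update(t[1:])
        elif t[:2] == ["key-server", "priority"]:
            out["priority"] = int(t[2])
    return out


def check_interop(side_a: dict, side_b: dict) -> list:
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    ckn_a, ckn_b = normalize_ckn(side_a["key_id"]), normalize_ckn(side_b["key_id"])
    if ckn_a != ckn_b:
        findings.append(f"CKN mismatch: {ckn_a} vs {ckn_b}")
    if side_a["cmac"] != side_b["cmac"]:
        findings.append(f"cryptographic-algorithm differs: {side_a['cmac']} vs {side_b['cmac']}")
    for name, s in (("A", side_a), ("B", side_b)):
        want = CAK_OCTETS.get(s["cmac"])
        # Only a type-0 (plaintext) key-string exposes its length; type 7 is encrypted.
        if s["cak_type"] == "0" and want and len(s["cak"]) != want * 2:
            findings.append(f"{name}: CAK is {len(s['cak']) // 2} octets, {s['cmac']} needs {want}")
    if side_a["cak_type"] == side_b["cak_type"] == "0" and side_a["cak"].lower() != side_b["cak"].lower():
        findings.append("CAK differs between the two ends")
    if not side_a["suites"] & side_b["suites"]:
        findings.append("no common macsec-cipher-suite")
    if side_a["priority"] is not None and side_a["priority"] == side_b["priority"]:
        findings.append("key-server priority tie: election falls back to SCI comparison")
    return findings


if __name__ == "__main__":
    a, b = parse_mka_psk(SWITCH_CFG), parse_mka_psk(ROUTER_CFG)
    print("router CKN on the wire:", normalize_ckn(b["key_id"]))
    print("findings:", check_interop(a, b) or "none, the two ends agree")
```

Paste your own two snippets into SWITCH_CFG and ROUTER_CFG before you touch the boxes; a non-empty findings list is cheaper to read than a link that never comes up. Encrypted (type 7) key-strings cannot be length-checked here, so verify them on a scratch box with a type-0 string first.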