10-13-2021 07:30 AM - edited 10-13-2021 07:31 AM
Hi all,
Hope to find everyone well in these times.
I had a request from a customer where he said that I need to have all the network links encrypted, but I have no clue how to implement this.
Basically the core of the network is comprised of Cisco 9300L in a ring disposition where all the packets are being routed from switch to switch by EIGRP. I know I won't be able to apply encryption in simple L2 managed switches, but is it possible to encrypt all the data passing through the core of the network?
Also, in the opinion of all, what's the best way to encrypt, like the customer requested, all the links of the network?
Thank you for the help
Accepted Solutions
10-13-2021 07:33 AM
On Layer 2 you can do MACSEC on Cat 9300
10-13-2021 07:35 AM
You can implement MACSec on a hop-by-hop basis, between switches, from the access layer to distribution to core.
https://community.cisco.com/t5/networking-documents/macsec-history-amp-terminology/ta-p/4436094
If you wish to encrypt from the user's computer to the access layer switch, you'd need AnyConnect.
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/117277-config-anyconnect-00.html
10-13-2021 10:50 AM
Thank you very much, this is extremely helpful. I will apply this to all of the core switches on a hop by hop basis.
10-20-2021 08:25 AM
Hi all,
A doubt has arisen from this now. I was trying to understand this better and watching CBT Nuggets as well, and found that Keith Barker programmed MACSec using the following command in the interface, "CTS Manual", and then applying the PMK.
What is the difference between the "CTS Manual" and the "key chain keychain1 macsec" configuration?
Thank you
