Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1073
Views
10
Helpful
2
Replies

Creating a secure channel between (2) WS-C3850-24T using (2) LH fiber modules located in the C3850-NM-4-1G

Go to solution
Richard Stanger
Level 1
Level 1

‎11-11-2016 09:07 AM - edited ‎03-10-2019 12:44 AM

I wish to create a secure channel between (2) WS-C3850-24T using (2) LH fiber modules in the C3850-NM-4-1G. I originally wanted to use MacSec but I am questioning now if MacSec is even possible on the 3850 (unable to get all the commands to work). Can anyone confirm if MacSec is possible on the 3850 with this module? If you have configured this, let me know how.

On the fiber module port, I am unable to issue the commands:

 

switchport  trunk encapsulation dot1q

as well as the “gcm-encypt” part of sap pmk <Hexdec> mode-list gcm-encrypt

 

 If it isn't possible, is there another way recommended? Site-to-Site VPN?

MacSec is desirable due to the speed but if it can't be done, so be it. I am getting conflicting information online and with Cisco. 

Rick   

1 person had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎11-11-2016 10:10 AM

switchport  trunk encapsulation dot1q

This command is only available on switches that also support the legacy ISL in addition to dot1q. Normal behavior.

For MacSec, I never implemented it on that module, but are you running a recent IOS? In first versions it was not implemented in the software and was added in a later release.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110101.html#task_CCBD6C0C4B07493BB5531708AE622C61

View solution in original post

2 Replies 2

Go to solution
Karsten Iwen
VIP
VIP

‎11-11-2016 10:10 AM

switchport  trunk encapsulation dot1q

This command is only available on switches that also support the legacy ISL in addition to dot1q. Normal behavior.

For MacSec, I never implemented it on that module, but are you running a recent IOS? In first versions it was not implemented in the software and was added in a later release.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110101.html#task_CCBD6C0C4B07493BB5531708AE622C61

Go to solution
BrianSekleckiGE
Level 1
Level 1

‎01-05-2022 03:39 AM

Did you ever make it work?

0 Helpful
Customers Also Viewed These Support Documents