how configure Encryption with MACsec switch to switch without ACS server

to whom it may concern:

I have a problem. I would like to do MACsec between two Cisco Catalyst 3560-X switches, but I know that for this operation I need ACS server 5.1. Is it possible to encrypt the data flow without an ACS server? If you have the configuration, please send it to me.

thank you

9 Replies

jon.humphries (Level 1)

Hi,

You can configure switch to switch encryption without an ACS server using (CTS manual) on the interfaces.

I have done this on 3750-X using the MacSec module, not sure if it can be done on the 3560-X.

Regards,

Jon

CCIE #23340 (Security)

Jon Humphries

Hi Jon -
Coming in late on this post - must I get a MACsec module to perform encryption between switches or is this only if I would need to perform encryption in hardware?

Thank you, Pat

Hi Pat,

To my understanding, the MACsec (service) module has to be used for links using the SFP+ ports in the module itself (e.g. fiber). Encryption is always done in hardware. MACsec cannot be used on C3KX-NM-10G or C3KX-NM-1G modules. MACsec encryption is supported in hardware on "downlink" ports (copper ports).

Can somebody agree/disagree with this ?
br Fritz

hi Jon

Thanks for the answer. I don't know how to see if my switch 3560-X has this MACsec module. Do you have a print screen or a document to show me what kind of show commands I can put in the CLI to see this?

thank you very much,

liberth

Hi Frank, the MACsec module is a separate hardware module/card that supposedly performs line-rate MACsec in hardware. I think you can see it via show inv or show ver. The product code is C3KX-SM-10G.

I'm also having the exact problem above. I have 2 x 3650-X connected via fiber on their service modules (MACsec module). I am trying to configure L2 encryption (MACsec/TrustSec) without an ACS server. I assume I need to configure in CTS manual mode, which I have done. When I do a "show cts" I can see the SAP session successful but nothing for authentication or accounting. Running a Wireshark capture I can see all traffic, i.e. no encryption.

Can anyone clarify the configuration needed?

I'm running c3560e-universalk9-mz.150-1.SE3.bin with ipbase licence. Do I need a different type of licence? I found this on Cisco website:

"If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state."

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html#wp1334072

andrew-lang (Level 1)

Hi Frank,

I have confirmed a working configuration:

Switch# configure terminal
Switch(config)# interface gi1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk <pmk-hex> mode-list gcm-encrypt
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# shut
Switch(config-if)# no shut
Switch(config-if)# end

This will work on both the service module interfaces and the regular switch interfaces, and I am using a 3560-X.

P.S. The issue I had was actually with an incorrect lab setup by spanning the traffic. SPAN decrypts traffic before sending it to the destination port. A re-test via a physical tap verified it was working.

Hope this helps. Cheers!

Hi Andrew,

Great response! I was curious if I still needed the Service Module for switch-to-switch encryption? The data sheet made it sound like switch-to-switch encryption would not work without the Service Module.

- Mike

Also, if using Manual Mode, would I still need to setup trustsec credentials on the switch or is that something only used with 802.1x authentication? Sorry, I'm new to this!

Michael,

You don't need the credentials in manual mode, these are used to get the PAC from ACS 5.x or ISE.

HTH,

Jon