cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
214
Views
0
Helpful
0
Replies

MACSEC between Cisco 4500 Sup8 and Cisco 9500 Do not works

ifabrizio
Level 1
Level 1

Hi to All,

I have a couple of 9500 connected eachother with StackVirtual, each 9500 nodes connect wirh a Portchanell to two ports of 4500 Sup8. I have tryed to configure MACSEC on the Portchannel ports members. using PSK. But the channel remain down.

4500

interface Port-channel15
description Vs Core 9500
switchport
switchport trunk allowed vlan 3,75,76,78,81
switchport trunk native vlan 99
switchport mode trunk
mtu 9198
spanning-tree guard loop
ip dhcp snooping trust
end

interface TenGigabitEthernet2/4
description test TRUSTSEC2
switchport trunk allowed vlan 3,75,76,78,81
switchport trunk native vlan 99
switchport mode trunk
mtu 9198
cts manual
policy static sgt 900 trusted
no cts role-based enforcement
mka pre-shared-key key-chain keychan2
channel-protocol pagp
channel-group 15 mode desirable
spanning-tree guard loop
end

interface TenGigabitEthernet2/10
description test TRUSTSEC2
switchport trunk allowed vlan 3,75,76,78,81
switchport trunk native vlan 99
switchport mode trunk
mtu 9198
cts manual
policy static sgt 900 trusted
no cts role-based enforcement
mka pre-shared-key key-chain keychan2
channel-protocol pagp
channel-group 15 mode desirable
spanning-tree guard loop
end

key chain keychan2 macsec
key 1001
cryptographic-algorithm aes-128-cmac
key-string 7 removed

9500

interface Port-channel5
description VS RACK01
switchport trunk native vlan 99
switchport trunk allowed vlan 3,75,76,78,81
switchport mode trunk
mtu 9198
ip dhcp snooping trust
end

interface TenGigabitEthernet1/0/91
description test TRUSTSEC2
switchport trunk native vlan 99
switchport trunk allowed vlan 3,75,76,78,81
switchport mode trunk
mtu 9198
macsec network-link
cts manual
policy static sgt 900 trusted
no cts role-based enforcement
mka pre-shared-key key-chain keychan2
channel-protocol pagp
channel-group 5 mode desirable
spanning-tree guard loop
ip dhcp snooping trust
end

interface TenGigabitEthernet2/0/91
description test TRUSTSEC2
switchport trunk native vlan 99
switchport trunk allowed vlan 3,75,76,78,81
switchport mode trunk
mtu 9198
macsec network-link
cts manual
policy static sgt 900 trusted
no cts role-based enforcement
mka pre-shared-key key-chain keychan2
channel-protocol pagp
channel-group 5 mode desirable
spanning-tree guard loop
ip dhcp snooping trust
end

key 1001
cryptographic-algorithm aes-128-cmac
key-string 7 removed

Any suggestions?

Bye

JF

0 Replies 0