MACsec Between DC and DR "Switch 3650"

Hello,

I will be doing a small PoC for a customer for manual MACsec between 2 switches. I have Cisco 3650 switches with the image below.

cat3k_caa-base.SPA.03.07.02E (MACsec is supported on this image.)

Below is the configuration on the two switches:

SW1

interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt
end

SW2

interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt
end



After configuring it, I am only able to see the SC encrypt packets, but the decrypt bytes counter is unchanged and remains 0.

Is there any other way to verify that MACsec is running fine? And can I use SPAN to show the traffic is encrypted?



I appreciate your quick response on this.



Below is the output of the show command:

DC-SW2#sh macsec interface gigabitEthernet 1/0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0

Capabilities
Identifier :
Name :
ICV length : 16
Data length change supported: yes
Max. Rx SA : 16
Max. Tx SA : 16
Max. Rx SC : 8
Max. Tx SC : 8
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128

Transmit Secure Channels
SCI : 00FEC84304010000
SC state : notInUse(2)
Elapsed time : 01:01:25
Start time : 7w0d
Current AN: 0
Previous AN: 1
Next PN: 0
SA State: notInUse(2)
Confidentiality : no
SAK Unchanged : no
SA Create time : 05:36:15
SA Start time : 7w0d
SC Statistics
Auth-only Pkts : 0
Auth-only Bytes : 0
Encrypt Pkts : 2649
Encrypt Bytes : 0
SA Statistics
Auth-only Pkts : 0
Encrypt Pkts : 174

Port Statistics

Receive Secure Channels
SCI : CC46D6ECC4810000
SC state : notInUse(2)
Elapsed time : 01:01:25
Start time : 7w0d
Current AN: 0
Previous AN: 1
Next PN: 0
RX SA Count: 0
SA State: notInUse(2)
SAK Unchanged : no
SA Create time : 05:36:15
SA Start time : 7w0d
SC Statistics
Notvalid pkts 0
Invalid pkts 0
Valid pkts 2176
Valid bytes 0
Late pkts 0
Uncheck pkts 0
Delay pkts 0
UnusedSA pkts 0
NousingSA pkts 0
Decrypt bytes 0
SA Statistics
Notvalid pkts 0
Invalid pkts 0
Valid pkts 52
UnusedSA pkts 0
NousingSA pkts 0

Port Statistics
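
One way to watch the counters the post asks about, added here as an example and not part of the original post: parse two captures of the `show macsec interface` output shown above and report which counters moved and which stayed at 0. The function names and both sample captures are assumptions made for the example.

```python
import re

# Section headers exactly as they appear in the output pasted in the post.
DIRECTIONS = {"Transmit Secure Channels": "tx", "Receive Secure Channels": "rx"}
GROUPS = {"SC Statistics": "sc", "SA Statistics": "sa", "Port Statistics": None}
# Counter lines come in two shapes: "Encrypt Pkts : 2649" and "Valid pkts 2176".
COUNTER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s*:?\s+(?P<value>\d+)$")

def parse_counters(text):
    """Return {(direction, group, counter name): value} for one capture."""
    counters, direction, group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in DIRECTIONS:
            direction, group = DIRECTIONS[line], None
        elif line in GROUPS:
            group = GROUPS[line]
        elif direction and group:  # skip SC/SA state fields outside a statistics group
            m = COUNTER.match(line)
            if m:
                counters[(direction, group, m["name"].lower())] = int(m["value"])
    return counters

def compare(before, after):
    """Split counters into those that moved (with delta) and those still 0."""
    moved = {k: v - before.get(k, 0) for k, v in after.items() if v != before.get(k, 0)}
    still_zero = sorted(k for k, v in after.items() if v == 0 and before.get(k, 0) == 0)
    return moved, still_zero

# Constructed captures: FIRST reuses values from the post, SECOND is invented.
FIRST = """Transmit Secure Channels
 SC Statistics
  Encrypt Pkts : 2649
  Encrypt Bytes : 0
 SA Statistics
  Encrypt Pkts : 174
Receive Secure Channels
 Next PN: 0
 SC Statistics
  Invalid pkts 0
  Valid pkts 2176
  Decrypt bytes 0
 SA Statistics
  Valid pkts 52
"""
SECOND = FIRST.replace("2649", "2710").replace("2176", "2231")

if __name__ == "__main__":
    moved, still_zero = compare(parse_counters(FIRST), parse_counters(SECOND))
    print("moved:", moved, "\nstill zero:", still_zero)
```

The parser keys each counter by direction and statistics group because names such as `Valid pkts` and `Encrypt Pkts` appear under both SC and SA statistics.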

