MACSEC Encryption (switch to switch) with 3650-24TD-S (no gcm-encrypt option)

tim-armstrong
Level 1
I have two 3650-24TD-S (IPBASE) running 3.7.4E(ED) and am trying to get MACSEC switch-to-switch encryption running, but I am not given the 'gcm-encrypt' option. Why?
 
sap pmk XXXXYYYYZZZZZ mode-list gcm-encrypt null no-encap
 
I am able to get the SAP connection to work, but only without encryption. I do not even get the option to add the 'gcm-encrypt' keyword. Does this platform support the 'gcm-encrypt' option, i.e. MACSEC encryption?
I have several 3560-X units with IPBASE that are supporting MACSEC encryption with the 'gcm-encrypt' option.
Thanks for any assistance on this.  
 
Here is the basic manual config I have working perfectly on several 3560-X units, where I am given the option to use gcm-encrypt, but on my 3650 boxes I am not getting the option, despite them running IPBASE.
 
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk XXXXYYYYZZZZZ mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
 

NOTE: this is my config from a 3560-X box with the 10G service module, not the 3650-24TD-S unit, as the latter will not allow the gcm-encrypt option.

 

Any assistance is greatly appreciated! 

 

Thanks,
Tim

 

2 Replies

balaji.bandi
Hall of Fame
Q. Is a service module available for the Cisco Catalyst 3650? 
A. There are no service modules for the Cisco Catalyst 3650. The Cisco Catalyst 3650 natively supports the features supported by the service module in the 3560-X. The Cisco Catalyst 3650 is hardware ready for MACsec, and software support will be added in a future release. Check release notes for availability.
 

BB


Thanks for the response.  I don't see any related information in the link you provided.

 

Everything I read in the following documents makes it sound like MACSEC encryption is supported with the IPBASE AND IPSERVICES license on the 3560 platform.

 

Everest 16.6.x Configuration Guide for 3650

From the MACSEC Encryption Section:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/configuration_guide/sec/b_166_sec_3650_cg/macsec_encryption.html

 

The switch also supports MACsec encryption for switch-to-switch (inter-network device) security using both Cisco TrustSec Network Device Admission Control (NDAC), Security Association Protocol (SAP) and MKA-based key exchange protocol. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional).

802.1AE Tagging (MACsec) - Protocol for IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.

Between MACsec-capable devices, packets are encrypted on egress from the transmitting device, decrypted on ingress to the receiving device, and in the clear within the devices.

This feature is only available between TrustSec hardware-capable devices.

 

 

From the TrustSec section:  

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/configuration_guide/sec/b_166_sec_3650_cg/configuring_cisco_trustsec.html

802.1AE Tagging (MACsec)

 

Between MACsec-capable devices, packets are encrypted on egress from the transmitting device, decrypted on ingress to the receiving device, and in the clear within the devices.

This feature is only available between TrustSec hardware-capable devices.

This feature is not supported on Catalyst 3850 and Catalyst 3650 switches with Cisco IOS XE Denali 16.1.1

This feature is not supported on Catalyst 2960x.
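The 16.6 configuration guide quoted above describes two switch-to-switch key exchanges, SAP and MKA. The snippet below, added here as an illustration and not taken from the thread or from any Cisco document, shows both side by side together with the show commands used to confirm that a link is actually encrypting rather than merely authenticating. Interface names, key-chain and policy names, and the 32-hex-digit PMK/CAK are placeholders that must be replaced and must match on both peers; exact keywords vary by release, so a box whose image lacks MACsec support will not offer gcm-encrypt in the mode-list at all, which is the symptom the original post describes.

```cisco
! --- Option A: TrustSec manual mode with SAP (the form used in this thread) ---
! mode-list is ordered by preference. Leaving "null" in the list lets SAP come up
! authenticated but UNENCRYPTED whenever gcm-encrypt is unavailable on either
! side, so a link can look "up" while sending cleartext. To enforce encryption,
! list gcm-encrypt alone so the link fails instead of silently downgrading.
interface TenGigabitEthernet1/1/1
 cts manual
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt no-encap
  no propagate sgt
!
! --- Option B: MKA with a pre-shared CAK (the alternative in the 16.x guide) ---
! aes-128-cmac expects a 32-hex-digit CAK; placeholder value shown.
key chain MKA-KEYCHAIN macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789ABCDEF0123456789ABCDEF
!
mka policy MKA-POLICY
 macsec-cipher-suite gcm-aes-128
!
interface TenGigabitEthernet1/1/2
 macsec network-link
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KEYCHAIN
!
! --- Verification ---
! Option A: look for "SAP Status: SUCCEEDED" and "Selected cipher: gcm-encrypt".
! A selected cipher of "null" means integrity only, no confidentiality.
show cts interface TenGigabitEthernet1/1/1
! Option B: the session should show as Secured with cipher gcm-aes-128.
show mka sessions
! Either option: per-interface MACsec state and encrypted/decrypted counters.
show macsec interface TenGigabitEthernet1/1/1
```

The practical check is the selected cipher, not whether SAP or MKA reports success: with `null` in the mode-list a peer that cannot negotiate gcm-encrypt will still bring the link up, which is exactly the "works but only without encryption" behaviour seen here.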