cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1250
Views
0
Helpful
3
Replies

MacSec POP

martin.parodi
Level 1
Level 1

Hello, Im trying to implement MacSec manual mode between 2Cisco 3850 I will explain the lab.

 

PC connected to g1/0/1

Switch 3850 connected to another switch 3850 in port 1/1/1 : configuration

 

interface GigabitEthernet1/1/1
 switchport access vlan 500
 switchport mode access
 cts manual
  sap pmk 000000000000000000000000000000000000000000000000000000000000AAAA mode-list gcm-encrypt

( I tried with no propagate sgt )

 

I configured span port source g1/1/1 to another port and capture with wireshark.

When I sent image with tftp to the another 3850 I see the data in plain text, how can I check that this solution is working?

Im sending you some shows.

 

Thanks.

 

 

Switch2#sh macsec inter g1/1/1
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  Identifier :
  Name :
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 32
  Max. Tx SA : 32
  Max. Rx SC : 16
  Max. Tx SC : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128

 Transmit Secure Channels
  SCI : 20BBC05F00990000
  SC state : notInUse(2)
   Elapsed time : 00:23:44
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 0
   SA State: notInUse(2)
   Confidentiality : no
   SAK Unchanged : no
   SA Create time : 02:18:26
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypt Pkts : 0
    Encrypt Bytes : 0
   SA Statistics
    Auth-only Pkts : 0
    Encrypt Pkts : 2822

  Port Statistics

 Receive Secure Channels
  SCI : 1CE6C7B7E8990000
  SC state : notInUse(2)
   Elapsed time : 00:23:45
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 0
   RX SA Count: 0
   SA State: notInUse(2)
   SAK Unchanged : no
   SA Create time : 02:18:26
   SA Start time : 7w0d
   SC Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 0
    Valid bytes 0
    Late pkts 0
    Uncheck pkts 0
    Delay pkts 0
    UnusedSA pkts 0
    NousingSA pkts 0
    Decrypt bytes 0
   SA Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 3552
    UnusedSA pkts 0
    NousingSA pkts 0

 

 

 

 

Switch2#sh cts interface g1/1/1
Global Dot1x feature is Enabled
Interface GigabitEthernet1/1/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Interface Active for 00:24:00.730
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt

        Replay protection:      enabled
        Replay protection mode: STRICT

        Selected cipher:        gcm-encrypt

    Propagate SGT:           Enabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE

    Critical-Authentication: Disabled
        Peer SGT: 0
        Peer SGT assignment: Untrusted
        Default PMK: Not Configured
        Default SGACL:
        Fail-Open: Enabled
    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                3
        sap fail:                   7
        authz success:              0
        authz fail:                 0
        port auth fail:             0

    L3 IPM:   disabled.

 

 

 

3 Replies 3

TCAM
Level 1
Level 1

just curious, did you resolve it?  

In my case, i see only encrypted traffic, decrypted packets counter shows zero on both switches but traffic is switching in between switches with no issue.

I also noticed that Tx and Rx's SC state = notInUse as shown below.  Does macsec work?

Transmit Secure Channels
SC state : notInUse(2)
Encrypt Pkts : 2822

Receive Secure Channels
SC state : notInUse(2)
Decrypt bytes 0

I am also facing the same issue.

Any update on this?

My encrypt Pkts keep increasing but no decrypt Pkts.

Was anybody ever able to find out anything about this?  I see the same thing on all accounts.  The other issue I'm having using the Trustsec between the switches, is that for some reason it causes an Windows Network Profile issue on the PC's on the access switches.  I'm using the encryption on the link between the Distro and the Core, but PC's on the access switches end up believing that the network connection is "unauthenticated" and Windows shuts off access to our domain resources.  The only way I've been able to fix it is to toggle the VLAN on the access switch in order to create a new Windows Network Profile.  I was wondering if any else has seen this issue, or had issues with 802.1X authentication for end devices when using TrustSec on point to points between switches.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: