Switch to Router MACSEC

caleyjay7
Level 1

I have a Cisco 4510 with Supervisor 8E connected to a Cisco ASR1002-HX via a 10Gb link. Both ports support MACsec and the ASR has a 10Gb MACsec license. Is it possible to configure MACsec on this switch-to-router link? If so, can anyone share the configuration?

4 Replies

balaji.bandi
Hall of Fame

As per Cisco documentation, as long as the modules support MACsec, it can be achieved.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book.html

BB

caleyjay7
Level 1

Thanks for the reply BB. Good to know that it should be possible. But I'm trying to work out the configuration to get this working, as the commands seem to be different between the ASR and Catalyst platforms.

At the moment we have many Catalyst switch-to-switch connections that are configured for MACsec using a static key-string. The configurations are fairly simple:


Cisco 3850
------------

interface TenGigabitEthernet1/0/5
 cts manual
  sap pmk 0000000000000000000000000000000000000000000000000000000123456789

Cisco 4510 Sup 8E
------------------

interface TenGigabitEthernet5/3
 cts manual
  sap pmk 0000000000000000000000000000000000000000000000000000000123456789

While the cts manual command is available on the ASR 1002-HXs, there is no subcommand to put in the pmk string. It looks like the macsec key is defined through a key chain instead and macsec is enabled with the macsec command. I've tried the following configuration but cts remains disabled on the ASR port.


ASR 1002-HX
--------------

key chain MACSEC-KEY-CHAIN macsec
  key 01
  key-string 0000000000000000000000000000000000000000000000000000000123456789

interface TenGigabitEthernet0/1/0
  mka pre-shared-key key-chain MACSEC-KEY-CHAIN
  macsec


Router#sh cts int tenGigabitEthernet 0/1/0

Interface TenGigabitEthernet0/1/0:
    CTS is disabled.
    L3 IPM:   disabled.
    CTS sgt-caching Ingress : Disabled
    CTS sgt-caching Egress  : Disabled

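Two things a practitioner would check about the ASR side posted above, given as an added example that is not part of the thread or of Cisco's documentation: the key chain names no cryptographic-algorithm, and the CAK is a mostly-zero hand-typed string. The script below is my own; it assumes the IOS XE MKA key-chain syntax from the Cisco guide linked earlier (key chain NAME macsec / key CKN / cryptographic-algorithm / key-string, plus mka pre-shared-key key-chain and macsec on the interface), assumes that the key-string length must match the CMAC variant (32 hex characters for aes-128-cmac, 64 for aes-256-cmac), and assumes the peer also speaks MKA. That last point is the caveat: SAP (cts manual / sap pmk on the Catalyst side) and MKA are different key-agreement protocols and do not interoperate, so a matching key alone does not bring the link up. The chain and interface names are placeholders; the sample key is constructed.

```python
"""Build and sanity-check an IOS XE MKA pre-shared-key (PSK) MACsec
configuration for one end of a point-to-point link.

Added example, not from the thread.  Assumptions: the IOS XE MKA key-chain
syntax from the Cisco MACsec guide (`key chain NAME macsec`, `key CKN`,
`cryptographic-algorithm ...`, `key-string CAK`, and on the interface
`mka pre-shared-key key-chain NAME` / `macsec`), and that the CAK length
must match the chosen CMAC algorithm.  MACSEC-KEY-CHAIN is a placeholder.
"""
import re
import secrets

# CAK length in hex characters for each key-chain cryptographic-algorithm
# (assumption: IOS XE enforces exactly these lengths on `key-string`).
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def generate_cak(algorithm="aes-256-cmac"):
    """Return a fresh random CAK (hex) of the right length for `algorithm`.

    Uses the OS CSPRNG.  A hand-typed CAK such as a run of zeros followed by
    a short digit pattern is a weak pre-shared key: it is the only secret
    protecting the link."""
    return secrets.token_hex(CAK_HEX_LEN[algorithm] // 2)


def check_psk(ckn, cak, algorithm):
    """Return a list of problems with a CKN/CAK pair (empty list means OK)."""
    problems = []
    if algorithm not in CAK_HEX_LEN:
        return [f"unknown cryptographic-algorithm {algorithm!r}"]
    # CKN: the `key` ID, 1..32 octets written as 2..64 hex characters
    # (IEEE 802.1X-2010 limits the CKN to 32 octets).
    if not HEX_RE.match(ckn) or len(ckn) % 2 or not 2 <= len(ckn) <= 64:
        problems.append("CKN must be 2..64 hex characters (whole octets)")
    want = CAK_HEX_LEN[algorithm]
    if not HEX_RE.match(cak):
        problems.append("CAK must be hexadecimal")
    elif len(cak) != want:
        problems.append(f"CAK is {len(cak)} hex chars; {algorithm} needs {want}")
    # Crude strength check: one nibble making up more than half the key is
    # a sign of a padded, hand-made CAK rather than CSPRNG output.
    if cak and max(cak.lower().count(c) for c in set(cak.lower())) * 2 > len(cak):
        problems.append("low-entropy CAK (one repeated nibble dominates)")
    return problems


def render_ios_xe(chain, ckn, cak, algorithm, interface):
    """Render the IOS XE side of an MKA PSK link; raises on a bad key."""
    problems = check_psk(ckn, cak, algorithm)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"key chain {chain} macsec",
        f" key {ckn}",
        f"  cryptographic-algorithm {algorithm}",
        f"  key-string {cak}",
        "!",
        f"interface {interface}",
        f" mka pre-shared-key key-chain {chain}",
        " macsec",
    ])


if __name__ == "__main__":
    # Constructed input in the shape of the key-string posted above:
    # 55 zeros followed by 123456789.
    posted = "0" * 55 + "123456789"
    print(check_psk("01", posted, "aes-128-cmac"))
    cak = generate_cak("aes-256-cmac")
    print(render_ios_xe("MACSEC-KEY-CHAIN", "01", cak, "aes-256-cmac",
                        "TenGigabitEthernet0/1/0"))
```

The rendered key chain and interface stanza are meant to be applied on both MKA peers with the same CKN and CAK. On the router, an MKA PSK session is verified with `show mka sessions` and `show macsec summary`; `show cts interface` reports the TrustSec/SAP state, which an MKA-only configuration never sets.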

mojana0411
Level 1

@caleyjay7 Did you ever manage to get this working? I want to deploy the same setup but can't get it working. I think the problem is SAP vs MKA?