Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1393
Views
0
Helpful
2
Replies

MACsec/TrustSec between Sets of Switch ports and Specific Host

RICHARD MESSINGER
Level 7
Level 7

‎02-25-2018 06:34 PM - edited ‎03-11-2019 01:23 AM

We have a client that needs to be able to do secure Voice calling in a Cisco UCM Phones and a third Party device that unfortunately does not support Secure SIP.

The thought is that MACsec /TrustSEC might be able to be configured so that the switch ports on the various cisco switches would do the encryptionfrom the Phones to the customer's Third Party Voice "Dialer" while all other phone to phone would be able to be doing Secure SIP.

This also needs to ba supported across a WAN.

What I was looking at in the documentation was that this multi point to single point really was not supported.

I do not have the information as to which Cisco Switches are involved, but I understand that they would need to be running IPServices to even think about supporting this.

Would like to hear Ideas if this is possible or not.

If possible some pointers to documentation to implement.

Thank you

Labels:
0 Helpful
2 Replies 2

gbekmezi-DD
Level 5
Level 5

‎02-26-2018 10:30 AM

I’m not sure what you mean by “multipoint” encryption not being supported. MACSec is designed to be a hop by hop, link layer, encryption technology. What you are trying to do should work as long as the switches along the path support the protocol. One thing to note is that you won’t be encrypting just the voice traffic across those links, but all traffic at every hop will be encrypted across those links/ports.

0 Helpful

RICHARD MESSINGER
Level 7
Level 7
In response to gbekmezi-DD

‎02-27-2018 06:24 AM

George,

Thanks for the reply.

So what I think you are saying is that as long as the source port where the phone is and the destination port where the third party device is and all of the trunk ports inbetween are set for MACSEC, then all of the traffic will be encrypted by the switch.  But is the traffic from the PC behind the phone will also be encrypted if going to another port that is also set for MACSEC.  But would travel in the clear if going to a plain switch port server.

Right?

And across the WAN, if we are going through encrypted tunnels, the traffic would be de-encrypted at the router lan port and re-encrypted going across the WAN tunnel.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents