Switch to switch encryption

Mario Erceg
Level 1

Hi,

I need to encrypt traffic between two remote locations at 1 Gb/s. I would like to use Cisco switches with MACsec.

1. Can I use WS-3560CX-12TC-S switches with SFP modules? I found that the switch supports MACsec on downlink ports, but I'm not sure about the uplink ports.

2. Can I use WS3650-24TS-S switches for the same connection?

3. Can I use MACsec if the two switches are connected with a provider's EoMPLS service?

Best regards

6 Replies

Will Kerr
Level 1

I have successfully done MACsec on the 3850 over EoMPLS.

Thanks.

What IOS version and feature set did you use?

Please let me know what your configuration is. Thanks.

Hello,

1. 

The Catalyst 3560-C switches support 802.1AE encryption with MACsec Key Agreement (MKA) on downlink and uplink ports for encryption between the switch and host devices.
The switch also supports MACsec link-layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange.
Link-layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional).

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_2_se/configuration/guide/scg3560/swmacsec.pdf

2.

Cisco TrustSec NDAC MACsec is supported on switch-to-switch connections on the 3650 switches.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/consolidated_guide/b_37e_consolidated_3650_cg/b_37e_consolidated_3650_cg_chapter_01110101.html

3.

I found the following for the ASR920; I don't know if the 3560 or the 3650 supports this or something similar:

MACsec (0x88E5) frames can be forwarded over EoMPLS by enabling this command globally:

mac-address-table evc-xconnect l2pt-forward-all
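As an added example that is not part of this thread or of Cisco's documentation: the switch-to-switch mechanism described in point 1 above (Cisco TrustSec with SAP key exchange) is configured in "cts manual" mode on the uplink of each switch. The interface name, the description and the PMK value are assumptions; the PMK is a placeholder that must be replaced by the same 32 hex digits on both ends.

```cisco
! Added example, not from the thread. Assumptions: the uplink is Gi0/1 on
! both switches, the PMK below is a placeholder (use your own 32 hex digits,
! identical on both switches), and the link between them is a port-based
! EoMPLS pseudowire that carries EAPOL (0x888E) and MACsec (0x88E5) frames
! transparently.

! --- Switch A (Switch B is configured the same way, with its own description) ---
interface GigabitEthernet0/1
 description MACsec uplink to Switch B via provider EoMPLS
 switchport mode trunk
 cts manual
  ! gcm-encrypt only: the link fails to come up rather than falling back
  ! to an unencrypted mode such as gmac or no-encap
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
  propagate sgt
 no shutdown

! Verification once the link is up (run on either switch):
!   show cts interface GigabitEthernet0/1    -> check that the mode is manual
!                                               and SAP negotiation succeeded
!   show macsec interface GigabitEthernet0/1 -> check that secure channels
!                                               and Tx/Rx SAs exist
```

Two things to check before blaming the switch: the provider path must deliver the 0x888E and 0x88E5 frames unchanged (the reason port-based xconnect is used in the posts below), and MACsec adds a SecTAG plus a 16-byte ICV, up to 32 bytes per frame, so the pseudowire MTU must leave room for it.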

Hello Gpawen,

In a recent project I had to use port-based EoMPLS in order to extend TrustSec between C3560 uplinks.

int gi0/20
 no switchport
 ! this is required by port-based EoMPLS
 xconnect x.x.x.x 5000 encapsulation mpls
!

Any form of EVC-based EoMPLS blocked the TrustSec negotiation, because the destination MAC address is to be sent to the main CPU of an IEEE-compliant OSI layer 2 entity, which is what an EVC actually is.

My PE nodes are ME-3600s running IOS XE 15.5.S3.1.

Hope this helps

Giuseppe

Thanks Gpauwen,

Your link is for IOS 15.0.2, but I found the link about IOS 15.2 for the CX switches, and it says:

"All downlink ports on the switch can run Cisco TrustSec MACsec link layer switch-to-switch security." This confuses me.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_5_e/configuration_guide/b_1525e_consolidated_3560cx_2960cx_cg/b_1525e_consolidated_3560cx_2960cx_cg_chapter_01000100.html

This is strange, because normally the uplink ports are the ones used for switch-to-switch communication. I need to use the SFP ports and can't use the downlink ports.
