10-12-2022 12:01 AM
Hi
We are running a fully LAN-automated SDA fabric network with DNAC version 2.2.3.4 and C9300 IOS 17.3.4. We want to switch to host MACsec; below is a sample of the commands we are currently applying through the CLI.
I would like to know
Global config:
mka policy mka_policy
 key-server priority 200
 include-icv-indicator
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 ssci-based-on-sci
Port:
 macsec
 mka policy mka_policy
10-13-2022 01:08 AM
Hi,
I don't have specific experience with MACsec on an SDA deployment, but the following video from Cisco shows switch-to-switch MACsec configuration using templates.
This might help you with the switch-to-host configuration you wish to perform.
https://www.youtube.com/watch?v=fPKprvRndTU
Best regards,
Sylvain.
10-13-2022 03:11 AM - edited 10-13-2022 03:13 AM
As far as I'm aware, MACsec (both switch-to-switch and switch-to-host) still needs to be implemented using DNA Center templates or manually using the switch CLI. Please see the following that was posted in May 2022. I'm not sure if MACsec is on the roadmap to be fully automated by DNA Center using an additional app/workflow. You will need to reach out to your Cisco AM/SE to check and confirm.
You can create a day-n template for your fabric edge switches that includes the global and port configuration, or separate templates for the global and port configuration that are then combined in a composite template. Once the fabric edge switches have been onboarded using LAN automation, you can then re-provision the switches to apply the required templates.
Will
10-13-2022 03:50 AM
Thank You @willwetherman & @Sylvain_Che - allow me to ask a few more questions
Once again Thanks
10-14-2022 07:38 AM - edited 10-19-2022 11:40 PM
The DNA Center Closed Authentication template will use the setting of 'Unlimited' for the number of hosts by default, this will enable host-mode multi-auth on the fabric edge which is not supported with MACsec. You will need to change this option to 'Single' which will enable host-mode multi-domain on the fabric edge which is supported. Once multi-domain has been implemented, you can apply your MACsec global and port templates to the required fabric edge switches.
Note that switch-to-host MACsec with SDA has been validated with the encryption policy being returned by the ISE authorisation result. This means that you can use ISE authorisation policy to be selective on the devices and users that are subject to MACsec encryption.
For example, the ISE authorisation policy for my Corporate clients returns the following attributes to the fabric edge switch once they have passed EAP-TLS authentication. The 'should-secure' policy will attempt MKA on the port and, if successful, will encrypt the traffic; however, if MKA times out or fails, the port will permit unencrypted traffic. Dynamic VLAN assignment works in the same way; we are just returning an additional attribute to the fabric edge switch for the MACsec policy.
Access Type = ACCESS_ACCEPT
VLAN = 1021
MACSec Policy = should-secure
For devices that do not support MACsec, or for devices that you want to exclude from MACsec encryption, you can create a separate ISE authorisation policy that returns the MACsec policy of 'must-not-secure'.
You have the following MACSec policy options in ISE.
must-not-secure
should-secure
must-secure
Please see the following for further details
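The points raised in this thread (the DNAC Closed Authentication template defaulting to host-mode multi-auth, which is not supported with MACsec, and the global MKA policy having to exist and match the name applied on the port) are easy to get wrong in a day-N template, so here is a small linter for the rendered template text. This is an added example, not code from the thread or from Cisco; the config snippet it checks is constructed for illustration (the interface names and the `mka_polcy` typo are made up to trigger findings), and the allowed cipher and confidentiality-offset values are assumptions based on the IOS-XE MKA policy syntax rather than anything stated above.

```python
"""Lint a C9300 day-N template for switch-to-host MACsec.

Added example, not from the thread. Parses an IOS-style config and flags:
  - a port with `macsec` still in host-mode multi-auth (DNAC default of
    'Unlimited' hosts); the thread says this is unsupported with MACsec
  - a port with `macsec` but no `mka policy`, or one that is not defined
  - an MKA policy with a cipher, priority or offset value outside the ranges
    assumed here (assumption: gcm-aes-128/256 and their XPN variants,
    key-server priority 0-255, confidentiality-offset 0/30/50)
"""

# Constructed sample: the OP's global policy plus three illustrative ports.
SAMPLE_CONFIG = """\
mka policy mka_policy
 key-server priority 200
 include-icv-indicator
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 ssci-based-on-sci
!
interface GigabitEthernet1/0/1
 description closed-auth port left at the template default of Unlimited hosts
 authentication host-mode multi-auth
 macsec
 mka policy mka_policy
!
interface GigabitEthernet1/0/2
 description closed-auth port with host count set to Single
 authentication host-mode multi-domain
 macsec
 mka policy mka_policy
!
interface GigabitEthernet1/0/3
 description macsec enabled but the policy name has a typo
 authentication host-mode multi-domain
 macsec
 mka policy mka_polcy
!
"""

UNSUPPORTED_HOST_MODES = {"multi-auth"}  # per the thread: not supported with MACsec
ALLOWED_CIPHERS = {"gcm-aes-128", "gcm-aes-256", "gcm-aes-xpn-128", "gcm-aes-xpn-256"}
ALLOWED_OFFSETS = {"0", "30", "50"}


def parse_sections(config):
    """Split an IOS-style config into (header, [child lines]); children are indented."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections


def lint_macsec(config):
    """Return a list of (scope, problem) tuples; an empty list means no findings."""
    findings, policies, interfaces = [], {}, {}
    for header, body in parse_sections(config):
        if header.startswith("mka policy "):
            policies[header.split(None, 2)[2]] = body
        elif header.startswith("interface "):
            interfaces[header.split(None, 1)[1]] = body

    for name, body in policies.items():
        scope = f"mka policy {name}"
        for line in body:
            words = line.split()
            if words[0] == "macsec-cipher-suite" and words[1] not in ALLOWED_CIPHERS:
                findings.append((scope, f"unexpected cipher suite {words[1]}"))
            elif words[:2] == ["key-server", "priority"] and not 0 <= int(words[2]) <= 255:
                findings.append((scope, f"key-server priority {words[2]} outside 0-255"))
            elif words[0] == "confidentiality-offset" and words[1] not in ALLOWED_OFFSETS:
                findings.append((scope, f"confidentiality-offset {words[1]} not one of 0/30/50"))

    for ifname, body in interfaces.items():
        if "macsec" not in body:
            continue  # port is not doing MACsec; nothing to check
        scope = f"interface {ifname}"
        host_mode = next((l.split()[-1] for l in body if l.startswith("authentication host-mode ")), None)
        if host_mode in UNSUPPORTED_HOST_MODES:
            findings.append((scope, f"host-mode {host_mode} is not supported with MACsec; "
                                    "use multi-domain (DNAC closed auth template: hosts = Single)"))
        applied = next((l.split()[-1] for l in body if l.startswith("mka policy ")), None)
        if applied is None:
            findings.append((scope, "macsec enabled but no 'mka policy' applied"))
        elif applied not in policies:
            findings.append((scope, f"mka policy '{applied}' is not defined globally"))
    return findings


if __name__ == "__main__":
    for scope, problem in lint_macsec(SAMPLE_CONFIG):
        print(f"{scope}: {problem}")
```

Run it against the output of a DNAC template preview (or a `show running-config` from a re-provisioned fabric edge) before pushing the template to every edge; on the constructed sample it reports the multi-auth port and the undefined policy name and is silent on the correctly configured port.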