
MACsec with SDA roadmap

kklyubin
Cisco Employee

Hi All,

Hope you’re doing well!

 

Just one small question: is MACsec support on the roadmap for SD-Access? Or are there no plans to support it at all?

 

Any input would be very welcome.

5 Replies

jedolphi
Cisco Employee

Hello Katerina,

Update: In Cisco SD-Access 2.2.2.x there is some support for MACsec, depending on the specific circumstances. Cisco partners can review this URL for more details: https://www.cisco.com/c/dam/en/us/products/se/2021/6/Business_Unit/What_s_New_in_Cisco_SD-Access_2_2_2_4_-_v1_01__Partner.pdf

Best regards, Jerome

Any new information? Link is dead by the way.

We support MACsec in SD-Access Fabric using templates or manual CLI.

 

  • Switch-to-switch MACsec in SD-Access has been validated using pre-shared key (PSK) key-chains.

  • Routing platforms have not been validated for MACsec in an SD-Access Fabric.

  • aes-256-cmac has been validated for the MACsec Keychain Cryptographic-Algorithm.

  • gcm-aes-256 has been validated for the MKA Policy Cipher-Suite.

  • Switch-to-host MACsec in SD-Access has been validated using a dynamic authorization result from ISE wherein the encryption policy is returned with the authorization result.

Hello Jonathan,

It's a pleasure to greet you.

I want to know in what exact scenario MACSEC switch-to-host works in SD-Access.
I currently have an SD-Access network, and MACSEC switch-to-host causes problems during the host's DHCP negotiation. With MACSEC enabled, the host does not receive an IP address.

 Do you have any Cisco documents showing that MACSEC Switch-to-host is supported in SD-Access networks?

Hello Jonathan, as of today's code, do we support host-to-switch MacSec with SD-Access in the Cat9300?

TIA.
