2 Catalysts with Port-Channel encryption

t.ricco
Level 1

Hi Community,

Is it possible to encrypt the traffic between two Catalysts on a Port-Channel with multiple VLANs?

Thanks for your ideas!

14 Replies

No. IPsec (crypto map) is an L3 protocol;
you need an L2 protocol, and I think the best one is MACsec.

MACsec with the mka policy commands is not available on my Catalyst C2960...

When the Port-Channel is on L2, then it should be possible to create encryption endpoints using L3 on top, right?

Two points:
The SW 2960 does not support IPsec.
Also notice that this is L3, not L2,
i.e.
a user in SW1 in VLANx can access a user in SW2 in VLANx, and this traffic will not be encrypted.

Really, IPsec is not supported? But why then are all the crypto commands (isakmp/ipsec/map) accessible on the devices?

Is the command accepted by the SW? If yes, try using IPsec.
But again, this protects L3, not L2.

Hi

A good question would be: for what reason? Of course it is for protection, but why specifically there? Maybe the best solution would be to seek protection at the application instead, as a switch basically offers connectivity.

Probably any other solution rather than MACsec would involve RADIUS or end-to-end cryptography.

We got a new branch office, outside of our main building. The branch is connected with a dark fiber and no ISP or public WAN. Normally I'd use IPsec on our firewall, but in this case I'm wondering if extending the VLANs over the SFP ports would be a solution as well, but not without encryption. In my test lab I'm using a C2960, but on site we have C9200 switches.

If security is a big concern, it would be highly recommended to get a router or a small firewall and establish an IPsec tunnel.

Or, as you have a firewall, install VPN clients on the machines, put them to work in the VPN and use the switches for basic connectivity.

Hello
Yes, via MACsec/TrustSec encryption - here


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

M02@rt37
VIP

Hello @t.ricco,

Since Port-Channels operate at L2, protocols like IPsec that operate at L3 cannot be directly implemented on them. IPsec requires the underlying L3 network to establish encrypted tunnels between devices.

To encrypt the traffic between Catalyst switches on a Port-Channel with multiple VLANs at L2, you can consider using MACsec. It provides hop-by-hop encryption and integrity checks for Ethernet frames, ensuring the confidentiality and integrity of the data transmitted between switches.

By configuring MACsec on the physical interfaces participating in the Port-Channel, you can secure the traffic between the switches at L2, regardless of the VLANs involved. Each VLAN's traffic within the Port-Channel will be encrypted individually.

The C9200 supports MACsec.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Ok, I'll give MACsec a try. On the question of data throughput: does someone know how much MACsec "costs"? 10%?

Part of the cost would be the bandwidth used by MACsec tags. Overhead percentage would depend on the size of the base frame (much like VLAN tag overhead).

Costs for CPU and latency would depend on the platform, but if the platform supports MACsec, in theory the impact should be minimal (as that's the goal).
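To put a number on the "10%?" question, here is an added example (not from this thread or from Cisco) that computes the wire overhead MACsec adds per frame from the 802.1AE SecTAG and ICV sizes, for single frame sizes and for a traffic mix. The 7:4:1 mix of 64/570/1518-byte frames is a constructed sample, not measured data.

```python
"""Added example: estimate MACsec (IEEE 802.1AE) bandwidth overhead by frame size.

MACsec adds a fixed number of bytes to every frame and does not expand the
payload (GCM-AES is an AEAD cipher), so the percentage overhead shrinks as
frames get bigger, exactly as with an 802.1Q tag. Sizes assumed here:
  SecTAG  8 bytes without the SCI, 16 bytes when the SCI is carried
  ICV    16 bytes for GCM-AES-128 / GCM-AES-256
"""

SECTAG_BYTES = {"no_sci": 8, "sci": 16}
ICV_BYTES = 16

def macsec_overhead_bytes(include_sci: bool = True) -> int:
    """Bytes added to each protected frame: SecTAG plus ICV."""
    return SECTAG_BYTES["sci" if include_sci else "no_sci"] + ICV_BYTES

def overhead_percent(frame_len: int, include_sci: bool = True) -> float:
    """Overhead as a percentage of one frame of frame_len bytes.

    frame_len is the frame as sent without MACsec (header, payload, FCS and,
    on a trunk such as the port-channel in this thread, the 4-byte 802.1Q tag):
    64 for a minimum frame, 1522 for a maximum-size tagged frame.
    """
    if frame_len <= 0:
        raise ValueError("frame length must be positive")
    return 100.0 * macsec_overhead_bytes(include_sci) / frame_len

def mix_overhead_percent(frame_counts: dict, include_sci: bool = True) -> float:
    """Overhead for a traffic mix given as {frame_len: relative frame count}.

    The added bytes are constant per frame, so the overhead of a mix is the
    per-frame cost divided by the mean frame length of that mix.
    """
    total = sum(frame_counts.values())
    if total <= 0:
        raise ValueError("mix must contain at least one frame")
    mean_len = sum(n * length for length, n in frame_counts.items()) / total
    return 100.0 * macsec_overhead_bytes(include_sci) / mean_len

# Constructed sample mix (7:4:1 frames of 64, 570 and 1518 bytes), not measured data.
SAMPLE_MIX = {64: 7, 570: 4, 1518: 1}

if __name__ == "__main__":
    for size in (64, 128, 512, 1518, 1522):
        print(f"{size:5d} B frame: {overhead_percent(size):5.1f}% overhead (SecTAG + ICV, with SCI)")
    print(f"sample mix: {mix_overhead_percent(SAMPLE_MIX):.1f}% with SCI, "
          f"{mix_overhead_percent(SAMPLE_MIX, include_sci=False):.1f}% without")
```

With this constructed mix the bandwidth cost lands around 9% with the SCI present, while a link carrying mostly 1500-byte frames pays closer to 2%; the CPU and latency cost is separate and, as noted above, platform dependent.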

Hello @t.ricco ,

If MACsec is supported on your Cat9200, it is performed in hardware in the UADP Forwarding Engine ASIC.

So you should not see a great performance penalty.

The links must be direct between the devices or MACsec will be broken. No Layer 2 device in between.

Hope to help

Giuseppe
