05-29-2014 03:52 AM - edited 03-07-2019 07:34 PM
Hi all,
Is anyone aware of any restrictions on using MACsec on the uplinks of a service module whilst the uplink ports are in an etherchannel?
Essentially we will have 2x 3560Xs connected by 2x fibres. The plan is to encrypt over these fibres but to etherchannel them for resilience/convergence purposes. Is this likely to work? Has anyone done this before?
Many thanks
SteveH
08-08-2014 04:21 AM
Just to close this out: this is possible, but you must use the Service Module and not the Network Module for the uplinks.
08-25-2014 06:15 AM
Hi, thanks for your posting, I have nearly the same situation here...
Where did you get the positive answer? Could you find any documentation for MACsec together with Etherchannel?
I have on one side a 3560X with SM module and on the other side 68k with 69xx line card...
08-26-2014 02:00 AM
Just based on the data sheet and the configuration guide.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.html
I haven't yet got my hands on the kit, still waiting for it to arrive but based on the configuration guide switch-to-switch is supported.
You must be running higher than LAN Base though.
"Note MACsec is not supported on switches running the NPE or the LAN base image."
I will be configuring this in the next week or so and will post back here with a working configuration (hopefully!)
SteveH
12-17-2015 03:20 AM
Hi Steve
Did you make it work? I am having an issue with MACsec switch-to-switch manual configuration (two 4500s with the right IOS) with port channel. Please can you help?
Can I get the running config and advice on what I have to take more care with?
12-17-2015 04:07 AM
Indeed we did, and it works rather well.
See: http://www.petenetlive.com/KB/Article/0001000.htm for an example configuration.
I haven't tested this on a 4500 (which model? 4500X I presume?), however the commands should be very similar. If you can give a bit more detail on where your problem is and the configuration you're trying to apply, I could take a look.
12-18-2015 06:59 PM
Hi Steven
I am very happy to read you. My problem starts with the configuration of the 4500X out of the box:
- initial configuration
- MACsec configuration on Port-channel (the 4500X refuses some commands)
- Also, can we simulate MACsec using VIRL?
Thanks
08-26-2014 02:04 AM
Also see:
https://supportforums.cisco.com/discussion/11540361/how-configure-encryption-macsec-switch-switch-without-acs-server
09-22-2014 04:02 PM
I can now confirm this works with manual mode; see my colleagues' blog post with a simple configuration example:
http://www.petenetlive.com/KB/Article/0001000.htm
Thanks
SteveH