Cisco 3850 Macsec encryption

Gregg Hamby
Level 1

Customer just bought four WS-C3850-T with IPServices. I upgraded them to IOS-XEE 3.3.5 straight away. Working fine except when trying to do manual CTS I don't have the gcm-encrypt option on these switches?

I have MACSec "configured" on two fiber ports between two switches but it's not actually encrypting anything. Do I need a separate license just for this?

Literally, if I go into interface mode, do cts manual, and then sap pmk mode I only have the no-encap option?

These are covered by Smartnet but I need to get associated with the contract to open a case.

Any thoughts?

Thanks all.

5 Replies

Gregg Hamby
Level 1

Hmm, OK, is this because Cisco's docs on the 3850 and its support for TrustSec/MACsec are clear as mud?

It looks to me from the release notes that 802.1AE is only supported as of Dec 10 with the 3.7.0ED code?

Nice.....

OK, this is working as of the 3.7.0 code however with MACSec enabled using "sap pmk <key> mode-list gcm-encrypt" across a 1 gig fiber the performance hit is so great that the link is unusable?

This is a small shop with less than 10 users behind this 3850. With "no-encap" specified performance is great. Using gcm-encrypt makes even remote admin activity (RDP, VNC) all but impossible.

This has been tested multiple times with the customer - enable encryption, test performance. Disable it, and reboot. Performance is great. Re-enable encryption, performance tanks....

Thoughts anyone?

Thanks.

Have you talked to Cisco TAC about this? We have not seen that many questions here on this forum regarding MACsec deployment. I am also guessing the issue has not been reported to TAC, or they just have not done anything about it because of the lack of wide deployments.

Have you done any testing with copper ports?

When it is enabled, does it affect the CPU utilization?

HTH
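As an added example, not taken from this thread or from Cisco's documentation, here is the interface configuration the thread describes, with the `no-encap` mode (which leaves frames on the link unencrypted) beside the `gcm-encrypt` mode Gregg switched to on 3.7.0 code, followed by the show commands one would use to confirm which SAP mode actually negotiated and to answer Reza's CPU question. The interface name and the PMK value are placeholders; the real PMK is a hex string you generate yourself.

```cisco
! Constructed example: TrustSec manual mode on a 1G fiber port of the network module
! (interface name is an assumption; replace <PMK_HEX_PLACEHOLDER> with your own hex key)
!
! Weak setting: SAP negotiates no-encap, so MACsec is "configured" but nothing is encrypted
interface GigabitEthernet1/1/1
 cts manual
  sap pmk <PMK_HEX_PLACEHOLDER> mode-list no-encap
!
! Corrected setting: only GCM encryption is offered, so the link either encrypts or stays down
interface GigabitEthernet1/1/1
 cts manual
  sap pmk <PMK_HEX_PLACEHOLDER> mode-list gcm-encrypt
!
! Verification after the link comes up: the negotiated SAP mode must read gcm-encrypt,
! and CPU should be sampled while traffic is flowing to see whether encryption is the cause
show cts interface GigabitEthernet1/1/1
show processes cpu sorted
```

Keep `no-encap` out of the mode list on a production link: if it is listed as a fallback behind `gcm-encrypt`, a negotiation that fails on the encrypted mode quietly settles on cleartext, and the interface still looks "MACsec configured" in the running config. Checking `show cts interface` after each change, as the thread's test cycles do, is what catches that.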

Thanks Reza. We did indeed open a case and I've been working it with the team in RTP. As I mentioned, this capability became available on the 3850 in early December and, in my opinion, is not ready for prime time. We were able to get two switches working by using the built-in copper ports and media converters. Using the 1Gb fiber ports on the add-in network module produces all manner of unpredictable performance. Web pages barely render while pings to Google's DNS come back in 10ms. Weird.

I fully expect that eventually this will get resolved, but in the meantime MACsec and a 3850 are to be avoided.

Thanks.


Greg,

Thanks for the feedback.

Reza
