Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
180
Views
0
Helpful
2
Replies

Cisco Catalyst 9300 - MKA Channel Up but MACSEC Traffic Doesn't Work

ldnelson16
Level 1
Level 1

‎06-06-2024 02:09 PM

I am trying to use a Cisco Switch in the following test configuration: 

Test Device A <--> Cisco Catalyst <--> Test Device B

Thus, each device is connected to its own port in the Cisco Catalyst. 

I want to send traffic encrypted by MACSEC between the two devices. This means that it would be encrypted between Test Device A and Cisco Catalyst, then the Catalyst would decrypt the payload, and re-encrypt according to SAK for connection to Test Device B, then send to Device B, then Device B would decrypt according to its SAK and receive it. However, when I run this test (using a traffic generator), it completely fails, the packets are dropped somewhere for some unknown reason. 

Despite this, I can confirm that MKA worked successfully, as 

show macsec summary
Interface Transmit SC Receive SC
Tw1/0/3 1 1
Tw1/0/4 1 1

Also, generic forwarding of traditional Ethernet frames does in fact work. 

For this desired outcome, how should I set up my Catalyst interface, to decrypt-forward-reencrypt these frames? How can MKA session be successfully created but MACSEC traffic is dropped?

Labels:
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎06-06-2024 07:27 PM

what is the full model of the device, what IOS XE code running, what License you have ?

how is your configuration looks like or refer below reference :

https://community.cisco.com/t5/networking-knowledge-base/configuring-macsec-switch-to-switch-with-pre-shared-key/ta-p/4436093

troubleshooting:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216849-troubleshoot-macsec-on-catalyst-9000.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ldnelson16
Level 1
Level 1
In response to balaji.bandi

‎06-07-2024 06:04 AM

Model: cisco C9300-48UXM

IOS XE: Cisco IOS XE Software, Version 17.06.05

Licenses: 

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-advantage Smart License network-advantage
dna-advantage Subscription Smart License dna-advantage
AIR License Level: AIR DNA Advantage

My configuration is not the same as the links: I wish to send a frame from Device A, and then have the switch forward it to its final destination (Device B), however the hops between Devices A and B with the switch should be encrypted by MACSEC. I can get each of these sessions to go up, however cannot get the switch to forward by simply looking at the destination MAC address as one can with plain Ethernet, how do I do that?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card