cts manual (MACSEC) between C3560X & C3560CX

I have been playing around with MACSEC to encrypt traffic between two switches - a C3560X running 15.2(4)E10 and a C3560CX running 15.2(7)E6.  The configuration is very simple; on both I have this configured on the interface:

 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt

The link is configured as L3 (no switchport) and OSPF is running over it.  It is working; however, the output of the command 'show cts macsec counters interface x/x' shows lots of 'rxL2UntaggedPkts' & 'rxL2SAMissPkts' on the C3750x side:

c3560x#show cts macsec counters interface gigabitEthernet 0/24
CTS Security Statistic Counters:
                    rxL2UntaggedPkts = 0
                       rxL2NotagPkts = 3857
                      rxL2SCMissPkts = 0
                        rxL2CTRLPkts = 0
                        rxL3CTRLPkts = 0
                   rxL3UnknownSAPkts = 0
                      rxL2BadTagPkts = 0
                    txL2UntaggedPkts = 0
                        txL2CtrlPkts = 0
                        txL3CtrlPkts = 0
                       txL3UnknownSA = 0

                            SA Index : 0
                  rxL2ReplayfailPkts = 0
                    rxL2AuthfailPkts = 0
                          rxL2PktsOK = 41009
                   rxL3AuthCheckFail = 0
                 rxL3ReplayCheckFail = 0
                      rxL2SAMissPkts = 3857
                     rxL3EspGcm_Pkts = 0
                rxL3InverseCheckfail = 0
                       txL3Protected = 0
                       txL2Protected = 12332
GENERIC Counters:
                      CRCAlignErrors = 0
                      UndersizedPkts = 0
                       OversizedPkts = 0
                        FragmentPkts = 0
                             Jabbers = 0
                          Collisions = 0
                            InErrors = 0
                           OutErrors = 0
                        ifInDiscards = 0
                   ifInUnknownProtos = 0
                       ifOutDiscards = 0
          dot1dDelayExceededDiscards = 0
                               txCRC = 0
                          linkChange = 0

On the C3560CX side I don't see this:

c3560cx#show cts macsec counters interface gigabitEthernet 1/0/9
CTS Security Statistic Counters:
                    rxL2UntaggedPkts = 8
                       rxL2NotagPkts = 0
                      rxL2SCMissPkts = 0
                        rxL2CTRLPkts = 0
                        rxL3CTRLPkts = 0
                   rxL3UnknownSAPkts = 0
                      rxL2BadTagPkts = 0
                    txL2UntaggedPkts = 0
                        txL2CtrlPkts = 0
                        txL3CtrlPkts = 0
                       txL3UnknownSA = 0

                            SA Index : 0
                  rxL2ReplayfailPkts = 1
                    rxL2AuthfailPkts = 0
                          rxL2PktsOK = 13135
                   rxL3AuthCheckFail = 0
                 rxL3ReplayCheckFail = 0
                      rxL2SAMissPkts = 0
                     rxL3EspGcm_Pkts = 0
                rxL3InverseCheckfail = 0
                       txL3Protected = 0
                       txL2Protected = 41895
GENERIC Counters:
                      CRCAlignErrors = 0
                      UndersizedPkts = 0
                       OversizedPkts = 0
                        FragmentPkts = 0
                             Jabbers = 0
                          Collisions = 0
                            InErrors = 0
                           OutErrors = 0
                        ifInDiscards = 0
                   ifInUnknownProtos = 0
                       ifOutDiscards = 0
          dot1dDelayExceededDiscards = 0
                               txCRC = 0
                          linkChange = 0

I thought it was CDP or LLDP as the value is the same, however the counters still increment on the C3560X side when I disable these.

Is this a cosmetic bug?  I can't mirror the traffic as the SPAN session is after/before the encryption as far as I can tell and I don't have a way to tap on the wire.
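
One way to line the two outputs quoted above up against each other, as an added example that is not part of the original post: it parses the counter lines from both switches and reports, per receive direction, frames that arrived without a MACsec tag that the peer does not account for as untagged transmits (the 3857 'rxL2NotagPkts' the question is about), SA misses, and authentication or replay failures. It assumes both rxL2UntaggedPkts and rxL2NotagPkts denote frames received without a MACsec tag; the function names are my own.

```python
import re
# Sample input: the counter lines from the two switches in the post above,
# trimmed to the ones these checks use (values are the ones quoted there).
C3560X_OUT = """\
                    rxL2UntaggedPkts = 0
                       rxL2NotagPkts = 3857
                    txL2UntaggedPkts = 0
                  rxL2ReplayfailPkts = 0
                    rxL2AuthfailPkts = 0
                      rxL2SAMissPkts = 3857
"""
C3560CX_OUT = """\
                    rxL2UntaggedPkts = 8
                       rxL2NotagPkts = 0
                    txL2UntaggedPkts = 0
                  rxL2ReplayfailPkts = 1
                    rxL2AuthfailPkts = 0
                      rxL2SAMissPkts = 0
"""
COUNTER_RE = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")

def parse_cts_counters(text):
    """Turn 'show cts macsec counters interface' output into {name: int}."""
    return {m.group(1): int(m.group(2))
            for m in map(COUNTER_RE.match, text.splitlines()) if m}

def audit_direction(rx_side, tx_side):
    """Findings for frames received by rx_side, checked against what tx_side
    reports sending. Returns {finding: count} with only non-zero entries."""
    f = {}
    # Frames that arrived without a MACsec tag (cleartext on a link that is
    # supposed to be encrypted) beyond what the peer counts as sent untagged.
    # Assumption: both rx*Untagged/Notag counters describe such frames.
    cleartext = rx_side.get("rxL2NotagPkts", 0) + rx_side.get("rxL2UntaggedPkts", 0)
    f["untagged_rx_unaccounted"] = max(0, cleartext - tx_side.get("txL2UntaggedPkts", 0))
    # Tagged frames that matched no installed SA (rekey race or stray source).
    f["sa_miss"] = rx_side.get("rxL2SAMissPkts", 0)
    # Integrity and replay failures are never expected on a healthy link.
    f["auth_fail"] = rx_side.get("rxL2AuthfailPkts", 0)
    f["replay_fail"] = rx_side.get("rxL2ReplayfailPkts", 0)
    return {k: v for k, v in f.items() if v}

def audit_pair(out_a, out_b):
    """Audit both directions of a MACsec link from the two peers' outputs."""
    a, b = parse_cts_counters(out_a), parse_cts_counters(out_b)
    return {"a_rx": audit_direction(a, b), "b_rx": audit_direction(b, a)}
```

Run against the two outputs, the C3560X direction reports 3857 unaccounted untagged frames and 3857 SA misses, while the C3560CX direction reports 8 untagged frames and the single replay failure.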
