05-12-2022 02:32 AM
I have been playing around with MACSEC to encrypt traffic between two switches - a C3560X running 15.2(4)E10 and a C3560CX running 15.2(7)E6. The configuration is very simple; on both I have this configured on the interface:
cts manual no propagate sgt sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt
The link is configured as L3 (no switchport) and OSPF is running over it. It is working, however the output of the command 'show cts macsec counters interface x/x' shows lots of 'rxL2UntaggedPkts' & 'rxL2SAMissPkts' on the C3560X side:
c3560x#show cts macsec counters interface gigabitEthernet 0/24
CTS Security Statistic Counters:
rxL2UntaggedPkts = 0
rxL2NotagPkts = 3857
rxL2SCMissPkts = 0
rxL2CTRLPkts = 0
rxL3CTRLPkts = 0
rxL3UnknownSAPkts = 0
rxL2BadTagPkts = 0
txL2UntaggedPkts = 0
txL2CtrlPkts = 0
txL3CtrlPkts = 0
txL3UnknownSA = 0
SA Index : 0
rxL2ReplayfailPkts = 0
rxL2AuthfailPkts = 0
rxL2PktsOK = 41009
rxL3AuthCheckFail = 0
rxL3ReplayCheckFail = 0
rxL2SAMissPkts = 3857
rxL3EspGcm_Pkts = 0
rxL3InverseCheckfail = 0
txL3Protected = 0
txL2Protected = 12332
GENERIC Counters:
CRCAlignErrors = 0
UndersizedPkts = 0
OversizedPkts = 0
FragmentPkts = 0
Jabbers = 0
Collisions = 0
InErrors = 0
OutErrors = 0
ifInDiscards = 0
ifInUnknownProtos = 0
ifOutDiscards = 0
dot1dDelayExceededDiscards = 0
txCRC = 0
linkChange = 0
On the C3560CX side I don't see this:
c3560cx#show cts macsec counters interface gigabitEthernet 1/0/9
CTS Security Statistic Counters:
rxL2UntaggedPkts = 8
rxL2NotagPkts = 0
rxL2SCMissPkts = 0
rxL2CTRLPkts = 0
rxL3CTRLPkts = 0
rxL3UnknownSAPkts = 0
rxL2BadTagPkts = 0
txL2UntaggedPkts = 0
txL2CtrlPkts = 0
txL3CtrlPkts = 0
txL3UnknownSA = 0
SA Index : 0
rxL2ReplayfailPkts = 1
rxL2AuthfailPkts = 0
rxL2PktsOK = 13135
rxL3AuthCheckFail = 0
rxL3ReplayCheckFail = 0
rxL2SAMissPkts = 0
rxL3EspGcm_Pkts = 0
rxL3InverseCheckfail = 0
txL3Protected = 0
txL2Protected = 41895
GENERIC Counters:
CRCAlignErrors = 0
UndersizedPkts = 0
OversizedPkts = 0
FragmentPkts = 0
Jabbers = 0
Collisions = 0
InErrors = 0
OutErrors = 0
ifInDiscards = 0
ifInUnknownProtos = 0
ifOutDiscards = 0
dot1dDelayExceededDiscards = 0
txCRC = 0
linkChange = 0
I thought it was CDP or LLDP as the value is the same, however the counters still increment on the C3560X side when I disable these.
Is this a cosmetic bug? I can't mirror the traffic as the SPAN session is after/before the encryption as far as I can tell and I don't have a way to tap on the wire.
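As an added example that is not part of the original post, the script below parses the flattened 'show cts macsec counters interface' output quoted above and separates the counters that grow on a healthy link (protected frames in and out) from those that indicate frames arriving without a MACsec tag, missing an SA lookup, or failing auth/replay checks. It also checks the pattern the poster noticed (rxL2NotagPkts and rxL2SAMissPkts moving together) and computes what share of received frames were unprotected; the sample strings are the poster's two outputs, trimmed to the relevant counters, and the set of "healthy" counter names is an assumption of this example.

```python
import re

# Constructed sample: the counters quoted from the C3560X side in the post,
# flattened onto one line and trimmed to the security counters that matter here.
SAMPLE_3560X = (
    "CTS Security Statistic Counters: rxL2UntaggedPkts = 0 rxL2NotagPkts = 3857 "
    "rxL2SCMissPkts = 0 rxL2BadTagPkts = 0 SA Index : 0 rxL2ReplayfailPkts = 0 "
    "rxL2AuthfailPkts = 0 rxL2PktsOK = 41009 rxL2SAMissPkts = 3857 "
    "txL2Protected = 12332 GENERIC Counters: CRCAlignErrors = 0 InErrors = 0"
)
# Constructed sample: the C3560CX side, trimmed the same way.
SAMPLE_3560CX = (
    "CTS Security Statistic Counters: rxL2UntaggedPkts = 8 rxL2NotagPkts = 0 "
    "rxL2ReplayfailPkts = 1 rxL2AuthfailPkts = 0 rxL2PktsOK = 13135 "
    "rxL2SAMissPkts = 0 txL2Protected = 41895 GENERIC Counters: InErrors = 0"
)

COUNTER_RE = re.compile(r"\b(\w+)\s*=\s*(\d+)")

# Assumption of this example: counters expected to grow on a healthy MACsec link.
HEALTHY = {"rxL2PktsOK", "txL2Protected", "txL3Protected", "rxL3EspGcm_Pkts"}

def parse_counters(output):
    """Map counter name -> int from 'show cts macsec counters interface' text.
    'SA Index : 0' uses a colon rather than '=' and is deliberately skipped."""
    return {name: int(val) for name, val in COUNTER_RE.findall(output)}

def anomalies(counters):
    """Nonzero counters other than the healthy ones: untagged frames, SA/SC
    lookup misses, bad tags, and auth or replay failures."""
    return {k: v for k, v in counters.items() if v and k not in HEALTHY}

def notag_equals_sa_miss(counters):
    """True when rxL2NotagPkts and rxL2SAMissPkts agree, i.e. both counters
    describe the same untagged frames (the pattern seen on the C3560X)."""
    return counters.get("rxL2NotagPkts", 0) == counters.get("rxL2SAMissPkts", 0)

def unprotected_rx_fraction(counters):
    """Share of received frames that carried no MACsec protection."""
    ok = counters.get("rxL2PktsOK", 0)
    bad = counters.get("rxL2NotagPkts", 0) + counters.get("rxL2UntaggedPkts", 0)
    return bad / (ok + bad) if ok + bad else 0.0

if __name__ == "__main__":
    for name, text in (("C3560X", SAMPLE_3560X), ("C3560CX", SAMPLE_3560CX)):
        c = parse_counters(text)
        print(name, anomalies(c), f"unprotected rx: {unprotected_rx_fraction(c):.2%}")
```

Running it against periodic snapshots of the same interface shows whether the untagged counters keep climbing while the link is otherwise protected, which is the distinction between a cosmetic counter and plaintext frames actually arriving on the wire.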