cts manual on 3560CX not available

burkir
Level 1

UPDATE: According to TAC, it is not yet supported and will only be available in 2016. This is not really what the datasheet suggested; it misled me by saying "3560CX MACsec hardware capable".

=============================================================================================================

Configuring MACsec on a port fails because the command "cts" is not available, neither on a gig nor on a tengig interface.

On a 3560CX (compact switch) one cannot issue "cts" in interface config mode.

We are trying to set up MACsec on a gig link, and commands like mka, cts or macsec are all unavailable.

Is there a global command necessary to trigger these commands?

Hardware: 3560CX-12PD-S

IOS: 15.2(3)E/15.2(3)E2

IMAGE1: C3560cx-universalk9-mz.152-3.E.bin

Image2: c3560cx-universalk9-mz.152-3.E2.bin

License: ipservices

 

as-02(config-if)#int gi1/0/1
as-02(config-if)#sw mo acc
as-02(config-if)#sw acc vl 2
as-02(config-if)#mac
as-02(config-if)#macse
as-02(config-if)#macsec
as-02(config-if)#macsec ?
% Unrecognized command
as-02(config-if)#macsec
                              ^
% Invalid input detected at '^' marker.

as-02(config-if)#mac ?
  access-group  MAC access-group configuration commands

as-02(config-if)#mka ?
% Unrecognized command
as-02(config-if)#mka
                            ^
% Invalid input detected at '^' marker.

as-02(config-if)#dot1x?
dot1x

as-02(config-if)#dot1x ?
  authenticator   Configure authenticator parameters
  credentials     Credentials profile configuration
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No. of Reauthentication Attempts
  max-req         Max No. of Retries
  max-start       Max No. of EAPOL-Start requests
  pae             Set 802.1x interface pae type
  supplicant      Configure supplicant parameters
  timeout         Various Timeouts

as-02(config-if)#dot1x pae
as-02(config-if)#dot1x pae aut
as-02(config-if)#dot1x pae authenticator
as-02(config-if)#auth
as-02(config-if)#authentication viol
as-02(config-if)#authentication violation prot
as-02(config-if)#auth
as-02(config-if)#authentication por
as-02(config-if)#authentication port-control auto
as-02(config-if)#authentication port-control auto
as-02(config-if)#auth links
as-02(config-if)#auth linksec pol
as-02(config-if)#auth linksec policy mus
as-02(config-if)#auth linksec policy must-se
as-02(config-if)#auth linksec policy must-secure
as-02(config-if)#auth
as-02(config-if)#authentication host-mode multi
as-02(config-if)#authentication host-mode multi-d
as-02(config-if)#authentication host-mode multi-domain
as-02(config-if)#auth event linkse
as-02(config-if)#auth event linksec fail action auth vla 1111
as-02(config-if)#macsec
                              ^
% Invalid input detected at '^' marker.

as-02(config-if)#mka
as-02(config-if)#mka?
% Unrecognized command
as-02(config-if)#cts
as-02(config-if)#cts ?
  role-based  Role-based Access Control per-port config commands

as-02(config-if)#cts rol
as-02(config-if)#cts role-based ?
% Unrecognized command
as-02(config-if)#cts role-based
% Incomplete command.

as-02(config-if)#cts role-based sgt-map test
                                          ^
% Invalid input detected at '^' marker.

as-02(config-if)#
as-02(config-if)#do sh run int gi1/0/1
Building configuration...

Current configuration : 325 bytes
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
authentication event linksec fail action authorize vlan 1111
authentication host-mode multi-domain
authentication linksec policy must-secure
authentication port-control auto
authentication violation protect
dot1x pae authenticator
end

 

Any ideas?

 

 

1 Reply

Mario Erceg
Level 1

Hi Burkir,

Did you get IOS for MACsec on the 3560-CX? Can you use MACsec on uplink SFP ports?

Thanks
