08-25-2015 06:44 AM - edited 03-08-2019 01:30 AM
UPDATE: According to TAC, it is not yet supported and will be available in 2016 only. This is not really what the datasheet suggested; it misled me by saying "3560CX MACsec hardware capable".
=============================================================================================================
Configuring MACsec on a port fails because the command “cts” is not available, on neither the gig nor the tengig interface.
On a 3560CX (compact switch) one cannot issue "cts" in interface config.
We are trying to set up MACsec on a gig link, and commands like mka, cts or macsec are all unavailable.
Is there a global command necessary to trigger these commands?
Hardware: 3560CX-12PD-S
IOS: 15.2(3)E/15.2(3)E2
IMAGE1: C3560cx-universalk9-mz.152-3.E.bin
Image2: c3560cx-universalk9-mz.152-3.E2.bin
License: ipservices
as-02(config-if)#int gi1/0/1
as-02(config-if)#sw mo acc
as-02(config-if)#sw acc vl 2
as-02(config-if)#mac
as-02(config-if)#macse
as-02(config-if)#macsec
as-02(config-if)#macsec ?
% Unrecognized command
as-02(config-if)#macsec
^
% Invalid input detected at '^' marker.
as-02(config-if)#mac ?
access-group MAC access-group configuration commands
as-02(config-if)#mka ?
% Unrecognized command
as-02(config-if)#mka
^
% Invalid input detected at '^' marker.
as-02(config-if)#dot1x?
dot1x
as-02(config-if)#dot1x ?
authenticator Configure authenticator parameters
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts
as-02(config-if)#dot1x pae
as-02(config-if)#dot1x pae aut
as-02(config-if)#dot1x pae authenticator
as-02(config-if)#auth
as-02(config-if)#authentication viol
as-02(config-if)#authentication violation prot
as-02(config-if)#auth
as-02(config-if)#authentication por
as-02(config-if)#authentication port-control auto
as-02(config-if)#authentication port-control auto
as-02(config-if)#auth links
as-02(config-if)#auth linksec pol
as-02(config-if)#auth linksec policy mus
as-02(config-if)#auth linksec policy must-se
as-02(config-if)#auth linksec policy must-secure
as-02(config-if)#auth
as-02(config-if)#authentication host-mode multi
as-02(config-if)#authentication host-mode multi-d
as-02(config-if)#authentication host-mode multi-domain
as-02(config-if)#auth event linkse
as-02(config-if)#auth event linksec fail action auth vla 1111
as-02(config-if)#macsec
^
% Invalid input detected at '^' marker.
as-02(config-if)#mka
as-02(config-if)#mka?
% Unrecognized command
as-02(config-if)#cts
as-02(config-if)#cts ?
role-based Role-based Access Control per-port config commands
as-02(config-if)#cts rol
as-02(config-if)#cts role-based ?
% Unrecognized command
as-02(config-if)#cts role-based
% Incomplete command.
as-02(config-if)#cts role-based sgt-map test
^
% Invalid input detected at '^' marker.
as-02(config-if)#
as-02(config-if)#do sh run int gi1/0/1
Building configuration...
Current configuration : 325 bytes
!
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 authentication event linksec fail action authorize vlan 1111
 authentication host-mode multi-domain
 authentication linksec policy must-secure
 authentication port-control auto
 authentication violation protect
 dot1x pae authenticator
end
Any ideas?
12-16-2016 03:02 AM
Hi Burkir,
Did you get an IOS for MACsec on the 3560-CX? Can you use MACsec on uplink SFP ports?
Thanks