cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
153
Views
0
Helpful
3
Replies

How to Set Up Multiple SC via Virtual Ports - Catalyst 9300

ldnelson16
Level 1
Level 1

In the Security Configuration Guide, Cisco Catalyst IE9300 Rugged Series Switches, it mentions using virtual ports as a way to set up multiple MKA sessions on the same physical port for your catalyst. However, I am unable to find documentation of how to do this. Can someone give basic instructions, or if it is possible another way?

"Virtual Ports
Use virtual ports for multiple secured connectivity associations on a single physical port. Each connectivity association (pair) represents a virtual port. In uplink, you can have only one virtual port per physical port. You cannot simultaneously host secured and unsecured sessions in the same VLAN on the same port. Because of this limitation, 802.1x multiple authentication mode is not supported.

The exception to this limitation is in multiple-host mode when the first MACsec supplicant is successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host connected to the hub can send traffic without authentication because it is in multiple-host mode. We do not recommend using multi-host mode because after the first successful client, authentication is not required for other clients.

Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on the MAC address of the physical interface concatenated with a 16-bit port ID." 

3 Replies 3

Hello,

try the procedure below:

Configuring virtual ports to set up multiple MKA (MACsec Key Agreement) sessions on a single physical port for Cisco Catalyst IE9300 Rugged Series Switches involves defining virtual ports within the MACsec configuration. Here's a basic guide to get you started, based on the information provided:

Step-by-Step Instructions:

1. Enable MACsec on the Physical Interface:

First, ensure that MACsec is enabled on the physical interface.

interface GigabitEthernet1/0/1
macsec

2. Configure MACsec Policy:

Define a MACsec policy that will be applied to the virtual ports. This involves creating a policy profile and specifying the MKA parameters.

macsec policy myMacsecPolicy
key-server priority 1
key-chain myKeyChain
replay-protection window-size 64
include-sci

3. Create and Configure Virtual Ports:

For each virtual port, specify a unique port ID. The port IDs should be within the range of 0x0002 to 0xFFFF.

interface GigabitEthernet1/0/1
macsec virtual-port 0x0002
macsec policy myMacsecPolicy
mka pre-shared-key myPreSharedKey
macsec virtual-port 0x0003
macsec policy myMacsecPolicy
mka pre-shared-key myPreSharedKey

4. Apply the Configuration:

Ensure the configuration is applied and saved.

end
write memory

Detailed Example:

Below is a more detailed example, putting all the pieces together:

1. Define MACsec Policy:


macsec policy myMacsecPolicy
key-server priority 1
key-chain myKeyChain
replay-protection window-size 64
include-sci

2. Configure Key Chain:


key chain myKeyChain
key 1
key-string 0 mySecretKey

3. Enable MACsec on the Physical Interface and Create Virtual Ports:


interface GigabitEthernet1/0/1
macsec
macsec virtual-port 0x0002
macsec policy myMacsecPolicy
mka pre-shared-key myPreSharedKey
macsec virtual-port 0x0003
macsec policy myMacsecPolicy
mka pre-shared-key myPreSharedKey

Additional Notes:

- Virtual Port IDs: Ensure each virtual port has a unique port ID within the valid range.
- Key Management: The key management can use pre-shared keys as shown or integrate with a more advanced key management system depending on the security requirements.
- Compatibility: Verify that the connected devices support MACsec and the configuration aligns with the device capabilities and network design.
- Testing: After configuration, test the connectivity and ensure the secured sessions are established as expected.

Troubleshooting:

If you encounter issues, check the following:
- Interface Status: Ensure the physical interface is up and running.
- MACsec Policy: Validate the MACsec policy configuration and ensure it matches on both ends of the connection.
- Key Agreement: Verify the MKA parameters and pre-shared keys are correctly configured and match on both sides.

By following these steps, you should be able to configure multiple MKA sessions on a single physical port using virtual ports on your Cisco Catalyst IE9300 Rugged Series Switches.

The options under an interface for macsec for me are only access-control, network-link, replay-protection, strict all of which aren't to do with virtual ports, does Catalyst 9300 support virtual ports?

To specify, I have C9300-48UXM, is this not a compatible 9300 model with virtual ports?

Review Cisco Networking for a $25 gift card