Hi
I have the following problem:
I have implemented MACsec for a customer of mine. The MACsec runs between two WS-C3560X-24 switches and connects two locations (carrier in between). But I receive input errors on both interfaces where MACsec is implemented.
I replaced the SFP, the fiber optic cable and the port. Nothing helped. But when I disable MACsec (remove config from port) there are no input errors.
The effect of these input errors is that, because one of these two switches is the root bridge for all VLANs, the other switch doesn't receive some BPDUs and hence starts the SPA for electing the new root bridge. During the time in which the SPA runs, some users notice a network outage.
The next step I'm going to do is to upgrade the IOS to UNIVERSAL c3560e-universalk9-mz.150-2.SE11.bin.
Does anyone have an idea how I could fix these input errors so the SPA doesn't lead to outages anymore?
Here is some information:
Config on both Interfaces where MACsec is configured:
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan <vlans>
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk <pmk> mode-list gcm-encrypt
Actually installed IOS:
c3560e-universalk9-mz.152-1.E1
Used MACsec encryption module:
C3KX-SM-10G
Best regards
Jimmy