09-02-2021 12:44 PM
I have a network that is being built out and I cannot get macsec to work between a 9500 and a 3850cx. It works between the 9500 and 9300s without a problem. All I am doing is switch-to-switch macsec at this time. I am also new to implementing macsec, so I am not sure if I have it configured properly between the two platforms.
9500 (C9500-48Y4C)
Cisco IOS XE Software, Version 17.03.04
License             Entitlement Tag                 Count   Status
-----------------------------------------------------------------------------
network-advantage   (C9500 Network Advantage)       2       IN USE
dna-advantage       (C9500 48Y4C DNA Advantage)     2       IN USE
-----------------------------------------------------------------------------
3560CX (3560CX-12PD-S)
Cisco IOS 15.2(7)E4
License Name    Type              Period left
-------------------------------------------------------
ipservices      Permanent Right   Life time
ipbase          Permanent         0 minute 0 second
dna-advantage   Subscription      CSSM Managed
-------------------------------------------------------
This is the config side of the 9500
key chain mka-keychain macsec
 key 01
  lifetime 00:00:00 1 Jan 1993 infinite
  cryptographic-algorithm aes-256-cmac
  key-string <OMITTED>
!
interface Config
 macsec network-link
 mka pre-shared-key key-chain mka-keychain
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101
 switchport mode trunk
 channel-group 2 mode desirable
 spanning-tree link-type point-to-point
 spanning-tree portfast network
 udld port aggressive
 auto qos trust
!
interface Port-channel2
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101
 switchport mode trunk
!
interface Vlan101
 ip address XX.XX.XX.XX 255.255.255.254
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP
 ip pim sparse-dense-mode
This is the config side of the 3560cx
key chain mka-keychain macsec
 key 01
  lifetime 00:00:00 1 Jan 1993 infinite
  cryptographic-algorithm aes-256-cmac
  key-string <OMITTED>
!
interface Config
 switchport trunk allowed vlan 101
 switchport trunk native vlan 101
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 macsec network-link
 udld port aggressive
 mka pre-shared-key key-chain mka-keychain
 mls qos trust cos
 auto qos trust
 spanning-tree portfast network
 spanning-tree link-type point-to-point
 channel-group 1 mode desirable
!
interface Port-channel1
 switchport trunk allowed vlan 101
 switchport trunk native vlan 101
 switchport mode trunk
!
interface Vlan101
 ip address XX.XX.XX.XX 255.255.255.254
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP
 ip pim sparse-dense-mode
If I remove “macsec network-link” from the 9500 interface, everything comes up and works properly. I have also noticed that the sh macsec inter output on the 9500 shows disabled, but this seems to be consistent with the other switches until macsec is established. The only other thing I see, and I don’t know how to address it, is that when I run sh mka keychains the latest CKN is different.
On the 9500 it looks like this:
MKA PSK Keychain(s) Summary...
Keychain        Latest CKN      Interface(s)
Name            Latest CAK      Applied
===============================================================================================
mka-keychain    01              Twe2/0/46  Twe2/0/45
                <HIDDEN>        Twe2/0/43  Twe2/0/42
                                Twe2/0/41  Twe1/0/46
                                Twe1/0/45  Twe1/0/43
                                Twe1/0/42  Twe1/0/41
                <HIDDEN>
On the 3560cx it looks like this:
MKA PSK Keychain(s) Summary...
Keychain        Latest CKN                                                          Interface(s)
Name            Latest CAK                                                          Applied
===============================================================================================
mka-keychain    0100000000000000000000000000000000000000000000000000000000000000    Te1/0/2  Te1/0/1
                <HIDDEN>
To me that looks like the 3560cx is adding trailing zeros, but I don’t know if that is transmitted between the two switches in macsec negotiations.
I also get “%SPANTREE-2-BRIDGE_ASSURANCE_BLOCK:” in the log. I only have one 10GB fiber connection between the two switches.
Any ideas what I have configured wrong?
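The CKN displays above differ only in padding: the 9500 shows `01`, the 3560CX shows `01` followed by 62 zeros (32 octets in total). The following Python is an added example, not part of this thread or of any Cisco tool; it assumes that the 3560CX display is the configured CKN right-padded with zero octets to the 32-octet maximum IEEE 802.1X allows for a CKN, and that a CKN padded on the left instead (leading zeros) would be a different key name. It normalizes two displayed CKNs and reports whether they denote the same key, which is the check to run before suspecting the CAK or the cipher suite.

```python
# Added example, not from the thread: compare the MKA CKN a 9500 displays
# ("01") with the 64-hex-digit form the 3560CX displays. Assumption: the
# 3560CX shows the configured CKN right-padded with zero octets to the
# 32-octet maximum that IEEE 802.1X-2010 permits for a CKN.
import re

CKN_MAX_OCTETS = 32  # a CKN is 1..32 octets


def parse_ckn(ckn_hex: str) -> bytes:
    """Validate a CKN hex string and return its raw octets (no padding)."""
    s = ckn_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"CKN must be hex digits only: {ckn_hex!r}")
    if len(s) % 2:
        raise ValueError(f"CKN hex string has odd length: {ckn_hex!r}")
    raw = bytes.fromhex(s)
    if not 1 <= len(raw) <= CKN_MAX_OCTETS:
        raise ValueError(f"CKN must be 1..{CKN_MAX_OCTETS} octets, got {len(raw)}")
    return raw


def normalize_ckn(ckn_hex: str) -> bytes:
    """Return the CKN as 32 octets, padded on the right with 0x00 (trailing zeros)."""
    return parse_ckn(ckn_hex).ljust(CKN_MAX_OCTETS, b"\x00")


def ckn_matches(a: str, b: str) -> bool:
    """True if two displayed CKNs denote the same 32-octet CKN under trailing-zero padding."""
    return normalize_ckn(a) == normalize_ckn(b)


def diagnose(a: str, b: str) -> str:
    """Verdict for two CKN displays, e.g. taken from 'show mka keychains' on each peer."""
    na, nb = normalize_ckn(a), normalize_ckn(b)
    if na == nb:
        return "match: both sides denote the same 32-octet CKN"
    # Does one side look like the other padded on the left (leading zeros) instead?
    ra, rb = parse_ckn(a), parse_ckn(b)
    if ra.rjust(CKN_MAX_OCTETS, b"\x00") == nb or rb.rjust(CKN_MAX_OCTETS, b"\x00") == na:
        return "mismatch: one side is the other padded with leading zeros, not trailing zeros"
    return "mismatch: CKNs differ in their non-zero octets"


if __name__ == "__main__":
    # Constructed values modelled on the two displays quoted in the thread.
    c9500_ckn = "01"
    c3560_ckn = "01" + "00" * 31   # what the 3560CX shows
    leading = "00" * 31 + "01"     # what a left-padded key name would look like
    print(diagnose(c9500_ckn, c3560_ckn))
    print(diagnose(c9500_ckn, leading))
```

Run it as a script to see the two verdicts; the second case is the one that produces two peers that silently fail to form an MKA session because their key names never match, with `show macsec interface` staying disabled on both ends.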
09-02-2021 11:59 PM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs92023
M.
09-07-2021 03:23 PM
Thanks for the help! I was using leading zeros, not trailing zeros. Also, to note for anyone using this: I had to create one key chain for the 9500 to 9300 series switches and another key chain for the 9500 to 3560cx.
Again, thanks for the quick help!