Macsec capability on Catalyst 9300-T model

algreg · ‎01-19-2025

Hi,

Is there macsec capability on Catalyst 9300-T switch model?

Switch Ports Model SW Version SW Image Mode

------ ----- ----- ---------- ---------- ----

1 65 C9300-48T 16.12.02 CAT9K_IOSXE INSTALL

* 2 65 C9300-48T 16.12.02 CAT9K_IOSXE INSTALL

Technology Package License Information:

------------------------------------------------------------------------------

Technology-package Technology-package

Current Type Next reboot

------------------------------------------------------------------------------

network-advantage Smart License network-advantage

dna-advantage Subscription Smart License dna-advantage

Cannot find commands like "mka policy" or "sh macsec".

Based on the feature navigator it should be there.

Am I wrong?

Flavio Miranda · ‎01-20-2025

@algreg

I believe this can be related with license

algreg · ‎01-20-2025

Hi Flavio,

I think this is requirement for WAN MACsec feature. I am asking about switch-to-switch MACsec feature.

Flavio Miranda · ‎01-20-2025

they also mention stack and stackwise, which seems to be your case.

algreg · ‎01-20-2025

MACsec is not supported on stacked switches?

Flavio Miranda · ‎01-20-2025

It is with the additional license as describded above.

MHM Cisco World · ‎01-20-2025

Macsec is same between Sw and wan and between sw and other sw.

Note:- not all port support macsec I think only uplink support macsec

MHM

M02@rt37 · ‎01-20-2025

Hello @algreg

Which port do yo connect to the other switch ?

AS an example for C9300-48UN switch models, MACsec is supported only on the first 16 downlink network ports and on all uplink network module ports. MACsec is not supported on the last 32 downlink network ports of C9300-48UN switch models...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

algreg · ‎01-20-2025

Hi M02@rt37

The port is T1/1/1

The thing is there is no macsec related commands at all:

SW1-ST#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW1-ST(config)#mka pol

SW1-ST(config)#mka?

% Unrecognized command

SW1-ST(config)#m?

mab mac mac-address-table macro

macro maintenance-template map-class map-list

md-list mdns-sd mdns-sd media

memory metadata monitor mpls

mvrp

SW1-ST(config)#mk?

% Unrecognized command

SW1-ST(config)#mka

^

% Invalid input detected at '^' marker.

SW1-ST(config)#mka?

% Unrecognized command

SW1-ST(config)#mka

^

% Invalid input detected at '^' marker.

SW1-ST(config)#int t1/1/1

SW1-ST(config-if)#mac?

mac mac-address macro

SW1-ST(config-if)#mac?

% Unrecognized command

SW1-ST(config-if)#mka?

% Unrecognized command

M02@rt37 · ‎01-20-2025

Ok @algreg

So, open a TAC case.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

algreg · ‎01-20-2025

I would if I had a contract.

I thought maybe someone here could give me a hint

MHM Cisco World · ‎01-21-2025

Don't worry' if I have time I will check your issue today

Thanks for waiting

MHM

Macsec capability on Catalyst 9300-T model

MACSEC Switch to Switch supported models

Configure WAN MACsec on Catalyst 8500 with Subinterfaces

MACsec History & Terminology

Cisco Model Driven Telemetry 白皮书: 英文版+ 注释版

Modelo OSI e suas Camadas