MACSEC - Catalyst to Nexus 9k

Eoin.Quinn
Level 1

Hey guys

Has anyone managed to get a basic MACsec link working from a Catalyst to a Nexus 9K? Both are licensed fine, but the configuration differences are throwing me off.

On the Catalyst it's a simple "cts manual" and putting in the key, but the Nexus 9K requires a keychain and policy to be created. I can't find any articles on issues with interoperability or other people with similar problems, so I'm convinced I'm just messing something up in the config.

Both the key chain and the manual entry have the same PSK. From what I can find the Catalyst (9500) uses AES_128_GCM, which I've matched on the Nexus policy, but the session just stays at initializing.

The Nexus logs just say "waiting for peer" while the Catalyst just flaps.

Has anyone tried this before or seen similar?

Thanks!

Eoin


3 Replies

Giuseppe Larosa
Hall of Fame

Hello Eoin,

have a look at the following thread

https://community.cisco.com/t5/cisco-bug-discussions/cscvf86295-macsec-not-supported-on-nexus-9k-9300-fx/m-p/3803315

It may apply to you.

What Nexus 9000 model are you using? What NX-OS version is running on it?

Hope to help

Giuseppe

Hi Giuseppe

It's a Nexus 93180YC-FX running NX-OS 9.2(2), so it looks like I luckily just missed that issue.

It looks like the 9Ks have all the MACsec policy commands but don't have the equivalent "cts" commands Cisco recommends for switch-to-switch links.

Eoin.Quinn
Level 1

Just as an FYI, I got this sorted.

Realised the Nexus security config doc states SAP can't be used, only MKA. I had also changed a crypto setting on the key, which probably caused an issue on the original MKA attempt, but once I created them in tandem and matching, the link popped up and looks to be working pretty flawlessly so far!
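For anyone landing here with the same symptom: "cts manual" with "sap pmk" on the Catalyst runs SAP key agreement, which NX-OS does not speak, so the Nexus sits in "waiting for peer". The fix the thread arrived at is to run MKA on both ends with a pre-shared CAK. Below is an added example configuration for both sides (written for this page, not taken from the original posts or from Cisco docs verbatim); the interface names, key chain and policy names, the key ID and the 32-hex-character key value are placeholders and assumptions, and the key shown must never be used on a real link.

```text
!=== Catalyst 9500 (IOS-XE) side: MKA with a pre-shared CAK ===
! Key ID (hex) is the CKN and key-string is the CAK; both must be identical on both switches.
! A 32-hex-character key-string is a 128-bit CAK and pairs with aes-128-cmac.
key chain KC-MKA macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 00112233445566778899aabbccddeeff
  lifetime local 00:00:00 Jan 1 2024 infinite
!
mka policy MKA-PSK
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 key-server priority 5
!
interface TwentyFiveGigE1/0/1
 description Link to N9K Eth1/1 (MKA, not SAP)
 macsec network-link
 mka policy MKA-PSK
 mka pre-shared-key key-chain KC-MKA
! Note: do NOT combine this with "cts manual" / "sap pmk" on the same link.

!=== Nexus 93180YC-FX (NX-OS) side: same CKN, same CAK, same algorithm and cipher ===
feature macsec
!
key chain KC-MKA macsec
  key 01
    key-octet-string 00112233445566778899aabbccddeeff cryptographic-algorithm AES_128_CMAC
    send-lifetime local 00:00:00 Jan 1 2024 infinite
!
macsec policy MKA-PSK
  cipher-suite GCM-AES-128
  conf-offset CONF-OFFSET-0
  key-server-priority 16
  security-policy must-secure
!
interface Ethernet1/1
  description Link to C9500 Twe1/0/1 (MKA)
  macsec keychain KC-MKA policy MKA-PSK
```

The three things that have to agree for the MKA session to leave "initializing" are the CKN (the key ID under the key chain), the CAK (key-string on IOS-XE, key-octet-string on NX-OS) and the key cryptographic algorithm (aes-128-cmac versus AES_128_CMAC, which is the "crypto setting on the key" mentioned above); the MACsec cipher suite (GCM-AES-128 here) is a separate setting that also has to match. The two key-server priorities are deliberately different so one side is elected key server cleanly. To confirm the link is secured rather than just up, check "show mka sessions" and "show macsec interface <if>" on the Catalyst and "show macsec mka session" and "show macsec mka summary" on the Nexus; a session in the Secured state on both sides is what you want to see.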
