05-27-2019 04:45 AM
Hey guys
Has anyone managed to get a basic MACsec link working from a Catalyst to a Nexus 9K? Both are licensed fine but the configuration differences are throwing me off.
On the Catalyst it's a simple "cts manual" and putting in the key, but the Nexus 9K requires a keychain and policy to be created. I can't find any articles on issues with interoperability or other people with similar problems so I'm convinced I'm just messing something up in the config.
Both the key chain and the manual entry have the same PSK. From what I can find the Catalyst (9500) uses AES_128_GCM, which I've matched on the Nexus policy, but the session just stays at initializing.
The Nexus logs just say "waiting for peer" while the Catalyst just flaps.
Has anyone tried this before or seen similar?
Thanks!
Eoin
05-27-2019 05:29 AM
Hello Eoin,
have a look at the following thread
It may apply to you.
What Nexus 9000 model are you using? What NX-OS version is running on it?
Hope to help
Giuseppe
05-27-2019 06:11 AM
Hi Giuseppe
It's a Nexus 93180YC-FX running NXOS 9.2(2) so it looks like I luckily just missed on that issue.
It looks like the 9Ks have all the MACsec policy commands but don't have the equivalent "cts" commands Cisco recommend for switch-to-switch links.
05-28-2019 06:24 AM
Just as an FYI I got this sorted.
Realised in the Nexus security config doc it states SAP can't be used, only MKA. I had also changed a crypto setting on the key, which probably caused an issue on the original MKA attempt, but once I created them in tandem and matching, the link popped up and looks to be working pretty flawlessly so far!
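The fix described above (MKA on both ends with matching key settings) can be checked before applying the change. This is an added example, not from the thread or from Cisco: the two embedded configs are constructed, and the names KC1 and P1, key ID 1000, the interface names and the key value are placeholders.

```python
import re

# Constructed MKA pre-shared-key configs as they would be typed (running configs
# show the key encrypted, so compare the change plan, not "show run" output).
CATALYST = """\
key chain KC1 macsec
 key 1000
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789abcdef0123456789abcdef
mka policy P1
 macsec-cipher-suite gcm-aes-128
interface TenGigabitEthernet1/0/1
 macsec network-link
 mka policy P1
 mka pre-shared-key key-chain KC1
"""
NEXUS = """\
feature macsec
key chain KC1 macsec
  key 1000
    key-octet-string 0123456789abcdef0123456789abcdef cryptographic-algorithm AES_128_CMAC
macsec policy P1
  cipher-suite GCM-AES-128
interface Ethernet1/1
  macsec keychain KC1 policy P1
"""

PATTERNS = {  # settings both MKA peers must agree on
    "ckn": r"^\s*key (\S+)\s*$",                # key ID (key name)
    "cak": r"key(?:-octet)?-string (\S+)",      # the pre-shared key itself
    "cak_alg": r"cryptographic-algorithm (\S+)",
    "cipher": r"cipher-suite (\S+)",
}

def mka_params(cfg):
    """Pull the MKA settings out of one config, normalising case and punctuation."""
    found = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, cfg, re.M | re.I)
        found[name] = re.sub(r"[^a-z0-9]", "", m.group(1).lower()) if m else None
    found["sap"] = bool(re.search(r"^\s*cts manual", cfg, re.M))  # SAP, not MKA
    return found

def mismatches(side_a, side_b):
    """Return the settings that are missing or differ, plus 'sap' if either side uses it."""
    pa, pb = mka_params(side_a), mka_params(side_b)
    diffs = [k for k in PATTERNS if pa[k] is None or pa[k] != pb[k]]
    if pa["sap"] or pb["sap"]:
        diffs.append("sap")
    return diffs
```

An empty list from `mismatches(CATALYST, NEXUS)` means the key ID, key, key algorithm and cipher suite agree; command syntax varies by release, so confirm it against the configuration guide for the versions in use.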