11-23-2017 05:01 AM - edited 03-08-2019 12:51 PM
Hi Team,
This is regarding the MACsec feature on the Cisco 3850 switch. I have gone through the data sheets and understand that all Cisco 3850 series switches support the MACsec feature. I tried to configure it, but I couldn't get the option to create an MKA policy.
Below is the Switch Model & IOS
WS-C3850-24S & cat3k_caa-universalk9
Also, do I need an ACS server for MACsec? Is it mandatory or optional?
Please advise.
Regards
Jamal
11-23-2017 11:04 AM
Hi,
Do you have the right license and software installed? Have a look at this document.
If you select GCM as the SAP operating mode, you must have a MACsec encryption software license from Cisco. MACsec is supported on Catalyst 3850 and 3650 universal IP Services and IP Base licenses. It is not supported with the NPE license or with a LAN Base service image.
If you select GCM without the required license, the interface is forced to a link-down state.
Link:
HTH
11-26-2017 06:13 AM
Hi Reza,
Thanks for your reply. I have a Cisco 3850 switch with the IP Services image, but I don't have the option to enter the commands below:
mka policy
macsec
I even tried with Cisco TrustSec; sap pmk mode-list doesn't have the option either:
sap pmk mode-list gcm-encrypt
Is there any specific license I have to order?
Regards
Jamal
11-26-2017 10:56 AM
Hi Jamal,
You should be able to apply the following commands unless your version does not support MACsec. What is the output of "sh ver"?
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# confidentiality-offset 0
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# end
11-26-2017 10:15 PM
Hi Reza,
Below is the show version from the switch
Switch#sh version
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.05SE RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 30-Oct-14 13:12 by prod_rel_team
Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)
Switch uptime is 20 hours, 6 minutes
Uptime for this control processor is 20 hours, 9 minutes
System returned to ROM by reload
System image file is "flash:packages.conf"
Last reload reason: reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices
cisco WS-C3850-24P (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FCW1925C0P2
2 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.
Base Ethernet MAC Address : 84:b5:17:5a:ad:00
Motherboard Assembly Number : 73-15805-04
Motherboard Serial Number : FOC19252R2T
Model Revision Number : U0
Motherboard Revision Number : A0
Model Number : WS-C3850-24P
System Serial Number : FCW1925C0P2
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24P 03.03.05SE cat3k_caa-universalk9 INSTALL
Configuration register is 0x102
Switch#
Thanks
Jamal
01-30-2018 01:57 PM
Hi Jamal,
Looks like you need to update your software. According to the release notes, the MACsec feature is not supported in Cisco IOS XE Release 3.3.0SE.
Looks like you need at least 3.7.X or 16.X.X.
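A pre-flight check that pulls the release and license level out of "show version" output and applies the two conditions raised in this thread (release at least 3.7.x or 16.x, and an IP Services / IP Base license on a non-NPE image). This is an added example, not Cisco's code or a complete compatibility table; the thresholds are taken from the replies above and the sample output is the relevant lines from Jamal's post.

```python
import re

# Thresholds taken from Reza's last reply: IOS XE 3.7.x or 16.x.
# Heuristic only, not an authoritative Cisco compatibility table.
MIN_3X_MINOR = 7
MIN_MAJOR_NEW_TRAIN = 16

# License levels the quoted configuration guide says MACsec works with.
MACSEC_LICENSE_LEVELS = {"ipservices", "ipbase"}


def parse_show_version(text):
    """Extract release, license level and image name from 'show version'."""
    ver = re.search(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", text)
    lic = re.search(r"License Level:\s*(\S+)", text)
    image = re.search(r"\((CAT3K_CAA-[A-Z0-9_-]+)\)", text)
    if not ver or not lic:
        raise ValueError("could not find version or license level")
    return {
        "major": int(ver.group(1)),
        "minor": int(ver.group(2)),
        "license": lic.group(1).lower(),
        "image": image.group(1) if image else "",
    }


def macsec_precheck(text):
    """Return (ok, reasons). ok is True only if nothing rules MACsec out."""
    info = parse_show_version(text)
    reasons = []
    old_train_ok = info["major"] == 3 and info["minor"] >= MIN_3X_MINOR
    new_train_ok = info["major"] >= MIN_MAJOR_NEW_TRAIN
    if not (old_train_ok or new_train_ok):
        reasons.append(f"release {info['major']}.{info['minor']} predates "
                       "MACsec support on this platform (need 3.7+ or 16.x)")
    if info["license"] not in MACSEC_LICENSE_LEVELS:
        reasons.append(f"license level '{info['license']}' is not ipservices/ipbase")
    if "NPE" in info["image"]:
        reasons.append("NPE (no payload encryption) image cannot run MACsec")
    return (not reasons, reasons)


# Constructed sample: the relevant lines from the output posted above.
JAMAL_SHOW_VERSION = """\
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.05SE RELEASE SOFTWARE (fc1)
License Level: Ipservices
License Type: Permanent
"""

if __name__ == "__main__":
    ok, why = macsec_precheck(JAMAL_SHOW_VERSION)
    print("MACsec possible:", ok)
    for reason in why:
        print(" -", reason)
```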