Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
0
Helpful
1
Replies

MACsec deployment architecture

romanroma
Level 1
Level 1

‎01-05-2022 07:33 AM

I have been reading about MACsec - Red Hat kernel module docs, Cisco 3750 deployment guides and some random sites. However, does the entire path need to support MACsec due to the layer 2 Frame encapsulation? Example: if three switches are between two clients - each switch will need to support the encapsulation? Since it operates at Layer 2, I would suspect a router would break the MACsec encapsulation and a new encapsulation would need to be built. So should I think of this mechanism only working within the 'broadcast domain' or  'collusion domain'?

 

Also, is the encapsulation supported at the client level, meaning two clients can negotiate the MECsec or is a central server for key exchange required? I found some info on some Linux Kernel documentation that made it sound like it was facilitated by a server or switch as a central server. (I could be wrong - out of my area of skills).

Labels:
0 Helpful
1 Reply 1

Flavio Miranda
VIP
VIP

‎01-05-2022 02:17 PM

Hi

I have been reading about MACsec - Red Hat kernel module docs, Cisco 3750 deployment guides and some random sites. However, does the entire path need to support MACsec due to the layer 2 Frame encapsulation?

Nop.

 

Example: if three switches are between two clients - each switch will need to support the encapsulation?

Can´t picture this actually but the macsec works on the l2 datalink between client and switch only.

 

Since it operates at Layer 2, I would suspect a router would break the MACsec encapsulation and a new encapsulation would need to be built. So should I think of this mechanism only working within the 'broadcast domain' or 'collusion domain'?

 

Nop. It will work only between the machine and switch. Simple like that.

 

Also, is the encapsulation supported at the client level, meaning two clients can negotiate the MECsec or is a central server for key exchange required?

  The normal implamentation, those I used to deploy, we need to Cisco ISE to manage the process. But, I believe there might be different solutions out there.

 

I found some info on some Linux Kernel documentation that made it sound like it was facilitated by a server or switch as a central server. (I could be wrong - out of my area of skills).

On my company we use Anytonnect on the client side, then, we use DNAC to configure switches interfaces with proper macsec commands and Cisco ISE to manage the policy enforcement.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card