cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
728
Views
0
Helpful
1
Replies

MACsec deployment architecture

romanroma
Level 1
Level 1

I have been reading about MACsec - Red Hat kernel module docs, Cisco 3750 deployment guides and some random sites. However, does the entire path need to support MACsec due to the layer 2 Frame encapsulation? Example: if three switches are between two clients - each switch will need to support the encapsulation? Since it operates at Layer 2, I would suspect a router would break the MACsec encapsulation and a new encapsulation would need to be built. So should I think of this mechanism only working within the 'broadcast domain' or  'collusion domain'?

 

Also, is the encapsulation supported at the client level, meaning two clients can negotiate the MECsec or is a central server for key exchange required? I found some info on some Linux Kernel documentation that made it sound like it was facilitated by a server or switch as a central server. (I could be wrong - out of my area of skills).

1 Reply 1

Hi

I have been reading about MACsec - Red Hat kernel module docs, Cisco 3750 deployment guides and some random sites. However, does the entire path need to support MACsec due to the layer 2 Frame encapsulation?

Nop.

 

Example: if three switches are between two clients - each switch will need to support the encapsulation?

Can´t picture this actually but the macsec works on the l2 datalink between client and switch only.

 

Since it operates at Layer 2, I would suspect a router would break the MACsec encapsulation and a new encapsulation would need to be built. So should I think of this mechanism only working within the 'broadcast domain' or 'collusion domain'?

 

Nop. It will work only between the machine and switch. Simple like that.

 

Also, is the encapsulation supported at the client level, meaning two clients can negotiate the MECsec or is a central server for key exchange required?

  The normal implamentation, those I used to deploy, we need to Cisco ISE to manage the process. But, I believe there might be different solutions out there.

 

I found some info on some Linux Kernel documentation that made it sound like it was facilitated by a server or switch as a central server. (I could be wrong - out of my area of skills).

On my company we use Anytonnect on the client side, then, we use DNAC to configure switches interfaces with proper macsec commands and Cisco ISE to manage the policy enforcement.

Review Cisco Networking for a $25 gift card