MacSec on a 3850

Joris Deprouw
Level 1

Hi All,

 

I'm migrating a 3750 switch to a 3850. On the 3750 macsec is configured.

 

cts manual

  no propagate sgt

  sap pmk 0 <pasw> mode-list gcm-encrypt

 

But this command does not seem to exist in my 3850.

(config-if-cts-manual)#sap pmk 0 pw mode-list ?

  no-encap  No encapsulation

 

gcm-encrypt is not available. I have found this information...

 

If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode. SGT is not supported.

 

What is a data link encryption capable interface?

 

Thanks,

J.

 

Austin Sabio
Level 4

It's supported on 3850 as long as you have IOS XE 3.7E and later. 


Example:

sap pmk key [mode-list mode1 [mode2 [mode3 [mode4]]]] 

Switch# configure terminal
Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# end

 https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110101.html

I hope this helps and good luck. 

-Austin
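
An added example, not part of the original thread or of Cisco's documentation: a small Python audit for a migration like this one, which reads a saved configuration and reports the SAP modes each cts manual interface advertises, so a port left on no-encap, or one that lists non-encrypting fallbacks after gcm-encrypt, stands out. The sample configuration, interface names and <key> placeholder are constructed; gmac is a mode name assumed from Cisco's TrustSec documentation and does not appear in this thread.

```python
# Added example: sample config is constructed; gmac is assumed from Cisco's TrustSec docs.
KNOWN_MODES = {"gcm-encrypt", "gmac", "null", "no-encap"}

def classify(words):
    """Describe the SAP modes advertised by one 'sap pmk' line."""
    if "mode-list" not in words:
        return "mode-list not stated, platform default applies"
    modes = words[words.index("mode-list") + 1:]
    unknown = [m for m in modes if m not in KNOWN_MODES]
    if unknown:
        return "unrecognised mode: " + " ".join(unknown)
    if "gcm-encrypt" not in modes:
        return "no encryption offered: " + " ".join(modes)
    weaker = [m for m in modes if m != "gcm-encrypt"]
    if weaker:
        return "encrypts, but fallback permitted to: " + " ".join(weaker)
    return "gcm-encrypt only"

def audit_sap_modes(config_text):
    """Map each interface that has 'cts manual' to a finding string."""
    findings, iface, in_cts = {}, None, False
    for raw in config_text.splitlines():
        words = raw.split()
        # Top-level 'interface' lines are not indented; sub-commands are.
        if words[:1] == ["interface"] and not raw[0].isspace():
            iface, in_cts = " ".join(words[1:]), False
        elif iface and words == ["cts", "manual"]:
            in_cts = True
            findings[iface] = "cts manual without sap pmk"
        elif in_cts and words[:2] == ["sap", "pmk"]:
            findings[iface] = classify(words)  # the key itself is never echoed
    return findings

SAMPLE = """\
interface TenGigabitEthernet1/1/1
 cts manual
  sap pmk <key> mode-list gcm-encrypt
interface TenGigabitEthernet1/1/2
 cts manual
  sap pmk <key> mode-list gcm-encrypt null no-encap
interface TenGigabitEthernet1/1/3
 cts manual
  sap pmk <key> mode-list no-encap
interface TenGigabitEthernet1/1/4
 switchport mode trunk
"""

if __name__ == "__main__":
    for name, finding in audit_sap_modes(SAMPLE).items():
        print(f"{name}: {finding}")
```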

Thanks Austin,

 

The software version needed to be higher than 3.7.

Now the commands are available.

 

Br,

J

Great. Please don't forget to rate helpful answers to benefit others. Thank you.

-Austin
