03-31-2022 09:28 AM
I have a requirement to pass macsec from a router across 2 C9500 to another router on the far end. i.e.
RouterA----C9500A----C9500B-----RouterB
The router supports the modification of the EAPOL destination mac address but not the EAPOL ethertype. I configured each router to use the other's mac address as the EAPOL destination mac. However, the C9500 seems to be consuming the EAPOL traffic. It's worth noting that I need macsec between the C9500A and C9500B. I turned that off for now but still no luck.
I understand that macsec is normally link-local but there are new features to make it go across provider devices such as WAN macsec and modification of ethertype/destination mac addresses to allow this. Nokia has a configuration that solves this problem, see https://infocenter.nokia.com/public/7750SR217R1A/index.jsp?topic=%2Fcom.nokia.Interface_Configuration_Guide_21.7.R1%2F802-1x_tunnelin-d10e5172.html.
Is there a similar configuration on the C9500 that can allow macsec through a port or any workarounds? If not, are there any other Cisco switch models or series that would do this? My current software is 16.12.
Thanks
Peter
03-31-2022 11:13 AM
I recommend you take a look at this doc.
The way I see MACsec, and as I implemented it in a large network recently, MACsec is a Layer 2 encryption and is supposed to reside between a client and a switch port, or between devices running L2 with each other.
When it comes to Layer 3 encryption, IPsec seems to me the reasonable choice.
04-02-2022 08:08 AM
Thanks for the reply Flavio. I understand how macsec works and where it is used. A layer 3 VPN is a reasonable alternative but there are other reasons why we can't use that. The routers (I had used the name router to keep things simple, but these are actually some custom switches) need to peer with each other at layer 2. I do not want the router to form macsec with the 9500. For all intents and purposes consider the C9500 switches as provider switches and the routers as customer devices where the customer wants end to end encryption with macsec over the provider network.
Thanks
Peter
03-28-2023 08:28 AM
MACsec passthrough has been added for Catalyst 9000 switches with the 17.10.1 release. You can achieve the use case mentioned with 17.10.1 onwards.
03-28-2023 08:43 AM
With 17.10 you can transparently forward the standard EtherType 888E from the connected routers and establish MACsec between the 9500s using a custom EtherType (876F). There are commands on the C9k to change the EtherType.
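To make the two knobs in this thread concrete (the EAPOL destination MAC and the EAPOL EtherType), here is a small model of how an in-path switch decides whether to consume or forward a frame. It is an added illustration, not code from Cisco, Nokia or any poster; it assumes a simplified bridge that consumes frames sent to the 802.1D reserved group range or carrying its own EAPOL EtherType and forwards everything else. The values 0x888E and 0x876F are the ones mentioned above; 0x88E5 is the standard MACsec EtherType.

```python
"""Model of how an intermediate bridge port treats 802.1X/MACsec frames.

Constructed teaching example, not Cisco or Nokia code. The two knobs the
thread discusses (EAPOL destination MAC and EAPOL EtherType) decide whether
an in-path switch consumes a frame or forwards it towards the far router.
"""
import struct

ETHERTYPE_EAPOL = 0x888E      # standard 802.1X EAPOL EtherType
ETHERTYPE_MACSEC = 0x88E5     # 802.1AE MACsec SecTAG EtherType
ETHERTYPE_CUSTOM = 0x876F     # custom EAPOL EtherType mentioned in the thread
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address


def parse_ethernet(frame: bytes) -> dict:
    """Return dst, src, EtherType and payload of an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def is_bridge_reserved(mac: bytes) -> bool:
    """01:80:C2:00:00:00 .. 0F are never forwarded by an 802.1D/802.1Q bridge."""
    return mac[:5] == bytes.fromhex("0180c20000") and mac[5] <= 0x0F


def bridge_action(frame: bytes, local_eapol_ethertype: int = ETHERTYPE_EAPOL) -> str:
    """'consume' if this (model) switch terminates the frame itself, else 'forward'.

    local_eapol_ethertype is the EtherType the switch's own 802.1X/MKA process
    listens on; a passthrough configuration moves it off 0x888E.
    """
    hdr = parse_ethernet(frame)
    if is_bridge_reserved(hdr["dst"]):
        return "consume"            # link-constrained group address: never bridged
    if hdr["ethertype"] == local_eapol_ethertype:
        return "consume"            # the switch's own 802.1X/MKA process traps it
    return "forward"                # MACsec data (0x88E5) or a foreign EtherType


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"") -> bytes:
    """Assemble an untagged Ethernet frame (constructed sample input)."""
    return dst + src + struct.pack("!H", ethertype) + payload
```

The second and third checks in the test below reproduce the original poster's situation: rewriting only the destination MAC to the peer router is not enough while the switch still listens on 0x888E, but moving the switch's own EAPOL EtherType to 0x876F lets the routers' standard EAPOL pass.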
04-25-2023 03:13 AM
Was anybody able to solve the issue?