macsec pass-through on C9500

lastshadow
Level 1

I have a requirement to pass macsec from a router across 2 C9500 to another router on the far end. i.e.

RouterA----C9500A----C9500B-----RouterB


The router supports the modification of the EAPOL destination mac address but not the EAPOL ethertype. I configured each router to use the other's mac address as the EAPOL destination mac. However, the C9500 seems to be consuming the EAPOL traffic. It's worth noting that I need macsec between the C9500A and C9500B. I turned that off for now but still no luck.


I understand that macsec is normally link-local but there are new features to make it go across provider devices such as WAN macsec and modification of ethertype/destination mac addresses to allow this. Nokia has a configuration that solves this problem, see https://infocenter.nokia.com/public/7750SR217R1A/index.jsp?topic=%2Fcom.nokia.Interface_Configuration_Guide_21.7.R1%2F802-1x_tunnelin-d10e5172.html


Is there a similar configuration on the C9500 that can allow macsec through a port or any workarounds? If not, are there any other Cisco switch models or series that would do this? My current software is 16.12.


Thanks

Peter

5 Replies

I recommend you take a look at this doc.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-9/configuration_guide/sec/b_169_sec_9500_cg/macsec_encryption.html#concept_rhq_qbh_l2b 


The way I see MACsec, and the way I implemented it in a large network recently, MACsec is Layer 2 encryption and is supposed to reside between a client and a switch port, or between devices running L2 to each other.

When it comes to Layer 3 encryption, IPsec seems to me the reasonable choice.

Thanks for the reply Flavio. I understand how macsec works and where it is used. A layer 3 VPN is a reasonable alternative but there are other reasons why we can't use that. The routers (I had used the name router to keep things simple, but these are actually some custom switches) need to peer with each other at layer 2. I do not want the router to form macsec with the 9500. For all intents and purposes consider the C9500 switches as provider switches and the routers as customer devices where the customer wants end to end encryption with macsec over the provider network.


Thanks

Peter

MACsec passthrough has been added for Catalyst 9000 switches with the 17.10.1 release. You can achieve the use case mentioned with 17.10.1 onwards.

With 17.10 you can transparently forward the standard EtherType 888E from the connected routers and establish MACsec between the 9500s using a custom EtherType (876F); there are commands on the C9k to change the EtherType.
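The reply above hinges on two frame fields: the EAPOL destination MAC and the EAPOL EtherType. The following is an added example (not code from the original thread or from Cisco) that builds EAPOL-Start frames and models how a transit switch decides whether to consume or forward them. The model is an assumption that matches what the thread reports: frames sent to the 802.1D reserved group range 01-80-C2-00-00-00 to -0F (the PAE group address 01-80-C2-00-00-03 is in it) are never forwarded by a bridge, and frames carrying the EtherType the switch itself runs MKA on are punted even when the destination MAC is unicast. The constants 0x888E (standard EAPOL) and 0x876F (the alternate EtherType named in the reply) are real; the `provider_bridge_action` function and its policy are hypothetical.

```python
import struct

EAPOL_ETHERTYPE = 0x888E            # standard 802.1X EAPOL EtherType
ALT_EAPOL_ETHERTYPE = 0x876F        # alternate EtherType mentioned in the thread
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
BRIDGE_RESERVED_OUI = bytes.fromhex("0180c20000")   # 01-80-C2-00-00-xx block


def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_eapol_start(dst: bytes, src: bytes, ethertype: int = EAPOL_ETHERTYPE) -> bytes:
    """Ethernet II frame carrying an EAPOL-Start (version 3, type 1, length 0)."""
    eapol_body = struct.pack("!BBH", 3, 1, 0)
    return dst + src + struct.pack("!H", ethertype) + eapol_body


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into dst, src, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst": frame[:6], "src": frame[6:12],
            "ethertype": ethertype, "payload": frame[14:]}


def is_bridge_reserved(dst: bytes) -> bool:
    """True for 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F (never bridged per 802.1D)."""
    return dst[:5] == BRIDGE_RESERVED_OUI and dst[5] <= 0x0F


def provider_bridge_action(frame: bytes, local_eapol_ethertypes=(EAPOL_ETHERTYPE,)) -> str:
    """Hypothetical model of a transit switch (assumption, not Cisco behaviour):
    consume reserved-group frames and any frame whose EtherType matches one the
    switch itself uses for MKA; forward everything else."""
    f = parse_frame(frame)
    if is_bridge_reserved(f["dst"]):
        return "consume"
    if f["ethertype"] in local_eapol_ethertypes:
        return "consume"
    return "forward"


def scenarios() -> dict:
    """Constructed sample MACs; results for the three set-ups discussed in the thread."""
    router_a = mac("02:00:00:00:00:0a")   # constructed customer MAC
    router_b = mac("02:00:00:00:00:0b")   # constructed customer MAC
    default_frame = build_eapol_start(PAE_GROUP_ADDRESS, router_a)
    unicast_frame = build_eapol_start(router_b, router_a)
    return {
        # Standard EAPOL to the PAE group address: dropped at the first bridge.
        "default": provider_bridge_action(default_frame),
        # Original poster's attempt: unicast dst, still 888E, provider also on 888E.
        "unicast_dst_same_ethertype": provider_bridge_action(unicast_frame),
        # Provider runs its own MKA on 876F, so customer 888E is just data to it.
        "unicast_dst_provider_on_876f": provider_bridge_action(
            unicast_frame, local_eapol_ethertypes=(ALT_EAPOL_ETHERTYPE,)),
    }


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name}: {action}")
```

The third scenario is what the "custom EtherType on the provider side" approach buys you in this model: once the provider switches key their own MACsec on 0x876F, a unicast 0x888E frame no longer looks like something they should terminate. It does not change the fact that anything addressed to 01-80-C2-00-00-03 stays on the link, which is why the destination-MAC change matters as well.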

Was anybody able to solve the issue?
