05-25-2024 10:55 AM
hi all,
topology: C93xx #1 --> Intermediate Switches (Cisco, HP and other vendors) ----> C93xx/C3560/C92xx/C91xx #2
please, does anyone know how to bypass MACsec frames on intermediate switches, enabling MACsec between Cisco #1 and #2 devices?
I read about WAN MACsec but looks like this feature is limited to Routers not C93xx. The topology here is NOT related to WAN devices, focus here is LAN2LAN.
Also, please, is there a vendor-neutral feature that can bypass MACsec frames? From Cisco Feature Navigator, it looks like "MACsec Passthrough" is the one for MKA BPDUs, but is this Cisco only?
Any experience related on LAN2LAN MACsec Passthrough (intermediate switches) working environments is very welcome!
Thanks in advance, team!
05-25-2024 12:37 PM
MACsec is only meant to be used to the next Bridge. If you have 9300X, you can use IPsec in your use case.
05-25-2024 09:34 PM - edited 05-25-2024 09:56 PM
Hi Karsten,
tks for the input here!
IPsec on LAN-to-LAN uplinks is some complexity that I would like to avoid at all. Also, it does not fit when having 10 or more uplinks building IPsec everywhere...
The intention is to go deeper exploring MACsec features, since it looks like the WAN MACsec feature exposing the 802.1Q tag outside of the encrypted MACsec header could bring something here. Please, do you know if this is still limited to the ASR 1000, ISR 4000 and Catalyst 8000 families, or can the CAT9300 also bring it to the table? See the TechNotes from Oct 2023 below.
Also, from the CAT9300 Feature Navigator, related to the Universal (Network Advantage) license, there is a feature called "MACsec connection across intermediate switches", so it looks like exactly what I am looking for. Please let me know if you have any details/experience about this specific feature.
Tks
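To make the 802.1Q-tag point in the thread concrete, here is an added example (not from the thread's participants or from Cisco) that parses the outer headers of three constructed Ethernet frames and reports what a MACsec-unaware transit switch can actually see. It follows the IEEE 802.1AE SecTAG layout (EtherType 0x88E5, TCI/AN byte, SL byte, 32-bit PN, optional SCI) and assumes, as the thread describes for WAN MACsec, that the clear-tag mode places the 802.1Q tag ahead of the SecTAG. MAC addresses, VLAN 100, the SCI and the ciphertext bytes are all constructed for the example, and `intermediate_switch_view` is a hypothetical helper summarising the transit switch's forwarding inputs, not any vendor's logic.

```python
"""
Classify how a MACsec-unaware intermediate switch sees a frame.
All frames below are constructed samples, not captures.
"""
import struct

ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG follows
ETHERTYPE_IPV4 = 0x0800


def parse_sectag(buf):
    """Decode the 802.1AE SecTAG at buf[0:]. Returns (fields, sectag_length)."""
    tci_an, sl = buf[0], buf[1]
    pn = struct.unpack("!I", buf[2:6])[0]
    sc_present = bool(tci_an & 0x20)          # TCI.SC: an 8-byte SCI follows
    length = 14 if sc_present else 6
    sci = buf[6:14].hex() if sc_present else None
    return {
        "an": tci_an & 0x03,                  # association number
        "encrypted": bool(tci_an & 0x08),     # TCI.E: payload is ciphertext
        "changed_text": bool(tci_an & 0x04),  # TCI.C
        "pn": pn,
        "sci": sci,
        "short_length": sl & 0x3F,
    }, length


def classify(frame):
    """Return what is visible before the (possibly opaque) payload."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if etype == ETHERTYPE_VLAN:               # tag in the clear: VLAN is readable
        tci = struct.unpack("!H", frame[off:off + 2])[0]
        vlan = tci & 0x0FFF
        etype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "visible_vlan": vlan, "macsec": False}
    if etype == ETHERTYPE_MACSEC:
        sectag, _ = parse_sectag(frame[off:])
        info.update({"macsec": True, "sectag": sectag, "inner_visible": not sectag["encrypted"]})
    else:
        info["ethertype"] = hex(etype)
    return info


def intermediate_switch_view(frame):
    """Hypothetical summary of the forwarding inputs a transit switch has."""
    info = classify(frame)
    if not info["macsec"]:
        return "plain frame: forwards by VLAN %s and EtherType %s" % (info["visible_vlan"], info["ethertype"])
    if info["visible_vlan"] is None:
        return "MACsec frame with no visible 802.1Q tag: treated as untagged/native VLAN; payload opaque"
    return "MACsec frame with 802.1Q tag in the clear: VLAN %d usable for forwarding; payload opaque" % info["visible_vlan"]


def build_frame(dst, src, vlan, macsec, payload):
    """Assemble a constructed frame. vlan=None omits the 802.1Q tag; macsec=True
    prepends a SecTAG with E=1, C=1, SC=1, AN=0, PN=1 and a constructed SCI."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    if macsec:
        sectag = bytes([0x2C, 0x00]) + struct.pack("!I", 1) + src + b"\x00\x01"
        return hdr + struct.pack("!H", ETHERTYPE_MACSEC) + sectag + payload
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed sample frames
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
BODY = b"\x45\x00" + b"\x00" * 18  # stand-in for an IPv4 payload or its ciphertext
FRAME_CLEAR_VLAN = build_frame(DST, SRC, 100, False, BODY)        # ordinary 802.1Q frame
FRAME_MACSEC_TAG_INSIDE = build_frame(DST, SRC, None, True, BODY)  # LAN MACsec: any 802.1Q tag sits inside the ciphertext
FRAME_MACSEC_CLEAR_TAG = build_frame(DST, SRC, 100, True, BODY)    # WAN-MACsec-style: 802.1Q tag ahead of the SecTAG

if __name__ == "__main__":
    for name, f in [("clear", FRAME_CLEAR_VLAN), ("tag-inside", FRAME_MACSEC_TAG_INSIDE), ("clear-tag", FRAME_MACSEC_CLEAR_TAG)]:
        print(name, "->", intermediate_switch_view(f))
```

The second frame is the case the thread is about: once the 802.1Q tag is inside the encrypted MACsec payload, a transit switch that is not a MACsec peer sees an untagged frame of EtherType 0x88E5 and nothing else, so VLAN-based forwarding and any ACL or QoS matching on inner headers cannot work, while the third frame shows why exposing the tag in the clear changes that for the VLAN field only; the payload stays opaque either way.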