03-06-2016 08:48 AM - edited 03-08-2019 04:51 AM
Hi - Trying to implement MACsec manual mode between 2 x C3850 as shown below.
Topology: c3850-G1/1/1 ---macsec-- c3850-G1/1/1
interface GigabitEthernet1/1/1
switchport access vlan 123
switchport mode access
cts manual
sap pmk 123 mode-list gcm-encrypt
Traffic is switching between sw1 & sw2 via the G1/1/1 link, and hosts attached to both switches are reachable on vlan 123.
However, I noticed that the Tx and Rx SC state = notInUse, the Tx Encrypt Pkts counter is increasing, but Rx Decrypt bytes is zero, as shown below. The peer switch shows exactly the same outputs. Does it look correct? Is MACsec working?
Transmit Secure Channels
SC state : notInUse(2)
Encrypt Pkts : 2822
Receive Secure Channels
SC state : notInUse(2)
Decrypt bytes 0
Thanks
04-18-2016 05:48 PM
I am seeing the same "show outputs".
c3850(macsec)---3rd party switch--(macsec)c3850
I had monitored encrypted broadcast frames via the switch.
I think if the switch were an L1 tap or shared hub, other frames could be captured.
So, MACsec looks like it is working...
regards.
04-19-2016 07:57 AM
I did a packet capture right after I posted the question.
The 3850 seems to only support SGT; it does not support full MACsec features. Wireshark reveals the packet uses EtherType 0x8909 (Ethernet II).
The 4500X seems to support full MACsec features; Wireshark reveals the packet uses EtherType 0x88e5 (Ethernet II).
SGT uses EtherType = 0x8909
MacSec uses EtherType = 0x88e5
04-19-2016 05:28 PM
Hi.
I disabled SGT with "no propagate sgt".
cts manual
no propagate sgt
sap pmk xxxx
EtherType = 0x88e5
Frames contain the 802.1AE tag and ICV.
The Wireshark version is 2.0.2. C3850 runs 3.7.3E K9 image.
Your C3850 might not support it...?
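As an added example (not code from any poster in this thread), here is a small Python check of what the Wireshark observations above boil down to: the outer EtherType tells you whether a captured frame is 802.1AE-protected (0x88e5, with a SecTAG and trailing ICV) or only carries Cisco TrustSec SGT metadata in the clear (0x8909). The two frames are constructed inline; the SCI, PN and ICV bytes are placeholders.

```python
import struct

ETHERTYPE_MACSEC = 0x88E5    # IEEE 802.1AE SecTAG
ETHERTYPE_CTS_CMD = 0x8909   # Cisco TrustSec metadata (SGT propagation)
ICV_LEN = 16                 # GCM-AES ICV length in bytes


def classify_frame(frame: bytes) -> dict:
    """Parse the outer EtherType and, for MACsec, the SecTAG fields a
    defender would check (E/C bits, AN, PN, SCI) plus the ICV."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": etype}
    if etype == ETHERTYPE_CTS_CMD:
        info["kind"] = "cts-sgt"     # cleartext frame carrying SGT metadata only
        return info
    if etype != ETHERTYPE_MACSEC:
        info["kind"] = "plain"
        return info
    # 802.1AE SecTAG: TCI/AN (1 byte), SL (1 byte), PN (4 bytes), optional SCI (8 bytes)
    tci_an = frame[14]
    info.update({
        "kind": "macsec",
        "sc": bool(tci_an & 0x20),         # SC bit: explicit SCI present
        "encrypted": bool(tci_an & 0x08),  # E bit: user data is encrypted
        "changed": bool(tci_an & 0x04),    # C bit: user data modified (not plain integrity-only)
        "an": tci_an & 0x03,               # association number (key in use)
        "short_length": frame[15] & 0x3F,
        "pn": struct.unpack("!I", frame[16:20])[0],  # packet number (replay check input)
    })
    off = 20
    if info["sc"]:
        info["sci"] = frame[off:off + 8].hex()
        off += 8
    payload = frame[off:]
    if len(payload) < ICV_LEN:
        raise ValueError("truncated MACsec frame (no room for ICV)")
    info["secure_data_len"] = len(payload) - ICV_LEN
    info["icv"] = payload[-ICV_LEN:].hex()
    return info


# Constructed sample frames (placeholder MACs, SCI, PN, data and ICV)
DST = bytes.fromhex("01000c000000")
SRC = bytes.fromhex("0011223344aa")
# MACsec: TCI/AN=0x2C (SC|E|C, AN 0), SL=0, PN=5, SCI, 4 bytes secure data, 16-byte ICV
MACSEC_FRAME = (DST + SRC + b"\x88\xe5" + bytes([0x2C, 0x00]) + b"\x00\x00\x00\x05"
                + bytes.fromhex("0011223344aa0001") + b"\xde\xad\xbe\xef" + b"\x00" * ICV_LEN)
# CTS/SGT-only: EtherType 0x8909 followed by constructed placeholder metadata bytes
CTS_FRAME = DST + SRC + b"\x89\x09" + b"\x00" * 20
```

A link that is really encrypting shows the "macsec" kind with the E bit set and an increasing PN per direction; if captures on the wire still show 0x8909 or the inner EtherType in the clear, the SAP negotiation has not produced a working secure channel regardless of what the counters say.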