MacSec switch-to-switch in manual mode

TCAM
Level 1

Hi - Trying to implement MacSec manual mode between 2 x c3850 as shown below.

Topology: c3850-G1/1/1 ---macsec-- c3850-G1/1/1

interface GigabitEthernet1/1/1
switchport access vlan 123
switchport mode access
cts manual
sap pmk 123 mode-list gcm-encrypt


Traffic is switching in between sw1 & sw2 via G1/1/1 link and hosts attached to both switches are reachable on vlan 123.

However, noticed that Tx and Rx's SC state = notInUse, Tx's Encrypt pkts counter is increasing but Rx's Decrypt bytes is Zero as shown below. Peer switch shows exactly the same outputs.  Does it look correct?  Is macsec working?

Transmit Secure Channels
SC state : notInUse(2)
Encrypt Pkts : 2822

Receive Secure Channels
SC state : notInUse(2)
Decrypt bytes 0

Thanks


marita
Level 1

I am seeing the same "show outputs".

c3850(macsec)---3rd party switch--(macsec)c3850

I had monitored encrypted broadcast frames via the switch.

I think if the switch was an L1 tap or shared hub, other frames could be captured.

So, macsec looks like it is working...

regards.

I did a packet capture right after I posted the question. 

3850 seems to only support SGT, it does not support full MacSec features; Wireshark reveals the packet uses 0x8909 Ethernet II.

4500x seems to support full MacSec features; Wireshark reveals the packet uses 0x88e5 Ethernet II.

SGT  uses EtherType = 0x8909

MacSec  uses EtherType = 0x88e5

Hi.

I disabled SGT, "no propagate sgt".

 cts manual
  no propagate sgt
  sap pmk xxxx

EtherType = 0x088e5

Frames contain 802.1AE-tag and ICV.

The Wireshark version is 2.0.2. C3850 runs 3.7.3E K9 image.

Your C3850 might not support...?
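As an added example (not code from this thread or from Cisco), the following Python decoder applies the EtherType distinction discussed above to a captured frame: it classifies a frame as MACsec (0x88e5), SGT-only Cisco MetaData (0x8909) or cleartext, and for MACsec frames decodes the 802.1AE SecTAG (TCI/AN, SL, PN, optional SCI) and the trailing ICV, which is what confirms the link is actually encrypting rather than just carrying an SGT. It assumes an untagged outer frame and a 16-byte ICV (GCM-AES); the sample frames are constructed, not taken from a real capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_MACSEC = 0x88E5  # IEEE 802.1AE MACsec SecTAG
ETH_CMD = 0x8909     # Cisco MetaData header that carries the SGT
ETH_OFFSET = 12      # EtherType follows the 6-byte destination and source MACs

@dataclass
class SecTag:
    sci_present: bool   # SC bit: an explicit 8-byte SCI follows the PN
    encrypted: bool     # E bit: secure data is encrypted, not only integrity-protected
    an: int             # association number (0-3) selecting the SA
    short_length: int   # SL: secure-data length when < 48 bytes, otherwise 0
    packet_number: int  # PN: per-SA counter used for replay protection
    sci: Optional[str]  # hex SCI (source MAC + port id) when present
    secure_data: bytes
    icv: bytes          # 16-byte ICV for GCM-AES-128/256

def classify(frame: bytes) -> str:
    """Name what a capture of the link shows: MACsec, SGT-only, or cleartext."""
    etype = struct.unpack_from("!H", frame, ETH_OFFSET)[0]
    return {ETH_MACSEC: "macsec", ETH_CMD: "sgt"}.get(etype, "cleartext")

def parse_sectag(frame: bytes) -> SecTag:
    """Decode the 802.1AE SecTAG and ICV; raises ValueError if the frame is not MACsec."""
    etype, tci_an, sl = struct.unpack_from("!HBB", frame, ETH_OFFSET)
    if etype != ETH_MACSEC:
        raise ValueError(f"EtherType 0x{etype:04x} is not MACsec")
    if tci_an & 0x80:  # V bit must be 0 for 802.1AE-2006 frames
        raise ValueError("unsupported SecTAG version")
    off = ETH_OFFSET + 4
    pn = struct.unpack_from("!I", frame, off)[0]
    off += 4
    sci = None
    if tci_an & 0x20:
        sci = frame[off:off + 8].hex()
        off += 8
    if len(frame) - off < 16:
        raise ValueError("frame too short to hold an ICV")
    return SecTag(bool(tci_an & 0x20), bool(tci_an & 0x08), tci_an & 0x03,
                  sl & 0x3F, pn, sci, frame[off:-16], frame[-16:])

# Constructed sample frames, not from a real capture: MACs, PN, payload and ICV are made up.
SAMPLE_MACSEC = (bytes.fromhex("0011223344550011aabbccdd88e5") + bytes([0x2C, 0x10])
                 + (42).to_bytes(4, "big") + bytes.fromhex("0011aabbccdd0001")
                 + b"\xde\xad\xbe\xef" * 4 + b"\x00" * 16)
SAMPLE_SGT = bytes.fromhex("0011223344550011aabbccdd8909") + b"\x01\x01\x00\x01\x00\x0a"
```

A frame that classifies as "sgt" carries only the Cisco MetaData header and no SecTAG, so its payload is on the wire in the clear; only "macsec" frames with the E bit set are actually encrypted.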
