Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1048
Views
0
Helpful
4
Replies

macsec test

ablandao1
Level 1
Level 1

‎11-28-2019 05:23 AM

Hello,

 

We are proposing to use macsec as a security layer 2 protocol. For that, we want to use a couple of cisco 3560cx switches a two pc's with macsec capabilities.

 

Is it possible to use the macsec in preshared key mode between the PC and switch?

 

as per the ios manuel should be, but just wondering if someone already implemented or deployed something similar. The point is to get rid of the 802.1X needs.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_7_e/configuration_guide/b_1527e_consolidated_3560cx_2960cx_cg/b_1527e_consolidated_3560cx_2960cx_cg_chapter_01000100.html

 

Architecture would be something like this.

 

PC <-> SW <-> SW <-> PC

Labels:
0 Helpful
4 Replies 4

Reza Sharifi
Hall of Fame
Hall of Fame

‎11-28-2019 10:31 AM

Hi,

I have never deployed macsec but it appears that you still need dot1x with Pre Shared key for authentication.

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_7_e/configuration_guide/b_1527e_consolidated_3560cx_2960cx_cg/b_1527e_consolidated_3560cx_2960cx_cg_chapter_01000100.html

HTH

0 Helpful

ablandao1
Level 1
Level 1
In response to Reza Sharifi

‎12-01-2019 10:32 PM

Thanks for the reply.

However in the first paragraph it states as you remarked: " MKA and MACsec
are implemented after successful authentication using the 802.1x Extensible
Authentication Protocol (EAP-TLS) *OR *Pre Shared Key (PSK) framework." So
I don't think you have to use 802.1X as authentication method, it looks
like it's just an option. What would happen if you connect a device that
have not user and password?

That's the reason I asked within the forum, as I'm wondering if someone
successfully configured it.

0 Helpful

Bthene
Level 1
Level 1
In response to ablandao1

‎12-11-2019 01:48 PM

Hi.

 

Dunno if this is exaxtly what you are asking for, Im looking into trying out MACsec switch to switch with just minimal stuff, preferable no CA,ISE.

I tried configure only MSK and nothing happened, then applyed different keys on both ends and configured without any AAA.

Link stays up, pinging SVI through trunk.

Following the configuration guide that is quite limited in specific details.

switch 3850 16.6.6 <-> switch 3650 16.6.5

 

the cts manual (Cisco TrustSec) is way more straight forward tho.

 

I have never heard of "switch to switch dot1x psk", gotta look that up if that even exist?

0 Helpful

Bthene
Level 1
Level 1
In response to Bthene

‎12-12-2019 05:42 AM

After some more testing I did get it to work as intended. Just configure everything in the right order.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card