Trustsec (Switch-to-Switch) Encryption (Manual Mode) - Please help!

michael.lorincz
Level 4

Howdy,

I've got a customer who's trying to get TrustSec set up between two 3560x switches. He's attempting to use manual mode. He does NOT have the service module.

The 3560x data sheet states the following, "Flexible NetFlow and switch-to-switch hardware encryption with the Service Module".

As well as..

"In Cisco Catalyst 3750-X and 3560-X Series Switches both the user/down-link ports (links between the switch and endpoint devices such as a PC or IP phone) and, using the service module, the network/up-link ports can be secured using MACsec. With the service module you can encrypt switch to switch links such as access to distribution, or encrypt dark fiber links within a building or between buildings."

If I read this correctly, the customer will require the service module in order to provide ANY type of encryption between switches using MACsec/Trustsec. Is this correct?

7 Replies

Reza Sharifi
Hall of Fame

Correct, you need a service module to do MACsec/Trustsec.

HTH

Hi Reza,

I really appreciate you taking the time to respond. So just to confirm, MACsec MKA (host-to-switch) authentication/encryption will work without the service module but if I want to do switch-to-switch encryption I will need the service module? What if I use a different SAP mode, for example GMAC or no-encap? Will the port come up?

I'm sure my customer will want some evidence about TrustSec's shortcomings without the Service Module. I don't suppose you have a link explicitly saying switch-to-switch encryption will not work without the service module?

Thanks again for responding!

- Mike

Hi Mike,

Your understanding is correct. For host-to-switch connectivity there is no need for the service module, but it is needed for switch to switch. I have to tell you that I am surprised to see MACsec in small switches. It is supported on the 6500 with the new Sup 2T and the Nexus 7Ks. As for your other question regarding using a different mode, I do not have an answer. Sorry.

P.S. This technology is new to Cisco devices. I am sure we will be seeing more info and docs.

Reza

Thanks Reza, you're awesome!

Hi Reza,

I spoke too soon! Please see Q&A cut and paste from 3560x/3750x Q&A. It appears Trustsec/MACsec should work without service module on copper ports. Or am I reading this wrong?

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/qa_c67-578933_ps10744_Products_Q_and_A_Item.html

Q. What is MACsec?

A. MACsec is the IEEE 802.1AE industry standard for L2 hop-by-hop encryption.

Q. Do I need a service module for encrypting user access ports connecting to PCs, IP phone, and so on?

A. No. Cisco Catalyst 3750x/3560x supports MACsec on downlink ports connecting to user access devices such as PCs and IP phones without requiring a service module.

Q. What MACsec use cases require a service module?

• Switch to switch encryption in campus: wiring closet access to distribution or core

• Encryption using fiber ports

• Encryption over 10G

Q. What can I expect in terms of MACsec performance? Is there any degradation in switch performance?

A. No. MACsec is supported at line rate (over 1G and 10G), and the encryption is done in hardware, making sure that there is no performance degradation.

Q. Can I connect a Cisco Catalyst 3750x/3560x service module to another Cisco Catalyst 3750x/3560x service module and encrypt Ethernet link between them?

A. Yes. MACsec can be enabled between Cisco Catalyst 3750x/3560x switches with service module. Service module ports have to be configured with Cisco Security Association Protocol (SAP) for management of MACsec keys.

Q. Are there any other Cisco network devices to which the service module can connect over a MACsec encrypted link?

A. Yes. Cisco switches including Cisco Catalyst 3750x/3560x, Cat 6k with Supervisor 2T and Cisco Nexus® 7k use the same key management protocol (SAP) and interoperate with each other. Service module ports have to be configured with Cisco SAP for key management.

Q. Can I use MKA key management for encrypting switch-to-switch links?

A. No. MKA is only supported for end user access ports such as PC, phone, and other user access devices. Typically downlink ports connect to end user access ports and need to be configured with MKA. Any time a switch-to-switch link needs to be encrypted, both ends of the link have to be configured with Cisco SAP for key management.

Q. Could I connect two Cisco Catalyst 3750x/3560x copper ports and encrypt the link between them using MACsec?

A. This is not a common use case, due to distance limitations of copper. But this is a supported scenario and does not require the service module. Any time a switch-to-switch link needs to be encrypted, both ends of the link have to be configured with Cisco SAP for key management.

Q. If a 3560C compact switch is connected to a Cisco Catalyst 3750x/3560x on the downlink port, how do I set up MACsec between them?

A. Any time a switch-to-switch link needs to be encrypted, both ends of the link have to be configured with Cisco SAP for key management. Compact switch support for switch-to-switch encryption is planned for a future release. With this future release, link between Cisco Catalyst 3750x/3560x and 3k-C compact switch can be encrypted with Cisco SAP.

Q. Is there a requirement for a specific client for user access port encryption?

A. Yes. Cisco AnyConnect 3.0 client is required for MACsec encryption on a client.

Q. Could I use MACsec and NEAT (CISP) together on a port?

A. No. MACsec and NEAT are mutually exclusive. MACsec provides L2 hop-by-hop encryption, which makes NEAT redundant.

Q. Could I just use MACsec for switch-to-switch authentication (Cisco Network Device Admission Control [NDAC]) without encryption of traffic?

A. Yes.

Q. Does switch-to-switch encryption require Cisco NDAC?

A. Yes, encryption is performed after successful switch-to-switch authentication (NDAC).

Q. What infrastructure do you need for setting up switch-to-switch encryption with the service module?

A. In order to successfully set up switch to switch MACsec encryption, the following are needed:

a) Cisco Catalyst 3750x with the service module on one end.

b) Cisco Catalyst 3750x with the service module OR Cisco Catalyst 6k Sup 2T OR Cisco Nexus 7k on the other end.

c) ACS server ver 5.2 or higher for initial SAP key

Q. I don't have an ACS Server. Can I still enable encryption between the switches?

A. Yes. Using statically configured keys on both switches, encryption can be enabled without the ACS server.
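As an added illustration (not from this thread or from Cisco's Q&A) of the static-key SAP configuration the Q&A describes for a switch-to-switch link without an ACS server, here is a manual-mode TrustSec interface configuration for a hypothetical pair of 3750x uplink ports; the interface names and the PMK value are placeholders, and the mode-list comment reflects the general behaviour of that command, not anything the thread establishes about GMAC or no-encap on these switches.

```cisco
! Added example, not from the thread. Manual-mode TrustSec with a static
! SAP PMK on both ends of a switch-to-switch link (no ACS server, no NDAC).
! Interface names and the PMK are placeholders chosen for this example.
!
! ---- Switch A ----
interface GigabitEthernet1/0/24
 description Uplink to Switch B (MACsec, manual mode)
 switchport mode trunk
 cts manual
  ! The PMK is a hex string and must be identical on both ends.
  ! mode-list is an ordered preference list negotiated by SAP. Limiting it
  ! to gcm-encrypt means the link either comes up with authenticated
  ! encryption or stays down; appending gmac, no-encap or null would let
  ! the two switches fall back to integrity-only or cleartext.
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
!
! ---- Switch B ----
interface GigabitEthernet1/0/24
 description Uplink to Switch A (MACsec, manual mode)
 switchport mode trunk
 cts manual
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
!
! Verification on either switch: confirm SAP negotiation succeeded and
! the negotiated mode is gcm-encrypt before trusting the link.
! show cts interface GigabitEthernet1/0/24
! show macsec interface GigabitEthernet1/0/24
```

If the port stays down with only gcm-encrypt listed, that is the desired failure mode for a link that cannot be encrypted (for instance a fiber or 10G port without the service module, per the Q&A) rather than a reason to add a weaker mode.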

Hi Michael

I read it like you do, i.e. that it is possible to connect two 3750x switches. However, I know from experience that this was not the case when MACsec was presented in the software; you could only use a Nexus 7K, I think it was, to connect to it.

When I spoke to Cisco about it and explained my case (similar to yours) they said that no one had thought that anyone would want to use it in that way (i.e. a 3750x encrypting/decrypting to/from another 3750x).

Personally I want the functionality to be used within different parts of a datacenter as well as WAN links, anytime the wire leaves and/or enters the rack module.

I gave up doing it since I knew the software did not support it, but I have heard that new software (I think it was 12.2.53 and later) should support it, so I will give it a try again to get it working.

I do have access to both 3750X switches and have the modules for them to play around with so we can make tests.

I will test this and see what I can do about this.

The modules however need IOS 15 to work properly.

(Why? I do not understand!)

And to add insult to injury, it needs to have a "late" 3750x as a host; if your 3750x is too early it will not work with that 3750x. Found this out the hard way.

There is a program for exchanging "old" 3750x that is to be used with this module, but you need to have purchased the module first.

Good luck

HTH

Thanks HTH, great info! I appreciate the response. Customer confirmed copper to copper works (without the SM) but fiber links will not come up. Thanks again!

- Mike
