
VSS + MACsec

gilles.risch
Visitor

Hi all,

The current setup:

We have 4 Cisco Catalyst 4500X switches in two different buildings. In each building we have a VSS; both VSSes are interconnected by a PAgP port-channel composed of link 1 and link 2.

+-------------------+    VSL   +-------------------+
| Switch 1: (4500X) |==========| Switch 2: (4500X) |
+-------------------+          +-------------------+
          ¦                              ¦
          ¦                              ¦
          ¦                              ¦
          ¦ Link 1                       ¦ Link 2
          ¦                              ¦
          ¦                              ¦
          ¦                              ¦
+-------------------+    VSL   +-------------------+
| Switch 3: (4500X) |==========| Switch 4: (4500X) |
+-------------------+          +-------------------+

We would like to use MACsec encryption between both VSSes in manual mode, without an authentication server. Is that possible, and which firmware version is needed for the setup?
Does anyone have a comparable installation? What are the pitfalls that one has to pay attention to?

Regards,
Gilles

 


gilles.risch
Visitor

Hello,

some more information:

  • Link 1 and 2 are point-to-point dark fibers
  • The switches are running 3.5.x

Gilles

alex.net
Frequent Visitor

I have a really similar setup...but it's not easy to find documentation.

Is an additional module necessary?

 

By the way, 3.5.x is fine 

From the Release notes:

MACSec Encryption on Cisco Catalyst 4500-X

- IEEE 802.1ae MACSec Layer 2 encryption

- IEEE 802.1ae MACSec encryption on user-facing ports

- IEEE 802.1ae MACSec encryption between switch-to-switch links using Cisco Security Association 


A.