cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
309
Views
2
Helpful
3
Replies

which scenarios should we use MacSec ?

Herman2018
Level 3
Level 3

hi, we are planning the layer2 connection between HQ and branch offices. Is MacSec a good option to protect the data? If want to use Macsec, what should we do?  can anyone please advise, thanks in advance! 

3 Accepted Solutions

Accepted Solutions

M02@rt37
VIP
VIP

Hello @Herman2018 

Yes, MACsec is a solid option for protecting L2 connections between HQ and branch offices, as it provides encryption at the physical layer to safeguard against eavesdropping, tampering, and other attacks...

To implement MACsec, you'll first need to verify that your hardware supports it, as not all switches or routers come with MACsec capabilities; Cisco devices like the Catalyst 9000 series typically support it. You’ll also need the appropriate licenses, such as Network Advantage or DNA Advantage.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-12/configuration_guide/sec/b_1712_sec_9300_cg/macsec_encryption.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

hi, we are planning the layer2 connection between HQ and branch offices. Is MacSec a good option to protect the data? this exactly why we use MacSec to protect the L2 DCI (data center interconnect) 
Yes sure use it 

MHM

View solution in original post

Assis Teixeira
Level 1
Level 1

Hello, good morning.
I hope these procedures can give you a clue and help you on how to proceed:

First: The devices must have licensing and compatibility, for example, a common series of devices is the Catalyst 9300 and 9500, and some versions of the ISR and ASR router.

Second: The configuration is done directly on the interfaces that connect the headquarters and the branches. It is necessary to configure authentication keys on the interfaces involved. Configuration example:

interface Gi1/0/1
macsec
macsec network-link
macsec encryption security-policy must-secure
mka policy name policy1

NOTE 1: Command to check the encryption status of the interface: show macsec interface
NOTE 2: *mka (MACsec Key Agreement protocol)
NOTE 3: If you are using RADIUS, configure it to support authentication of the devices that want to use the secure connection.

Third: The ideal is to check the Cisco documentation for specific commands.

Hope this helps.

View solution in original post

3 Replies 3

M02@rt37
VIP
VIP

Hello @Herman2018 

Yes, MACsec is a solid option for protecting L2 connections between HQ and branch offices, as it provides encryption at the physical layer to safeguard against eavesdropping, tampering, and other attacks...

To implement MACsec, you'll first need to verify that your hardware supports it, as not all switches or routers come with MACsec capabilities; Cisco devices like the Catalyst 9000 series typically support it. You’ll also need the appropriate licenses, such as Network Advantage or DNA Advantage.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-12/configuration_guide/sec/b_1712_sec_9300_cg/macsec_encryption.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

hi, we are planning the layer2 connection between HQ and branch offices. Is MacSec a good option to protect the data? this exactly why we use MacSec to protect the L2 DCI (data center interconnect) 
Yes sure use it 

MHM

Assis Teixeira
Level 1
Level 1

Hello, good morning.
I hope these procedures can give you a clue and help you on how to proceed:

First: The devices must have licensing and compatibility, for example, a common series of devices is the Catalyst 9300 and 9500, and some versions of the ISR and ASR router.

Second: The configuration is done directly on the interfaces that connect the headquarters and the branches. It is necessary to configure authentication keys on the interfaces involved. Configuration example:

interface Gi1/0/1
macsec
macsec network-link
macsec encryption security-policy must-secure
mka policy name policy1

NOTE 1: Command to check the encryption status of the interface: show macsec interface
NOTE 2: *mka (MACsec Key Agreement protocol)
NOTE 3: If you are using RADIUS, configure it to support authentication of the devices that want to use the secure connection.

Third: The ideal is to check the Cisco documentation for specific commands.

Hope this helps.

Review Cisco Networking for a $25 gift card