
MacSec on a 3850, 40G module, and some questions.

ggalteroo
Level 1

Hello everyone,

 I am presented with the possibility of putting together a lab to evaluate this platform.

 Initially I'll be working with two WS-C3850-24XS-S, each with a C3850-NM-2-40G. Wires, SFPs, OS version, proper feature set, etc. already taken care of.

 As odd as it may seem, I couldn't yet find a paper as to what to expect in terms of macsec performance, and whether the two 40gig ports will work in a macsec etherchannel.

 The documentation is scarce at best.

 I've found this config, which I've tried, and it seems fine thus far, but is it stable? Is it supported? Within the port-channel there is little you can do related to cts.

 

!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Forty...x/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk AAABBB mode-list gcm-encrypt
 channel-group 10 mode on
!
interface Forty...x/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk AAABBB mode-list gcm-encrypt
 channel-group 10 mode on
!

 As I wondered before, if anyone can comment on how much encryption power I can get from macsec I'd be grateful. Very!

 Actually, any input will be greatly appreciated.

 

Regards,

Peter
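
Added example, not part of the original post and not Cisco tooling: because the config above sets `cts manual` / `sap` on each member port rather than on the Port-channel, this Python sketch audits a saved running-config so that every `channel-group` member has SAP configured, offers no non-encrypting mode, and shares one PMK per channel. The interface names, key values and function names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample; interface names and keys are placeholders, not real values.
SAMPLE = """\
interface Port-channel10
!
interface FortyGigabitEthernet1/1/1
 cts manual
  sap pmk AAABBB mode-list gcm-encrypt
 channel-group 10 mode on
!
interface FortyGigabitEthernet1/1/2
 cts manual
  sap pmk AAABBC mode-list gcm-encrypt null
 channel-group 10 mode on
"""
WEAK_MODES = {"gmac", "no-encap", "null"}  # SAP modes that do not encrypt

def parse_interfaces(config):
    """Map each interface name to its stripped sub-command lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1), [])
        elif line.strip() in ("", "!"):
            current = None
        elif current is not None:
            current.append(line.strip())
    return interfaces

def audit_channel(config):
    """Return findings for every interface that carries a channel-group."""
    findings, pmks = [], defaultdict(set)
    for name, cmds in parse_interfaces(config).items():
        text = "\n".join(cmds)
        grp = re.search(r"^channel-group (\d+)", text, re.M)
        if not grp:
            continue  # not a member port (e.g. the Port-channel itself)
        sap = re.search(r"^sap pmk (\S+) mode-list (.+)$", text, re.M)
        if "cts manual" not in cmds or not sap:
            findings.append(f"{name}: Po{grp.group(1)} member without cts manual/sap")
            continue
        pmks[grp.group(1)].add(sap.group(1))  # compare keys, never print them
        if weak := WEAK_MODES & set(sap.group(2).split()):
            findings.append(f"{name}: mode-list allows {', '.join(sorted(weak))}")
    # SAP runs per link, so differing keys can still work; flag it as drift.
    findings += [f"Po{g}: members use {len(k)} different PMKs"
                 for g, k in pmks.items() if len(k) > 1]
    return findings
```

Calling `audit_channel(SAMPLE)` reports the `null` fallback on the second port and the PMK mismatch; a config shaped like the one in the post returns an empty list.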

 

2 Accepted Solutions


Bogdan Nita
VIP Alumni

I configured a few years back MACsec on a port-channel on a couple of 3560X, using a similar config I found at https://www.petenetlive.com/KB/Article/0001000 and I did not have any problems with it.

I believe the Nexus devices can have the MACSec config on the port-channel interface.

Performance with MACSec should be close to the link speed. Here is a doc on that:

https://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/MACsec/WP-High-Speed-WAN-Encrypt-MACsec.pdf

 

 


Thanks for your input! I really appreciate it.

 

Guido

