cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1214
Views
0
Helpful
3
Replies
Highlighted
Beginner

MACsec on ASR9010/ASR9910 with IOS-XR 6.1.3 not working

Hi All,

I hope you all are doing great.

I am facing a problem with MACsec technology, below are the details of my setup:

1- I am using ASR 9010 on one side and ASR9910 on the other side.

2- I am using "A99-12x100GE-CM" and "A9K-8X100GE-L-SE" Line Cards.

3- I am using IOS-XR 6.1.3 on both sides.

4- The HundredGigE interfaces are part of a Bundle-Ether.

Below is the configuration I am using on both side:

macsec-policy Encrypt
conf-offset CONF-OFFSET-30
security-policy should-secure
window-size 64
cipher-suite GCM-AES-XPN-256
include-icv-indicator
policy-exception lacp-in-clear
key-server-priority 10         
!

key chain Encrypt
 macsec
  key 1234abcd5678
   key-string password 1543595F507F7D73706267714752405459070B0B0701585440470B0B030604020C5A0955530D01534B5756085F535976141F5B4A5142445C54557878707D65627A cryptographic-algorithm aes-256-cmac
   lifetime 10:41:00 may 30 2017 infinite
!

interface HundredGigE0/5/0/5
 macsec psk-keychain Encrypt policy Encrypt
!

I am facing the following problems:

1- I was unable to bring the MACsec session Up.

2- When I removed the configuration from the interface it started to drop packets and I am no longer able to use it, the following counter started to increase "drops for unrecognized upper-level protocol".

Even if I remove all the configuration from the interface and assign it a point-to-point IP address I was not able to Ping the other side.

Finally, I have reloaded the Line Cards, and even reloaded the Router and still, the problem persisted.

Thank you so much in advance for your kind help and support.

Kind regards,

Ahmed Muhi

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Ahmed,

Both of your Linecards do not support MACsec.

Only the OTN version of 4/8x100GE linecard, or the MOD200/MOD400 with 20x10GE or 1/2x100GE MPA will support MACsec.

Thanks

Vincent

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

Ahmed,

Both of your Linecards do not support MACsec.

Only the OTN version of 4/8x100GE linecard, or the MOD200/MOD400 with 20x10GE or 1/2x100GE MPA will support MACsec.

Thanks

Vincent

View solution in original post

Highlighted

Hi Vincent,

Thank you so much for your kind support and reply, highly appreciated.

Kind regards,

Ahmed Muhi

Highlighted
Enthusiast

How did you got the interface back and managed the Ping again ?

This widget could not be displayed.