MACSEC passthrough on C9500

DanielP211 · ‎04-18-2023

Hello,

I have two third-party device connected to one C9500 and I would like to establish MacSec between them. I know by default macsec traffic is forwarded to MKA MAC address 01:80:C2:00:00:03, and that the default ether-type is 0x888e. Cisco enables you to change the default values of both, but the third-party devices doesent have this option. Does anybody know if this is possible?

I tried playing around with eapol dst-addr and eapol eth-type but to no success.

TY

****Kindly rate all useful posts*****

Flavio Miranda · ‎04-18-2023

Hi

Which version do you have?

Configures an ethernet type (Hexadecimal) for the EAPoL Frame on the interface.

Note

From Cisco IOS Release XE 3.17, the macsec eth-type command has been replaced by the eapol eth-type command.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-3s/macsec-xe-3s-book.html#task_1573E9C7150F4451981F493D0B7859CB

DanielP211 · ‎04-25-2023

I have 17.6, but tried 17.10 also. The eapol eth-type dosent solve the issue for me. I'm testing it it the lab - I have two 9200 connected to one 9500 and cannot establish macsec over the switch.

****Kindly rate all useful posts*****

MHM Cisco World · ‎04-18-2023

I dont get, this issue between Cisco SW or between Cisco SW and 3'rd device ?

DanielP211 · ‎04-25-2023

Sorry for the late reply. The issue is that Cisco automatically sends the macsec packets to its CPU. But I want it to passthrough it.

****Kindly rate all useful posts*****