Cisco MACSec Notes
A while back I did notes for MACSec on Juniper devices; here's the Cisco equivalent of the 802.1AE ("MAC Sec") implementation.
- Your Cisco device needs to be running either an IP Base or IP Services image (and the matching license). MACSec is not happening otherwise.
- switch# cts credentials id trustsec password mypassword
- switch# configure terminal
- switch(config)# interface GigabitEthernet1/1 (or whatever port you are encrypting)
- switch(config-if)# cts manual (can be abbreviated to cts man)
% Enabling macsec on Gi1/1 (may take a few seconds)…
switch(config-if-cts-manual)# no propagate sgt
switch(config-if-cts-manual)# sap pmk abc123 mode-list gcm-encrypt
switch(config-if-cts-manual)# no shut
Where abc123 is your shared secret, the SAP pre-shared key (PMK). IOS takes it as a hex string with an even number of characters (up to 32), so pick something longer and more random than abc123 for anything real. I believe this is analogous to Juniper's cak. You can do this on aggregated links ("port-channel" for you Cisco folks), but you have to configure it on the physical members before you bundle them into the single logical interface. E.g., do this on Gig1/1 and Gig1/2, and then create int Port-channel1 by putting channel-group 1 mode on in each member's interface config.
Notes:
mode-list is an ordered preference list: SAP negotiates the first mode that both peers support, so anything you list after gcm-encrypt is a fallback you are permitting. The options are:
- gcm-encrypt (authentication and encryption)
- gmac (auth, no encrypt; frames are integrity-protected but still readable on the wire)
- no-encap (no encapsulation at all)
- null (encapsulation only; no auth, no encryption)
Only gcm-encrypt actually protects the payload.
Gotchas:
- to use 802.1X (cts dot1x) as opposed to cts manual above, you have to enable 802.1X globally on each device (dot1x system-auth-control), and cts dot1x authenticates the peer against a RADIUS/ISE server instead of the shared PMK.
- if you select gcm (gcm-encrypt) as the sap mode, you need an additional MACsec encryption license from Cisco (as well as the ipbase or ipservices image/license). If you select gcm without the license, the interface goes into link-down state, so check licensing before you push this config to a remote box.
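To catch the two mistakes above before they reach a switch, here is a small config audit written as an added example (not from the original notes or from Cisco). It parses a constructed show running-config excerpt, modelled on the cts manual / sap pmk / channel-group commands from the procedure above, and flags a PMK that is not even-length hex of at most 32 characters, a mode-list that does not put gcm-encrypt first or that permits a cleartext fallback (null or no-encap), and port-channel members whose SAP settings differ from each other. It cannot tell from a running-config whether SAP was configured before or after bundling, only whether the members agree. The SAMPLE_CONFIG text and the finding messages are my own; where an interface has no explicit mode-list, the audit just reports that the platform default applies rather than assuming what that default is.

```python
"""Audit Cisco IOS 'cts manual' MACsec link configuration (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt, not captured from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 channel-group 1 mode on
 cts manual
  no propagate sgt
  sap pmk abc123 mode-list gcm-encrypt
!
interface GigabitEthernet1/2
 channel-group 1 mode on
 cts manual
  no propagate sgt
  sap pmk abc123 mode-list gcm-encrypt null
!
interface GigabitEthernet1/3
 cts manual
  sap pmk abc12 mode-list gmac
!
interface GigabitEthernet1/4
 description uplink with no MACsec at all
!
"""

# SAP modes that put frames on the wire without confidentiality or integrity.
CLEARTEXT_MODES = {"null", "no-encap"}


@dataclass
class CtsIface:
    name: str
    channel_group: str | None = None
    cts_manual: bool = False
    pmk: str | None = None
    mode_list: list[str] = field(default_factory=list)


def parse_cts(config: str) -> dict[str, CtsIface]:
    """Collect the cts/sap/channel-group lines under each interface stanza."""
    ifaces: dict[str, CtsIface] = {}
    cur: CtsIface | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = CtsIface(line.split(None, 1)[1])
            ifaces[cur.name] = cur
        elif cur is None or line == "!":
            continue
        elif line.startswith("channel-group "):
            cur.channel_group = line.split()[1]
        elif line == "cts manual":
            cur.cts_manual = True
        elif line.startswith("sap pmk "):
            m = re.match(r"sap pmk (\S+)(?: mode-list (.+))?$", line)
            if m:
                cur.pmk = m.group(1)
                cur.mode_list = m.group(2).split() if m.group(2) else []
    return ifaces


def audit(ifaces: dict[str, CtsIface]) -> list[tuple[str, str]]:
    """Return (interface, problem) pairs for weak or inconsistent SAP settings."""
    findings: list[tuple[str, str]] = []
    for i in ifaces.values():
        if not i.cts_manual:
            continue  # no MACsec configured here; out of scope for this check
        if i.pmk is None:
            findings.append((i.name, "cts manual without a sap pmk"))
            continue
        # IOS accepts the PMK as hex with an even number of characters, max 32.
        if not re.fullmatch(r"[0-9a-fA-F]+", i.pmk) or len(i.pmk) % 2 or len(i.pmk) > 32:
            findings.append((i.name, f"pmk {i.pmk!r} is not even-length hex of at most 32 chars"))
        if not i.mode_list:
            findings.append((i.name, "no explicit mode-list; platform default applies"))
            continue
        # mode-list is ordered preference: first entry is what you get if the peer supports it.
        if i.mode_list[0] != "gcm-encrypt":
            findings.append((i.name, f"first preference is {i.mode_list[0]}, not gcm-encrypt"))
        weak = CLEARTEXT_MODES & set(i.mode_list)
        if weak:
            findings.append((i.name, f"cleartext fallback allowed: {sorted(weak)}"))

    # Port-channel members must carry identical SAP settings.
    groups: dict[str, list[CtsIface]] = {}
    for i in ifaces.values():
        if i.channel_group:
            groups.setdefault(i.channel_group, []).append(i)
    for g, members in groups.items():
        if len({(m.cts_manual, m.pmk, tuple(m.mode_list)) for m in members}) > 1:
            names = ", ".join(m.name for m in members)
            findings.append((f"Port-channel{g}", f"members have differing cts/sap settings: {names}"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(parse_cts(SAMPLE_CONFIG)):
        print(f"{iface}: {problem}")
```

Run it as-is to see the sample findings, or feed it the output of show running-config from a switch; anything it reports on the first interface of a port-channel will usually also show up as a member mismatch, which is the hint that one side was changed after bundling.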
Debugging:
show cts credentials
show cts interface gigabitethernet1/1
show macsec summary
show macsec interface gigabitethernet1/1
show authentication sessions interface gigabitethernet1/1
Additional reading:
The actual Cisco doc (this is for a cat4500 but translates well most places) http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/swmacsec.html (here’s one for 3750/3560)
http://www.petenetlive.com/KB/Article/0001000.htm
http://www.virtualpackets.com/cisco-trustsec-switch-to-switch-link-security-manual-mode/