Cisco MACSec Notes

2015.11.05

A while back I did notes for MACSec on Juniper devices and here’s the Cisco equivalent of the 802.1AE (“MAC Sec”) implementation

  1. Your Cisco device needs to be running either an IP Base or IP Services image. MACSec is not happening otherwise.
  2. switch# cts credentials id trustsec password mypassword
  3. en then, conf t, then int Gig1/1 (or whatever)
  4. switch(config-if)# cts man
    % Enabling macsec on Gi1/1 (may take a few seconds)…
    switch(config-if-cts-manual)#no propagate sgt
    switch(config-if-cts-manual)#sap pmk abc123 mode-list gcm-encrypt
    switch(config-if-cts-manual)#no shut

Where abc123 is your shared secret. I believe this is analogous to Juniper’s cak. You can do this to aggregated links (“port-channel” for you Cisco folks) but you have to do it before you aggregate the trunks together into a single logical interface. E.g., do this on Gig1/1 and Gig1/2 and then create int Port-channel1 (channel-group 1 mode on in the interface config)

Notes:

mode-list options are:

  • gcm-encrypt (authentication and encryption)
  • gmac (auth, no encrypt)
  • null (encapsulation only; no auth, no encryption)

 

Gotchas:

  • to use 802.1x (cts dot1x) as opposed to cts man above, you have to enable 802.1x globally on each device.
  • if you select gcm as the sap mode, you need an additional macsec license from cisco (as well as the ipbase or ipservices image/license). if you select gcm without the license, the interface goes into link-down state.

Debugging:

show cts credentials

show macsec summary

show macsec interface

show authentication sessions interface gigabitethernet1/1

 

Additional reading:

The actual Cisco doc (this is for a cat4500 but translates well most places) http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/swmacsec.html (here’s one for 3750/3560)

http://www.petenetlive.com/KB/Article/0001000.htm

http://www.virtualpackets.com/cisco-trustsec-switch-to-switch-link-security-manual-mode/