Cisco TrustSec Switch-to-Switch Link Security (Manual Mode)

MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec capable devices.

The Catalyst 3750-X and 3560-X switches support 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange.

Cisco TrustSec MACsec for switch-to-switch security is supported only on switches running the IP base or IP services feature set.

Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard.

The follow protection levels are supported when you configure SAP pairwise master key (sap pmk)

  • sap mode-list gcm-encrypt gmac no-encap : protection desirable but not mandatory.
  • sap mode-list gcm-encrypt gmac : confidentiality preferred and integrity required. The protection is selected by the supplicant according to supplicant preference.
  • sap mode-list gmac : integrity only.
  • sap mode-list gcm-encrypt : confidentiality required.
  • sap mode-list gmac gcm-encrypt : integrity required and preferred, confidentiality optional.

We will configure MACsec on a couple of port-channels between two data centers.

The links between the two data centers have been provided as L2 links.

macsec
image-88

 

 

 

 

 

 

 

 

 

Configuration:

interface Port-channel10
description *** Po10 InterDC LINKS VLANS 10,100 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,100
switchport mode trunk
spanning-tree bpdufilter enable
!
!
interface GigabitEthernet1/0/1
description *** DC1 LINK 1 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,100
switchport mode trunk
shutdown
udld port aggressive
cts manual
no propagate sgt
sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt
spanning-tree bpdufilter enable
channel-group 10 mode active
!
interface GigabitEthernet1/0/2
description *** DC1 LINK 2 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,100
switchport mode trunk
shutdown
udld port aggressive
cts manual
no propagate sgt
sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt
spanning-tree bpdufilter enable
channel-group 10 mode active

Add the same config to the other 3750 in DC2 and we should have a encrypted link between the two data centers.

We can verify this by running the “show macsec summary” & “show macsec interface” commands.

DC1-3750#show macsec interface gi1/0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
Max. Rx SA : 16
Max. Tx SA : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
Transmit Secure Channels
SCI : D40D1C4402030000
Elapsed time : 01:29:20
Current AN: 0   Previous AN: 1
SC Statistics
Auth-only (0 / 0)
Encrypt (9629197 / 0)
Receive Secure Channels
SCI :  D40D1B3895910000
Elapsed time : 01:29:20
Current AN: 0   Previous AN: 1
SC Statistics
Notvalid pkts 0      Invalid pkts 0
Valid pkts 5955254         Late pkts 0
Uncheck pkts 0       Delay pkts 0
Port Statistics
Ingress untag pkts  0        Ingress notag pkts 20
Ingress badtag pkts 0        Ingress unknownSCI pkts 0
Ingress noSCI pkts 0         Unused pkts 0
Notusing pkts 0              Decrypt bytes 508339342
Ingress miss pkts 20

We are also NOT limited to the 8 VLAN limit imposed by using Trustsec enforcement as we are running MACsec.

Leave a Comment

Time limit is exhausted. Please reload CAPTCHA.