Cisco : MACSec (Media Access Control Security)

This page describes how to enable MACSec (Media Access Control Security) encryption between two Catalyst switches. MACSec is the IEEE 802.1AE standard for authenticating and encrypting the data link layer between switches.

Configuring MACSec

interface TenGigabitEthernet1/0/48
   cts manual
   no propagate sgt
   sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt null no-encap

Below is an example config for MACSec with AES-256 encryption. This config needs to be applied on the switches at both ends of the link. It was tested on a 3650-12x48UZ running IOS-XE version 16.3.2. Replace the key-string with a new random set of digits each time you use this config. The string must be the same length as the one below (64).

key chain mka_keychain macsec
 key 1234
  cryptographic-algorithm aes-256-cmac
  key-string 7586258746587645873490731985370957385753195709435175415784768466
  lifetime local 00:00:00 Jan 1 2000 infinite
mka policy mka_policy_256
 key-server priority 2
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet1/0/1
 switchport mode trunk
 macsec network-link
 mka policy mka_policy_256
 mka pre-shared-key key-chain mka_keychain
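
The key-string rule above (a new random 64-character string for each deployment), as an added example that is not part of the original page: a Python sketch that draws the key from the OS CSPRNG, rejects the key-string printed on this page and heavily repeated strings, and renders the key chain stanza. The function names, the CKN length check and the repetition threshold are assumptions of this example.

```python
import secrets
import string
from collections import Counter

# Key-string printed on this page: public, so never valid for a real link.
PUBLISHED_SAMPLE = "7586258746587645873490731985370957385753195709435175415784768466"
KEY_HEX_LEN = 64  # length the page requires for aes-256-cmac


def new_cak():
    """Return a fresh 64-hex-character key from the OS CSPRNG (32 random bytes)."""
    return secrets.token_hex(KEY_HEX_LEN // 2)


def validate_key(ckn, cak):
    """Return a list of problems; an empty list means the pair is acceptable."""
    problems = []
    # Assumption: the key id is 1 to 64 hex digits (the page shows it padded to 64).
    if not 1 <= len(ckn) <= 64 or any(c not in string.hexdigits for c in ckn):
        problems.append("key id (CKN) must be 1 to 64 hex digits")
    if any(c not in string.hexdigits for c in cak):
        problems.append("key-string must contain only hex digits")
    if len(cak) != KEY_HEX_LEN:
        problems.append(f"key-string must be {KEY_HEX_LEN} characters, got {len(cak)}")
    if cak.lower() == PUBLISHED_SAMPLE.lower():
        problems.append("key-string is the published sample from the documentation")
    # Assumed heuristic: one character filling over half the string means
    # the key was padded or typed by hand, not drawn at random.
    if cak and max(Counter(cak.lower()).values()) > len(cak) // 2:
        problems.append("key-string is mostly one repeated character")
    return problems


def render_keychain(name, ckn, cak):
    """Render the key chain stanza from the page's example for a validated key."""
    problems = validate_key(ckn, cak)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"key chain {name} macsec",
        f" key {ckn}",
        "  cryptographic-algorithm aes-256-cmac",
        f"  key-string {cak}",
        "  lifetime local 00:00:00 Jan 1 2000 infinite",
    ])


if __name__ == "__main__":
    # Paste the same output on both switches; it contains the secret key.
    print(render_keychain("mka_keychain", "1234", new_cak()))
```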

Check that the MKA session is up and secured.

Switch#sh mka session

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0

====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
Te1/0/48       00f6.6389.8b30/0037 test             NO                YES
55             00fe.c8d4.44b0/0037 1                Secured           1234000000000000000000000000000000000000000000000000000000000000

Verify MACSec is enabled.

Switch#sh macsec int ten1/0/48

MACsec is enabled
   Replay protect : enabled
   Replay window : 0
   Include SCI : yes
   Use ES Enable : no
   Use SCB Enable : no
   Admin Pt2Pt MAC : forceTrue(1)
   Pt2Pt MAC Operational : no
   Cipher : GCM-AES-256
   Confidentiality Offset : 0