MACSEC SWITCH TO SWITCH WITH PRE-SHARED-KEY 3800 AND SXP 2960x

The on-switch configuration is simple. First, create a key chain that contains both the Connectivity Key Name (CKN) and the Connectivity Association Key (CAK). The CKN must be an even number of hex digits, and the CAK must be 32 or 64 hex digits. Optionally, create a MACsec Key Agreement (MKA) policy. Finally, enable the MACsec network link on the interface and apply the MKA policy and the key chain. The CKN and CAK configuration must be the same on both sides of the link.

 

Configure terminal
key chain mka-keys macsec
  !
  !  Must match on both sides.
  !  Must be an even number of digits 
  !  Connectivity Key Name (CKN)
   key HEX-CKN-EVEN#
      !
      !  Must match on both sides
      !  MKA Authentication Cipher
      cryptographic-algorithm aes-256-cmac
      !
      !  Must match on both sides
      !    Must be 32 characters for 128 bits  
      ! OR Must be 64 characters for 256 bits
      ! Connectivity Association Key (CAK)
      key-string ----32-OR-64-HEX-CHARS----
!
mka policy mkapolicy1
  ! 128 bit is supported by Cat 9200
  ! 256 bit is supported by Cat 9300
   macsec-cipher-suite gcm-aes-128
!
!
!  Interface Configuration
!
int g1/0/1
 macsec network-link
 mka policy mkapolicy1
 mka pre-shared-key key-chain mka-keys
!
end
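
A pre-deployment check for the CKN/CAK rules above, as an added example that is not part of the original post or of Cisco's tooling: it parses the `key chain ... macsec` stanza from each switch's plain-text config template and reports rule violations and mismatches between the two sides. The function names, the sample key values and the pairing of CAK length with `aes-128-cmac` / `aes-256-cmac` are assumptions of this example.

```python
import re

CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}  # 128 bits = 32 hex digits, 256 = 64
FIELDS = {"cryptographic-algorithm": "alg", "key-string": "cak"}
HEX = re.compile(r"[0-9a-f]+")

def parse_macsec_keychain(config):
    """Return {ckn: {"alg", "cak"}} from 'key chain <name> macsec' stanzas."""
    keys, ckn, in_chain = {}, None, False
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command starts or ends a stanza
            in_chain, ckn = words[:2] == ["key", "chain"] and words[-1] == "macsec", None
        elif in_chain and words[0] == "key" and len(words) == 2:
            ckn = words[1].lower()
            keys[ckn] = {"alg": None, "cak": ""}
        elif in_chain and ckn and words[0] in FIELDS:
            keys[ckn][FIELDS[words[0]]] = words[-1].lower()
    return keys

def check_side(keys):
    """Apply the CKN/CAK length rules; messages never echo the CAK itself."""
    problems = []
    for ckn, k in keys.items():
        if not HEX.fullmatch(ckn) or len(ckn) % 2:
            problems.append(f"CKN {ckn}: not an even number of hex digits")
        want = CAK_HEX_LEN.get(k["alg"])
        if want is None:
            problems.append(f"CKN {ckn}: missing or unknown cryptographic-algorithm")
        elif not HEX.fullmatch(k["cak"]) or len(k["cak"]) != want:
            problems.append(f"CKN {ckn}: CAK is not {want} hex digits ({k['alg']})")
    return problems

def check_link(config_a, config_b):
    """Validate each side, then confirm CKN, cipher and CAK match across the link."""
    a, b = parse_macsec_keychain(config_a), parse_macsec_keychain(config_b)
    problems = [f"A: {p}" for p in check_side(a)] + [f"B: {p}" for p in check_side(b)]
    for ckn in sorted(set(a) | set(b)):
        if a.get(ckn) != b.get(ckn):
            problems.append(f"CKN {ckn}: absent from one side, or cipher/CAK differs")
    return problems

# Constructed sample templates; the key material is made up, not a real key.
TEMPLATE = "key chain mka-keys macsec\n key {ckn}\n  cryptographic-algorithm {alg}\n  key-string {cak}\n"
GOOD = TEMPLATE.format(ckn="1000", alg="aes-256-cmac", cak="0123456789abcdef" * 4)
BAD = TEMPLATE.format(ckn="100", alg="aes-256-cmac", cak="0123456789abcdef" * 2)

if __name__ == "__main__":
    print(check_link(GOOD, GOOD), *check_link(GOOD, BAD), sep="\n")
```

Run it against the templates before they are pushed to the switches; a running-config that stores the key-string in encoded form will not pass the hex-length check.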

 

 What is POSSIBLE with SXP

You can have Switch A inform Switch B of the identity of its users over a TCP connection (SXP), even if it cannot encrypt the link.
Configuration to link two 2960-X switches via SXP:
  1. On Switch A (IP 192.168.1.1):
    conf t
    cts sxp enable
    cts sxp connection peer 192.168.1.2 source 192.168.1.1 password SECRET mode local speaker

  2. On Switch B (IP 192.168.1.2):
    conf t
    cts sxp enable
    cts sxp connection peer 192.168.1.1 source 192.168.1.2 password SECRET mode loc
