[172612] in North American Network Operators' Group


Re: MACsec SFP

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jun 25 17:02:58 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <53AB3638.8040300@aimvalley.nl>
Date: Wed, 25 Jun 2014 17:02:49 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Pieter Hulshoff <phulshof@aimvalley.nl>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Wed, Jun 25, 2014 at 4:51 PM, Pieter Hulshoff <phulshof@aimvalley.nl> wrote:
> On 25-06-14 22:45, Christopher Morrow wrote:
>>
>> today you program the key (on switches that do macsec, not in an SFP
>> that does it for you, cause those don't exist, yet) in your router
>> config and as near as I have seen there isn't a key distribution
>> protocol aside from that which you write/manage yourself and which is
>> likely using ssh/snmp(ick)/telnet(ick).
>
>
> I'm not familiar with the MACsec key distribution available in current
> routers/switches. Are you saying Cisco doesn't support EAP and/or MKA for
> this purpose or just that the command protocol for configuring EAP/MKA is
> run via SSH/SNMP/telnet?

I had looked a bit ago (like a year or so perhaps longer) for this and
it seemed like command-line on the switch functions only. This:
  <http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf>

(for 15.0 IOS on a 3750... ymmv on others of course)

it looks like they have MKA (and eap) for user-facing ports, and some
nutty cisco thing (trustsec) for switch-to-switch. I never looked at
this for machine-facing ports... Oh, the manual setup for
switch-to-switch is possibly what I recall from my last look at this.

-chris
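Added example (not part of Chris's or Pieter's messages, and not vendor code): what MKA actually does with the key an operator "programs into the router config". That key is the CAK, named by a CKN; from the CAK/CKN pair MKA derives a KEK (which wraps the SAK it distributes in MKPDUs) and an ICK (which keys the ICV on every MKPDU), using the AES-CMAC KDF of IEEE 802.1X-2010 clause 6.2.1: K(i) = AES-CMAC(Key, i || Label || 0x00 || Context || Length). Assumptions: the CAK and CKN bytes below are constructed, not real keys; the KDF context is taken as the first 16 octets of the CKN (check this against the standard if you rely on it); AES-CMAC is implemented per RFC 4493 rather than pulled from a library so the block runs with the Go standard library only. No switch CLI syntax is shown because the thread does not quote any.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// dbl doubles a 128-bit value in GF(2^128) (RFC 4493 subkey step).
func dbl(in [16]byte) (out [16]byte) {
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return
}

// cmacSubkeys derives K1 and K2 from AES_K(0^128) (RFC 4493 section 2.3).
func cmacSubkeys(blk cipher.Block) (k1, k2 [16]byte) {
	var l [16]byte
	blk.Encrypt(l[:], l[:])
	k1 = dbl(l)
	k2 = dbl(k1)
	return
}

// AESCMAC computes AES-CMAC(key, msg) as defined in RFC 4493.
func AESCMAC(key, msg []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := cmacSubkeys(blk)
	n := (len(msg) + 15) / 16
	complete := n > 0 && len(msg)%16 == 0
	if n == 0 {
		n = 1 // the empty message is one padded block
	}
	var last [16]byte
	if complete {
		copy(last[:], msg[(n-1)*16:])
		for i := range last {
			last[i] ^= k1[i]
		}
	} else {
		rem := msg[(n-1)*16:]
		copy(last[:], rem)
		last[len(rem)] = 0x80 // 10...0 padding, then K2
		for i := range last {
			last[i] ^= k2[i]
		}
	}
	var x [16]byte // CBC-MAC over the first n-1 blocks, then the tweaked last block
	for i := 0; i < n-1; i++ {
		for j := 0; j < 16; j++ {
			x[j] ^= msg[i*16+j]
		}
		blk.Encrypt(x[:], x[:])
	}
	for j := 0; j < 16; j++ {
		x[j] ^= last[j]
	}
	blk.Encrypt(x[:], x[:])
	return x[:], nil
}

// KDF is the IEEE 802.1X-2010 clause 6.2.1 key derivation function:
// K(i) = AES-CMAC(Key, i || Label || 0x00 || Context || Length), i = 1..n,
// with i as one octet and Length (output size in bits) as two big-endian octets.
func KDF(key []byte, label string, context []byte, bits int) ([]byte, error) {
	var out []byte
	var length [2]byte
	binary.BigEndian.PutUint16(length[:], uint16(bits))
	for i := 1; i <= (bits+127)/128; i++ {
		var in bytes.Buffer
		in.WriteByte(byte(i))
		in.WriteString(label)
		in.WriteByte(0x00)
		in.Write(context)
		in.Write(length[:])
		k, err := AESCMAC(key, in.Bytes())
		if err != nil {
			return nil, err
		}
		out = append(out, k...)
	}
	return out[:bits/8], nil
}

// DeriveMKAKeys derives the KEK and ICK that MKA uses from a CAK/CKN pair
// (IEEE 802.1X-2010 clause 9.3.3). The KEK/ICK size follows the CAK size.
// Assumption: the context is the first 16 octets of the CKN.
func DeriveMKAKeys(cak, ckn []byte) (kek, ick []byte, err error) {
	ctx := ckn
	if len(ctx) > 16 {
		ctx = ctx[:16]
	}
	if kek, err = KDF(cak, "IEEE8021 KEK", ctx, 8*len(cak)); err != nil {
		return nil, nil, err
	}
	if ick, err = KDF(cak, "IEEE8021 ICK", ctx, 8*len(cak)); err != nil {
		return nil, nil, err
	}
	return kek, ick, nil
}

func main() {
	// Constructed, non-secret example values standing in for the pre-shared
	// CAK and CKN an operator would type into a switch key chain.
	cak, _ := hex.DecodeString("0123456789abcdef0123456789abcdef")
	ckn, _ := hex.DecodeString("ffeeddccbbaa99887766554433221100")
	kek, ick, err := DeriveMKAKeys(cak, ckn)
	if err != nil {
		panic(err)
	}
	fmt.Printf("KEK=%x\nICK=%x\n", kek, ick)
}
```

The point for the thread: every protection MKA gives (peer authentication of MKPDUs via the ICK, confidentiality of the distributed SAK via the KEK) reduces to the secrecy of the CAK. With a pre-shared CAK that secrecy depends entirely on however the CAK got onto each box, which is exactly the ssh/snmp/telnet key-distribution gap Chris describes; EAP-based MKA replaces that step by deriving the CAK from the EAP session instead.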
