This describes how to enable MACsec (Media Access Control Security) encryption between two Catalyst switches. MACsec, standardized as IEEE 802.1AE, authenticates and encrypts traffic at the data link layer between directly connected switches.
Configuring MACSec
SAP-based (Cisco TrustSec) MACsec on a 10G link:

interface TenGigabitEthernet1/0/48
 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt null no-encap

The mode-list is a preference list negotiated with the peer. The trailing null and no-encap entries allow the link to fall back to an unencrypted, unauthenticated mode if gcm-encrypt cannot be agreed, so remove them where the link must never run in clear text.
Below is an example config for MKA-based MACsec with AES-256 encryption. The same config must be applied on both switches. It was tested on a 3650-12x48UZ running IOS-XE version 16.3.2. Replace the key-string with a new random value each time you use it; its length has to stay the same as below (64 hex digits for aes-256-cmac).
key chain mka_keychain macsec
 key 1234
  cryptographic-algorithm aes-256-cmac
  key-string 7586258746587645873490731985370957385753195709435175415784768466
  lifetime local 00:00:00 Jan 1 2000 infinite
mka policy mka_policy_256
 key-server priority 2
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet1/0/1
 switchport mode trunk
 macsec network-link
 mka policy mka_policy_256
 mka pre-shared-key key-chain mka_keychain
Check that the MKA session is up and secured.
Switch#sh mka session
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
Te1/0/48 00f6.6389.8b30/0037 test NO YES
55 00fe.c8d4.44b0/0037 1 Secured 1234000000000000000000000000000000000000000000000000000000000000
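As an added example (not part of the original page and not Cisco code), the following Python renders the key chain, MKA policy and interface stanza shown above from a freshly generated random CAK, rejects key-strings of the wrong length for the chosen cryptographic-algorithm, and checks captured "show mka session" text for a fully secured session whose CKN matches. Function names are my own, and the embedded sample output is constructed to match the shape of the page's output.

```python
import re
import secrets

# CAK length per MKA cryptographic algorithm: aes-128-cmac uses a 16-byte CAK
# (32 hex digits), aes-256-cmac a 32-byte CAK (64 hex digits, as on this page).
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}
HEX = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample of 'show mka session' output, shaped like the page's.
SAMPLE_SHOW = "Total MKA Sessions....... 1\n Secured Sessions... 1\n" \
              " Pending Sessions... 0\n 55 00fe.c8d4.44b0/0037 1 Secured " + "1234" + "0" * 60

def new_cak(algorithm="aes-256-cmac"):
    """Fresh random CAK of the right size from the OS CSPRNG (never reuse one)."""
    return secrets.token_hex(CAK_HEX_LEN[algorithm] // 2)

def validate_keys(ckn, cak, algorithm):
    """Reject CKN/CAK values that are malformed or obviously not random."""
    # A CKN is 1..32 octets (IEEE 802.1X), so an even count of hex digits.
    if not HEX.match(ckn) or len(ckn) % 2 or len(ckn) > 64:
        raise ValueError("CKN must be an even number of hex digits, 2..64")
    if not HEX.match(cak) or len(cak) != CAK_HEX_LEN[algorithm]:
        raise ValueError(f"CAK for {algorithm} must be {CAK_HEX_LEN[algorithm]} hex digits")
    if len(set(cak.lower())) < 4:  # heuristic: catches all-zero style placeholders
        raise ValueError("CAK looks like a placeholder, not a random key")

def render_mka_config(interface, ckn, cak, algorithm="aes-256-cmac",
                      keychain="mka_keychain", policy="mka_policy_256",
                      cipher="gcm-aes-256", priority=2):
    """Render the key chain, MKA policy and interface stanza; apply on both peers."""
    validate_keys(ckn, cak, algorithm)
    return "\n".join([
        f"key chain {keychain} macsec", f" key {ckn}",
        f"  cryptographic-algorithm {algorithm}", f"  key-string {cak}",
        "  lifetime local 00:00:00 Jan 1 2000 infinite",
        f"mka policy {policy}", f" key-server priority {priority}",
        f" macsec-cipher-suite {cipher}",
        f"interface {interface}", " switchport mode trunk", " macsec network-link",
        f" mka policy {policy}", f" mka pre-shared-key key-chain {keychain}",
    ])

def session_is_secured(show_output, ckn):
    """True when every MKA session is Secured and the expected CKN appears.
    IOS-XE prints the CKN zero-padded to 64 hex digits (32 octets)."""
    total = int(re.search(r"Total MKA Sessions\.*\s+(\d+)", show_output).group(1))
    secured = int(re.search(r"Secured Sessions\.*\s+(\d+)", show_output).group(1))
    padded = ckn.lower().ljust(64, "0")
    return total > 0 and secured == total and padded in show_output.lower()
```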
Verify that MACsec is enabled on the interface.
Switch#sh macsec int ten1/0/48
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-256
Confidentiality Offset : 0