Cisco 6500 MACsec encryption software

Aug 04, 2014 Encryption on Cisco switches over Layer 2 Ethernet. Supports full Cisco TrustSec capabilities with hardware acceleration for security group tag imposition and IEEE 802. With its software-delivered approach, you have network-wide control and visibility. With Supervisor Engine 2T, Cisco TrustSec (CTS) is included with Cisco IOS Software. The vulnerability is in the encryption library used by the vulnerable software. Cisco TrustSec (CTS) is included with Cisco IOS Software and does not. The MSFC5 builds the Cisco Express Forwarding information base (FIB) table in software. Software-defined segmentation with Cisco TrustSec on TechWiseTV duration. I'm thinking the best way would be on the switch at both sides of the fiber connection. Cisco MACsec license, electronic delivery, la9kmacsec10. Table 1 lists the primary Cisco TrustSec-related features available for the first time on the Cisco Catalyst 6500 with the Supervisor Engine 2T and 6900 Series line cards. Table 1 lists the primary Cisco TrustSec-related features available for the first time on the Cisco Catalyst 6500. Cisco Catalyst 6500 with Supervisor Engine 2T and all the features and the technical advancements establish. Nov 26, 2011 MACsec encryption has become increasingly popular and important to campus network design, but previous switch performance degraded when encrypted traffic was passing through it.

Cisco VS-S2T-10G Catalyst 6500 Supervisor Engine, new, sealed. A switch that can be configured for MACsec encryption. MACsec (Media Access Control Security): this describes how to enable MACsec (Media Access Control Security) encryption between two Catalyst switches. The new 9200 is backed by Cisco's security portfolio that includes Talos, trustworthy solutions, MACsec encryption, and segmentation. We need to encrypt all traffic between 2 sites over fiber. Oct 14, 2016 MACsec is an IEEE standard for security in wired Ethernet LANs. MACsec is supported on Catalyst 3750-X and 3560-X Universal IP Base. I thought I'd post a brief note on some implications of using MACsec after watching a rather informative Cisco Live session on the topic. We have 2 Cisco Catalyst 6500 E Series manuals available for free PDF download. Cisco ASA Software IPsec denial of service vulnerability. MACsec is the standard for authenticating and encrypting the data link layer between switches. Cisco 6500 Catalyst Series 10 Gigabit EN interface. A common question customers ask is about layering security into the solution, and this article discusses just how to do that with MACsec and AES 128-bit encryption.

Other devices will see the VSS-configured 6500 as a single device, which means it's possible to use Multichassis EtherChannel, and protocols like Spanning Tree will only see a. MACsec port configuration in combination with RSPAN configuration causes the incorrect RSPAN of EAPOL frames, causing issues with MACsec encryption setup. Key management and the establishment of secure associations is outside the scope of 802. There are no service modules for the Cisco Catalyst 3650. Cisco has hinted that it might be supported in the future but nothing hard.

With this, Cisco has pioneered a host of rich capabilities such as high availability based on Stateful Switchover (SSO) on stacking, granular QoS. If no SAP parameters are defined, Cisco TrustSec encapsulation or encryption is not performed. If you select GCM as the SAP operating mode, you must have a MACsec encryption software license from Cisco. Buy a Cisco MACsec license (electronic delivery) or other network management software at.

MACsec link goes down periodically with the message. Cisco Catalyst 6500 Series with Supervisor Engine 2T. There are three bits you need to get it all working, though, and only Cisco currently has all three bits in a commercial state. Cisco Systems Catalyst 6500 Sup2T MACsec verification. Cisco TrustSec switch configuration guide: Cisco TrustSec. MACsec encryption: deploy high-performance encryption to reduce man-in-the-middle threats. And now for the practical section: for using MACsec you will have to use a switch with supported hardware such as the 3560-X, 3750-X, 4500, 6500 series or even Nexus; the complete list can be found on the Cisco site. Here in my lab I used a 3750-X. Telemetry-based infrastructure device integrity monitoring. The Cisco Catalyst 3850 is the first stackable access switching platform that enables wired plus wireless services on a single Cisco IOS XE Software-based platform. Mapping between Cisco Catalyst 2960-X/XR and 9200 Series. MACsec support on the Catalyst 4500-X as from IOS XE 3. The FRULink 10G service module (C3KX-SM-10G) in switch 1 has a software. Stackable Catalyst 3850 Series multigigabit and 10 Gbps network switches give you wired and wireless together so you can scale up and protect your investments.

Cisco Catalyst 3850 switches datasheet, Cisco router, Cisco. Cisco MACsec on Cisco Catalyst switching platforms (YouTube). Unlock intent-based networking capabilities on your switches, routers, and wireless hardware through Cisco DNA software. Security Configuration Guide, Cisco IOS XE Everest 16. To configure Cisco TrustSec on the Cisco Catalyst 6500 Series switches. From what I understand the 3560 switches can only do MACsec encryption. It is not supported with the NPE license or with a LAN Base service image. We have a Cisco switch on each side but the fiber it runs over is leased and encryption (AES-256 minimum) is required on a leased. The connection has to be encrypted so MACsec is the logical choice. Cisco has hinted that it might be supported in the future but nothing hard-set has been released that I'm aware of.

MACsec encryption has become increasingly popular and important to campus network design, but previous switch performance degraded when encrypted traffic was passing through it. Cisco IOS: configuring switch-to-switch MACsec (PeteNetLive). Hi all, is anyone aware of any restrictions to using MACsec on the uplinks of a service module whilst the uplink ports are in an EtherChannel? Securing Overlay Transport Virtualization (OTV) with Cisco. As per the new software features in release IOS XE 3.

It means that there are two options with MACsec: just to verify that nobody modified the packet on the point-to-point link, and the second option to totally encrypt. Security Configuration Guide, Cisco IOS XE Gibraltar 16. MACsec is an IEEE standard for security in wired Ethernet LANs. Prevent an encryption bottleneck on high-speed links. Cisco Catalyst 6500 Series with Supervisor Engine 2T enabling. The Supervisor Engine 2T is designed to deliver higher performance, better scalability, and enhanced hardware-enabled features. It is possible that certain fixed software releases for this vulnerability are affected by a bug described in Cisco. The Cisco Catalyst 6500 with Supervisor Engine 2T and 6900 Series line cards provide complete hardware and software support for implementing a Cisco TrustSec network. Jan 15, 2016 The Cisco Catalyst 6500-E with Supervisor Engine 2T supports Flexible NetFlow with Cisco IOS Software Release 12. MACsec is a Layer 2 protocol that relies on GCM-AES-128 to offer integrity and confidentiality, and. Catalyst 3750-X and 3560-X Software Configuration Guide, Release 15. Configuring MACsec on EX, QFX and SRX devices (TechLibrary). Do you have the right license and software installed?

Prevent an encryption bottleneck on high-speed links (Cisco). Then, where is the discussion about all Cisco's advanced capabilities: MACsec-256 encryption, FNF, MPLS, etc., etc.? There are tons more. Meaning that you can set up VLANs but you won't be able to route between them. The gathering of flow information is done by all forwarding engines (PFC4s/DFC4s) individually for both IPv4 and IPv6 traffic, allowing the system to collect up to million flow entries in a 65E system. Using Overlay Transport Virtualization for your data center interconnect is a hot trend in the cloud-enabled world we live in today. Common encryption security protocols can slow down high-speed network links, but there is an alternative that lets them fly. These limitations, as well as customers needing 40/100GE link encryption, are precisely why Cisco reintroduced Media Access Control Security, or MACsec, into its product lines for routers, data center and campus switches.

The Cisco Catalyst 6500 Supervisor Engine 2T (Figure 1) is the newest addition to the family of supervisor engines. Network traffic encryption in Linux using MACsec and. Understanding Media Access Control Security (MACsec) on MX. Cisco MACsec on Cisco Catalyst switching platforms. Cisco software encryption library information disclosure. Jan 05, 2016 For branch routers, please check the comparison of Cisco Integrated Services Routers. This vulnerability affects Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers that have a Supervisor Engine 720 module or Supervisor Engine 32 module running a vulnerable release of Cisco IOS Software, if all the following conditions exist for the device. Link-layer security can include both packet authentication between switches and MACsec encryption between switches (encryption. The IPsec VPN systems provide a broad suite of services and a multitude of I/O interfaces. Audio Video Bridging Configuration Guide, Cisco IOS XE Fuji 16. The Cisco Digital Network Architecture (Cisco DNA) gives you comprehensive intent-based networking across your campus, branch and WAN with robust wired, wireless, and routing solutions. All downlink ports on the switch can run Cisco TrustSec MACsec link-layer switch-to-switch security. Brocade takes on Cisco in the campus network world. Just like IPsec protects the network layer, and SSL protects application data, MACsec protects traffic at the data link layer (Layer 2).

After you enable MACsec on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption. MACsec: the Cisco Catalyst 3750-X and 3560-X Series switches offer exceptional security with integrated hardware support for MACsec, defined in IEEE 802. Between MACsec-capable devices, packets are encrypted on egress. Compared to the scale and feature richness of the Catalyst 9300 Series switches, Catalyst 9200 Series switches focus on offering right-sized switching for simple branch deployments. We have a Cisco switch on each side but the fiber it runs over is leased and encryption (AES-256 minimum) is required on a leased line. The MACsec Key Agreement (MKA) protocol provides the required session. Between MACsec-capable devices, packets are encrypted on egress from the transmitting device, decrypted on ingress to the receiving device, and in the clear within the devices. The Cisco Catalyst 3650 is hardware-ready for MACsec, and software.

The switch also supports MACsec link-layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Cisco software contains a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. Media Access Control Security, or MACsec, is the Layer 2 hop-to-hop network traffic protection. Cisco MACsec: recently there is an increased demand for Layer 2 encryption; more and more customers are now buying high-speed point-to-point links, due to their low cost, and use them to extend their Layer 2 network to remote locations, but they still need these links to be encrypted and secure. With MACsec, encryption rates equal the link speed rates minus a small amount of overhead. Link-layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional). MACsec ESS has evolved Layer 2 encryption to enable robust security for your enterprise. MACsec encryption is the other part of the MACsec capability and it's optional, but most likely always enabled. Acquiring and downloading the Junos OS software, acquiring and downloading the MACsec feature license, configuring the PIC mode of the MACsec-capable interfaces (EX4200 switches only), configuring MACsec using static connectivity association key (CAK) mode (recommended for enabling MACsec on switch-to-switch links), configuring MACsec to secure a switch-to-host link, configuring MACsec using. MACsec provides MAC-layer encryption over wired networks using out-of-band methods for encryption keying. Catalyst 4500 Series Switch Software Configuration.

In order to support new Cisco TrustSec functionality such as SGT and IEEE 802. Hitless failover and in-service software upgrades mean. We have a situation where we need to encrypt the traffic on a Layer 2 VLAN. Reduce security hacks with policy-based segmentation across the entire network fabric. The information below comes from Cisco but, given MACsec is a standard, I'd expect it to be quite close for everyone else. Cisco IOS Software for Cisco Catalyst 6500 Series switches.

On MX Series routers, you enable MACsec by using the static CAK security mode. Cisco Catalyst IPsec VPN systems take advantage of the Cisco 7600/Catalyst 6500 IPsec VPN Services Module and provide up to 2 Gbps of Triple Data Encryption Standard (3DES) encryption. Solved: encryption on Cisco switches over Layer 2 Ethernet. For accuracy and completeness, this should have been mentioned. Cisco Content Hub: Cisco Catalyst 3850 Series switches. The Virtual Switching System (VSS) allows two Cisco Catalyst 6500 or 4500 chassis to bond together so that it is seen as a single virtual switch to the rest of the network. The Cisco Catalyst 3650 natively supports the features supported by the service module in the 3560-X. See Configuring Media Access Control Security (MACsec) on MX Series routers. In order to successfully set up switch-to-switch MACsec encryption, the following are needed. MACsec is supported on Catalyst 3750-X and 3560-X Universal IP Base and IP Services licenses. Cisco WAN MACsec encryption solution to protect your network duration. The new addition to the Cisco Catalyst 9000 Series family is the Catalyst 9200, which targets the midmarket. MACsec is ASIC-based line-rate encryption provided by some platforms. Note: MACsec is supported on the Catalyst 4500 Series switch Universal K9 image.

Encryption over fiber between 2 sites (Cisco, Spiceworks). To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco security advisories that impact a specific software. To configure MACsec link-to-link encryption, the SAP negotiation parameters must be defined. This blog will give an overview of what MACsec is, how it differs from other security standards, and present some ideas about how it can be used. With Supervisor Engine 2T, Cisco TrustSec (CTS) is included with Cisco IOS Software and does not require a separate feature license. Jul 11, 2019 Media Access Control Security, or MACsec, is the Layer 2 hop-to-hop network traffic protection.

Hi, I'm trying to develop a concept to connect two 6500s using DWDM. Learn the details of the technology and how to leverage it. The following example shows how to change the Cisco TrustSec password between a Catalyst 6500 switch and a Cisco Secure ACS. Understanding Media Access Control Security (MACsec).