Also, I have decided to test it between two 3750x:
- 3750X-24TS (without service module)
- 3750X-48TS (without service module)
I have applied the following configuration on each switch:
I have plugged the cable between this 2 switchs and checked that SAP 'succeeded':
Interface is up and configuration looks fine. But I have prefer checked by myself that the traffic is well encrypted. The best way to do this is to use a hub. But this equipment has disappeared from IT services and is very rare!! Also we have designed our own RJ45 TAP:).
I have used this magic TAP and wireshark to sniff the traffic between our both switchs.
Below, you can see the result of a packet when it's encrypted by MACSEC (802.1ae). We can see the Ethertype (88e5) used by this protocol.
To resume, MACSEC is available on Cisco Switch (switch-to-switch) on copper interface without Service Module. This configuration is not available on 3560X. I guess, the service module is mandatory for it.
Cool - just labbing this myself. Wondering what kind of performance hit we will get by using copper ports rather than the module?
ReplyDeleteWith the module you can have 10Gi interface and 1Gi without the module and using copper.
ReplyDeleteTried to add a comment with my phone - didn't work though.
ReplyDeleteThanks for getting back. I'm referring to the encryption. From what I understand the module allows encryption to be handled in hardware. Wondering if by configuring the encryption on a copper interface the encryption might be handled in software. Our ELAN WAN lionk that I want to traverse encrypted is only and 800 Mbps link anyway.I wouldn't need a 10G link for the connnection.
Thank you