On Wed, Jun 25, 2014 at 4:51 PM, Pieter Hulshoff <phulshof@aimvalley.nl> wrote:
On 25-06-14 22:45, Christopher Morrow wrote:
Today you program the key (on switches that do MACsec, not in an SFP that does it for you, 'cause those don't exist, yet) in your router config, and as near as I have seen there isn't a key distribution protocol aside from that which you write/manage yourself and which is likely using ssh/snmp(ick)/telnet(ick).
I'm not familiar with the MACsec key distribution available in current routers/switches. Are you saying Cisco doesn't support EAP and/or MKA for this purpose or just that the command protocol for configuring EAP/MKA is run via SSH/SNMP/telnet?
I had looked a bit ago (like a year or so, perhaps longer) for this and it seemed like command-line on the switch functions only. This: <http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf> (for 15.0 IOS on a 3750... ymmv on others of course) it looks like they have MKA (and EAP) for user-facing ports, and some nutty Cisco thing (TrustSec) for switch-to-switch. I never looked at this for machine-facing ports... Oh, the manual setup for switch-to-switch is possibly what I recall from my last look at this.

-chris