nanog mailing list archives

Re: MACsec SFP


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 25 Jun 2014 17:02:49 -0400

On Wed, Jun 25, 2014 at 4:51 PM, Pieter Hulshoff <phulshof () aimvalley nl> wrote:
> On 25-06-14 22:45, Christopher Morrow wrote:
>
>> today you program the key (on switches that do macsec, not in an SFP
>> that does it for you, cause those don't exist, yet) in your router
>> config and as near as I have seen there isn't a key distribution
>> protocol aside from that which you write/manage yourself and which is
>> likely using ssh/snmp(ick)/telnet(ick).
>
> I'm not familiar with the MACsec key distribution available in current
> routers/switches. Are you saying Cisco doesn't support EAP and/or MKA for
> this purpose or just that the command protocol for configuring EAP/MKA is
> run via SSH/SNMP/telnet?

I had looked a bit ago (like a year or so perhaps longer) for this and
it seemed like command-line on the switch functions only. This:
  
<http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf>

(for 15.0 IOS on a 3750... ymmv on others of course)

it looks like they have MKA (and eap) for user-facing ports, and some
nutty cisco thing (trustsec) for switch-to-switch. I never looked at
this for machine-facing ports... Oh, the manual setup for
switch-to-switch is possibly what I recall from my last look at this.

-chris

