Christopher Morrow morrowc.lists at
Wed Jun 25 21:02:49 UTC 2014

On Wed, Jun 25, 2014 at 4:51 PM, Pieter Hulshoff <phulshof at> wrote:
> On 25-06-14 22:45, Christopher Morrow wrote:
>> today you program the key (on switches that do macsec, not in an SFP
>> that does it for you, cause those don't exist, yet) in your router
>> config and as near as I have seen there isn't a key distribution
>> protocol aside from that which you write/manage yourself and which is
>> likely using ssh/snmp(ick)/telnet(ick).
> I'm not familiar with the MACsec key distribution available in current
> routers/switches. Are you saying Cisco doesn't support EAP and/or MKA for
> this purpose or just that the command protocol for configuring EAP/MKA is
> run via SSH/SNMP/telnet?

I had looked a bit ago (like a year or so perhaps longer) for this and
it seemed like command-line on the switch functions only. This:

(for 15.0 IOS on a 3750... ymmv on others of course)

it lookslike they have MKA (and eap) for user-facing ports, and some
nutty cisco thing (trustsec) for switch-to-switch. I never looked at
this for machine-facing ports... Oh, the manual setup for
switch-to-switch is possibly what i recall from my last look at this.


More information about the NANOG mailing list