On Wed, Jun 25, 2014 at 4:51 PM, Pieter Hulshoff <phuls...@aimvalley.nl> wrote:
> On 25-06-14 22:45, Christopher Morrow wrote:
>>
>> today you program the key (on switches that do macsec, not in an SFP
>> that does it for you, cause those don't exist, yet) in your router
>> config and as near as I have seen there isn't a key distribution
>> protocol aside from that which you write/manage yourself and which is
>> likely using ssh/snmp(ick)/telnet(ick).
>
>
> I'm not familiar with the MACsec key distribution available in current
> routers/switches. Are you saying Cisco doesn't support EAP and/or MKA for
> this purpose or just that the command protocol for configuring EAP/MKA is
> run via SSH/SNMP/telnet?

I had looked a bit ago (like a year or so perhaps longer) for this and
it seemed like command-line on the switch functions only. This:
<http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf>

(for 15.0 IOS on a 3750... ymmv on others of course) it looks like they
have MKA (and eap) for user-facing ports, and some nutty cisco thing
(trustsec) for switch-to-switch. I never looked at this for
machine-facing ports...

Oh, the manual setup for switch-to-switch is possibly what I recall
from my last look at this.

-chris