1-9
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring MACsec Encryption
Understanding Cisco TrustSec MACsec
When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange
occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security
parameters, and manage keys. Successful completion of these tasks results in the establishment of a
security association (SA).
Depending on your software version and licensing and link hardware support, SAP negotiation can use
one of these modes of operation:
• Galois Counter Mode (GCM)—authentication and encryption
• GCM authentication (GMAC)— GCM authentication, no encryption
• No Encapsulation—no encapsulation (clear text)
• Null—encapsulation, no authentication or encryption
Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard. GCM is
not supported on switches running the NPE or the LAN base image.
Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network device
to network device links, that is, switch-to-switch links. It is not supported on:
• Host facing access ports (these ports support MKA MACsec)
• Switch virtual interfaces (SVIs)
• SPAN destination ports
Ta b l e 1- 2 C i s c o Tr u s t S e c F e a t u re s
Cisco TrustSec Feature Description
802.1AE Encryption (MACsec) Protocol for 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.
Between MACsec-capable devices, packets are encrypted on egress from the
sending device, decrypted on ingress to the receiving device, and in the clear
within the devices.
This feature is only available between 802.1AE-capable devices.
Network Device Admission Control (NDAC) NDAC is an authentication process by which each network device in the
TrustSec domain can verify the credentials and trustworthiness of its peer
device. NDAC uses an authentication framework based on IEEE 802.1x
port-based authentication and uses Extensible Authentication Protocol
Flexible Authentication via Secure Tunnel (EAP-FAST) as its EAP method.
Authentication and authorization by NDAC results in Security Association
Protocol negotiation for 802.1AE encryption.
Security Association Protocol (SAP) SAP is a Cisco proprietary key exchange protocol between switches. After
NDAC switch-to-switch authentication, SAP automatically negotiates keys
and the cipher suite for subsequent switch-to-switch MACsec encryption
between TrustSec peers. The protocol description is available under a
nondisclosure agreement.
Security Group Tag (SGT) An SGT is a 16-bit single label showing the security classification of a source
in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.
SGT Exchange Protocol (SXP), including
SXPv2
With SXP, devices that are not TrustSec-hardware capable can receive SGT
attributes for authenticated users or devices from the Cisco Access Control
System (ACS). The devices then forward the source IP-to-SGT binding to a
TrustSec-hardware capable device for tagging and security group ACL
(SGACL) enforcement.
To Next Page
Loading...
