1-11
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring MACsec Encryption
Configuring Cisco TrustSec MACsec
Note Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed
and non-seed devices. For 802.1x mode, you must configure at least one seed device, that device closest
to the access control system (ACS). See this section in the Cisco TrustSec Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html
Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1x Mode
You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another
Cisco TrustSec device. When configuring Cisco TrustSec in 802.1x mode on an interface, follow these
guidelines:
• To use 802.1x mode, you must globally enable 802.1x on each device.
• If you select GCM as the SAP operating mode, you must have a MACsec encryption software
license from Cisco. MACsec is supported on Catalyst 3750-X and 3560-X universal IP base and IP
services licenses. It is not supported with the NPE license or with a LAN base service image.
If you select GCM without the required license, the interface is forced to a link-down state.
Beginning in privilege EXEC mode, follow these steps to configure Cisco TrustSec switch-to-switch link
layer security with 802.1x.
Command Purpose
Step 1
configure terminal Enters global configuration mode.
Step 2
interface interface-id Note Enters interface configuration mode.
Step 3
cts dot1x Configures the interface to perform NDAC authentication.
Step 4
sap mode-list mode1 [mode2 [mode3
[mode4]]]
(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.
Choices for mode are:
• gcm-encrypt—Authentication and encryption
Note Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.
• gmac—Authentication, no encryption
• no-encap—No encapsulation
• null—Encapsulation, no authentication or encryption
Note If the interface is not capable of data link encryption,
no-encap is the default and the only available SAP
operating mode. SGT is not supported.
Note Although visible in the CLI help, the timer reauthentication and propagate sgt keywords are not
supported.
Step 5
exit Exits Cisco TrustSec 802.1x interface configuration mode.
Step 6
end Returns to privileged EXEC mode.