EasyManuals Logo

Cisco Catalyst 4500 Series Software Configuration Guide

Cisco Catalyst 4500 Series
2086 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #116 background imageLoading...
Page #116 background image
1-36
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 1 Product Overview
Security Features
Cisco TrustSec MACsec Encryption
MACsec (Media Access Control Security) is the IEEE 802.1AE standard for authenticating and
encrypting packets between two MACsec-capable devices. The Catalyst 4500 series switch supports
802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between
the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by
using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association
Protocol (SAP) key exchange. Link layer security can include both packet authentication between
switches and MACsec encryption between switches (encryption is optional).
For more information on TrustSec MACsec encryption, see Chapter 48, “Configuring MACsec
Encryption.
Cisco TrustSec Security Architecture
The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted
network devices. Each device in the domain is authenticated by its peers. Communication on the links
between devices in the domain is secured with a combination of encryption, message integrity check,
and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials
acquired during authentication for classifying the packets by security groups (SGs) as they enter the
network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec
network so that they can be properly identified for the purpose of applying security and other policy
criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce
the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Cisco TrustSec Security Groups, SGTs and SGACLs
Note This support is provided only on Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine
8-E, and Catalyst 4500X.
A security group is a grouping of users, endpoint devices, and resources that share access control
policies. Security groups are defined by the administrator in the Cisco ISE or Cisco Secure ACS. As new
users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new
entities to appropriate security groups. Once a device is authenticated, Cisco TrustSec tags any packet
that originates from that device with a security group tag (SGT) that contains the security group number
of the device. The packet carries this SGT throughout the network.
Using security group access control lists (SGACLs), you can control the operations that users can
perform based on the security group assignments of users and destination resources.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
For Cisco TrustSec SGFT and SGACL guidelines and restrictions that apply on the Catalyst 4500 series
switch, refer to "Appendix B. Notes for the Catalyst 4500 Series Switches" in the Cisco TrustSec Switch
Configuration Guide.

Table of Contents

Other manuals for Cisco Catalyst 4500 Series

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco Catalyst 4500 Series and is the answer not in the manual?

Cisco Catalyst 4500 Series Specifications

General IconGeneral
SeriesCatalyst 4500 Series
CategorySwitch
Layer SupportLayer 2, Layer 3
Form FactorModular chassis
StackableNo
Chassis Slots3, 6, 7, 10
Power Supply OptionsAC, DC
RedundancyPower supply, Supervisor engine
Network ManagementCisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
FeaturesSecurity, QoS
Port DensityUp to 384 ports per chassis
Security Features802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine8-E

Related product manuals