Cisco Catalyst 4500 Series Software Configuration Guide
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 48 Configuring MACsec Encryption
Understanding Media Access Control Security and MACsec Key Agreement
Encryption Algorithms for MKA Control Packets
The cryptographic algorithm used to encrypt MKA control protocol packets is selected as follows:
• The cryptographic algorithm to encrypt MKA control protocol packets is configured as part of the
key chain. There can be only one cryptographic algorithm configured per key chain.
• A key server uses the configured MKA cryptographic algorithm from the key chain.
• All non-key servers must use the same cryptographic algorithm as the key server.
If an MKA cryptographic algorithm is not configured, a default cryptographic algorithm of
AES-CMAC-128 (Cipher-based Message Authentication Code with 128-bit Advanced Encryption
Standard) is used.
The following sample configures the encryption algorithm for data packets:
Switch(config)# mka policy p1
Switch(config-mka-policy)# macsec-cipher-suite [aes-128-cmac | aes-256-cmac]
The following sample configures the encryption algorithm for MKA control packets:
Switch(config)# key chain key-chain-name macsec
Switch(config-keychain-macsec)# key 01
Switch(config-keychain-macsec-key)# key-string 0001
Switch(config-keychain-macsec-key)# cryptographic-algorithm [aes-128-cmac | aes-256-cmac]
Switch(config-keychain-macsec-key)# end
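The three selection rules above (one algorithm per key chain, non-key servers must match the key server, AES-CMAC-128 when nothing is configured) can be checked offline from the running configurations of the peers. The following Python audit script is an added example, not part of the guide or of Cisco IOS; the configuration text, switch names and key chain name are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Default MKA control-packet algorithm when none is configured (per the guide).
DEFAULT_MKA_ALGORITHM = "aes-128-cmac"

@dataclass
class MacsecKeyChain:
    name: str
    algorithms: set = field(default_factory=set)

    def effective_algorithm(self):
        # The guide allows one algorithm per key chain; none configured means the default.
        if len(self.algorithms) > 1:
            raise ValueError(f"key chain {self.name}: more than one cryptographic-algorithm")
        return next(iter(self.algorithms), DEFAULT_MKA_ALGORITHM)

def parse_macsec_key_chains(config_text):
    """Collect cryptographic-algorithm settings from each MACsec key chain in a config."""
    chains, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"^key chain (\S+) macsec\s*$", line)
        if header:
            current = chains.setdefault(header.group(1), MacsecKeyChain(header.group(1)))
        elif not line.startswith(" "):   # an unindented line ends the key chain block
            current = None
        elif current is not None:
            alg = re.match(r"^\s+cryptographic-algorithm\s+(\S+)", line)
            if alg:
                current.algorithms.add(alg.group(1).lower())
    return chains

def peers_mismatching_key_server(key_server_cfg, peer_cfgs, chain_name):
    """Peers whose effective MKA algorithm for chain_name differs from the key server's."""
    expected = parse_macsec_key_chains(key_server_cfg)[chain_name].effective_algorithm()
    mismatched = []
    for peer, cfg in peer_cfgs.items():
        chain = parse_macsec_key_chains(cfg).get(chain_name)
        # A peer lacking the chain is reported too: it cannot join the connectivity association.
        if chain is None or chain.effective_algorithm() != expected:
            mismatched.append(peer)
    return sorted(mismatched)

# Constructed sample configs (not from the guide): the key server uses AES-256-CMAC,
# "sw2" matches, "sw3" omits the line and therefore falls back to AES-128-CMAC.
KEY_SERVER_CFG = "key chain kc1 macsec\n key 01\n  key-string 0001\n  cryptographic-algorithm aes-256-cmac\n!\n"
PEER_CFGS = {
    "sw2": KEY_SERVER_CFG,
    "sw3": "key chain kc1 macsec\n key 01\n  key-string 0001\n!\n",
}
```

Running `peers_mismatching_key_server(KEY_SERVER_CFG, PEER_CFGS, "kc1")` reports `['sw3']`, the peer that would silently negotiate with the weaker default and fail to match the key server.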
Virtual Ports
You use virtual ports for multiple secured connectivity associations on a single physical port. Each
connectivity association (pair) represents a virtual port, with a maximum of two virtual ports per
physical port. Only one of the two virtual ports can be part of a data VLAN; the other must externally
tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in
the same VLAN on the same port. Because of this limitation, 802.1X multiple authentication mode is
not supported.
The exception to this limitation is in multiple-host mode when the first MACsec supplicant is
successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host
connected to the hub can send traffic without authentication because it is in multiple-host mode. We do
not recommend using multi-host mode because after the first successful client, authentication is not
required for other clients.
Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside
the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual
port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on
the MAC address of the physical interface concatenated with a 16-bit port ID.
MACsec
A Catalyst 4500 series switch supervisor running MACsec maintains the configuration files that show
which ports on the switch support MACsec. The supervisor-engine performs these functions:
• Processes secure channel and secure association creation and deletion.