48-22
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 48 Configuring MACsec Encryption
Configuring Cisco TrustSec MACsec
Note Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed
and non-seed devices. For 802.1X mode, you must configure at least one seed device, that device closest
to the access control system (ACS). See this section in the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode
You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another
Cisco TrustSec device. When configuring Cisco TrustSec in 802.1X mode on an interface, follow these
guidelines:
• To use 802.1X mode, you must globally enable 802.1X on each device.
• If you select GCM as the SAP operating mode, you must have a MACsec encryption software
license from Cisco.
Note MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported
with the NPE license or with a LAN Base service image.
If you select GCM without the required license, the interface is forced to a link-down state.
To configure Cisco TrustSec switch-to-switch link layer security with 802.1X, perform this task:
Command Purpose
Step 1
configure terminal
Enters global configuration mode.
Step 2
interface interface-id
Enters interface configuration mode.
Step 3
cts dot1x
Configures the interface to perform NDAC authentication.
Step 4
sap mode-list mode1 [mode2 [mode3
[mode4]]]
(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.
Choices for mode are:
• gcm-encrypt—Authentication and encryption
Note Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.
• gmac—Authentication, no encryption
• no-encap—No encapsulation
• null—Encapsulation, no authentication or encryption
Note If the interface is not capable of data link encryption,
no-encap is the default and the only available SAP
operating mode. SGT is not supported.
Note Although visible in the CLI help, the timer reauthentication and propagate sgt keywords are not
supported. However, the no propagate sgt keyword is supported (refer to Step 5 in the next section).
To Next Page
Loading...
Need help?
General
