EasyManuals Logo

Cisco Catalyst 4500 Series Administration Guide

Cisco Catalyst 4500 Series
1814 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #1134 background imageLoading...
Page #1134 background image
45-12
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 45 Configuring MACsec Encryption
Configuring Cisco TrustSec MACsec
This example shows how to enable Cisco TrustSec authentication in 802.1X mode on an interface using
GCM as the preferred SAP mode:
Switch# configure terminal
Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts dot1x
Switch(config-if-cts-dot1x)# sap mode-list gcm-encrypt null no-encap
Switch(config-if-cts-dot1x)# exit
Switch(config-if)# end
Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode
If your switch does not have access to an authentication server or if 802.1X authentication is not needed,
you can manually configure Cisco TrustSec on an interface. You must manually configure the interface
on each end of the connection.
When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and
restrictions:
• If no SAP parameters are defined, neither encryption nor MACsec Encapsulation are performed.
• If you select GCM as the SAP operating mode, you must have a MACsec Encryption software
license from Cisco. If you select GCM without the required license, the interface is forced to a
link-down state.
Step 4
sap mode-list mode1 [mode2 [mode3
[mode4]]]
(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.
Choices for mode are:
• gcm-encrypt—Authentication and encryption
Note Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.
• gmac—Authentication, no encryption
• no-encap—No encapsulation
• null—Encapsulation, no authentication or encryption
Note If the interface is not capable of data link encryption,
no-encap is the default and the only available SAP
operating mode. SGT is not supported.
Note Although visible in the CLI help, the timer reauthentication and propagate sgt keywords are not
supported. However, the no propagate sgt keyword is supported (refer to Step 5 in the next section).
Step 5
exit
Exits Cisco TrustSec 802.1X interface configuration mode.
Step 6
end
Returns to privileged EXEC mode.
Step 7
show cts interface [interface-id | brief
| summary
]
(Optional) Verifies the configuration by displaying TrustSec-related
interface characteristics.
Step 8
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Command Purpose

Table of Contents

Other manuals for Cisco Catalyst 4500 Series

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco Catalyst 4500 Series and is the answer not in the manual?

Cisco Catalyst 4500 Series Specifications

General IconGeneral
SeriesCatalyst 4500 Series
CategorySwitch
Layer SupportLayer 2, Layer 3
Form FactorModular chassis
StackableNo
Chassis Slots3, 6, 7, 10
Power Supply OptionsAC, DC
RedundancyPower supply, Supervisor engine
Network ManagementCisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
FeaturesSecurity, QoS
Port DensityUp to 384 ports per chassis
Security Features802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine8-E

Related product manuals