7-72
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 7 Cisco TrustSec Command Summary
sap (cts manual interface submode)
Use the sap mode-list command to manually specify the Pairwise Master Key (PMK) and the Security
Association Protocol (SAP) authentication and encryption modes to negotiate MACsec link encryption
between two interfaces. Use the no form of the command to revert to the default.
[no] sap pmk hex_value [modelist {gcm-encrypt | gmac | no-encap | null} [gcm-encrypt | gmac | no-encap | null] . . . ]

Syntax Description
pmk hex_value    Hex-data PMK (without leading 0x; enter an even number of hex characters, otherwise the last character is prefixed with 0)
modelist         List of advertised modes (prioritized from highest to lowest)
gcm-encrypt      Specifies GCM authentication, GCM encryption
gmac             Specifies GCM authentication, no encryption
no-encap         Specifies no encapsulation
null             Specifies encapsulation present, no authentication, no encryption

Defaults
The default encryption is sap modelist gcm-encrypt null. When the peer interface does not support dot1x, 802.1AE MACsec, or 802.REV layer-2 link encryption, the default encryption is null.

Command Modes
CTS manual interface configuration submode (config-if-cts-manual)

Supported User Roles
Administrator

Command History
Release        Modification
12.2(50) SY    This command was introduced on the Catalyst 6500 Series Switches.

Usage Guidelines
The Security Association Protocol (SAP) is an encryption key derivation and exchange protocol based on a draft version of the 802.11i IEEE protocol. In a TrustSec configuration, the keys are used for MACsec link-to-link encryption between two interfaces.

If 802.1X authentication is not possible, SAP and the Pairwise Master Key (PMK) can be manually configured between two interfaces with the sap pmk command. When using 802.1X authentication, both sides (supplicant and authenticator) receive the PMK and the MAC address of the peer's port from the Cisco Secure Access Control Server.

Examples
The following example shows a SAP configuration for a Gigabit Ethernet interface:
router(config)# interface gigabitEthernet 2/1
router(config-if)# cts manual
router(config-if-cts-manual)# sap pmk FFFEE mode-list gcm-encrypt
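The PMK hex rule and the mode-list fallback described above, as an added Python example that is not part of the Cisco guide: it normalizes a PMK string the way the syntax description states (an odd-length value gets its last character prefixed with 0), accepts both the "modelist" and "mode-list" spellings that appear on this page, and audits a constructed running-config excerpt to report interfaces whose advertised mode list would let a peer negotiate an unencrypted mode (gmac, no-encap or null). The function names and the sample configuration are assumptions made for this example.

```python
import re

# Modes the sap command can advertise, and the subset that leaves frames
# unencrypted (gmac authenticates only; no-encap and null protect nothing).
ALLOWED_MODES = ("gcm-encrypt", "gmac", "no-encap", "null")
UNENCRYPTED_MODES = {"gmac", "no-encap", "null"}
DEFAULT_MODE_LIST = ("gcm-encrypt", "null")  # default stated by the guide
# The guide spells the keyword both "modelist" and "mode-list"; accept both.
SAP_RE = re.compile(r"^sap\s+pmk\s+(\S+)(?:\s+mode-?list\s+(.+?))?$")

def normalize_pmk(hex_value: str) -> str:
    """Guide's PMK rule: hex only, no leading 0x, odd length -> last char prefixed with 0."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_value):
        raise ValueError("PMK must be hex characters without a leading 0x")
    if len(hex_value) % 2:
        hex_value = hex_value[:-1] + "0" + hex_value[-1]
    return hex_value.upper()

def parse_sap_line(line: str):
    """Return (normalized PMK, advertised modes); no mode list means the documented default."""
    match = SAP_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a sap pmk line: {line!r}")
    modes = tuple(match.group(2).split()) if match.group(2) else DEFAULT_MODE_LIST
    unknown = [m for m in modes if m not in ALLOWED_MODES]
    if unknown:
        raise ValueError(f"unknown SAP mode(s): {unknown}")
    return normalize_pmk(match.group(1)), modes

def audit_cts_manual_config(config_text: str) -> list:
    """Per interface: advertised modes, and whether any unencrypted mode is in the priority list."""
    findings, interface = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
        elif line.startswith("sap pmk") and interface:
            pmk, modes = parse_sap_line(line)
            findings.append({"interface": interface, "pmk": pmk, "modes": modes,
                             "allows_unencrypted": bool(UNENCRYPTED_MODES & set(modes))})
    return findings

# Constructed sample: one explicit strict mode list, one line relying on the default.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 cts manual
  sap pmk FFFEE mode-list gcm-encrypt
interface GigabitEthernet2/2
 cts manual
  sap pmk abc
"""
```

Running audit_cts_manual_config(SAMPLE_CONFIG) reports the second interface as allowing an unencrypted mode, because omitting the mode list leaves the documented default gcm-encrypt null in effect.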