Cisco TrustSec

208 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

3-7

Cisco TrustSec Configuration Guide

OL-22192-02

Chapter 3 Configuring Identities, Connections, and SGTs

Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port

Step 4

Router(config-if-cts-manual)# [no] sap pmk

key [mode-list mode1 [mode2 [mode3

[mode4]]]]

(Optional) Configures the SAP pairwise master key

(PMK) and operation mode. SAP is disabled by

default in Cisco TrustSec manual mode.

• key—A hexadecimal value with an even number

of characters and a maximum length of 32

characters.

The SAP operation mode options are:

• gcm— Authentication and encryption

• gmac— Authentication, no encryption

• no-encap— No encapsulation

• null— Encapsulation, no authentication or

encryption

Note MACsec with SAP is not supported on the

Catalyst 3K switches.

Note If the interface is not capable of SGT

insertion or data link encryption, no-encap

is the default and the only available SAP

operating mode.

Step 5

Router(config-if-cts-manual)# [no] policy

dynamic identity peer-name

(Optional) Configures Identity Port Mapping (IPM)

to allow dynamic authorization policy download

from authorization server based on the identity of

the peer. See the additional usage notes following

this task.

• peer-name—The Cisco TrustSec device ID for

the peer device. The peer name is case sensitive.

Note Ensure that you have configured the Cisco

TrustSec credentials (see “Configuring

Credentials and AAA for a Cisco TrustSec

Seed Device” section on page 3-2).

Router(config-if-cts-manual)# [no] policy

static sgt tag [trusted]

(Optional) Configures a static authorization policy.

See the additional usage notes following this task.

• tag—The SGT in decimal format. The range is

1 to 65533.

• trusted—Indicates that ingress traffic on the

interface with this SGT should not have its tag

overwritten.

Step 6

Router(config-if-cts-manual)# [no]

propagate sgt

(Optional) The no form of this command is used

when the peer is incapable of processing an SGT.

The no propagate sgt command prevents the

interface from transmitting the SGT to the peer.

Step 7

Router(config-if-cts-manual)# exit

Exits Cisco TrustSec manual interface configuration

mode.

Step 8

Router(config-if)# shutdown

Disables the interface.

Command Purpose

Table of Contents

Related product manuals

Cisco WS-C2948G-GE-TX

Preview: Cisco WS-X6148-GE-TX - Switch

Cisco WS-X6148-GE-TX - Switch

Preview: Cisco 500 Series

Cisco 500 Series

Preview: Cisco WS-C2950-12

Cisco WS-C2950-12

Preview: Cisco Catalyst 3560

Cisco Catalyst 3560

Preview: Cisco MDS 9000 Series

Cisco MDS 9000 Series

Preview: Cisco Nexus 3000 series

Cisco Nexus 3000 series

Preview: Cisco Nexus 7000 Series

Cisco Nexus 7000 Series

Preview: Cisco Catalyst 2960 Series

Cisco Catalyst 2960 Series

Preview: Cisco Catalyst 4500 Series

Cisco Catalyst 4500 Series

Preview: Cisco Catalyst 4900 Series

Cisco Catalyst 4900 Series

Preview: Cisco Catalyst 8500 Series

Cisco Catalyst 8500 Series