48-5
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 48 Configuring MACsec Encryption
Understanding Media Access Control Security and MACsec Key Agreement
•
Programs the hardware with the derived secure association key (SAK) for encryption and
decryption.
MACsec, MKA, and 802.1X Host Modes
You can use MACsec and the MKA Protocol with 802.1X single-host mode, multiple-host mode, or
Multi Domain Authentication (MDA) mode.
Single-Host Mode
shows how a single EAP authenticated session is secured by MACsec using MKA.
Figure 48-1
MACsec in Single-Host Mode with a Secured Data Session
Multiple-Host Mode
In standard (not 802.1X-2010) 802. multiple-host mode, a port is open or closed based on a single
authentication. If one user, the primary secured client services client host, is authenticated, the same
level of network access is provided to any host connected to the same port. If a secondary host is a
MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary host that is a
non-MACsec host can send traffic to the network without authentication because it is in multiple-host
mode. See
Figure 48-2
MACsec in Standard Multiple-Host Mode - Unsecured
We do not recommend using multi-host mode because after the first successful client, authentication is
not required for other clients, which is not secure.
330051
MACsec
AAA
Access-control system
Switch with
MACsec
configured
Unsecured
Host
253664
AAA
Access-control system
Switch with
MACsec
configured
Primary host
Secondary host
Secondary host
Содержание Catalyst 4500 Series
Страница 2: ......
Страница 4: ......
Страница 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...