48-22
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 48 Configuring MACsec Encryption
Configuring Cisco TrustSec MACsec
Note
Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed
and non-seed devices. For 802.1X mode, you must configure at least one seed device, that device closest
to the access control system (ACS). See this section in the
Cisco TrustSec Switch Configuration Guide
:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode
You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another
Cisco TrustSec device. When configuring Cisco TrustSec in 802.1X mode on an interface, follow these
guidelines:
•
To use 802.1X mode, you must globally enable 802.1X on each device.
•
If you select GCM as the SAP operating mode, you must have a MACsec encryption software
license from Cisco.
Note
MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported
with the NPE license or with a LAN Base service image.
If you select GCM without the required license, the interface is forced to a link-down state.
To configure Cisco TrustSec switch-to-switch link layer security with 802.1X, perform this task:
Command
Purpose
Step 1
configure terminal
Enters global configuration mode.
Step 2
interface
interface-id
Enters interface configuration mode.
Step 3
cts dot1x
Configures the interface to perform NDAC authentication.
Step 4
sap mode-list
mode1
[
mode2
[
mode3
[
mode4
]]]
(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.
Choices for
mode
are:
•
gcm-encrypt
—Authentication and encryption
Note
Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.
•
gmac
—Authentication, no encryption
•
no-encap
—No encapsulation
•
null
—Encapsulation, no authentication or encryption
Note
If the interface is not capable of data link encryption,
no-encap
is the default and the only available SAP
operating mode. SGT is not supported.
Note
Although visible in the CLI help, the
timer reauthentication
and
propagate sgt
keywords are not
supported. However, the
no propagate sgt
keyword is supported (refer to Step 5 in the next section).
Содержание Catalyst 4500 Series
Страница 2: ......
Страница 4: ......
Страница 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...