Cisco Catalyst 3560-X Software Configuration Manual page 371

Chapter 1
Configuring MACsec Encryption
Configuring MACsec on an Interface
Beginning in privileged EXEC mode, follow these steps to configure MACsec on an interface with one
MACsec session for voice and one for data:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Identify the MACsec interface, and enter interface configuration mode. The interface must be a physical interface. |
| Step 3 | switchport access vlan vlan-id | Configure the access VLAN for the port. |
| Step 4 | switchport mode access | Configure the interface as an access port. |
| Step 5 | macsec | Enable 802.1ae MACsec on the interface. |
| Step 6 | authentication event linksec fail action authorize vlan vlan-id | (Optional) Specify that the switch processes authentication link-security failures resulting from unrecognized user credentials by authorizing a restricted VLAN on the port after a failed authentication attempt. |
| Step 7 | authentication host-mode multi-domain | Configure authentication manager mode on the port to allow both a host and a voice device to be authenticated on the 802.1x-authorized port. If not configured, the default host mode is single. |
| Step 8 | authentication linksec policy must-secure | Set the LinkSec security policy to secure the session with MACsec if the peer is available. If not set, the default is should secure. |
| Step 9 | authentication port-control auto | Enable 802.1x authentication on the port. The port changes to the authorized or unauthorized state based on the authentication exchange between the switch and the client. |
| Step 10 | authentication violation protect | Configure the port to drop unexpected incoming MAC addresses when a new device connects to a port or when a device connects to a port after the maximum number of devices are connected to that port. If not configured, the default is to shut down the port. |
| Step 11 | mka policy policy name | Apply an existing MKA protocol policy to the interface, and enable MKA on the interface. If no MKA policy was configured (by entering the mka policy global configuration command), you must apply the MKA default policy to the interface by entering the mka default-policy interface configuration command. |
| Step 12 | dot1x pae authenticator | Configure the port as an 802.1x port access entity (PAE) authenticator. |
| Step 13 | spanning-tree portfast | Enable spanning tree Port Fast on the interface in all its associated VLANs. When Port Fast feature is enabled, the interface changes directly from a blocking state to a forwarding state without making the intermediate spanning-tree state changes. |
| Step 14 | end | Return to privileged EXEC mode. |
| Step 15 | show authentication session interface interface-id | Verify the authorized session security status. |
| Step 16 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

OL-25303-03
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Configuring MKA and MACsec
1-7
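The following audit script is an added example, not part of the Cisco manual: it checks saved running-config text for interfaces that carry MACsec or MKA commands but are missing a step from the table above, so the defaults the table names (single host mode, a policy other than must-secure, shut down on violation) are reported. It assumes the running-config lists each command as entered and omits settings left at their default; the function names, finding messages, and sample stanzas are constructed for illustration.

```python
import re
from itertools import takewhile
# (command regex, finding when absent); commands and defaults come from the step table.
CHECKS = [
    (r"macsec", "802.1ae MACsec not enabled"),
    (r"authentication host-mode multi-domain", "host mode at default (single)"),
    (r"authentication linksec policy must-secure", "LinkSec policy is not must-secure"),
    (r"authentication port-control auto", "802.1x authentication not enabled"),
    (r"authentication violation protect", "violation action at default (shut down port)"),
    (r"mka (policy \S+|default-policy)", "no MKA policy applied"),
    (r"dot1x pae authenticator", "not an 802.1x PAE authenticator"),
]
IN_SCOPE = re.compile(r"macsec|mka .+|authentication linksec .+")

def interface_blocks(config):
    """Split running-config text into {interface name: [stanza commands]}."""
    blocks = {}
    for chunk in re.split(r"(?m)^interface (?=\S)", config)[1:]:
        name, *rest = chunk.splitlines()
        # A stanza ends at the first unindented line ("!" or a global command).
        blocks[name.strip()] = [l.strip() for l in takewhile(lambda l: l[:1] == " ", rest)]
    return blocks

def audit(config):
    """Return {interface: [findings]} for interfaces carrying any MACsec/MKA command."""
    report = {}
    for name, lines in interface_blocks(config).items():
        missing = [msg for pat, msg in CHECKS
                   if not any(re.fullmatch(pat, l) for l in lines)]
        if missing and any(IN_SCOPE.fullmatch(l) for l in lines):
            report[name] = missing
    return report

# Constructed sample stanzas, not output from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 macsec
 authentication host-mode multi-domain
 authentication linksec policy must-secure
 authentication port-control auto
 authentication violation protect
 mka policy example-policy
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 macsec
 authentication port-control auto
 mka default-policy
 dot1x pae authenticator
"""
```

Calling `audit(SAMPLE_CONFIG)` reports only the second interface, which enables MACsec but leaves host mode, LinkSec policy, and violation action unset.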