Cisco Catalyst 4500 Series Software Configuration Manual page 1274

Understanding Cisco TrustSec MACsec
Table 48-2 Cisco TrustSec Features
Cisco TrustSec Feature
802.1AE Encryption (MACsec)
Network Device Admission Control (NDAC) NDAC is an authentication process by which each network device in the
Security Association Protocol (SAP)
Security Group Tag (SGT)
SGT is not supported in this release.
Note
SGT Exchange Protocol (SXP), including
SXPv2
When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange
occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security
parameters, and manage keys. Successful completion of these tasks results in the establishment of a
security association (SA).
Depending on your software version and licensing and link hardware support, SAP negotiation can use
one of these modes of operation:
•
•
•
•
Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard. GCM is
not supported on switches running the NPE or the LAN Base image.
Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network device
to network device links, that is, switch-to-switch links. It is not supported on:
•
•
•
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
48-20
Description
Protocol for 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.
Between MACsec-capable devices, packets are encrypted on egress from the
sending device, decrypted on ingress to the receiving device, and in the clear
within the devices.
This feature is only available between 802.1AE-capable devices.
TrustSec domain can verify the credentials and trustworthiness of its peer
device. NDAC uses an authentication framework based on IEEE 802.1X
port-based authentication and uses Extensible Authentication Protocol
Flexible Authentication via Secure Tunnel (EAP-FAST) as its EAP method.
Authentication and authorization by NDAC results in Security Association
Protocol negotiation for 802.1AE encryption.
SAP is a Cisco proprietary key exchange protocol between switches. After
NDAC switch-to-switch authentication, SAP automatically negotiates keys
and the cipher suite for subsequent switch-to-switch MACsec encryption
between TrustSec peers. The protocol description is available under a
nondisclosure agreement.
An SGT is a 16-bit single label showing the security classification of a source
in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.
With SXP, devices that are not TrustSec-hardware capable can receive SGT
attributes for authenticated users or devices from the Cisco Access Control
System (ACS). The devices then forward the source IP-to-SGT binding to a
TrustSec-hardware capable device for tagging and security group ACL
(SGACL) enforcement.
Galois Counter Mode (GCM)—authentication and encryption
GCM authentication (GMAC)— GCM authentication, no encryption
No Encapsulation—no encapsulation (clear text)
Null—encapsulation, no authentication or encryption
Host facing access ports (these ports support MKA MACsec)
Switch virtual interfaces (SVIs)
SPAN destination ports
Chapter 48 Configuring MACsec Encryption