Configuring Macsec On An Interface - Cisco Catalyst 4500 Series Configuration Manual
Release ios xe 3.3.0sg and ios 15.1(1)sg
Hide thumbs
Also See for Catalyst 4500 Series:
- Software configuration manual (2086 pages) ,
- Administration manual (1814 pages) ,
- Configuration manual (1254 pages)
Table of Contents
Advertisement
Chapter 43
Configuring MACsec Encryption
Configuring MACsec on an Interface
To configure MACsec on an interface with one MACsec session for voice and one for data, perform this
task:
Command
Step 1
configure terminal
Step 2
interface interface-id
Step 3
switchport access vlan vlan-id
Step 4
switchport mode access
Step 5
macsec
Step 6
authentication event linksec fail
action authorize vlan vlan-id
Step 7
authentication host-mode
multi-domain
Step 8
authentication linksec policy
must-secure
Step 9
authentication port-control auto
Step 10
mka policy policy-name
Step 11
dot1x pae authenticator
Step 12
spanning-tree portfast
Step 13
end
Step 14
show authentication session
interface interface-id
Step 15
copy running-config startup-config
This is an example of configuring and verifying MACsec on an interface:
Switch(config)# interface GigabitEthernet1/0/25
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# macsec
Switch(config-if)# authentication event linksec fail action authorize vlan 2
Switch(config-if)# authentication host-mode multi-domain
Switch(config-if)# authentication linksec policy must-secure
Switch(config-if)# authentication port-control auto
OL-25340-01
Purpose
Enters global configuration mode.
Identifies the MACsec interface, and enter interface configuration mode.
The interface must be a physical interface.
Configures the access VLAN for the port.
Configures the interface as an access port.
Enables 802.1ae MACsec on the interface.
(Optional) Specifies that the switch processes authentication link-security
failures resulting from unrecognized user credentials by authorizing a
restricted VLAN on the port after a failed authentication attempt.
Configures authentication manager mode on the port to allow both a host
and a voice device to be authenticated on the 802.1X-authorized port. If
not configured, the default host mode is single.
Sets the LinkSec security policy to secure the session with MACsec if the
peer is available. If not set, the default is should secure.
Enables 802.1X authentication on the port. The port changes to the
authorized or unauthorized state based on the authentication exchange
between the switch and the client
Applies an existing MKA protocol policy to the interface, and enable
MKA on the interface. If no MKA policy was configured (by entering the
mka policy global configuration command), you must apply the MKA
default policy to the interface by entering the mka default-policy
interface configuration command.
Configures the port as an 802.1X port access entity (PAE) authenticator.
Enables spanning tree Port Fast on the interface in all its associated
VLANs. When Port Fast feature is enabled, the interface changes directly
from a blocking state to a forwarding state without making the
intermediate spanning-tree state changes.
Returns to privileged EXEC mode.
Verifies the authorized session security status.
(Optional) Saves your entries in the configuration file.
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Configuring MACsec and MKA
43-7
- Quick Links:
- Resetting a Switch to Factory Default...
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
