Configuring Cisco Trustsec Switch-To-Switch Link Security In 802.1X Mode - Cisco Catalyst 4500 Series Configuration Manual

Chapter 43 Configuring MACsec Encryption
Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed
Note
and non-seed devices. For 802.1X mode, you must configure at least one seed device, that device closest
to the access control system (ACS). See this section in the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode

You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another
Cisco TrustSec device. When configuring Cisco TrustSec in 802.1X mode on an interface, follow these
guidelines:
•
•
Note
To configure Cisco TrustSec switch-to-switch link layer security with 802.1X, perform this task:
Command
Step 1
configure terminal
Step 2
interface interface-id
Step 3
cts dot1x
Step 4
sap mode-list mode1 [mode2 [mode3
[mode4]]]
Although visible in the CLI help, the timer reauthentication and propagate sgt keywords are not
Note
supported. However, the no propagate sgt keyword is supported (refer to Step 5 in the next section).
OL-25340-01
To use 802.1X mode, you must globally enable 802.1X on each device.
If you select GCM as the SAP operating mode, you must have a MACsec encryption software
license from Cisco.
MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported
with the NPE license or with a LAN Base service image.
If you select GCM without the required license, the interface is forced to a link-down state.
Purpose
Enters global configuration mode.
Enters interface configuration mode.
Configures the interface to perform NDAC authentication.
(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.
Choices for mode are:
• gcm-encrypt—Authentication and encryption
Note Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.
gmac—Authentication, no encryption
•
no-encap—No encapsulation
•
null—Encapsulation, no authentication or encryption
•
If the interface is not capable of data link encryption,
Note
no-encap is the default and the only available SAP
operating mode. SGT is not supported.
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Configuring Cisco TrustSec MACsec
43-11