Cisco Catalyst 4500 series Administration Manual, page 1131 (OL-28731-01)

Chapter 45    Configuring MACsec Encryption

Table 45-2 summarizes the Cisco TrustSec features supported on the switch. For more detailed explanations, see the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html#wp1054561

Table 45-2    Cisco TrustSec Features

Cisco TrustSec Feature | Description

802.1AE Encryption (MACsec) | Protocol for 802.1AE-based wire-rate hop-to-hop Layer 2 encryption. Between MACsec-capable devices, packets are encrypted on egress from the sending device, decrypted on ingress to the receiving device, and in the clear within the devices. This feature is only available between 802.1AE-capable devices.

Network Device Admission Control (NDAC) | NDAC is an authentication process by which each network device in the TrustSec domain can verify the credentials and trustworthiness of its peer device. NDAC uses an authentication framework based on IEEE 802.1X port-based authentication and uses Extensible Authentication Protocol Flexible Authentication via Secure Tunnel (EAP-FAST) as its EAP method. Authentication and authorization by NDAC results in Security Association Protocol negotiation for 802.1AE encryption.

Security Association Protocol (SAP) | SAP is a Cisco proprietary key exchange protocol between switches. After NDAC switch-to-switch authentication, SAP automatically negotiates keys and the cipher suite for subsequent switch-to-switch MACsec encryption between TrustSec peers. The protocol description is available under a nondisclosure agreement.

Security Group Tag (SGT) (Note: SGT is not supported in this release.) | An SGT is a 16-bit single label showing the security classification of a source in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.

SGT Exchange Protocol (SXP), including SXPv2 | With SXP, devices that are not TrustSec-hardware capable can receive SGT attributes for authenticated users or devices from the Cisco Access Control System (ACS). The devices then forward the source IP-to-SGT binding to a TrustSec-hardware capable device for tagging and security group ACL (SGACL) enforcement.

When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security parameters, and manage keys. Successful completion of these tasks results in the establishment of a security association (SA).

Depending on your software version and licensing and link hardware support, SAP negotiation can use one of these modes of operation:

- Galois Counter Mode (GCM)—authentication and encryption
- GCM authentication (GMAC)—GCM authentication, no encryption
- No Encapsulation—no encapsulation (clear text)
- Null—encapsulation, no authentication or encryption

Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard. GCM is not supported on switches running the NPE or the LAN Base image.
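The four SAP modes differ in what the negotiated key actually protects on each hop. The following added example (not code from the Cisco guide) uses Go's standard-library AES-128-GCM to contrast GCM mode (payload encrypted, header authenticated) with GMAC mode (nothing encrypted, header and payload authenticated), and to show why a frame altered in transit is rejected by the receiving hop's ICV check. The key, SCI, packet number, header and payload bytes are constructed sample values; the SCI||PN IV layout follows IEEE 802.1AE GCM-AES-128, while the function names (ProtectGCM, OpenGCM, ProtectGMAC, VerifyGMAC, macsecIV) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// sampleSAK is a constructed 128-bit Secure Association Key. On a real
// switch the SAK is produced by SAP negotiation and is never hard-coded.
var sampleSAK = []byte("0123456789abcdef")

// macsecIV builds the 12-byte GCM IV the way IEEE 802.1AE does for
// GCM-AES-128: the 8-byte Secure Channel Identifier followed by the 4-byte
// packet number. A PN must never repeat under one SAK, which is why MACsec
// rekeys before the counter wraps.
func macsecIV(sci []byte, pn uint32) []byte {
	iv := make([]byte, 12)
	copy(iv[:8], sci)
	binary.BigEndian.PutUint32(iv[8:], pn)
	return iv
}

func newAEAD(sak []byte) (cipher.AEAD, error) {
	if len(sak) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte SAK")
	}
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectGCM models the GCM mode: the payload is encrypted and the frame
// header is bound to it as additional authenticated data. It returns the
// ciphertext (same length as the payload) and the 16-byte ICV.
func ProtectGCM(sak, iv, header, payload []byte) ([]byte, []byte, error) {
	aead, err := newAEAD(sak)
	if err != nil {
		return nil, nil, err
	}
	sealed := aead.Seal(nil, iv, payload, header)
	n := len(sealed) - aead.Overhead()
	return sealed[:n], sealed[n:], nil
}

// OpenGCM is the receiving hop: it decrypts only if the ICV verifies over
// both header and ciphertext; otherwise the frame is rejected.
func OpenGCM(sak, iv, header, ciphertext, icv []byte) ([]byte, error) {
	aead, err := newAEAD(sak)
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ciphertext...), icv...)
	return aead.Open(nil, iv, sealed, header)
}

// ProtectGMAC models the GMAC mode: nothing is encrypted, the frame travels
// in the clear, and GCM with an empty plaintext yields only the 16-byte ICV
// computed over header and payload.
func ProtectGMAC(sak, iv, header, payload []byte) ([]byte, error) {
	aead, err := newAEAD(sak)
	if err != nil {
		return nil, err
	}
	authenticated := append(append([]byte{}, header...), payload...)
	return aead.Seal(nil, iv, nil, authenticated), nil
}

// VerifyGMAC checks a GMAC-mode ICV; any change to header or payload fails.
func VerifyGMAC(sak, iv, header, payload, icv []byte) error {
	aead, err := newAEAD(sak)
	if err != nil {
		return err
	}
	authenticated := append(append([]byte{}, header...), payload...)
	_, err = aead.Open(nil, iv, icv, authenticated)
	return err
}

func main() {
	header := []byte("constructed MAC header")     // constructed sample bytes
	payload := []byte("constructed frame payload") // constructed sample bytes
	iv := macsecIV([]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01}, 1)

	ct, icv, _ := ProtectGCM(sampleSAK, iv, header, payload)
	fmt.Printf("GCM : payload on the wire %x, ICV %x\n", ct, icv)

	gicv, _ := ProtectGMAC(sampleSAK, iv, header, payload)
	fmt.Printf("GMAC: payload on the wire %q, ICV %x\n", payload, gicv)

	ct[0] ^= 0x01 // one bit flipped in transit
	_, err := OpenGCM(sampleSAK, iv, header, ct, icv)
	fmt.Println("tampered GCM frame rejected at next hop:", err != nil)
}
```

The No Encapsulation and Null modes have no counterpart here because they carry no ICV: a frame modified between two hops in those modes is accepted silently, which is exactly the integrity gap that the GCM and GMAC modes close, and GCM additionally hides the payload from anyone with access to the link.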
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
Understanding Cisco TrustSec MACsec    45-9