Configuring Cisco Trustsec Switch-To-Switch Link Security In Manual Mode - Cisco Catalyst 4500 series Administration Manual
Hide thumbs
Also See for Catalyst 4500 series:
- Software configuration manual (2086 pages) ,
- Configuration manual (1610 pages) ,
- Command reference manual (1230 pages)
Table of Contents
Advertisement
Configuring Cisco TrustSec MACsec
Command
Step 4
sap mode-list mode1 [mode2 [mode3
[mode4]]]
Although visible in the CLI help, the timer reauthentication and propagate sgt keywords are not
Note
supported. However, the no propagate sgt keyword is supported (refer to Step 5 in the next section).
Step 5
exit
Step 6
end
Step 7
show cts interface
]
| summary
Step 8
copy running-config startup-config
This example shows how to enable Cisco TrustSec authentication in 802.1X mode on an interface using
GCM as the preferred SAP mode:
Switch# configure terminal
Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts dot1x
Switch(config-if-cts-dot1x)# sap mode-list gcm-encrypt null no-encap
Switch(config-if-cts-dot1x)# exit
Switch(config-if)# end
Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode
If your switch does not have access to an authentication server or if 802.1X authentication is not needed,
you can manually configure Cisco TrustSec on an interface. You must manually configure the interface
on each end of the connection.
When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and
restrictions:
•
•
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
45-12
[
interface-id | brief
If no SAP parameters are defined, neither encryption nor MACsec Encapsulation are performed.
If you select GCM as the SAP operating mode, you must have a MACsec Encryption software
license from Cisco. If you select GCM without the required license, the interface is forced to a
link-down state.
Purpose
(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.
Choices for mode are:
gcm-encrypt—Authentication and encryption
•
Note
Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.
•
gmac—Authentication, no encryption
•
no-encap—No encapsulation
null—Encapsulation, no authentication or encryption
•
If the interface is not capable of data link encryption,
Note
no-encap is the default and the only available SAP
operating mode. SGT is not supported.
Exits Cisco TrustSec 802.1X interface configuration mode.
Returns to privileged EXEC mode.
(Optional) Verifies the configuration by displaying TrustSec-related
interface characteristics.
(Optional) Saves your entries in the configuration file.
Chapter 45
Configuring MACsec Encryption
OL_28731-01
Advertisement
Chapters
Table of Contents
Troubleshooting
