Cisco Trustsec Macsec Encryption - Cisco Catalyst 4500 Series Software Configuration Manual

Security Features

Cisco TrustSec MACsec Encryption

MACsec (Media Access Control Security) is the IEEE 802.1AE standard for authenticating and
encrypting packets between two MACsec-capable devices. The Catalyst 4500 series switch supports
802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between
the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by
using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association
Protocol (SAP) key exchange. Link layer security can include both packet authentication between
switches and MACsec encryption between switches (encryption is optional).
For more information on TrustSec MACsec encryption, see
Encryption."
Cisco TrustSec Security Architecture
The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted
network devices. Each device in the domain is authenticated by its peers. Communication on the links
between devices in the domain is secured with a combination of encryption, message integrity check,
and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials
acquired during authentication for classifying the packets by security groups (SGs) as they enter the
network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec
network so that they can be properly identified for the purpose of applying security and other policy
criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce
the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Cisco TrustSec Security Groups, SGTs and SGACLs
This support is provided only on Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine
Note
8-E, and Catalyst 4500X.
A security group is a grouping of users, endpoint devices, and resources that share access control
policies. Security groups are defined by the administrator in the Cisco ISE or Cisco Secure ACS. As new
users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new
entities to appropriate security groups. Once a device is authenticated, Cisco TrustSec tags any packet
that originates from that device with a security group tag (SGT) that contains the security group number
of the device. The packet carries this SGT throughout the network.
Using security group access control lists (SGACLs), you can control the operations that users can
perform based on the security group assignments of users and destination resources.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
For Cisco TrustSec SGFT and SGACL guidelines and restrictions that apply on the Catalyst 4500 series
switch, refer to "Appendix B. Notes for the Catalyst 4500 Series Switches" in the Cisco TrustSec Switch
Configuration Guide.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
1-36
Chapter 1
Chapter 48, "Configuring MACsec
Product Overview