Cisco Trustsec Switch-To-Switch Link Security Configuration Example - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Configuring Cisco TrustSec MACsec
Step 4
Command: sap pmk key [mode-list mode1 [mode2 [mode3 [mode4]]]]
Purpose: (Optional) Configures the SAP pairwise master key (PMK) and operation mode. SAP is disabled by default in Cisco TrustSec manual mode, so without this command the link has no MACsec protection.
  key: A hexadecimal value with an even number of characters and a maximum length of 32 characters.
  The SAP operation mode options:
    gcm-encrypt: Authentication and encryption.
      Note: Select this mode for MACsec authentication and encryption if your software license supports MACsec encryption.
    gmac: Authentication, no encryption.
    no-encap: No encapsulation.
    null: Encapsulation, no authentication or encryption.
  Note: If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode. SGT is not supported in that case.

Step 5
Command: no propagate sgt
Purpose: Prevents the interface from transmitting the SGT to the peer; this no form is required in manual mode and must be used when the peer cannot process an SGT.

Step 6
Command: exit
Purpose: Exits Cisco TrustSec manual interface configuration mode (config-if-cts-manual) and returns to interface configuration mode.

Step 7
Command: end
Purpose: Returns to privileged EXEC mode.

Step 8
Command: show cts interface [interface-id | brief | summary]
Purpose: (Optional) Verifies the configuration by displaying TrustSec-related interface characteristics, including the SAP mode actually negotiated with the peer.

Step 9
Command: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:
Switch# configure terminal
Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# end

Cisco TrustSec Switch-to-Switch Link Security Configuration Example

This example shows the configuration necessary for a seed and a non-seed device for Cisco TrustSec
switch-to-switch security. You must configure AAA and RADIUS for link security. In this example,
ACS-1 through ACS-3 can be any server names and cts-radius is the Cisco TrustSec server.
Seed Device Configuration:
Switch(config)# aaa new-model
Switch(config)# radius server ACS-1 address ipv4 10.5.120.12 auth-port 1812 acct-port 1813
 pac key cisco123

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex, Chapter 48, Configuring MACsec Encryption, page 48-24
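As an added example, not taken from the Cisco guide, the following Python script audits running-config text for interfaces in cts manual mode against the constraints stated in the manual-mode table above: SAP stays disabled until sap pmk is set, the PMK must be an even-length hexadecimal string of at most 32 characters, only gcm-encrypt provides both authentication and encryption, and no propagate sgt is required. The embedded configuration is constructed for illustration. Two rules are this example's own audit policy rather than statements from the guide: any PMK shorter than the 32-character maximum is reported as short, and any non-encrypting mode present in a mode-list is reported because the link can settle on it.

```python
"""Audit Cisco TrustSec manual-mode (SAP) settings in IOS running-config text."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config excerpt (illustrative only, not captured from a device).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/1/1
 cts manual
  sap pmk 00112233445566778899aabbccddeeff mode-list gcm-encrypt
  no propagate sgt
!
interface TenGigabitEthernet1/1/2
 cts manual
  sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
  no propagate sgt
!
interface TenGigabitEthernet1/1/3
 cts manual
  sap pmk 1234abcdef mode-list gmac
  propagate sgt
!
interface TenGigabitEthernet1/1/4
 cts manual
!
"""

# SAP operation modes as described in the configuration table.
SAP_MODES = {
    "gcm-encrypt": {"auth": True, "encrypt": True},   # authentication and encryption
    "gmac": {"auth": True, "encrypt": False},          # authentication, no encryption
    "no-encap": {"auth": False, "encrypt": False},     # no encapsulation
    "null": {"auth": False, "encrypt": False},         # encapsulation, no authentication or encryption
}

PMK_MAX_HEX_CHARS = 32  # the key is an even-length hex string of at most 32 characters


def parse_cts_manual_interfaces(config: str) -> Dict[str, dict]:
    """Collect 'cts manual' interfaces with their sap pmk, mode-list and propagate sgt state."""
    interfaces: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"cts_manual": False, "pmk": None, "modes": [], "propagate_sgt": None}
        elif line == "!":          # section separator ends the current interface block
            current = None
        elif current is None:
            continue
        elif line == "cts manual":
            interfaces[current]["cts_manual"] = True
        elif line.startswith("sap pmk "):
            m = re.fullmatch(r"sap pmk (\S+)(?: mode-list (.+))?", line)
            if m:
                interfaces[current]["pmk"] = m.group(1)
                interfaces[current]["modes"] = m.group(2).split() if m.group(2) else []
        elif line == "no propagate sgt":
            interfaces[current]["propagate_sgt"] = False
        elif line == "propagate sgt":
            interfaces[current]["propagate_sgt"] = True
    return {name: attrs for name, attrs in interfaces.items() if attrs["cts_manual"]}


def pmk_problem(key: str) -> Optional[str]:
    """Return why the PMK violates the documented format, or None if it is acceptable."""
    if not re.fullmatch(r"[0-9a-fA-F]+", key):
        return "PMK is not a hexadecimal string"
    if len(key) % 2:
        return "PMK has an odd number of hex characters"
    if len(key) > PMK_MAX_HEX_CHARS:
        return f"PMK exceeds {PMK_MAX_HEX_CHARS} hex characters"
    return None


def audit_cts_manual(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for every weakness found on cts manual interfaces."""
    findings: List[Tuple[str, str]] = []
    for name, attrs in parse_cts_manual_interfaces(config).items():
        if attrs["pmk"] is None:
            findings.append((name, "no 'sap pmk' configured: SAP is disabled by default in manual mode, "
                                   "so the link carries no MACsec protection"))
        else:
            problem = pmk_problem(attrs["pmk"])
            if problem:
                findings.append((name, problem))
            elif len(attrs["pmk"]) < PMK_MAX_HEX_CHARS:
                # Audit policy of this example (an assumption): require the full 32 hex characters (128 bits).
                findings.append((name, f"short PMK: {len(attrs['pmk']) * 4} bits, "
                                       f"fewer than the maximum {PMK_MAX_HEX_CHARS * 4}"))
            unknown = [m for m in attrs["modes"] if m not in SAP_MODES]
            if unknown:
                findings.append((name, f"unrecognised SAP mode(s) {unknown}"))
            weak = [m for m in attrs["modes"] if m in SAP_MODES and not SAP_MODES[m]["encrypt"]]
            if weak:
                findings.append((name, f"mode-list offers non-encrypting mode(s) {weak}; "
                                       "traffic is unencrypted if the link settles on one of them"))
            if not attrs["modes"]:
                findings.append((name, "no mode-list given; confirm the negotiated mode with 'show cts interface'"))
        if attrs["propagate_sgt"] is not False:
            findings.append((name, "'no propagate sgt' is missing; the manual-mode procedure requires it"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_cts_manual(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run it as is to see the findings for the constructed sample, or replace SAMPLE_CONFIG with the text of show running-config from a real switch. The script only reads configuration text; what SAP mode the peer actually agreed to is still only visible in show cts interface, which is why the missing mode-list case points there.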