hit counter script

Cisco Trustsec Switch-To-Switch Link Security Configuration Example - Cisco Catalyst 4500 Series Configuration Manual

Release ios xe 3.3.0sg and ios 15.1(1)sg
Hide thumbs Also See for Catalyst 4500 Series:
Table of Contents

Advertisement

Chapter 43
Configuring MACsec Encryption
Command
Step 4
sap pmk key [mode-list mode1 [mode2
[mode3 [mode4]]]]
Step 5
no propagate sgt
Step 6
exit
Step 7
end
Step 8
show cts interface
]
summary
Step 9
copy running-config startup-config
This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:
Switch# configure terminal
Switch(config)# interface tengiigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# end

Cisco TrustSec Switch-to-Switch Link Security Configuration Example

This example shows the configuration necessary for a seed and non-seed device for Cisco TrustSec
switch-to-switch security. You must configure the AAA and RADIUS for link security. In this example,
ACS-1 through ACS-3 can be any server names and cts-radius is the Cisco TrustSec server.
Seed Device Configuration:
Switch(config)# aaa new-model
Switch(config)# radius server ACS-1 address ipv4 10.5.120.12 auth-port 1812 acct-port 1813
pac key cisco123
OL-25340-01
[
interface-id | brief |
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Purpose
(Optional) Configures the SAP pairwise master key (PMK) and
operation mode. SAP is disabled by default in Cisco TrustSec
manual mode.
key—A hexadecimal value with an even number of characters
and a maximum length of 32 characters.
The SAP operation mode options:
gcm-encrypt—Authentication and encryption
Note
Select this mode for MACsec authentication and
encryption if your software license supports MACsec
encryption.
gmac—Authentication, no encryption
no-encap—No encapsulation
null—Encapsulation, no authentication or encryption
Note
If the interface is not capable of data link encryption,
no-encap is the default and the only available SAP
operating mode. SGT is not supported.
Prevents the interface from transmitting the SGT to the peer and
is required in manual mode.
Use the no form of this command when the peer is incapable of
processing a SGT.
Exits Cisco TrustSec 802.1X interface configuration mode.
Returns to privileged EXEC mode.
(Optional) Verifies the configuration by displaying
TrustSec-related interface characteristics.
(Optional) Saves your entries in the configuration file.
Configuring Cisco TrustSec MACsec
43-13

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents