Cisco Catalyst 3560-X Software Configuration Manual page 375

Hide thumbs Also See for Catalyst 3560-X:

Command reference manual (1188 pages)

Software configuration manual (1438 pages)

Manual (276 pages)

Table of Contents

Configuring MACsec Encryption

Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed

and non-seed devices. For 802.1x mode, you must configure at least one seed device, that device closest

to the access control system (ACS). See this section in the Cisco TrustSec Configuration Guide:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html

Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1x Mode

You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another

Cisco TrustSec device. When configuring Cisco TrustSec in 802.1x mode on an interface, follow these

Beginning in privilege EXEC mode, follow these steps to configure Cisco TrustSec switch-to-switch link

layer security with 802.1x.

configure terminal

interface interface-id

sap mode-list mode1 [mode2 [mode3

Although visible in the CLI help, the timer reauthentication and propagate sgt keywords are not

To use 802.1x mode, you must globally enable 802.1x on each device.

If you select GCM as the SAP operating mode, you must have a MACsec encryption software

license from Cisco. MACsec is supported on Catalyst 3750-X and 3560-X universal IP base and IP

services licenses. It is not supported with the NPE license or with a LAN base service image.

If you select GCM without the required license, the interface is forced to a link-down state.

Enters global configuration mode.

Enters interface configuration mode.

Configures the interface to perform NDAC authentication.

(Optional) Configures the SAP operation mode on the interface. The

interface negotiates with the peer for a mutually acceptable mode.

Enter the acceptable modes in your order of preference.

Choices for mode are:

gcm-encrypt—Authentication and encryption

Select this mode for MACsec authentication and encryption

if your software license supports MACsec encryption.

gmac—Authentication, no encryption

no-encap—No encapsulation

null—Encapsulation, no authentication or encryption

If the interface is not capable of data link encryption,

no-encap is the default and the only available SAP

operating mode. SGT is not supported.

Exits Cisco TrustSec 802.1x interface configuration mode.

Returns to privileged EXEC mode.

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

Configuring Cisco TrustSec MACsec

Troubleshooting

Catalyst 3750-x

Cisco Catalyst 3560-X Software Configuration Manual page 375

Troubleshooting

Related Manuals for Cisco Catalyst 3560-X

Related Products for Cisco Catalyst 3560-X

This manual is also suitable for:

Table of Contents