Prerequisites for MACsec Encryption
This section lists the prerequisites for MACsec encryption:
- Enable the ssci-based-on-sci command while configuring MACsec encryption on the device to allow interoperability with non-Cisco and non-IOS XE devices.
- Ensure that 802.1x authentication and AAA are configured on your device.
- You must configure the flowcontrol receive desired command on all MACsec-enabled ports to enable flow control explicitly.
Prerequisites for Certificate-Based MACsec
This section lists the prerequisites for Certificate-Based MACsec:
- Ensure that you have a Certificate Authority (CA) server configured for your network.
- Generate a CA certificate.
- Ensure that you have configured Cisco Identity Services Engine (ISE) Release 2.0.
- Ensure that both participating devices, the CA server, and Cisco Identity Services Engine (ISE) are synchronized using Network Time Protocol (NTP). If time is not synchronized on all your devices, certificates will not be validated.
Prerequisites for WAN MACsec
This section lists the prerequisites for WAN MACsec:
- The 802.1Q cleartag must be configured using the macsec dot1q-in-clear 1 command.
- Support for GCM-AES-128 and GCM-AES-256 with MACsec Extended Packet Numbering (XPN).
- A configurable option to change the EtherType of EAP-over-LAN (EAPOL) frames to 0x876F.
- Support for P2P and P2MP for VLAN-based Ethernet Line (E-LINE) and emulated LAN (ELAN) deployments.