[c-nsp] NX-OS - Cisco TrustSec

Lincoln Dale ltd at cisco.com
Tue May 11 19:43:12 EDT 2010


On 11/05/2010, at 2:12 PM, Manu Chao wrote:

> I need to encrypt L2 traffic over a MAN between 2 Nexus 7K. The feature CTS
> seems to be the right feature to use with 802.1x. Correct?
> 
> Question is could we have a local authentication/authorization instead
> classical Radius/ACS query/reply since it is used only for Cisco
> point-to-point backbone link?

if you wish to use link-layer security note that you don't have to use AAA based authentication for the key exchange, you can configure it manually if you wish.

both ends of the link need the same 'sap pmk' configured, configuration would simply be something like:

	feature dot1x
	feature cts
	!
	interface ethX/Y
	  description MAN link
	  cts manual
	    no propagate-sgt
	    sap pmk abcde12345000000000000000000000000000000000000000000000000000000
	  no shutdown

the 'sap pmk' is the pairwise master key (32 bytes hex string = 128 bits).


cheers,

lincoln.
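As an added example (not from the thread, and not Cisco tooling): a script that pulls the `sap pmk` line out of each end's CTS manual configuration, confirms both ends carry the same key, flags a zero-padded low-entropy key like the placeholder above, and generates a random replacement from the OS CSPRNG. It assumes the 64-hex-character key length used in the example; the interface name and both config snippets are constructed.

```python
import re
import secrets
from itertools import groupby
from typing import List, Optional

# Assumption: the platform accepts a key of this length, as in the example.
PMK_HEX_LEN = 64

# Constructed sample configs for the two ends of the MAN link. Side A uses
# the zero-padded placeholder key from the thread; side B differs by one digit.
SIDE_A = """\
feature dot1x
feature cts
!
interface ethernet1/1
  description MAN link
  cts manual
    no propagate-sgt
    sap pmk """ + "abcde12345" + "0" * 54 + """
  no shutdown
"""
SIDE_B = SIDE_A.replace("abcde12345", "abcde12346")

_PMK_RE = re.compile(r"^\s*sap pmk\s+([0-9A-Fa-f]+)\b", re.MULTILINE)

def extract_pmk(config: str) -> Optional[str]:
    """Return the PMK configured under 'cts manual', or None if absent."""
    m = _PMK_RE.search(config)
    return m.group(1).lower() if m else None

def check_pmk(pmk: str) -> List[str]:
    """Return findings about the key; an empty list means it looks sane."""
    findings = []
    if len(pmk) != PMK_HEX_LEN:
        findings.append(f"length {len(pmk)}, expected {PMK_HEX_LEN} hex chars")
    # A key padded with one repeated digit is trivially guessable.
    if len(set(pmk)) < 8:
        findings.append("low entropy: fewer than 8 distinct hex digits")
    longest_run = max(len(list(g)) for _, g in groupby(pmk))
    if longest_run >= 16:
        findings.append(f"low entropy: run of {longest_run} identical digits")
    return findings

def compare_ends(cfg_a: str, cfg_b: str) -> bool:
    """True only if both ends of the link carry the same PMK."""
    a, b = extract_pmk(cfg_a), extract_pmk(cfg_b)
    return a is not None and a == b

def generate_pmk() -> str:
    """Fresh random PMK of the expected length, for pasting into 'sap pmk'."""
    return secrets.token_hex(PMK_HEX_LEN // 2)

if __name__ == "__main__":
    print("ends match:", compare_ends(SIDE_A, SIDE_B))
    print("findings for side A key:", check_pmk(extract_pmk(SIDE_A)))
    print("suggested key:", generate_pmk())
```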

