Which two options are valid for configuring IEEE 802.1AE MACSec between switches in a TrustSec network?

Which two options are valid for configuring IEEE 802.1AE MACSec between switches in a TrustSec network? (Choose two.)
A. manually on links between supported switches
B. in the Cisco Identity Services Engine
C. in the global configuration of a TrustSec non-seed switch
D. dynamically on links between supported switches
E. in the Cisco Secure Access Control System
F. in the global configuration of a TrustSec seed switch


4 thoughts on “Which two options are valid for configuring IEEE 802.1AE MACSec between switches in a TrustSec network?”

  1. Answer: A, B

    The setting may be configured manually per port (not very common) or
    dynamically as an authorization result from the Cisco Identity Services Engine (ISE)
    (much more common). If ISE returns an encryption policy with the authorization result,
    the policy issued by ISE overrides anything set using the switch CLI.

  2. Downlink MACsec policy is configured as an element in the authorization profile in Cisco ISE. To specify MACsec policy for endpoints, you enable MACsec policy and then select the policy option. The options are must-not-secure, must-secure and should-secure. This populates the value for the linksec-policy attribute, a Cisco AV pair sent to the network access device as part of the RADIUS access-accept message.

    The MACsec policy defined in ISE will interact with policies configured on and capabilities of both the NAD and the supplicant. For example, if the ISE policy is must-secure and either the supplicant or the switch are not MACsec capable, then access will be rejected. Should-secure will secure if all components are capable and willing, but will allow unsecured access if a component is not MACsec capable or is configured with must-not-secure.

  3. Looking at the actual switch configuration, we must enable MACsec on the switch, under interface config mode, with the keyword macsec. And we also do the mka default-policy command. And also our authentication linksec policy, for which the default setting, as we mentioned above, is should-secure. You also have the options of must-secure and must-not-secure. And again, you want to avoid any conflicts with the policy which would be obtained from Cisco ISE.
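As an added illustration that is not part of any of the comments above, the following Cisco IOS/IOS-XE fragment puts the steps from comment 3 together on one downlink port and shows where the ISE-issued linksec-policy attribute from comment 2 lands. The interface name, VLAN number and RADIUS server details are assumed for the example; the command syntax is standard Catalyst syntax.

```text
! --- Global prerequisites for the dynamic (ISE-driven) case ---
! AAA and 802.1X must be enabled so the switch can receive the
! authorization result (and with it the linksec-policy AV pair).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! RADIUS server definition: address and key are placeholders (assumed)
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! --- Downlink port towards an endpoint (interface and VLAN are assumed) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! 1. enable IEEE 802.1AE on the port
 macsec
 ! 2. use the default MKA (MACsec Key Agreement) policy
 mka default-policy
 ! 3. local linksec policy; should-secure is the default and the
 !    permissive choice: encrypt if both sides can, otherwise allow
 !    an unencrypted session. Use must-secure only where a non-capable
 !    supplicant is meant to be rejected rather than admitted in clear.
 authentication linksec policy should-secure
 ! authentication linksec policy must-secure
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
!
! --- What ISE returns (not switch configuration) ---
! The authorization profile's MACsec policy setting is delivered in the
! RADIUS Access-Accept as a Cisco AV pair, for example:
!   cisco-av-pair = "linksec-policy=must-secure"
! When present, this value overrides the interface-level
! "authentication linksec policy" for that session, so the CLI value
! above only applies when ISE sends no linksec-policy attribute.
```

To confirm which policy actually won for a given session, check the session on the switch with `show authentication sessions interface GigabitEthernet1/0/1 details` and the MACsec state with `show macsec interface GigabitEthernet1/0/1` and `show mka sessions`; a session that ISE marked must-secure but that shows no MACsec should be treated as a failed authorization, not a working port.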
