
Cisco SM-X Layer 2/3 EtherSwitch Service Module Configuration Guide for Cisco 4451-X ISR
Software Features
IEEE 802.1x Protocol
The IEEE 802.1x standard defines a client/server-based access control and authentication protocol that prevents clients from connecting to a LAN through publicly accessible ports unless they are authenticated. The authentication server authenticates each client connected to a port before making available any services offered by the router or the LAN.

Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic can pass through the port. See the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later.
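The pre-authentication filter described above can be modelled directly: an unauthorized port forwards only EAPOL, CDP and STP frames and drops everything else until the supplicant authenticates. The following is an added example, not code from the Cisco guide; it classifies raw Ethernet frames on their destination MAC, EtherType and LLC/SNAP header (EAPOL EtherType 0x888E, STP BPDUs as LLC SAP 0x42 to the bridge group address, CDP as SNAP with the Cisco OUI and protocol ID 0x2000). The sample frames and the `Port` class are constructed for the example.

```python
"""Model of the IEEE 802.1x pre-authentication traffic filter.

Added example (not from the Cisco guide). It implements the rule that an
unauthenticated port forwards only EAPOL, CDP and STP frames.
"""
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E                       # IEEE 802.1X EAP over LAN
STP_MAC = bytes.fromhex("0180c2000000")        # bridge group address (STP BPDUs)
CDP_MAC = bytes.fromhex("01000ccccccc")        # Cisco multicast address (CDP)
LLC_STP_SAP = 0x42                             # DSAP/SSAP used by BPDUs
LLC_SNAP_SAP = 0xAA                            # DSAP/SSAP that announces a SNAP header
SNAP_CISCO_OUI = bytes.fromhex("00000c")
SNAP_CDP_PID = 0x2000


def classify(frame: bytes) -> str:
    """Return 'EAPOL', 'STP', 'CDP' or 'OTHER' for a raw Ethernet frame."""
    if len(frame) < 14:
        return "OTHER"
    dst = frame[0:6]
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len == EAPOL_ETHERTYPE:
        return "EAPOL"
    if type_or_len <= 1500:                    # IEEE 802.3 length field: LLC follows
        llc = frame[14:17]
        if len(llc) < 3:
            return "OTHER"
        dsap, ssap = llc[0], llc[1]
        if dst == STP_MAC and dsap == LLC_STP_SAP and ssap == LLC_STP_SAP:
            return "STP"
        if (dst == CDP_MAC and dsap == LLC_SNAP_SAP and ssap == LLC_SNAP_SAP
                and len(frame) >= 22):
            oui = frame[17:20]
            pid = int.from_bytes(frame[20:22], "big")
            if oui == SNAP_CISCO_OUI and pid == SNAP_CDP_PID:
                return "CDP"
    return "OTHER"


@dataclass
class Port:
    """A switch port in the 802.1x authenticator role (constructed for the example)."""
    authenticated: bool = False

    def permits(self, frame: bytes) -> bool:
        """Forward everything once authenticated; otherwise only control traffic."""
        if self.authenticated:
            return True
        return classify(frame) in {"EAPOL", "STP", "CDP"}


# Constructed sample frames (not captured traffic).
SRC = bytes.fromhex("001122334455")
EAPOL_START = (bytes.fromhex("0180c2000003") + SRC + b"\x88\x8e"
               + bytes.fromhex("01010000"))                 # v1, EAPOL-Start, len 0
STP_BPDU = STP_MAC + SRC + (38).to_bytes(2, "big") + b"\x42\x42\x03" + b"\x00" * 35
CDP_HELLO = (CDP_MAC + SRC + (12).to_bytes(2, "big") + b"\xaa\xaa\x03"
             + SNAP_CISCO_OUI + b"\x20\x00" + b"\x02\xb4\x00\x00")
IPV4_FRAME = bytes.fromhex("ffffffffffff") + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    port = Port()
    for name, frame in [("EAPOL", EAPOL_START), ("STP", STP_BPDU),
                        ("CDP", CDP_HELLO), ("IPv4", IPV4_FRAME)]:
        print(f"{name:5s} unauthenticated: {port.permits(frame)}")
```

The point the model makes is the same one the guide makes: before authentication, an attacker's data frames (the IPv4 broadcast here) never leave the port, while the three control protocols the authenticator needs are still exchanged.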
Licensing and Software Activation
The Cisco SM-X Layer 2/3 ESM uses the Cisco licensing software activation mechanism for different levels of technology software packages. This mechanism is referred to as technology package licensing and builds on the universal technology package-based licensing solution. A universal image containing all levels of a software package is loaded on your Cisco SM-X Layer 2/3 ESM. During startup, the Cisco SM-X Layer 2/3 ESM determines the highest level of license present and loads the corresponding software features.

The Cisco SM-X Layer 2/3 ESM has a right-to-use (RTU) license, also known as an honor-based license. The RTU license on the Cisco SM-X Layer 2/3 ESM supports the following three feature sets:

LAN Base: Enterprise access Layer 2 switching features
IP Base: Enterprise access Layer 3 switching features
IP Services: Advanced Layer 3 switching (IPv4 and IPv6) features

You can deploy a specific feature package by applying the corresponding software activation licenses. See Upgrading your License Using Right-To-Use Features for more information on licensing and software activation.
MACsec Encryption
Media Access Control Security (MACsec) encryption is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. MACsec encryption is defined in 802.1AE to provide MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are established after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. Only host-facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.

The Cisco SM-X Layer 2/3 ESM supports 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the module and host devices. The module also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional). See the "Configuring MACsec Encryption" chapter in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later for information on configuring this feature.
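Because MKA/MACsec only protects a host-facing port after 802.1x succeeds, a practical check is to audit the running configuration for access ports that have 802.1x enabled but lack MACsec, a must-secure link-security policy, or an MKA policy. The following is an added example, not code from the Cisco guide or any Cisco tool. The sample configuration and interface names are constructed, and the command strings it looks for (`macsec`, `authentication linksec policy must-secure`, `mka default-policy` / `mka policy <name>`, `authentication port-control auto`, `dot1x pae authenticator`) are assumed to follow the Catalyst 3560 IOS 15.0(2)SE syntax; verify them against the referenced chapter before relying on the audit.

```python
"""Audit a Catalyst-style running configuration for host-facing ports
that run 802.1x but are not protected by MACsec/MKA.

Added example (not from the Cisco guide). The configuration below is
constructed; the command names are an assumption based on IOS 15.0(2)SE.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description host-facing, MACsec required
 switchport mode access
 macsec
 authentication linksec policy must-secure
 authentication port-control auto
 mka default-policy
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 description host-facing, MACsec missing
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/3
 description uplink, trunk
 switchport mode trunk
!
"""

# Commands every host-facing (access) port is expected to carry.
REQUIRED_8021X = ("authentication port-control auto", "dot1x pae authenticator")
REQUIRED_MACSEC = ("macsec", "authentication linksec policy must-secure")
MKA_RE = re.compile(r"^mka (default-policy|policy \S+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its stripped sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or any top-level line ends the stanza
    return stanzas


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for access ports only.

    Trunk/uplink ports are skipped: the guide states that only host-facing
    links are secured with MKA, and switch-to-switch links use NDAC/SAP.
    """
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        issues = [f"missing '{c}'" for c in REQUIRED_8021X if c not in cmds]
        issues += [f"missing '{c}'" for c in REQUIRED_MACSEC if c not in cmds]
        if not any(MKA_RE.match(c) for c in cmds):
            issues.append("no MKA policy applied")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for intf, issues in audit(SAMPLE_CONFIG).items():
        print(intf)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, only GigabitEthernet0/2 is reported: it authenticates the host with 802.1x but, without `macsec` and a must-secure policy, traffic after authentication crosses the link in the clear.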