Network Device Admission Control (Ndac); Macsec Encryption - Cisco Catalyst 6500-E Series Manual

Network Device Admission Control (NDAC)

One of the challenges faced by network administrators in any environment is guaranteeing that the physical
infrastructure is secure. The Cisco Catalyst 6500-E with Supervisor Engine 2T supports the NDAC capability as
part of its support of the broader Cisco TrustSec suite of features. Using NDAC, Cisco TrustSec authenticates a
device before allowing it to join the network, thereby making sure that no unauthorized devices are plugged into
the backbone of the unified access campus architecture. Figure 13 shows how an infrastructure using NDAC is
built.
Figure 13. NDAC Infrastructure Overview
Seed devices/authenticators are the first or closest devices to the ISE. In this case, the connectivity between the
seed device and the ISE does not have authentication, encapsulation, or encryption enabled. Seed devices
require manual configuration using traditional CLIs to define a shared secret with the ISE. Communication
between the seed device and ISE uses RADIUS over IP.
Nonseed devices/supplicants are those that do not have direct IP connectivity to the ISE and require seed
devices/authenticators to enroll and authenticate/authorize them onto the network. After the link between the
supplicant and authenticator becomes activated, a protected access credential (PAC) will be provisioned to the
supplicant, and ISE reachability information will also be downloaded. The PAC contains a shared key and an
encrypted token to be used for future secure communications with the ISE.

MACsec Encryption

Data integrity and security are requirements for organizations where sensitive information is being passed
between areas of the network that might be out of the control of the organization. To protect this information from
being accessed by unauthorized users, the Cisco Catalyst 6500-E with Supervisor Engine 2T supports 802.1AE
MACsec 128-bit AES encryption on the uplinks of the Supervisor Engine 2T as well as on all 6900 Series Module
ports (1G/10G/40G). MACsec provides hop-by-hop encryption between directly connected devices, all without
affecting the performance of the underlying traffic.
A common example where MACsec encryption is used is between buildings on a campus. In many instances an
organization might have a contiguous campus environment with its own dark fiber connections between the
buildings, but those connections might exist in a publically accessible space or at least one not totally controlled
by the organization, as shown in Figure 14.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 28