Cisco Trustsec

ciscoworlds
Level 4

Hi everybody,

I read the Cisco TrustSec document and want to ask some questions:

1. As I understand, in a Cisco TrustSec domain we need to have at least one authenticator device at any time. If we have just one switch in the network, it will act as both authenticator and supplicant. But if we have a medium to big network in which we want to attach a new switch to one of the existing switches, the switch to which we attach our new switch acts as the authenticator device and our new device will be the supplicant. Am I right?

2. Referring to (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/swmacsec.html): at the bottom of the page under the "Cisco TrustSec Switch-to-Switch Link Security Configuration Example" title, they have configured one device as the "seeding" device and another as the "non-seeding" device. If I understood well, every switch can act as authenticator if it was the first device inside the network that can reach the RADIUS server. So doesn't that mean we need to configure every switch in the network as a "seeding" device? Suppose our seeding device went offline; what will happen if we have no other switch with the "seeding" device configuration in the network?

3. If we use "manual" mode versus "dot1x" mode while configuring switch-to-switch MACsec, the credentials that are configured with the "cts credential" command will be used for authentication and encryption, depending on the policy (gmac, gcm-encrypt, no-encapsulation, null). For example, if we use the "gmac" parameter, these credentials are used just for authentication, but in the case of "gcm-encrypt", they are used for both authentication and encryption. Did I understand well?

4. Referring to the link that I pasted in the second bullet and the example shown at the bottom of the page, why have they not configured any RADIUS server on the "non-seeding" device?

1 Reply

ciscoworlds
Level 4

What an active forum! My post has not been viewed even once! Thank you Cisco!