
Version 4.1 - 2.0 MACsec

MACsec is another topic that may be heavily weighted out of the 2.0 topics. It is a part of TrustSec and is "the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices." It uses the "MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional)."

So within this topic, you should know MACsec and MKA: MKA handles keying on the downlink (switch-to-host) side, while NDAC and SAP handle the switch-to-switch side, as the quote above spells out. The Cisco Guide on Configuring MACsec is a really good reference for this. Another reference (although less meaty) is the Wikipedia page.

It uses a default cipher suite of GCM-AES-128 or GCM-AES-256.

"By assuring that a frame comes from the station that claimed to send it, MACSec can mitigate attacks on Layer 2 protocols."
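To make the two models in the quoted text concrete, here is an added IOS-XE configuration sketch (not from the original post or the Cisco guide): MKA on an 802.1X host-facing downlink, and NDAC/SAP with a manually configured PMK on a switch-to-switch link, where the SAP mode list shows the "encryption is optional" choice. Interface names, policy and key-chain names, and the PMK value are assumptions and placeholders.

```cisco
! --- Downlink (switch-to-host): MKA keyed from the 802.1X/EAP exchange ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
mka policy HOST-MKA
 ! GCM-AES-128 is the default suite; stated here so the choice is visible
 macsec-cipher-suite gcm-aes-128
!
interface GigabitEthernet1/0/10
 description Host-facing downlink (assumed interface name)
 switchport mode access
 macsec
 ! must-secure: if MKA/MACsec cannot be established, the port stays unauthorized
 authentication linksec policy must-secure
 authentication port-control auto
 mka policy HOST-MKA
 dot1x pae authenticator
!
! --- Uplink (switch-to-switch): TrustSec manual mode with SAP key exchange ---
interface TenGigabitEthernet1/1/1
 description Uplink to peer switch (assumed interface name)
 cts manual
  ! PMK below is a placeholder; both peers must share the same value.
  ! mode-list order is the preference: gcm-encrypt = authenticate AND encrypt,
  ! gmac = authenticate only (integrity, no confidentiality).
  sap pmk 0123456789abcdef0123456789abcdef mode-list gcm-encrypt gmac
!
! --- Verification: confirm which mode actually negotiated on each link ---
! show mka sessions
! show macsec interface GigabitEthernet1/0/10
! show cts interface TenGigabitEthernet1/1/1
```

When checking `show cts interface`, the negotiated SAP mode tells you whether the link ended up encrypted (gcm-encrypt) or integrity-only (gmac); a link that silently fell back to gmac is the failure mode to look for.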

If you're at the point where you understand/know about a "seed device" in a Cisco TrustSec domain, you're probably good for this topic. (And you're probably having a hard time getting Natalie's voice out of your head.) In a vacuum (by itself), SXP and MACsec are somewhat daunting to understand and remember. But when you delve into the ISE and policies and see this stuff in action, it starts to make more sense.
