Mka Policies - Cisco Catalyst 4500 Series Software Configuration Manual
Cisco ios xe release 3.9.xe and cisco ios release 15.2(5)ex
Hide thumbs
Also See for Catalyst 4500 Series:
- Administration manual (1814 pages) ,
- Configuration manual (1610 pages) ,
- Command reference manual (1230 pages)
Table of Contents
Advertisement
Chapter 48
Configuring MACsec Encryption
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement
PDU (MKPDU). MKA sessions and participants are deleted when the MKA lifetime (6 seconds) passes
with no MKPDU received from a participant. For example, if a client disconnects, the participant on the
switch continues to operate MKA until 6 seconds have elapsed after the last MKPDU is received from
the client.
These sections provide more details:
•
•
•
•
•
•
•
MKA Policies
By default, the MKA protocol default policy is enabled on an interface. However, you can apply a
defined MKA policy to an interface. Removing the MKA policy configures the default MKA policy on
that interface.
You can configure these options:
•
•
•
Key Lifetime and Hitless Key Rollover
A MACsec key chain (MKA) can have multiple pre-shared keys (PSKs) each configured with a key ID
and an optional lifetime. A key lifetime specifies the time period the key is valid. In the absence of a
lifetime configuration, the default lifetime is unlimited. MKA rolls over to the next configured valid
pre-shared key in the key chain, when a valid key expires. Time zone of the key can be local or UTC.
Default time zone is UTC.
MKA rolls over to the next configured valid pre-shared key in the key chain, when a valid key expires.
Use the key chain key-chain-name macsec to configure the MACsec key chain.
To roll over to the next key within the same key chain, configure a second key in the key chain, and a
lifetime for the first key. When the lifetime of the first key expires, it automatically rolls over to the next
key in the list. If the same key is configured on both sides of the link at the same time, then the key
rollover is hitless, that is, key rolls over without traffic interruption.
The lifetime of the keys need to be overlapped to achieve hitless key rollover.
Note
MKA Policies, page 48-3
Key Lifetime and Hitless Key Rollover, page 48-3
Encryption Algorithms for MKA Control Packets, page 48-4
Virtual Ports, page 48-4
MACsec, page 48-4
MACsec, MKA, and 802.1X Host Modes, page 48-5
MKA Statistics, page 48-6
Policy name, not to exceed 16 ASCII characters.
Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
Replay protection. You can configure MACsec window size, as defined by the number of
out-of-order frames that are accepted. This value is used while installing the security associations
in the MACsec. A value of 0 means that frames are accepted only in the correct order.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Understanding Media Access Control Security and MACsec Key Agreement
48-3
Advertisement
Chapters
Table of Contents
Troubleshooting
