Protocols And Standards; Feature And Hardware Compatibility; General Restrictions And Guidelines - HP FlexNetwork 10500 Series Security Configuration Manual

Operating mechanism for device-oriented mode
As shown in
negotiation.
In this mode, the session negotiation, secure communication, and session termination processes
are the same as the processes in client-oriented mode. However, MACsec performs a key server
selection in this mode. The port with higher MKA key server priority becomes the key server, which is
responsible for the generation and distribution of SAKs.
Figure 145 MACsec interactive process in device-oriented mode
Session
negotiation
Secure
communication

Protocols and standards

•
IEEE 802.1X-2010, Port-Based Network Access Control
•
IEEE 802.1X-2006, Media Access Control (MAC) Security

Feature and hardware compatibility

MACsec is supported only on the following ports:
•
Ports that are numbered from 1 to 8 on the following modules:
LSUM2GP44TSSE0(JH191A, JH199A).
LSUM2GT48SE0(JH192A, JH200A).
•
Ports that are numbered from 1 to 4 on the LSUM1TGS48SG0(JH197A, JH205A) module.

General restrictions and guidelines

When you configure MACsec, follow these restrictions and guidelines:
•
In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3
Ethernet ports.
•
MACsec is not supported on an aggregate interface, but it is supported on the member ports of
the aggregate interface.
•
The MACsec header occupies 38 bytes in each frame. Please take into consideration the
header when you plan the network capacity.
Figure 145, the devices use the configured preshared keys to start the session
Device A
EAPOL
EAPOL-MKA: key server
EAPOL-MKA: MACsec capable
EAPOL-MKA: key name, SAK
EAPOL-MKA: SAK installed
Secured frames
Device B
493