Operating mechanism for device-oriented mode
As shown in Figure 145, the devices use the configured preshared keys to start the session negotiation.
In this mode, the session negotiation, secure communication, and session termination processes are the same as in client-oriented mode. The difference is that MACsec performs a key server election in this mode: the port with the higher MKA key server priority becomes the key server, which generates and distributes the SAKs. In IEEE 802.1X-2010 a lower priority value means a higher priority (0 is the highest; a port configured with 255 never acts as key server), and a tie is broken in favor of the port with the lower SCI. Both devices must be configured with the same preshared key (CAK and CKN); otherwise the MKPDU ICV check fails on the receiving side and no SAK is installed.
Figure 145 MACsec interactive process in device-oriented mode
[Figure 145 shows two phases between Device A and Device B: session negotiation (EAPOL-MKA exchange) followed by secure communication (secured frames).]
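The following Python model illustrates the device-oriented negotiation described above: key server election by MKA priority (lower value wins, 255 excluded, ties broken by the lower SCI), generation of a SAK by the elected key server, distribution of the SAK in a "key name, SAK" message protected with keys derived from the preshared CAK, and the peer's install step, which fails when the two sides hold different CAKs. This is an added example, not code from the H3C guide. The real protocol derives the KEK and ICK with an AES-CMAC KDF, wraps the SAK with AES Key Wrap and computes the ICV with AES-CMAC; here HMAC-SHA256 is used as a stand-in for all three so the block runs with the standard library only. The port names, SCIs, CAK, CKN and priority values are constructed sample data.

```python
"""Model of MKA key server election and SAK distribution (device-oriented mode).

Added example. HMAC-SHA256 stands in for the AES-CMAC KDF, AES Key Wrap and
AES-CMAC ICV that 802.1X-2010 actually specifies.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    sci: bytes                 # Secure Channel Identifier: 6-byte MAC + 2-byte port id
    key_server_priority: int   # 802.1X-2010: 0 is highest, 255 means "never key server"
    cak: bytes                 # preshared Connectivity Association Key
    ckn: bytes                 # CAK name, carried in the clear in every MKPDU
    macsec_capable: bool = True


def elect_key_server(ports):
    """Return the port that becomes key server, or None if no port is eligible.
    Lowest priority value wins, 255 is excluded, ties go to the lowest SCI."""
    eligible = [p for p in ports if p.macsec_capable and p.key_server_priority < 255]
    if not eligible:
        return None
    return min(eligible, key=lambda p: (p.key_server_priority, p.sci))


def _kdf(cak, label, ckn):
    # STAND-IN for the AES-CMAC KDF of 802.1X-2010 6.2.1.
    return hmac.new(cak, label + ckn, "sha256").digest()


def derive_keys(port):
    """Both sides derive the same KEK and ICK only if they share the same CAK/CKN."""
    return _kdf(port.cak, b"IEEE8021 KEK", port.ckn), _kdf(port.cak, b"IEEE8021 ICK", port.ckn)


def _wrap(kek, key_id, sak):
    # STAND-IN for AES Key Wrap: XOR with an HMAC keystream bound to the key id (self-inverse).
    stream = hmac.new(kek, b"wrap" + key_id, "sha256").digest()
    return bytes(s ^ k for s, k in zip(sak, stream))


def build_distribute_sak(server, key_number):
    """Key server side: generate a fresh SAK and the 'key name, SAK' MKPDU."""
    kek, ick = derive_keys(server)
    sak = secrets.token_bytes(16)                              # GCM-AES-128 SAK
    key_id = server.sci[:6] + key_number.to_bytes(4, "big")   # key name: server id + key number
    body = server.ckn + key_id + _wrap(kek, key_id, sak)
    icv = hmac.new(ick, body, "sha256").digest()              # STAND-IN for the AES-CMAC ICV
    return sak, body + icv


def install_sak(peer, mkpdu, key_id_len=10):
    """Peer side: verify the ICV with its own CAK-derived ICK; on success unwrap and install."""
    kek, ick = derive_keys(peer)
    body, icv = mkpdu[:-32], mkpdu[-32:]
    if not hmac.compare_digest(hmac.new(ick, body, "sha256").digest(), icv):
        return None   # ICV mismatch: different CAK or tampered MKPDU, nothing is installed
    if body[:len(peer.ckn)] != peer.ckn:
        return None   # CKN mismatch: not our connectivity association
    key_id = body[len(peer.ckn):len(peer.ckn) + key_id_len]
    wrapped = body[len(peer.ckn) + key_id_len:]
    return _wrap(kek, key_id, wrapped)


def run_session(a, b, key_number=1):
    """Device-oriented negotiation between two ports: election, SAK distribution, install."""
    server = elect_key_server([a, b])
    if server is None:
        return {"key_server": None, "installed": False}
    peer = b if server is a else a
    sak, mkpdu = build_distribute_sak(server, key_number)
    installed = install_sak(peer, mkpdu)
    return {"key_server": server.name, "installed": installed == sak, "sak": sak}


# Constructed sample ports (example data, not from the guide).
DEVICE_A = Port("Device A", bytes.fromhex("001122aabb010001"), 10, b"0123456789abcdef", b"ckn-site-1")
DEVICE_B = Port("Device B", bytes.fromhex("001122aabb020001"), 20, b"0123456789abcdef", b"ckn-site-1")

if __name__ == "__main__":
    result = run_session(DEVICE_A, DEVICE_B)
    print("key server:", result["key_server"], "SAK installed on peer:", result["installed"])
```

Swapping the priorities or setting both to 255 changes the election outcome, and changing the CAK on one side leaves the key server elected but the SAK uninstalled, which is what a mismatched preshared key looks like in practice.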
Protocols and standards
• IEEE 802.1X-2010, Port-Based Network Access Control
• IEEE 802.1AE-2006, Media Access Control (MAC) Security
Feature and hardware compatibility
MACsec is supported only on the following ports:
• Ports numbered 1 to 8 on the LSUM2GP44TSSE0 (JH191A, JH199A) and LSUM2GT48SE0 (JH192A, JH200A) modules.
• Ports numbered 1 to 4 on the LSUM1TGS48SG0 (JH197A, JH205A) module.
General restrictions and guidelines
When you configure MACsec, follow these restrictions and guidelines:
• In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3 Ethernet ports.
• MACsec is not supported on an aggregate interface, but it is supported on the member ports of the aggregate interface.
• The MACsec header occupies 38 bytes in each frame. Take this overhead into account when you plan network capacity and MTU.
[Figure 145 message flow between Device A and Device B: the devices use the configured preshared keys to start the session; EAPOL-MKA: key server election; EAPOL-MKA: MACsec capable; EAPOL-MKA: key name, SAK; EAPOL-MKA: SAK installed; then secured frames.]