Task                                 Command
                                     interface-number | local-sci sci-id ] [ verbose ]
Display MKA policy information.      display mka { default-policy | policy [ name policy-name ] }
Display MKA statistics on ports.     display mka statistics [ interface interface-type interface-number ]
Reset MKA sessions on ports.         reset mka session [ interface interface-type interface-number ]
Clear MKA statistics on ports.       reset mka statistics [ interface interface-type interface-number ]

MACsec configuration examples

Client-oriented MACsec configuration example (host as client)

Network requirements
As shown in Figure 148, the host accesses the network through GigabitEthernet 1/0/1. The device performs RADIUS-based 802.1X authentication for the host to control user access to the Internet.
To ensure secure communication between the host and device, perform the following tasks on the device:
• Enable MACsec desire, and configure MKA to negotiate SAKs for packet encryption.
• Set the MACsec confidentiality offset to 30 bytes.
• Enable MACsec replay protection, and set the replay protection window size to 100.
• Set the MACsec validation mode to strict.

Figure 148 Network diagram
[Diagram labels: Host 192.168.1.2/24; Device GE1/0/1 192.168.1.1/24, GE1/0/2 10.1.1.10/24; RADIUS server 10.1.1.1/24; Internet]

Configuration procedure
1. Configure the RADIUS server to provide authentication, authorization, and accounting services. Add a user account for the host. (Details not shown.)
2. Configure IP addresses for the Ethernet ports. (Details not shown.)
3. Configure AAA:
   # Enter system view.
   <Device> system-view
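What the replay protection window size of 100 and the strict validation mode from the network requirements mean on the receive side, as an added Python model (not code from this guide or from the device). It assumes the device follows the IEEE 802.1AE rule of tracking a lowest acceptable packet number (PN); ReceiveSA, accept and run are hypothetical names, and the PN sequences are constructed.

```python
from dataclasses import dataclass


@dataclass
class ReceiveSA:
    """Receive-side replay state for one MACsec secure association (model)."""
    replay_protect: bool = True
    replay_window: int = 100  # window size from the network requirements
    next_pn: int = 1          # one more than the highest valid PN seen
    lowest_pn: int = 1        # lowest PN still acceptable
    late: int = 0             # frames dropped by the replay check

    def accept(self, pn: int, icv_ok: bool = True) -> bool:
        """Return True if a frame with packet number pn is delivered."""
        # Replay check: anything below the window floor is dropped as late.
        if self.replay_protect and pn < self.lowest_pn:
            self.late += 1
            return False
        # Strict validation (assumed model): a frame that fails the
        # integrity check is dropped and must not move the window.
        if not icv_ok:
            return False
        # Only a valid frame with a new highest PN advances the window.
        if pn >= self.next_pn:
            self.next_pn = pn + 1
            self.lowest_pn = max(self.lowest_pn,
                                 self.next_pn - self.replay_window)
        return True


def run(pns, window=100):
    """Feed a constructed PN sequence through a fresh SA."""
    sa = ReceiveSA(replay_window=window)
    return [sa.accept(pn) for pn in pns], sa


if __name__ == "__main__":
    # Constructed sequence: in-order frames, a jump to 250, then reordered
    # and repeated frames arriving afterwards.
    sample = [1, 2, 3, 250, 200, 149, 150, 151, 250]
    verdicts, sa = run(sample)
    for pn, ok in zip(sample, verdicts):
        print(f"PN {pn:>3}: {'accept' if ok else 'drop (late)'}")
    print("lowest acceptable PN:", sa.lowest_pn, "| late frames:", sa.late)
```

In this model the repeated PN 250 is still delivered because it lies inside the window; with a window size of 0 the floor follows the highest PN seen, so any repeated or out-of-order PN is dropped.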