Protocols And Standards; Feature And Hardware Compatibility; General Restrictions And Guidelines - HPE FlexNetwork 10500 Series Security Configuration Manual


Operating mechanism for device-oriented mode
As shown in Figure 159, the devices use the configured preshared keys to start the session negotiation.
In this mode, the session negotiation, secure communication, and session termination processes are
the same as the processes in client-oriented mode. However, MACsec performs a key server
selection in this mode. The port with higher MKA key server priority becomes the key server, which is
responsible for the generation and distribution of SAKs.
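Figure 159 MACsec interactive process in device-oriented mode
[Figure omitted. Phase labels: Session negotiation, Secure communication. Messages between Device A and Device B: EAPOL; EAPOL-MKA: key server; EAPOL-MKA: MACsec capable; EAPOL-MKA: key name, SAK; EAPOL-MKA: SAK installed; Secured frames.]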
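The key server selection described above can be checked offline before the ports are brought up. The following is an added example, not code from the HPE manual. It assumes the IEEE 802.1X-2010 rules that a lower numeric priority value means a higher priority, that equal priorities are resolved by the lowest SCI (MAC address plus port ID), and that priority 255 never becomes key server; the device names and MAC addresses are constructed.

```python
from dataclasses import dataclass

NEVER_KEY_SERVER = 255  # IEEE 802.1X-2010: this value never acts as key server


@dataclass(frozen=True)
class Participant:
    name: str         # constructed label, not a real device
    priority: int     # MKA key server priority, 0-255; lower value = higher priority
    mac: str          # port MAC address, first part of the SCI
    port_id: int = 1  # port identifier, second part of the SCI

    @property
    def sci(self) -> bytes:
        """Secure Channel Identifier: 6-byte MAC followed by 2-byte port ID."""
        mac = bytes.fromhex(self.mac.replace(":", "").replace("-", ""))
        return mac + self.port_id.to_bytes(2, "big")


def elect_key_server(participants):
    """Return (winner, warnings); winner is None when nobody is eligible."""
    for p in participants:
        if not 0 <= p.priority <= 255:
            raise ValueError(f"{p.name}: priority {p.priority} is outside 0-255")
    eligible = [p for p in participants if p.priority != NEVER_KEY_SERVER]
    if not eligible:
        return None, ["every participant uses priority 255: no key server, no SAK"]
    winner = min(eligible, key=lambda p: (p.priority, p.sci))
    warnings = []
    if sum(p.priority == winner.priority for p in eligible) > 1:
        warnings.append(f"priority tie at {winner.priority}: lowest SCI decided the result")
    return winner, warnings


# Constructed sample participants (documentation-range MAC addresses).
DEVICE_A = Participant("Device A", priority=10, mac="00:00:5e:00:53:0a")
DEVICE_B = Participant("Device B", priority=20, mac="00:00:5e:00:53:01")

if __name__ == "__main__":
    for pair in ([DEVICE_A, DEVICE_B],
                 [DEVICE_A, Participant("Device C", 10, "00:00:5e:00:53:02")],
                 [Participant("Device D", 255, "00:00:5e:00:53:03")]):
        winner, notes = elect_key_server(pair)
        print(winner.name if winner else "no key server", notes)
```

A tie warning means the SAK generator was chosen by MAC address ordering rather than by the configured priority, which is worth resolving when a specific device is expected to hold that role.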

Protocols and standards

IEEE 802.1X-2010, Port-Based Network Access Control
IEEE 802.1X-2006, Media Access Control (MAC) Security

Feature and hardware compatibility

MACsec is supported only on the following ports:
• Ports that are numbered from 1 to 8 on the following SE interface modules:
  ◦ LSUM2GP44TSSE0 (JH191A, JH199A).
  ◦ LSUM2GT48SE0 (JH192A, JH200A).
• Ports that are numbered from 1 to 4 on the following SG interface modules:
  ◦ LSUM1TGS48SG0 (JH197A, JH205A).
  ◦ LSUM2TGS48SG0 (JH433A).

General restrictions and guidelines

When you configure MACsec, follow these restrictions and guidelines:
In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3
Ethernet ports. In client-oriented mode, the MACsec configuration takes effect only on
802.1X-enabled ports.
