Operating mechanism for device-oriented mode
As shown in
negotiation.
In this mode, the session negotiation, secure communication, and session termination processes
are the same as the processes in client-oriented mode. However, MACsec performs a key server
selection in this mode. The port with higher MKA key server priority becomes the key server, which is
responsible for the generation and distribution of SAKs.
Figure 130 MACsec interactive process in device-oriented mode
Session
negotiation
Secure
communication
Protocols and standards
•
IEEE 802.1X-2010, Port-Based Network Access Control
•
IEEE 802.1X-2006, Media Access Control (MAC) Security
Feature and hardware compatibility
MACsec is supported only on the ports that are numbered from 1 to 8 on any of the following
modules:
•
LSQM1GP24TSSE0(JH211A, JH219A).
•
LSQM1GP44TSSE0(JH210A, JH218A).
•
LSQM1GT48SE0(JH212A, JH220A).
•
LSQM1GV48SE0(JH213A, JH221A).
General restrictions and guidelines
When you configure MACsec, follow these restrictions and guidelines:
•
In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3
Ethernet ports.
•
MACsec is not supported on an aggregate interface, but it is supported on the member ports of
the aggregate interface.
Figure
130, the devices use the configured preshared keys to start the session
Device A
EAPOL
EAPOL-MKA: key server
EAPOL-MKA: MACsec capable
EAPOL-MKA: key name, SAK
EAPOL-MKA: SAK installed
Secured frames
Device B
412