out-of-order packets within the replay protection window size and drop other out-of-order
packets.
MACsec applications
MACsec supports the following application modes:
•
Client-oriented mode—Operates with 802.1X authentication and secures data transmission
between the client and the access device. In this mode, the authentication server generates
and distributes the CAK to the client and the access device.
Figure 142 Client-oriented mode
NOTE:
In client-oriented mode, an MKA-enabled port on the access device must perform port-based
802.1X access control. The authentication method must be EAP relay.
•
Device-oriented mode—Secures data transmission between devices. In this mode, the
devices do not perform identity authentication, and the same preshared key must be configured
on the MACsec ports that connect the devices. The devices use the configured preshared key
as the CAK.
Figure 143 Device-oriented mode
MACsec operating mechanism
Operating mechanism for client-oriented mode
Figure 144
illustrates how MACsec operates in client-oriented mode.
491