Configuring MACsec Protection Parameters by MKA Policy; Configuring an MKA Policy - HP FlexNetwork 10500 Series Security Configuration Manual


To avoid data loss if MKA negotiation fails, use the default validation mode check on the MACsec
devices. After you use the display macsec command to verify that MKA negotiation has
succeeded, change the validation mode to strict.
To configure the MACsec validation mode:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Configure the MACsec validation mode.
    Command: macsec validation mode { check | strict }
    Remarks: The default setting is check. If you execute this command multiple times, the most recent configuration takes effect.

Configuring MACsec protection parameters by MKA policy

Configuring an MKA policy

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an MKA policy, and enter MKA policy view.
    Command: mka policy policy-name
    Remarks: By default, an MKA policy named default-policy exists. The settings for parameters in the default policy are the same as the default settings for the parameters on a port. You cannot delete or modify the default MKA policy. You can create multiple MKA policies.

Step 3. (Optional.) Configure the MACsec confidentiality offset.
    Command: macsec confidentiality-offset offset-value
    Remarks: The default setting is 0. MACsec uses the confidentiality offset propagated by the key server.

Step 4. (Optional.) Configure MACsec replay protection.
    Command:
        a. Enable MACsec replay protection: replay-protection enable
        b. Configure the replay protection window size: replay-protection window-size size-value
    Remarks: By default, MACsec replay protection is enabled. The default replay protection window size is 0. Frames are accepted only in the correct order.

Step 5. Configure the MACsec validation mode.
    Command: macsec validation mode { check | strict }
    Remarks: The default setting is check.
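The manual advises moving the validation mode from check to strict once MKA negotiation is verified. The audit below is an added example, not part of the manual: it lists the MKA policies and interfaces that were never moved to strict. The configuration layout, the policy and interface names, and the sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample, not from the manual. Assumed layout: a section header at
# column 0, its settings indented beneath it, "#" between sections. Settings
# left at their defaults are assumed to be absent. All names are hypothetical.
SAMPLE_CONFIG = """\
#
mka policy core-links
 macsec validation mode strict
 replay-protection window-size 32
#
mka policy lab
 macsec confidentiality-offset 30
#
interface Ten-GigabitEthernet1/0/1
 macsec validation mode strict
#
interface Ten-GigabitEthernet1/0/2
 macsec validation mode check
#
"""

SECTION = re.compile(r"^(mka policy|interface) (\S+)$")
VALIDATION = re.compile(r"^macsec validation mode (check|strict)$")
WINDOW = re.compile(r"^replay-protection window-size (\d+)$")

def audit(config_text):
    """Map each MKA policy, and each interface that sets a validation mode,
    to its effective settings, using the defaults stated in the manual."""
    results, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            current = None
        elif not raw[0].isspace():                      # section header
            m = SECTION.match(line)
            current = f"{m.group(1)} {m.group(2)}" if m else None
            if m and m.group(1) == "mka policy":
                # Policy defaults per the manual: mode check, window size 0.
                results[current] = {"validation": "check", "window": 0}
        elif current and (m := VALIDATION.match(line)):
            results.setdefault(current, {})["validation"] = m.group(1)
        elif current and current.startswith("mka policy") and (m := WINDOW.match(line)):
            results[current]["window"] = int(m.group(1))
    return results

def still_in_check_mode(config_text):
    """Sections whose effective validation mode has not been moved to strict."""
    return sorted(k for k, v in audit(config_text).items() if v["validation"] == "check")
```

A policy with no validation mode line is reported because the manual gives check as the default.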
