Mka Policies - Cisco Catalyst 4500 Series Configuration Manual

Chapter 43 Configuring MACsec Encryption

MKA Policies

You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA
policy disables MKA on that interface. You can configure these options:
•
•
•
Virtual Ports
You use virtual ports for multiple secured connectivity associations on a single physical port. Each
connectivity association (pair) represents a virtual port, with a maximum of two virtual ports per
physical port. Only one of the two virtual ports can be part of a data VLAN; the other must externally
tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in
the same VLAN on the same port. Because of this limitation, 802.1X multiple authentication mode is
not supported.
The exception to this limitation is in multiple-host mode when the first MACsec supplicant is
successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host
connected to the hub can send traffic without authentication because it is in multiple-host mode. We do
not recommend using multi-host mode because after the first successful client, authentication is not
required for other clients.
Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside
the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual
port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on
the MAC address of the physical interface concatenated with a 16-bit port ID.
MACsec
A Catalyst 4500 series switch running MACsec maintains the configuration files that show which ports
on a member switch support MACsec. The stack master performs these functions:
•
•
•
•
•
A member switch performs these functions:
•
•
•
OL-25340-01
Policy name, not to exceed 16 ASCII characters.
Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
Replay protection. You can configure MACsec window size, as defined by the number of
out-of-order frames that are accepted. This value is used while installing the security associations
in the MACsec. A value of 0 means that frames are accepted only in the correct order.
Processes secure channel and secure association creation and deletion.
Sends secure association service requests to the stack members.
Processes packet number and replay-window information from local or remote ports and notifies the
key management protocol.
Sends MACsec initialization requests with the globally configured options to new switches that are
added to the stack.
Sends any per-port configuration to the member switches.
Processes MACsec initialization requests from the stack master.
Processes MACsec service requests sent by the stack master.
Sends information about local ports to the stack master.
Understanding Media Access Control Security and MACsec Key Agreement
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
43-3