Configuring Ethernet Ports MAC Security Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 1-29
In Static SA Mode, two or more manually configured SA keys are used to secure traffic on the point-to-
point link between two nodes. Security is maintained by periodically rotating the SA keys. Each SA key
must have a corresponding matching value on the other end of the MACSec link.
In Dynamic SA Mode, after a secure channel (TX and RX) has been successfully established between two
nodes on the point-to-point link, the MacSec Key Agreement Protocol (MKA) is enabled. The MKA
protocol selects one of the nodes to become the key server. The key server then creates a dynamic SA key
and shares it with the node at the other end over the secure channel. Once the other end also creates this
dynamic SA key, subsequent traffic is secured using the new SA. The key server periodically and
randomly creates and exchanges new SA to replace the older SA, using the MKA protocol for as long as
the MACSec link is enabled.
Note. OmniSwtich supports only Static SA Mode.
Key Management and Rotation
To support non-interrupting MACSec service, at least two keys and up to four keys are supported for each
secure channel. One key is used for actively protecting the traffic, while the other keys are programmed
into hardware to be used as backup. This would reduce the frequency that SW has to be interrupted to
setup a new key. For more information on security key management commands, see the “Managing
System Files” chapter in the OmniSwitch AOS Release 8 Switch Management Guide.
To Next Page
Loading...
