45-4
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 45 Configuring MACsec Encryption
Understanding Media Access Control Security and MACsec Key Agreement
Single-Host Mode
Figure 45-1 shows how a single EAP authenticated session is secured by MACsec using MKA.
Figure 45-1 MACsec in Single-Host Mode with a Secured Data Session
Multiple-Host Mode
In standard (not 802.1X-2010) 802. multiple-host mode, a port is open or closed based on a single
authentication. If one user, the primary secured client services client host, is authenticated, the same
level of network access is provided to any host connected to the same port. If a secondary host is a
MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary host that is a
non-MACsec host can send traffic to the network without authentication because it is in multiple-host
mode. See Figure 45-2.
Figure 45-2 MACsec in Standard Multiple-Host Mode - Unsecured
We do not recommend using multi-host mode because after the first successful client, authentication is
not required for other clients, which is not secure.
MKA Statistics
Some MKA counters are aggregated globally, while others are updated both globally and per session.
You can also obtain information about the status of MKA sessions.
This is an example of the show mka statistics command output:
SWitch# show mka statistics
MKA Global Statistics
330051
MACsec
AAA
Access-control system
Switch with
MACsec
configured
Unsecured
Host
253664
AAA
Access-control system
Switch with
MACsec
configured
Primary host
Secondary host
Secondary host
To Next Page
Loading...
Need help?
General
