467
In client-oriented mode, the access device port automatically becomes the key server. You do not
have to configure the MKA key server priority.
In device-oriented mode, the port that has higher priority becomes the key server. If a port and its
peers have the same priority, MACsec compares the secure channel identifier (SCI) values on the
ports. The port with the lowest SCI value (a combination of MAC address and port ID) becomes the
key server.
A port with priority 255 cannot become the key server. For a successful key server selection, make
sure a minimum of one participant's key server priority is not 255.
To configure the MKA key server priority:
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3.
server priority.
mka priority
priority-value
The default setting is 0.
Configuring MACsec protection parameters in
interface view
If you configure a parameter in interface view after applying an MKA policy, the configuration in
interface view overwrites the configuration of the parameter in the MKA policy. Your configuration
also removes the MKA policy application from the port. However, other parameter settings of the
MKA policy are effective on the port.
If the parameter value in interface view is the same as the value in the MKA policy, your configuration
does not take effect. The policy remains active on the port.
Configuring the MACsec confidentiality offset
The MACsec confidentiality offset specifies the number of bytes starting from the frame header.
MACsec encrypts only the bytes after the offset in a frame.
MACsec uses the confidentiality offset propagated by the key server.
To configure the MACsec confidentiality offset:
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3.
confidentiality offset.
macsec confidentiality-offset
offset-value
The default setting is 0, and the
encrypted.
The offset value can be 0, 30, or
50.
To Next Page
Loading...
Need help?
General