Configuring MACsec protection parameters in interface view

  1. Enter system view.

    system-view

  2. Enter interface view.

    interface interface-type interface-number

  3. Set the MACsec confidentiality offset.

    macsec confidentiality-offset offset-value

    The default setting is 0, which means the entire frame is encrypted.

    MACsec uses the confidentiality offset propagated by the key server.

  4. Configure MACsec replay protection:

    1. Enable MACsec replay protection.

      macsec replay-protection enable

      By default, MACsec replay protection is enabled on the port.

    2. Set the MACsec replay protection window size.

      macsec replay-protection window-size size-value

      The default setting is 0. The device accepts only frames that arrive in the correct order. Out-of-order or duplicated frames will be dropped.

      The configured replay protection window size takes effect only when MACsec replay protection is enabled.

  5. Set a MACsec validation mode.

    macsec validation mode { check | strict }

    The default setting is check.

    To avoid data loss, use the display macsec command to verify that MKA negotiation with the peer device has succeeded before you change the mode to strict.

    Parameter   Description

    check       Verifies incoming frames but does not drop illegal frames.

    strict      Verifies incoming frames and drops illegal frames.
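How the replay protection window size from step 4 changes which frames are dropped, as an added example that is not part of the original page or the device's own code. It assumes the receiver applies the IEEE 802.1AE lowest-acceptable-packet-number rule and that every frame passes integrity validation; the function names and the arrival sequence are constructed for illustration.

```python
"""Model of the MACsec receive-side replay check (assumed IEEE 802.1AE rule)."""


def replay_filter(packet_numbers, window_size=0, replay_protection=True):
    """Return [(pn, accepted), ...] for frames in their order of arrival.

    A frame is dropped when its packet number (PN) is below the lowest
    acceptable PN, which is the next expected PN minus the window size.
    """
    next_pn = 1  # PNs on a new secure association start at 1
    verdicts = []
    for pn in packet_numbers:
        lowest_acceptable = max(1, next_pn - window_size)
        accepted = (not replay_protection) or pn >= lowest_acceptable
        if accepted and pn >= next_pn:
            next_pn = pn + 1  # the window only ever slides forward
        verdicts.append((pn, accepted))
    return verdicts


def dropped(packet_numbers, **settings):
    """Packet numbers the receiver would discard, in arrival order."""
    return [pn for pn, ok in replay_filter(packet_numbers, **settings) if not ok]


# Constructed arrival order: 3 and 4 arrive after 5 (reordering on the path),
# then an old frame (2) and the most recent frame (6) each arrive a second time.
ARRIVALS = [1, 2, 5, 3, 4, 6, 2, 6]

if __name__ == "__main__":
    for size in (0, 2, 3):
        print(f"window-size {size}: dropped {dropped(ARRIVALS, window_size=size)}")
    print("replay protection off: dropped",
          dropped(ARRIVALS, replay_protection=False))
    # With window-size 0 every late or repeated PN is dropped. A larger window
    # tolerates reordering, but a repeated PN that still falls inside the
    # window passes this check, so size the window to the reordering actually
    # observed on the link rather than larger.
```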