Configuring MACsec protection parameters by MKA policy
Restrictions and guidelines
An MKA policy can be applied to a port or multiple ports. When you apply an MKA policy to a port, follow these restrictions and guidelines:
The settings in the MKA policy overwrite all protection parameter settings configured in interface view. Protection parameters not configured in the policy are restored to their default values.
Any modifications to the MKA policy take effect immediately.
When you remove an MKA policy application from the port, the MACsec parameter settings on the port restore to the default.
When you apply a nonexistent MKA policy to the port, the port automatically uses the system-defined MKA policy named default-policy. If you later create a policy with that name, it is automatically applied to the port.
Procedure
Enter system view.
system-view
Create an MKA policy and enter its view.
mka policy policy-name
By default, a system-defined MKA policy exists. The policy name is default-policy.
The settings for parameters in the system-defined policy are the same as the default settings for the parameters on a port.
You cannot delete or modify the system-defined MKA policy.
You can create multiple MKA policies.
Set the MACsec confidentiality offset.
confidentiality-offset offset-value
The default setting is 0, which means the entire frame is encrypted.
MACsec uses the confidentiality offset propagated by the key server.
Configure MACsec replay protection:
Enable MACsec replay protection.
replay-protection enable
By default, MACsec replay protection is enabled.
Set the replay protection window size.
replay-protection window-size size-value
The default replay protection window size is 0. With this setting, the device accepts only frames that arrive in the correct order; out-of-order or duplicated frames are dropped.
Set a MACsec validation mode.
validation mode { check | strict }
The default setting is check.
Parameter   Description
check       Verifies incoming frames but does not drop frames that fail verification.
strict      Verifies incoming frames and drops frames that fail verification.
Apply an MKA policy:
Return to system view.
quit
Enter interface view.
interface interface-type interface-number
Apply the MKA policy to the port.
mka apply policy policy-name
By default, no MKA policy is applied to a port.
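The following CLI session is an added example, not part of the original procedure, showing the steps above combined into one policy that enforces replay protection and strict validation and is then bound to a port. The policy name macsec-strict, the interface GigabitEthernet 1/0/1, and the prompts are placeholders; it assumes MKA and a CAK are already configured on the port, which this section does not cover.

```text
# Added example: create a strict MKA policy and apply it to a port.
# Placeholders: policy name "macsec-strict", interface GigabitEthernet 1/0/1.
# Assumption: MKA and the CAK are already configured on the port (not covered here).
<Sysname> system-view
[Sysname] mka policy macsec-strict
# Leave the first 30 bytes after the SecTAG in cleartext (0 = encrypt the whole frame).
[Sysname-mka-policy-macsec-strict] confidentiality-offset 30
# Replay protection is on by default; stating it keeps the policy self-describing.
[Sysname-mka-policy-macsec-strict] replay-protection enable
# A non-zero window tolerates limited reordering; 0 would drop every out-of-order frame.
[Sysname-mka-policy-macsec-strict] replay-protection window-size 64
# strict drops frames that fail verification; check only verifies and reports them.
[Sysname-mka-policy-macsec-strict] validation mode strict
[Sysname-mka-policy-macsec-strict] quit
[Sysname] interface gigabitethernet 1/0/1
# Binding the policy replaces every protection parameter set in interface view;
# any parameter omitted from the policy reverts to its default on this port.
[Sysname-GigabitEthernet1/0/1] mka apply policy macsec-strict
[Sysname-GigabitEthernet1/0/1] quit
```

Because edits to the policy take effect immediately on every port it is bound to, change a shared policy only after checking which ports reference it.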