Configuring MACsec protection parameters by MKA policy

Restrictions and guidelines

An MKA policy can be applied to a port or multiple ports. When you apply an MKA policy to a port, follow these restrictions and guidelines:

Procedure

  1. Enter system view.

    system-view

  2. Create an MKA policy and enter its view.

    mka policy policy-name

    By default, a system-defined MKA policy exists. The policy name is default-policy.

    The settings for parameters in the system-defined policy are the same as the default settings for the parameters on a port.

    You cannot delete or modify the system-defined MKA policy.

    You can create multiple MKA policies.

  3. Set the MACsec confidentiality offset.

    confidentiality-offset offset-value

    The default setting is 0, which means the entire frame is encrypted.

    MACsec uses the confidentiality offset propagated by the key server.

  4. Configure MACsec replay protection:

    1. Enable MACsec replay protection.

      replay-protection enable

      By default, MACsec replay protection is enabled.

    2. Set the replay protection window size.

      replay-protection window-size size-value

      The default replay protection window size is 0. With a window size of 0, the device accepts only frames that arrive in the correct order; out-of-order or duplicated frames are dropped.

  5. Set a MACsec validation mode.

    validation mode { check | strict }

    The default setting is check.

    Parameter    Description
    check        Verifies incoming frames but does not drop illegal frames.
    strict       Verifies incoming frames and drops illegal frames.

  6. Apply an MKA policy:

    1. Return to system view.

      quit

    2. Enter interface view.

      interface interface-type interface-number

    3. Apply the MKA policy to the port.

      mka apply policy policy-name

      By default, no MKA policy is applied to a port.
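The following configuration walks the whole procedure above end to end. It is an added example, not taken from the vendor guide: the policy name macsec-strict, the interface Ten-GigabitEthernet 1/0/1, the offset value 30 and the window size 64 are placeholders chosen for illustration, and you should check which offset and window values your device accepts.

```console
# Added example (not from the original guide). Names and values are placeholders.
system-view

# Create the policy; default-policy cannot be modified, so a new one is needed
# to change any parameter.
mka policy macsec-strict

# Leave the first 30 bytes of the payload in clear text and encrypt the rest.
# MACsec uses the offset propagated by the key server, so configure the same
# value on every port that may be elected key server, or the offset set here
# will not take effect on a non-key-server port.
confidentiality-offset 30

# Replay protection is enabled by default; shown here for completeness.
# A window of 64 tolerates frames that arrive up to 64 positions out of order,
# instead of the default 0, which accepts only strictly in-order frames.
replay-protection enable
replay-protection window-size 64

# strict drops frames that fail verification; the default check mode only
# verifies and counts them, so an integrity failure would still be forwarded.
validation mode strict

# Return to system view and apply the policy to the port.
quit
interface ten-gigabitethernet 1/0/1
mka apply policy macsec-strict
```

Until the policy is applied in interface view, the port keeps the default-policy behaviour (offset 0, window size 0, validation mode check).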