Cisco Systems 3560-X, 3750-X MKA Policies, Virtual Ports, MACsec and Stacking

11-32

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

MKA Policies

You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA

policy disables MKA on that interface. You can configure these options:

• Policy name, not to exceed 16 ASCII characters.

• Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.

• Replay protection. You can configure MACsec window size, as defined by the number of

out-of-order frames that are accepted. This value is used while installing the security associations

in the MACsec. A value of 0 means that frames are accepted only in the correct order.

Virtual Ports

You use virtual ports for multiple secured connectivity associations on a single physical port. Each

connectivity association (pair) represents a virtual port, with a maximum of two virtual ports per

physical port. Only one of the two virtual ports can be part of a data VLAN; the other must externally

tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in

the same VLAN on the same port. Because of this limitation, 802.1x multiple authentication mode is not

supported.

The exception to this limitation is in multiple-host mode when the first MACsec supplicant is

successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host

connected to the hub can send traffic without authentication because it is in multiple-host mode.

Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside

the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual

port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on

the MAC address of the physical interface concatenated with a 16-bit port ID.

MACsec and Stacking

A Catalyst 3750-X stack master running MACsec maintains the configuration files that show which ports

on a member switch support MACsec. The stack master performs these functions:

• Processes secure channel and secure association creation and deletion.

• Sends secure association service requests to the stack members.

• Processes packet number and replay-window information from local or remote ports and notifies the

key management protocol.

• Sends MACsec initialization requests with the globally configured options to new switches that are

added to the stack.

• Sends any per-port configuration to the member switches.

A member switch performs these functions:

• Processes MACsec initialization requests from the stack master.

• Processes MACsec service requests sent by the stack master.

• Sends information about local ports to the stack master.

In case of a stack master changeover, all secured sessions are brought down and then reestablished. The

authentication manager recognizes any secured sessions and initiates teardown of these sessions.