Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
MKA Policies
You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA
policy disables MKA on that interface. You can configure these options:
• Policy name, not to exceed 16 ASCII characters.
• Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
• Replay protection. You can configure the MACsec window size, as defined by the number of
  out-of-order frames that are accepted. This value is used when installing the security
  associations in MACsec. A value of 0 means that frames are accepted only in the correct order.
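The effect of the replay window on the receive side, as an added example (not Cisco's code): a Python model of the IEEE 802.1AE lowest-acceptable-packet-number check, with hypothetical class and function names and a constructed arrival sequence. It assumes the switch applies the standard check, under which a nonzero window also admits a repeated packet number that is still inside the window.

```python
# Added illustration (hypothetical names): receive-side replay check modeled on
# IEEE 802.1AE, where frames below the lowest acceptable packet number (PN)
# are discarded. The window size is the value set in the MKA policy.

class ReplayCheck:
    def __init__(self, window_size):
        if window_size < 0:
            raise ValueError("window size must be 0 or greater")
        self.window = window_size
        self.next_pn = 1     # next expected PN (PNs start at 1 for a new SA)
        self.lowest_pn = 1   # lowest PN that is still acceptable

    def accept(self, pn):
        """Return True if a frame carrying packet number pn passes the check."""
        if pn < self.lowest_pn:
            return False                 # too old: outside the replay window
        if pn >= self.next_pn:
            self.next_pn = pn + 1        # newest frame seen so far
        # Slide the window: only the last `window` PNs below next_pn remain valid.
        self.lowest_pn = max(self.lowest_pn, self.next_pn - self.window)
        return True


def run(window_size, arrivals):
    """Feed a sequence of PNs through a fresh check and return the verdicts."""
    check = ReplayCheck(window_size)
    return [check.accept(pn) for pn in arrivals]


# Constructed arrival order: frame 3 is overtaken by 4 and 5, then PN 2 and
# PN 5 each show up a second time.
ARRIVALS = [1, 2, 4, 5, 3, 2, 5]

if __name__ == "__main__":
    for size in (0, 3):
        verdicts = run(size, ARRIVALS)
        for pn, ok in zip(ARRIVALS, verdicts):
            print(f"window={size} pn={pn} {'accept' if ok else 'drop'}")
```

With a window of 0 the late frame 3 and both repeats are dropped; with a window of 3 the late frame is delivered, but the repeated PN 5 is accepted as well, which is the trade-off to weigh when sizing the window for links that reorder frames.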
Virtual Ports
You use virtual ports for multiple secured connectivity associations on a single physical port. Each
connectivity association (pair) represents a virtual port, with a maximum of two virtual ports per
physical port. Only one of the two virtual ports can be part of a data VLAN; the other must externally
tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in
the same VLAN on the same port. Because of this limitation, 802.1x multiple authentication mode is not
supported.
The exception to this limitation is in multiple-host mode when the first MACsec supplicant is
successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host
connected to the hub can send traffic without authentication because it is in multiple-host mode.
Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside
the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual
port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on
the MAC address of the physical interface concatenated with a 16-bit port ID.
MACsec and Stacking
A Catalyst 3750-X stack master running MACsec maintains the configuration files that show which ports
on a member switch support MACsec. The stack master performs these functions:
• Processes secure channel and secure association creation and deletion.
• Sends secure association service requests to the stack members.
• Processes packet number and replay-window information from local or remote ports and notifies the
  key management protocol.
• Sends MACsec initialization requests with the globally configured options to new switches that are
  added to the stack.
• Sends any per-port configuration to the member switches.
A member switch performs these functions:
• Processes MACsec initialization requests from the stack master.
• Processes MACsec service requests sent by the stack master.
• Sends information about local ports to the stack master.
In case of a stack master changeover, all secured sessions are brought down and then reestablished. The
authentication manager recognizes any secured sessions and initiates teardown of these sessions.