11-67
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Configuring MKA and MACsec
Configuring an MKA Policy, page 11-67
Configuring MACsec on an Interface, page 11-67

Configuring an MKA Policy

Beginning in privileged EXEC mode, follow these steps to create an MKA Protocol policy:

Command                                      Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mka policy policy-name
        Identify an MKA policy, and enter MKA policy configuration mode. The maximum policy name
        length is 16 characters.
Step 3  replay-protection window-size frames
        Enable replay protection, and configure the window size in number of frames. The range is
        from 0 to 4294967295. The default window size is 0.
        Entering a window size of 0 is not the same as entering the no replay-protection command.
        Configuring a window size of 0 uses replay protection with a strict ordering of frames.
        Entering no replay-protection turns off MACsec replay protection.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show mka policy
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

This example configures the MKA policy replay-policy:
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# end

Configuring MACsec on an Interface

Beginning in privileged EXEC mode, follow these steps to configure MACsec on an interface with one
MACsec session for voice and one for data:

Command                                      Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Identify the MACsec interface, and enter interface configuration mode. The interface must
        be a physical interface.
Step 3  switchport access vlan vlan-id
        Configure the access VLAN for the port.
Step 4  switchport mode access
        Configure the interface as an access port.
Step 5  macsec
        Enable 802.1AE MACsec on the interface.
Step 6  authentication event linksec fail action authorize vlan vlan-id
        (Optional) Specify that the switch processes authentication link-security failures
        resulting from unrecognized user credentials by authorizing a restricted VLAN on the port
        after a failed authentication attempt.
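The MKA policy table above distinguishes three replay-protection settings: a window of 0 (strict frame ordering), a window of N frames (late frames within N are tolerated), and no replay-protection (the check is off). The Python model below is an added illustration, not code from Cisco's guide or from the switch software: it feeds a constructed packet-number trace through a receive-side check that follows the IEEE 802.1AE lower-bound rule (a frame is accepted when its packet number is not below nextPN minus the window), which is an assumption about how the switch implements the window, and it also checks the two constraints the table states (policy name length and window range) before rendering the policy steps as configuration lines.

```python
"""Model of the MKA replay-protection window and of the MKA policy constraints.

Added example, not Cisco code. Assumptions: packet numbers (PNs) start at 1
and the receive side applies the IEEE 802.1AE rule lowestPN = nextPN - window,
dropping any frame whose PN is below lowestPN.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_WINDOW = 4294967295          # window-size range stated in the table: 0 to 4294967295
MAX_POLICY_NAME_LEN = 16         # maximum policy name length stated in the table


@dataclass
class ReplayState:
    """Receive-side replay state for one MACsec secure association."""
    window: Optional[int]        # None models 'no replay-protection' (check disabled)
    next_pn: int = 1             # next PN expected in order (assumption: PNs start at 1)
    accepted: List[int] = field(default_factory=list)
    dropped: List[int] = field(default_factory=list)

    def receive(self, pn: int) -> bool:
        """Return True if a frame carrying packet number pn is accepted."""
        if self.window is not None:
            # window 0 gives lowest_pn == next_pn, so only in-order frames pass;
            # a larger window lets frames up to 'window' behind next_pn through.
            lowest_pn = max(1, self.next_pn - self.window)
            if pn < lowest_pn:
                self.dropped.append(pn)
                return False
        self.accepted.append(pn)
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def run_sequence(window: Optional[int], pns: List[int]) -> Tuple[List[int], List[int]]:
    """Feed a sequence of packet numbers through a fresh state; return (accepted, dropped)."""
    st = ReplayState(window=window)
    for pn in pns:
        st.receive(pn)
    return st.accepted, st.dropped


def validate_mka_policy(name: str, window: Optional[int]) -> List[str]:
    """Return a list of violations of the constraints given in the MKA policy table."""
    errors = []
    if not name or len(name) > MAX_POLICY_NAME_LEN:
        errors.append(f"policy name must be 1-{MAX_POLICY_NAME_LEN} characters")
    if window is not None and not 0 <= window <= MAX_WINDOW:
        errors.append(f"window-size must be 0-{MAX_WINDOW}")
    return errors


def render_mka_policy(name: str, window: Optional[int]) -> List[str]:
    """Render the MKA policy steps from the table as configuration lines (None = no replay-protection)."""
    problems = validate_mka_policy(name, window)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["configure terminal", f"mka policy {name}"]
    if window is None:
        lines.append("no replay-protection")   # turns MACsec replay protection off
    else:
        lines.append(f"replay-protection window-size {window}")
    lines.append("end")
    return lines


if __name__ == "__main__":
    # Constructed trace: PN 3 arrives late and PN 5 is repeated (a replay).
    trace = [1, 2, 4, 5, 3, 6, 5, 7]
    for w in (0, 2, 3, None):
        print(f"window={w}: accepted, dropped =", run_sequence(w, trace))
    print("\n".join(render_mka_policy("replay-policy", 300)))
```

Running the trace shows the trade-off the table describes: with window 0 both the late frame and the repeated frame are dropped, with window 2 the late frame is still too old but the repeated PN 5 is accepted because it lies inside the window, with window 3 everything passes, and with replay protection off nothing is ever dropped. Under this lower-bound model a replayed frame whose PN is still inside the window is accepted, so the window should be no larger than the reordering the link actually needs.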