Cisco Systems 3560X Switch User Manual


11-67
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Configuring MKA and MACsec
Configuring an MKA Policy, page 11-67
Configuring MACsec on an Interface, page 11-67
Configuring an MKA Policy
Beginning in privileged EXEC mode, follow these steps to create an MKA Protocol policy:

Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: mka policy policy-name
    Identify an MKA policy, and enter MKA policy configuration mode. The maximum policy name length is 16 characters.
Step 3: replay-protection window-size frames
    Enable replay protection, and configure the window size in number of frames. The range is from 0 to 4294967295. The default window size is 0.
    Entering a window size of 0 is not the same as entering the no replay-protection command. Configuring a window size of 0 uses replay protection with a strict ordering of frames. Entering no replay-protection turns off MACsec replay protection.
Step 4: end
    Return to privileged EXEC mode.
Step 5: show mka policy
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

This example configures the MKA policy replay-policy:
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# end

Configuring MACsec on an Interface
Beginning in privileged EXEC mode, follow these steps to configure MACsec on an interface with one MACsec session for voice and one for data:

Command / Purpose
Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Identify the MACsec interface, and enter interface configuration mode. The interface must be a physical interface.
Step 3: switchport access vlan vlan-id
    Configure the access VLAN for the port.
Step 4: switchport mode access
    Configure the interface as an access port.
Step 5: macsec
    Enable 802.1ae MACsec on the interface.
Step 6: authentication event linksec fail action authorize vlan vlan-id
    (Optional) Specify that the switch processes authentication link-security failures resulting from unrecognized user credentials by authorizing a restricted VLAN on the port after a failed authentication attempt.
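The following CLI session is an added example, not from the Cisco guide, that covers two points on this page: the replay-protection caveat in the MKA policy procedure (a window size of 0 keeps replay protection on with strict frame ordering, whereas no replay-protection disables it), and steps 1 through 6 of the interface procedure. The policy names strict-policy and open-policy, the interface gigabitethernet0/1, and the VLAN numbers 10 and 30 are assumed values chosen for illustration.

```ios
! Added example; names, interface and VLAN numbers are assumed, not from the guide.
Switch# configure terminal

! Window size 0 does NOT disable replay protection: MACsec frames must arrive in
! strict order, and any out-of-order frame is rejected. This is the default.
Switch(config)# mka policy strict-policy
Switch(config-mka-policy)# replay-protection window-size 0
Switch(config-mka-policy)# exit

! "no replay-protection" is the setting that actually turns replay protection off.
! Keep this distinction in mind when auditing a configuration for MACsec hardening.
Switch(config)# mka policy open-policy
Switch(config-mka-policy)# no replay-protection
Switch(config-mka-policy)# exit

! Interface procedure, steps 1 to 6 as shown on this page (access port with MACsec
! enabled and a restricted VLAN assigned after a link-security failure).
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# macsec
Switch(config-if)# authentication event linksec fail action authorize vlan 30
Switch(config-if)# end

! Verify the policies that were created (step 5 of the MKA policy procedure).
Switch# show mka policy
```

When reviewing a running configuration, look for the no replay-protection line under an MKA policy rather than for a window size of 0; only the former removes replay protection from the MACsec sessions that use the policy.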