Use this command to set access control on a port or ports.
| unauthallowed | (Optional) Sets access control for unauthenticated connectivity. Unauthenticated refers to the port state before MKA is successful (that is, when a port‘s peer does not have MKA enabled or as a non-matching PSK configured). |
| never | (Default) port is down and all traffic (except for MKPDUs) is dropped |
| immediate | Port is up and all traffic is passed in the clear (no encryption) |
| authFail | Port is down until attempt occurs to authenticate using EAP, after which port is up and traffic passes in the clear (EAP not supported, so this value is equivalent to never). |
| unsecureallowed | (Optional) Sets access control if the MKA Key Server does not enable MACsec (that is, MKA without MACsec). This situation may occur if the peer supports MKA but not MACsec. MKA on Extreme Networks MACsec-capable ports always request MACsec, but 3rd-party equipment which supports MKA may choose to not use MACsec. |
| never | Port remains down and all traffic (except for MKPDUs) is dropped |
| immediate | Port up and all traffic is passed in the clear (no encryption) after successful EAP (EAP not supported, so this value is equivalent to Never) |
| mkaFail | Port up and all traffic is passed in the clear (no encryption) after EAP fails (EAP not supported, so this value is equivalent to Never) |
| mkaServer | (Default) port up and all traffic is passed in the clear (no encryption) if the MKA Key Server selects MKA without MACsec protection. |
| port-string | (Optional) Port or range of ports |
The option unauthallowed defaults to never. The option unsercureallowed defaults mkaServer. If you do not specify a portāstring, the access control setting is applied to all ports.
All command modes.
This example shows how to set unauthenticated connectivity to be allowed immediately for port "ge.1.10":
System(rw)->set macsec nid unauthallowed immediate ge.1.10
Print
this page
Email this topic
Feedback
View PDF
Download EPUB