MAC Security (MACsec) is based on the IEEE 802.1ae standard that allows authorized systems in a network to transmit data confidentially and to protect against data transmitted or modified by unauthorized devices.
You can use MACsec for core and enterprise edge switches to do the following:
Secure site-to-site connectivity between data centers.
Provide data security on links that run over public ground.
Provide data security on links that run outside the physically secure boundaries of a site.
You can use MACsec on access switches to secure host-to-switch connectivity, and host-to-switch connectivity in an environment where both trusted and untrusted hosts coexist.
In addition to host level authentication, MACsec capable LANs provide data origin authentication, data confidentiality, and data integrity between authenticated hosts or systems. MACsec protects data from external hacking while the data passes through the public network to reach a receiver host.
MACsec enabled hosts encrypt and decrypt every frame exchanged between them using a MACsec key. The source MACsec host encrypts data frames, and the destination MACsec host decrypts the frames, ensuring delivery of the frame in its original condition to the recipient host. This ensures secure data communication.
Note
Before you enable MACsec on the 5320 Series or 5420 Series, you must configure the macsec boot flag.
You can configure MACsec encryption over any type of point-to-point Ethernet or emulated Ethernet connection, which includes:
Dark fiber
Conventional wavelength-division multiplexing/dense wavelength-division multiplexing (CWDM/DWDM) service
Multiprotocol label switching (MPLS) point-to-point (ELINE)
Provider Backbone Bridge Traffic Engineering (PBB-TE)
You can configure MACsec on physical ports only. However, the physical ports can belong to an MLT trunk group that includes: Split MultiLink Trunking (SMLT), distributed MultiLink Trunking (DMLT), or Link aggregate group (LAG).
You configure a pre-shared key on either end of the MACsec link. The pre-shared key is an interface parameter, not a switch-wide parameter.
MACsec encrypts all packets. If you configure MACsec on one or more MultiLink Trunking (MLT) port members on one side, you must configure MACsec on the same port members on the other side. If you do not do this, the port can physically be enabled, but any overlying protocols can be disabled. You do not have to provision MACsec on all MLT port members, but if you configure MACsec on an MLT port member on one side, you must also provision MACsec on the corresponding MLT port on the other side.
One way to detect a mismatch of MACsec configuration is to use Virtual Link Aggregation Control Protocol (VLACP) on the links. If VLACP is enabled on an MKA-enabled link, it takes approximately 30 seconds for the VLACP session to begin.
MACsec provides security at the data link layer or the physical layer. It provides enhancements at the MAC service sub layer for its operation and services to the upper layer.
MACsec is an interface-level feature and is disabled by default.
Note
On 5320 Series and 5420 Series, Fabric Extend is not available if you boot the switch when the MACsec boot flag is enabled.