MACsec Encryption Cipher Suites

MACsec cipher suites specify a set of encryption algorithms used to encrypt traffic on an Ethernet link that is secured with Media Access Control Security (MACsec).

MACsec supports two cipher suites: GCM-AES-128, with a maximum key length of 128 bits, and GCM-AES-256, with a maximum key length of 256 bits. The default cipher suite is GCM-AES-128. The 256-bit algorithm provides enhanced data security and also includes the security provided by the 128-bit algorithm.

Both the GCM-AES-128 and GCM-AES-256 cipher suites use a 32-bit packet number (PN) as part of the unique initial value for every packet transmitted with a given secure association key (SAK). The system refreshes the SAK when all the permutations of the 32-bit PN are exhausted.
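The following added example (not vendor code) models the transmit side of one SAK: it builds a per-frame IV from the PN, refuses to reuse a PN once the 32-bit space is spent, and estimates how often a SAK refresh is needed at the 25 Gbps and 50 Gbps rates listed on this page. The IV layout (8-byte SCI followed by the 4-byte PN) follows IEEE 802.1AE and is not stated on this page; the class and function names, the SCI value, and the per-frame overhead figures are assumptions.

```python
import struct

PN_MAX = 0xFFFFFFFF      # largest 32-bit packet number
WIRE_OVERHEAD = 20       # preamble + SFD + inter-frame gap in bytes (assumption)
MACSEC_OVERHEAD = 32     # 16-byte SecTAG with SCI + 16-byte ICV (assumption)

class SakExhausted(Exception):
    """Raised when every PN for the current SAK has been used."""

class TxSecureAssociation:
    """Simplified transmit-side model: one SAK, one PN counter."""

    def __init__(self, sci: bytes, next_pn: int = 1):
        if len(sci) != 8:
            raise ValueError("SCI must be 8 bytes")
        self.sci, self.next_pn, self.key_number = sci, next_pn, 1

    def next_iv(self) -> bytes:
        """Return the 96-bit GCM IV for the next frame, then advance the PN."""
        if self.next_pn > PN_MAX:
            raise SakExhausted("PN space used up; a new SAK is required")
        iv = self.sci + struct.pack(">I", self.next_pn)
        self.next_pn += 1
        return iv

    def install_new_sak(self) -> None:
        """A fresh SAK makes the PN space usable again, so the counter restarts."""
        self.key_number += 1
        self.next_pn = 1

def seconds_until_pn_exhaustion(rate_gbps: float, frame_bytes: int) -> float:
    """Shortest SAK lifetime at line rate for a given unprotected frame size."""
    bits_per_frame = (frame_bytes + MACSEC_OVERHEAD + WIRE_OVERHEAD) * 8
    frames_per_second = rate_gbps * 1e9 / bits_per_frame
    return PN_MAX / frames_per_second

if __name__ == "__main__":
    # Constructed SCI; start two frames short of exhaustion to show the rollover.
    sa = TxSecureAssociation(bytes.fromhex("0200000000010001"), next_pn=PN_MAX - 1)
    print(sa.next_iv().hex(), sa.next_iv().hex())
    try:
        sa.next_iv()
    except SakExhausted as exc:
        print("refresh needed:", exc)
        sa.install_new_sak()
    for rate in (25, 50):  # rates from the table on this page
        secs = seconds_until_pn_exhaustion(rate, 64)
        print(f"{rate} Gbps, 64-byte frames: new SAK about every {secs:.0f} s")
```

With minimum-size frames the estimate is the worst case; larger average frame sizes lengthen the interval between SAK refreshes proportionally.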

You typically configure a MACsec cipher suite at the port level on the switch. The configuration is optional. When you configure a cipher suite, ensure that you configure the same cipher suite on both MACsec peers.

5320 Series and 5420 Series Encryption and Decryption

These products limit encryption and decryption bandwidth. The 5420 Series supports a maximum of 50 Gbps. The 5320 Series models support differing encryption and decryption rates, as identified in the following table.

Table 1. 5320 Series MACsec encryption and decryption rates

| Model          | Encryption rate | Decryption rate |
|----------------|-----------------|-----------------|
| 48-port models | Up to 50 Gbps   | Up to 50 Gbps   |
| 24-port models | Up to 25 Gbps   | Up to 25 Gbps   |
| 16-port models | Up to 25 Gbps   | Up to 25 Gbps   |