MACsec cipher suites specify a set of encryption algorithms used to encrypt traffic on an Ethernet link that is secured with Media Access Control Security (MACsec).
MACsec supports two cipher suites, the GCM-AES-128 with a maximum key length of 128 bits and the GCM-AES-256 with a maximum key length of 256 bits. The default cipher suite is the GCM-AES-128. The 256-bit algorithm provides enhanced data security and also includes the security provided by the 128-bit algorithm.
Both the GCM-AES-128 and GCM-AES-256 cipher suites use a 32-bit packet number (PN) as part of the unique initial value for every packet transmitted with a given secure association key (SAK). The system refreshes the SAK when all the permutations of the 32-bit PN are exhausted.
You typically configure a MACsec cipher suite at the port level on the switch. The configuration is optional. When you configure a cipher suite, ensure that you configure the same cipher suite on both MACsec peers.
These products limit encryption and decryption bandwidth. 5420 Series supports a maximum of 50 Gbps. The 5320 Series models support differing encryption and decryption rates, as identified in the following table.
Model |
Encryption rate |
Decryption rate |
---|---|---|
48-port models |
Up to 50 Gbps |
Up to 50 Gbps |
24-port models |
Up to 25 Gbps |
Up to 25 Gbps |
16-port models |
Up to 25 Gbps |
Up to 25 Gbps |