MACsec cipher suites specify a set of encryption algorithms used to encrypt traffic on an Ethernet link that is secured with Media Access Control Security (MACsec).
MACsec supports two cipher suites: GCM-AES-128, with a maximum key length of 128 bits, and GCM-AES-256, with a maximum key length of 256 bits. The default cipher suite is GCM-AES-128. The 256-bit algorithm provides enhanced data security and also includes the security provided by the 128-bit algorithm.
Note
Not all products support both a 128-bit cipher suite and a 256-bit cipher suite. For information about product support, see Fabric Engine and VOSS Feature Matrix.
Both the GCM-AES-128 and GCM-AES-256 cipher suites use a 32-bit packet number (PN) as part of the unique initial value for every packet transmitted with a given secure association key (SAK). The system refreshes the SAK when all the values of the 32-bit PN are exhausted, so that no initial value is ever reused with the same key.
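The following sketch is an added example, not vendor code: it builds the 96-bit GCM initial value the way IEEE 802.1AE lays it out (64-bit secure channel identifier followed by the 32-bit PN), refuses to wrap the PN, and estimates how quickly a line-rate sender uses up one SAK. The class and function names, the sample SCI and the 108-byte frame size are assumptions made for illustration.

```python
import struct

PN_MAX = 2**32 - 1  # largest value a 32-bit PN can hold

def build_iv(sci: bytes, pn: int) -> bytes:
    """Return the 96-bit GCM IV: 64-bit SCI followed by the 32-bit PN."""
    if len(sci) != 8:
        raise ValueError("SCI must be 8 bytes")
    if not 1 <= pn <= PN_MAX:  # assumption: numbering starts at 1
        raise ValueError("PN outside the usable 32-bit range")
    return sci + struct.pack("!I", pn)

class TxSecureAssociation:
    """Transmit-side PN counter for one SAK (hypothetical helper)."""

    def __init__(self, sci: bytes, next_pn: int = 1):
        self.sci = sci
        self.next_pn = next_pn

    def next_iv(self) -> bytes:
        # Refuse to wrap: a repeated PN would repeat an IV under the same SAK.
        if self.next_pn > PN_MAX:
            raise RuntimeError("PN space exhausted: a new SAK is required")
        iv = build_iv(self.sci, self.next_pn)
        self.next_pn += 1
        return iv

def seconds_until_pn_exhaustion(link_bps: float, wire_bytes_per_frame: int) -> float:
    """Shortest SAK lifetime if every frame is sent back to back at line rate."""
    frames_per_second = link_bps / (wire_bytes_per_frame * 8)
    return PN_MAX / frames_per_second

# Constructed sample values, not taken from any device.
SAMPLE_SCI = bytes.fromhex("0011223344550001")  # 6-byte MAC + 2-byte port id
# 64-byte frame + 8-byte SecTAG + 16-byte ICV + 20 bytes preamble and gap
SAMPLE_WIRE_BYTES = 108

if __name__ == "__main__":
    sa = TxSecureAssociation(SAMPLE_SCI)
    print(sa.next_iv().hex())
    for gbps in (1, 10, 100):
        t = seconds_until_pn_exhaustion(gbps * 1e9, SAMPLE_WIRE_BYTES)
        print(f"{gbps:>3} Gb/s: SAK must be replaced within {t:,.0f} s")
```

With these sample numbers a 10 Gb/s port can consume a full PN space in roughly six minutes, which is why the SAK refresh has to be automatic rather than an operator task.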
You typically configure a MACsec cipher suite at the port level on the switch. The configuration is optional. When you configure a cipher suite, ensure that you configure the same cipher suite on both MACsec peers.