MACsec Encryption Cipher Suites

A MACsec cipher suite specifies the authenticated-encryption algorithm, and its key length, used to protect traffic on an Ethernet link that is secured with Media Access Control Security (MACsec).

MACsec supports two cipher suites: GCM-AES-128, which uses a 128-bit key, and GCM-AES-256, which uses a 256-bit key. The default cipher suite is GCM-AES-128. Both suites provide the same confidentiality and integrity services; GCM-AES-256 offers everything the 128-bit suite offers plus a larger margin against key search, at the cost of a longer key to manage.

Important

  • If you upgrade the VSP 8600 Series to Release 8.1 and any MACsec Connectivity Associations (CAs) use the GCM-AES-256 cipher suite, you must delete and reconfigure those CAs.

  • If you downgrade the VSP 8600 Series to a release earlier than Release 8.1, the system truncates every CA with a 256-bit CAK to a 128-bit CAK; releases before 8.1 support only 128-bit CAKs. After a downgrade, verify that the CAK still matches on both peers: a peer that keeps its 256-bit CAK cannot establish the CA with the truncated key.

Note

  • Not all products support both a 128-bit cipher suite and a 256-bit cipher suite. For information about product support, see VOSS Feature Support Matrix.

Both GCM-AES-128 and GCM-AES-256 use a 32-bit packet number (PN) as part of the initialization vector (nonce) that must be unique for every packet protected with a given secure association key (SAK); the nonce is the 64-bit Secure Channel Identifier (SCI) followed by the PN. The system refreshes the SAK before the PN wraps, that is, before all 2^32 PN values have been used, because AES-GCM loses both confidentiality and integrity protection if a nonce is ever reused under the same key.
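The following is an added example, not code from the VOSS documentation or from the switch itself. It models the bookkeeping a transmit secure association performs: building the 96-bit GCM nonce from the SCI and the packet number, refusing to hand out a PN that would wrap, and restarting the PN at 1 when a fresh SAK is installed. The AES-GCM encryption itself is not performed. The `REKEY_FRACTION` threshold, the `drain_pn_space` helper and the SCI value are assumptions made for this example; the PN starting at 1, the 32-bit PN limit, the nonce layout and the per-suite key lengths follow IEEE 802.1AE.

```python
"""Added example (not part of the VOSS documentation): MACsec transmit-SA
packet-number and nonce bookkeeping for GCM-AES-128 / GCM-AES-256.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

PN_MAX = 0xFFFF_FFFF   # largest 32-bit packet number
SCI_LEN = 8            # 48-bit MAC address + 16-bit port identifier

# Key length in bytes for the two cipher suites discussed on the page.
CIPHER_SUITES = {"GCM-AES-128": 16, "GCM-AES-256": 32}

# Assumed policy for this example: ask for a fresh SAK once this fraction of
# the PN space is consumed, rather than waiting for the wrap itself.
REKEY_FRACTION = 0.75


class PnExhausted(Exception):
    """Transmitting again would reuse a (SCI, PN) pair under the same SAK."""


@dataclass
class TransmitSA:
    sci: bytes
    sak: bytes
    suite: str
    next_pn: int = 1   # 802.1AE: first frame under a SAK carries PN 1; PN 0 is never sent

    def __post_init__(self) -> None:
        if len(self.sci) != SCI_LEN:
            raise ValueError("SCI must be 8 bytes")
        expected = CIPHER_SUITES[self.suite]   # KeyError for an unknown suite
        if len(self.sak) != expected:
            raise ValueError(f"{self.suite} needs a {expected * 8}-bit SAK")

    def nonce_for(self, pn: int) -> bytes:
        """GCM IV = SCI (64 bits) || PN (32 bits, big-endian), per IEEE 802.1AE."""
        return self.sci + struct.pack(">I", pn)

    def allocate_pn(self) -> Tuple[int, bytes]:
        """Hand out the next PN and its nonce; never wrap around."""
        if self.next_pn > PN_MAX:
            raise PnExhausted(
                "32-bit PN exhausted for this SAK; a repeated nonce under "
                "AES-GCM leaks keystream and allows tag forgery"
            )
        pn = self.next_pn
        self.next_pn += 1
        return pn, self.nonce_for(pn)

    def rekey_due(self) -> bool:
        """True once more than REKEY_FRACTION of the PN space is used."""
        return self.next_pn > int(PN_MAX * REKEY_FRACTION)

    def install_sak(self, sak: bytes, suite: str) -> None:
        """Model of a SAK refresh: new key (possibly new suite), PN restarts at 1."""
        if len(sak) != CIPHER_SUITES[suite]:
            raise ValueError(f"{suite} needs a {CIPHER_SUITES[suite] * 8}-bit SAK")
        self.sak, self.suite, self.next_pn = sak, suite, 1


def drain_pn_space(sa: TransmitSA, frames: int) -> Tuple[int, bool]:
    """Number up to `frames` frames, stopping at exhaustion.

    Returns (frames actually numbered, whether exhaustion was hit).
    """
    sent = 0
    for _ in range(frames):
        try:
            sa.allocate_pn()
        except PnExhausted:
            return sent, True
        sent += 1
    return sent, False


if __name__ == "__main__":
    # Constructed SCI for the example: MAC 00:11:22:33:44:55, port 1.
    sci = bytes.fromhex("001122334455" "0001")
    sa = TransmitSA(sci=sci, sak=bytes(16), suite="GCM-AES-128")
    pn, nonce = sa.allocate_pn()
    print(f"PN {pn} -> nonce {nonce.hex()}")
    sa.next_pn = PN_MAX - 1            # jump to the tail of the PN space
    print("rekey due:", sa.rekey_due())
    print("tail:", drain_pn_space(sa, 5))
    sa.install_sak(bytes(32), "GCM-AES-256")
    print("after refresh, next PN:", sa.next_pn)
```

The important property to take from the model is that `allocate_pn` fails closed: once the PN reaches its 32-bit maximum the SA stops transmitting until a new SAK is installed, because continuing with a wrapped PN would repeat a nonce under the same key. A real key server rekeys well before that point, which is what `rekey_due` stands in for.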

You typically configure a MACsec cipher suite at the port level on the switch. The configuration is optional; a port without an explicit setting uses the default, GCM-AES-128. When you configure a cipher suite, configure the same cipher suite on both MACsec peers; the secure channel cannot be established between peers that disagree on the suite.