MACsec Fundamentals

MAC Security (MACsec), defined in the IEEE 802.1AE standard, allows authorized systems in a network to transmit data confidentially and protects against data transmitted or modified by unauthorized devices.

You can use MACsec for core and enterprise edge switches to do the following:

You can use MACsec on access switches to secure host-to-switch connectivity, including in environments where both trusted and untrusted hosts co-exist.

In addition to host-level authentication, MACsec-capable LANs provide data origin authentication, data confidentiality, and data integrity between authenticated hosts or systems. MACsec protects data from external attackers while the data passes through the public network to reach the receiving host.

MACsec enabled hosts encrypt and decrypt every frame exchanged between them using a MACsec key. The source MACsec host encrypts data frames, and the destination MACsec host decrypts the frames, ensuring delivery of the frame in its original condition to the recipient host. This ensures secure data communication.

You can configure MACsec encryption over any type of point-to-point Ethernet or emulated Ethernet connection, which includes:
  • Dark fiber

  • Conventional wavelength-division multiplexing/dense wavelength-division multiplexing (CWDM/DWDM) service

  • Multiprotocol label switching (MPLS) point-to-point (ELINE)

  • Provider Backbone Bridge Traffic Engineering (PBB-TE)

Note

Before you enable MACsec on the 5420 Series, you must configure the macsec boot flag.

You can configure MACsec on physical ports only. However, the physical ports can belong to an MLT trunk group, which includes Split MultiLink Trunking (SMLT), Distributed MultiLink Trunking (DMLT), and Link Aggregation Group (LAG).

Note

For VSP 8600 Series Release 8.1 and later, MACsec is supported on 8606CQ channelized ports in 4x10 Gbps or 4x25 Gbps configurations. If you enable channelization on a port, the MACsec configuration migrates from the main port to the first subport. If you disable channelization on a port, the MACsec configuration migrates from the first subport back to the main port.

You configure a pre-shared key on either end of the MACsec link. The pre-shared key is an interface parameter, not a switch-wide parameter.

Note

MACsec encrypts all packets. If you configure MACsec on one or more MultiLink Trunking (MLT) port members on one side, you must configure MACsec on the same port members on the other side. If you do not, the port link can come up physically, but the protocols running over it can fail. You do not have to provision MACsec on all MLT port members, but if you configure MACsec on an MLT port member on one side, you must also provision MACsec on the corresponding MLT port member on the other side.

One way to detect a MACsec configuration mismatch is to use Virtual Link Aggregation Control Protocol (VLACP) on the links. If VLACP is enabled on an MKA-enabled link, it takes approximately 30 seconds for the VLACP session to begin.
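As an added illustration of the MLT rule and mismatch detection described above (this is example code, not part of this documentation and not the switch's own API): a consistency check over a constructed list of MLT member links, assuming a simple per-port model with a MACsec enabled flag and a pre-shared key.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hashlib

@dataclass(frozen=True)
class PortMacsec:
    """MACsec state of one interface (hypothetical model, not the switch's own API)."""
    port: str                  # port name, e.g. "1/1"
    enabled: bool              # MACsec configured on this interface
    psk: Optional[str] = None  # pre-shared key configured on this interface

@dataclass(frozen=True)
class MltLink:
    """One physical link between MLT port members on the two switches."""
    mlt_id: int
    local: PortMacsec
    remote: PortMacsec

def key_fingerprint(psk: Optional[str]) -> Optional[str]:
    """Compare keys by hash so the check never has to print raw key material."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16] if psk else None

def find_mismatches(links: List[MltLink]) -> List[Tuple[int, str, str, str]]:
    """Return (mlt_id, local_port, remote_port, reason) for each link that breaks
    the rule: MACsec on one end of an MLT member requires MACsec on the other end.
    Members with MACsec on neither end are fine; not every member needs MACsec."""
    problems = []
    for link in links:
        if link.local.enabled != link.remote.enabled:
            side = "local" if link.local.enabled else "remote"
            problems.append((link.mlt_id, link.local.port, link.remote.port,
                             f"MACsec enabled on {side} end only"))
        elif link.local.enabled and \
                key_fingerprint(link.local.psk) != key_fingerprint(link.remote.psk):
            # Assumption: both ends of a MACsec link must carry the same pre-shared key.
            problems.append((link.mlt_id, link.local.port, link.remote.port,
                             "pre-shared keys differ"))
    return problems

# Constructed sample: MLT 1 has three member links, MLT 2 has one.
SAMPLE_LINKS = [
    MltLink(1, PortMacsec("1/1", True, "key-A"), PortMacsec("2/1", True, "key-A")),  # OK
    MltLink(1, PortMacsec("1/2", False), PortMacsec("2/2", False)),                   # OK, no MACsec
    MltLink(1, PortMacsec("1/3", True, "key-A"), PortMacsec("2/3", False)),           # local end only
    MltLink(2, PortMacsec("1/4", True, "key-A"), PortMacsec("2/4", True, "key-B")),  # keys differ
]

if __name__ == "__main__":
    for mlt_id, lport, rport, reason in find_mismatches(SAMPLE_LINKS):
        print(f"MLT {mlt_id}: {lport} <-> {rport}: {reason}")
```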

MACsec provides security at the data link layer or the physical layer. It provides enhancements at the MAC service sublayer for its operation and services to the upper layers.

MACsec is an interface-level feature and is disabled by default.

Note

On the 5420 Series, Fabric Extend is not available if you boot the switch with the macsec boot flag enabled.