Overview

MACsec is configured on a per-port basis to protect point-to-point links between switches. Mutual authentication is achieved by provisioning the same set of credentials (pre-shared key) on each end of a link.

Prior to authentication, all port traffic is blocked. After authentication, all port traffic is protected by the GCM-AES-128 cipher suite by default, or optionally, by GCM-AES-256. MACsec operates at Layer 2 and is therefore protocol agnostic, encrypting everything it passes. Because encryption takes place at the hardware level, line-rate traffic passes with low latency, but due to additional MACsec headers, some throughput drop occurs. MACsec operates on a hop-by-hop basis, allowing for deep packet inspection.

Note

Note

The following table lists the switches/ports that support the optional GCM-AES-256 cipher.

Table 1. Switches/Ports that Support the GCM-AES-256 Cipher
Platform Ports LRM/MACsec Adapter Required?
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X590, X620, X690, X695 series switches SFP/SFP+ ports Yes
ExtremeSwitching X465

X465-24XE: front panel ports

VIM5-4XE: all 4 ports

VIM5-4YE in X465-24MU, X465-24XE, X465-24MU-24W switches: all 4 ports

VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X465i-48W,: first 2 ports only

No
ExtremeSwitching 5520 All ports, except 5520-VIM-4X and 24X 10G ports No

Authentication is provided by pre-shared-keys (PSK), which consist of a public secure connectivity association key name (CKN) and a private secure connectivity association key (CAK). Each PSK is configured against a connectivity-association namespace. Each connectivity-association can be applied to one or more MACsec-capable ports. Each port may belong to only one connectivity-association.

Note

Note

When MACsec is enabled, every protected packet is prefixed with an 8-byte (include-sci disable) or 16-byte (include-sci enable) SecTAG and suffixed with a 16-byte Integrity Check Value (ICV). If the average packet size on a port is small, then these 24 to 32 extra bytes per packet have a non-trivial impact on throughput. This is a function of the protocol, and is not a factor of this implementation.