MACsec support is available on ExtremeSwitching 5420 series switches beginning with ExtremeXOS 31.5. MACsec is available on all ports of all models except stacking ports. The maximum number of MACsec-enabled ports per system is 48. In the case of a stacked system, each slot supports up to 48 MACsec-enabled ports.
When MACsec-enabled ports are part of a load shared group, then a single active member port is chosen as the flood port and programmed in the hardware for a specific VLAN. Broadcast, Unknown unicast and multicast (BUM) traffic for a single VLAN always uses the single member port. Load sharing happens based on the VLAN and not on the other packet fields.
Because the load shared group with MACsec enabled ports are programmed differently on 5420 series switches, enabling MACsec on only a few member ports can result in not utilizing the MACsec disabled ports for BUM traffic.
Tip
It is best practice to ensure that all the ports of a load shared group are either MACsec enabled or disabled.The following informational message is displayed during enabling or disabling MACsec on member ports of a load shared group:
Note: MACsec is enabled on a portion of member ports of a load sharing group. It is recommended to enable or disable MACsec on all members of a load sharing group.
On 5420 series switches, the MACsec protocol is mutually exclusive with other protocols. If MACsec is enabled, then the following list of protocols cannot be enabled. If any of the other protocols are enabled, then MACsec cannot be enabled:
The following example displays an error message received after attempting to configure MACsec when AVB is enabled:
# configure macsec connectivity-association MyCA ports 1 enable Error: The system has audio-video-bridging (AVB) configuration that must be disabled before MACsec can be enabled on a port. This can be done through the "disable avb" or "unconfigure avb" commands.
The following example displays an error message received after attempting to configure VPEX when MACsec is enabled:
# enable vpex Error: Cannot enable VPEX if MACsec is enabled on any port. Please disable MACsec with the 'configure macsec connectivity-association <ca_name> port <port_list> disable' command and try again.
A stacked system that contains both 5420 and 5520 or other switches has the following restriction: A single LAG group cannot be comprised of both 5420 and non-5420 MACsec-enabled ports. The CLI enforces the following rules:
Because a stack is required to have the primary and backup nodes be of the same type, multi-slot uplink LAGs with MACsec enabled can still be formed.
The following CLI error is observed when sharing is enabled on port(s) that belong to incompatible MACsec-enabled ports:
Single load sharing group cannot span MACsec-enabled ports across switches of certain types. Please refer to the EXOS User Guide for details.
Single load sharing group cannot span MACsec-enabled ports across switches of certain types. Port %s belongs to a load sharing group that has a member port %s from an incompatible switch type with MACsec enabled. Please refer to the EXOS User Guide for details.
Note the following limitations with ExtremeSwitching 5420 MACsec support:
Warning
In a stacked system, the MKA protocol for every MACsec-enabled port is run on the primary slot. If the primary slot has a lower-end processor or less memory than a load of 48, 96, 144, for example, the MKA or MACsec sessions may impact system performance.The details of this feature are specific to the ExtremeSwitching 5420 series.