ExtremeSwitching 5320 and 5420 MACsec Support

MACsec support is available on ExtremeSwitching 5320 and 5420 series switches beginning with ExtremeXOS 31.6 and 31.5, respectively. MACsec is available on all ports of all models except stacking ports. The maximum number of MACsec-enabled ports per system is 48. In the case of a stacked system, each slot supports up to 48 MACsec-enabled ports.

When MACsec-enabled ports are part of a load shared group, then a single active member port is chosen as the flood port and programmed in the hardware for a specific VLAN. Broadcast, Unknown unicast and multicast (BUM) traffic for a single VLAN always uses the single member port. Load sharing happens based on the VLAN and not on the other packet fields.

Because the load shared group with MACsec enabled ports are programmed differently on 5320 and 5420 series switches, enabling MACsec on only a few member ports can result in not utilizing the MACsec disabled ports for BUM traffic.

Tip

Tip

It is best practice to ensure that all the ports of a load shared group are either MACsec enabled or disabled.

The following informational message is displayed during enabling or disabling MACsec on member ports of a load shared group:

Note: MACsec is enabled on a portion of member ports of a load sharing group. It is recommended to enable or disable MACsec on all members of a load sharing group.

Protocol Exclusions

On 5320 and 5420 series switches, the MACsec protocol is mutually exclusive with other protocols. If MACsec is enabled, then the following list of protocols cannot be enabled. If any of the other protocols are enabled, then MACsec cannot be enabled:

Example

The following example displays an error message received after attempting to configure MACsec when AVB is enabled:

# configure macsec connectivity-association MyCA ports 1 enable 
Error: The system has audio-video-bridging (AVB) configuration that
must be disabled before MACsec can be enabled on a port. This can
be done through the "disable avb" or "unconfigure avb" commands.

Example

The following example displays an error message received after attempting to configure VPEX when MACsec is enabled:

# enable vpex
Error: Cannot enable VPEX if MACsec is enabled on any port. Please disable
MACsec with the 'configure macsec connectivity-association <ca_name> port
 <port_list> disable' command and try again.

Mixed Stack LAGs

A stacked system that contains both 5320/5420 and non-5320/5420 or other switches has the following restriction: A single LAG group cannot consist of both 5320/5420 and non-5320/5420 MACsec-enabled ports. The CLI enforces the following rules:

Note

Note

These rules also apply for 5320 switches.

Because a stack is required to have the primary and backup nodes be of the same type, multi-slot uplink LAGs with MACsec enabled can still be formed.

The following CLI error is observed when sharing is enabled on port(s) that belong to incompatible MACsec-enabled ports:

Single load sharing group cannot span MACsec-enabled ports across switches of certain types. 
Please refer to the EXOS User Guide for details. 
The following CLI error is observed when enabling MACsec on port(s) which belong to incompatible LAGs:
Single load sharing group cannot span MACsec-enabled ports across switches of certain types. 
Port %s belongs to a load sharing group that has a member port %s from an incompatible switch type with MACsec enabled. Please refer to the EXOS User Guide for details. 

Limitations

Note the following limitations with ExtremeSwitching 5320 and 5420 MACsec support:

Important

Important

In a stacked system, the MKA protocol for every MACsec-enabled port is run on the primary slot. If the primary slot has a lower-end processor or less memory than a load of 48, 96, 144, for example, the MKA or MACsec sessions can impact system performance.

Supported Platform

The details of this feature are specific to ExtremeSwitching 5320 and 5420 series switches.