Overview

MACsec is configured on a per-port basis to protect point-to-point links between switches. Mutual authentication is achieved by provisioning the same set of credentials (pre-shared key) on each end of a link.

Prior to authentication, all port traffic is blocked. After authentication, all port traffic is protected by the GCM-AES-128 cipher suite by default, or optionally, by GCM-AES-256. MACsec operates at Layer 2 and is therefore protocol agnostic, encrypting everything it passes. Because encryption takes place at the hardware level, line-rate traffic passes with low latency, but due to additional MACsec headers, some throughput drop occurs. MACsec operates on a hop-by-hop basis, allowing for deep packet inspection.

Note

Note

The following table lists the switches/ports that support the optional GCM-AES-256 cipher.

Table 1. Switches/Ports that Support the GCM-AES-256 Cipher
Platform Ports LRM/MACsec Adapter Required?
ExtremeSwitching 5320 All ports of all models except stacking ports. No
ExtremeSwitching 5420 All ports of all models except stacking ports. No
ExtremeSwitching 5520 All ports, except 5520-VIM-4X and 24X 10G ports No
ExtremeSwitching 5720 All ports of all models except stacking ports. No

Authentication is provided by pre-shared-keys (PSK), which consist of a public secure connectivity association key name (CKN) and a private secure connectivity association key (CAK). Each PSK is configured against a connectivity-association namespace. Each connectivity-association can be applied to one or more MACsec-capable ports. Each port may belong to only one connectivity-association.

Note

Note

When MACsec is enabled, every protected packet is prefixed with an 8-byte (include-sci disable) or 16-byte (include-sci enable) SecTAG and suffixed with a 16-byte Integrity Check Value (ICV). If the average packet size on a port is small, then these 24 to 32 extra bytes per packet have a non-trivial impact on throughput. This is a function of the protocol, and is not a factor of this implementation.
Note

Note

MACsec-enabled port mirroring for egress traffic is not supported on 5420 switches.