MACsec is configured on a per-port basis to protect point-to-point links between switches. Mutual authentication is achieved by provisioning the same set of credentials (pre-shared key) on each end of a link.
Prior to authentication, all port traffic is blocked. After authentication, all port traffic is protected by the GCM-AES-128 cipher suite by default, or optionally, by GCM-AES-256. MACsec operates at Layer 2 and is therefore protocol agnostic, encrypting everything it passes. Because encryption takes place at the hardware level, line-rate traffic passes with low latency, but due to additional MACsec headers, some throughput drop occurs. MACsec operates on a hop-by-hop basis, allowing for deep packet inspection.
Note
The following table lists the switches/ports that support the optional GCM-AES-256 cipher.
| Platform | Ports | LRM/MACsec Adapter Required? |
|---|---|---|
| ExtremeSwitching 5320 | All ports of all models except stacking ports. | No |
| ExtremeSwitching 5420 | All ports of all models except stacking ports. | No |
| ExtremeSwitching 5520 | All ports, except 5520-VIM-4X and 24X 10G ports | No |
| ExtremeSwitching 5720 | All ports of all models except stacking ports. | No |
Authentication is provided by pre-shared-keys (PSK), which consist of a public secure connectivity association key name (CKN) and a private secure connectivity association key (CAK). Each PSK is configured against a connectivity-association namespace. Each connectivity-association can be applied to one or more MACsec-capable ports. Each port may belong to only one connectivity-association.
Note
When MACsec is enabled, every protected packet is prefixed with an 8-byte (include-sci disable) or 16-byte (include-sci enable) SecTAG and suffixed with a 16-byte Integrity Check Value (ICV). If the average packet size on a port is small, then these 24 to 32 extra bytes per packet have a non-trivial impact on throughput. This is a function of the protocol, and is not a factor of this implementation.Note
MACsec-enabled port mirroring for egress traffic is not supported on 5420 switches.