Overview

Media Access Control security (MACsec) is an IEEE 802 standard (IEEE 802.1AE) that specifies how to transparently secure all or part of a Local Area Network (LAN) at the link layer. MACsec-capable PHY devices provide this protection while meeting the scalability and high-speed requirements of such networks. MACsec is intended for wired LANs only; wireless networks use a different protocol set. To secure a wired network, MACsec functionality is required on the newer generation of network infrastructure switches.

The MACsec protocol provides:

  • Connectionless data integrity (each MAC frame carries its own integrity verification code, hence the term "connectionless")

  • Data origin authenticity (each MAC frame is guaranteed to have been sent by an authorized MACsec station)

  • Confidentiality (each MAC frame is encrypted to prevent eavesdropping)

  • Replay protection (MAC frames copied from the LAN by an attacker cannot be resent into the LAN without being detected)

MACsec secures switch-to-switch infrastructure using the MKA (MACsec Key Agreement) protocol in Static CAK (Connectivity Association Key) mode. MACsec operation includes:

  • Switch-to-switch pairwise pre-shared CAK mode with a single user (CAK) per port.

  • A new MACsec PHY for faster processing through hardware.

  • Support for the MACsec Key Agreement protocol (MKA) for automatic MACsec peer discovery, peer-participant liveness, Key Server election and distribution of SAKs.

  • Support for 128-bit AES-GCM keys (CAKs, ICKs, KEKs and SAKs).

  • Configuration includes "Integrity Check Only" and "Integrity Check with Confidentiality at offset 0" modes.

  • MACsec can be configured through the CLI (over Telnet or SSH) and through SNMP. MACsec configuration through the web interface is not supported.
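The four protections listed above and the two configured modes ("Integrity Check Only" versus "Integrity Check with Confidentiality at offset 0") are all visible in the on-wire SecTAG that MACsec inserts after the Ethernet source address. The following is an added example, not code from the original page or from any switch vendor: it parses the SecTAG (EtherType 0x88E5, TCI/AN byte, short length, 32-bit packet number, optional SCI), reports which bytes the ICV authenticates and which bytes are ciphertext in each mode, and applies the receive-side packet-number check that provides replay protection. The frame bytes and ICV values are constructed dummies; no AES-GCM is computed, and the E/C bit combinations other than the two modes named on this page are deliberately rejected.

```python
"""Parse a MACsec (IEEE 802.1AE) SecTAG and apply receive-side replay checks.

Added example, not from the original page or any vendor. Frames and ICVs
below are constructed for illustration; no AES-GCM is performed here.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5   # EtherType that introduces the SecTAG
ICV_LEN = 16                # ICV length for GCM-AES-128
# Bit masks for the first SecTAG byte: V ES SC SCB E C AN AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB = 0x80, 0x40, 0x20, 0x10
TCI_E, TCI_C, AN_MASK = 0x08, 0x04, 0x03


@dataclass
class SecTag:
    sci_present: bool
    encrypted: bool        # E bit
    changed: bool          # C bit
    an: int                # association number (0..3)
    short_length: int      # SL, non-zero only when user data is < 48 bytes
    pn: int                # packet number used for replay protection
    sci: Optional[bytes]   # secure channel identifier, if carried explicitly
    header_len: int        # bytes from frame start to end of SecTAG


def build_frame(da, sa, pn, body, confidentiality, an=0, sci=None,
                icv=b"\xAA" * ICV_LEN):
    """Assemble a constructed MACsec frame with a dummy ICV (for the examples)."""
    tci_an = (TCI_E | TCI_C if confidentiality else 0) | (an & AN_MASK)
    if sci is not None:
        tci_an |= TCI_SC
    sl = len(body) if len(body) < 48 else 0
    sectag = bytes([tci_an, sl]) + struct.pack("!I", pn) + (sci or b"")
    return da + sa + struct.pack("!H", MACSEC_ETHERTYPE) + sectag + body + icv


def parse_frame(frame):
    """Return (tag, aad, ciphertext, icv) for a MACsec frame.

    aad is what the ICV covers but travels in the clear; ciphertext is what an
    AES-GCM decrypt would recover (empty in "Integrity Check Only" mode).
    """
    if len(frame) < 20 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15]
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    pn = struct.unpack("!I", frame[16:20])[0]
    if pn == 0:
        raise ValueError("PN 0 is never valid")       # PNs start at 1
    sci_present = bool(tci_an & TCI_SC)
    header_len = 28 if sci_present else 20            # SCI adds 8 bytes
    if len(frame) < header_len + ICV_LEN:
        raise ValueError("frame truncated after SCI")
    tag = SecTag(sci_present=sci_present,
                 encrypted=bool(tci_an & TCI_E), changed=bool(tci_an & TCI_C),
                 an=tci_an & AN_MASK, short_length=sl & 0x3F, pn=pn,
                 sci=frame[20:28] if sci_present else None,
                 header_len=header_len)
    body, icv = frame[header_len:-ICV_LEN], frame[-ICV_LEN:]
    if tag.short_length and len(body) != tag.short_length:
        raise ValueError("SL does not match user data length")
    if tag.encrypted and tag.changed:
        # "Integrity Check with Confidentiality", confidentiality offset 0:
        # DA, SA and SecTAG are authenticated only; all user data is encrypted.
        return tag, frame[:header_len], body, icv
    if not tag.encrypted and not tag.changed:
        # "Integrity Check Only": everything but the ICV is authenticated, in clear.
        return tag, frame[:-ICV_LEN], b"", icv
    raise ValueError("E/C combination not handled in this example")


class ReceiveSA:
    """Receive-side packet-number tracking for one secure association.

    Call accept() only after the ICV has verified, so a forged frame cannot
    move the window. With replay_window=0 (strict) a PN must exceed every PN
    seen so far; a larger window tolerates reordering but, as in 802.1AE,
    only rejects PNs below lowest_pn rather than tracking each PN.
    """
    def __init__(self, replay_window=0):
        self.next_pn = 1
        self.replay_window = replay_window

    @property
    def lowest_pn(self):
        return max(1, self.next_pn - self.replay_window)

    def accept(self, pn):
        if pn < self.lowest_pn:
            return False                  # replayed or too old: discard
        if pn >= self.next_pn:
            self.next_pn = pn + 1         # advance the window
        return True
```

The split returned by `parse_frame` is the point of the two modes: in "Integrity Check Only" every byte after the ICV is still readable on the wire but cannot be altered or forged without the SAK, while with confidentiality at offset 0 the whole payload is ciphertext and only the addresses and SecTAG remain visible. The `ReceiveSA` class shows why a replay window of 0 is the strict setting: any window larger than 0 accepts a second copy of a frame whose PN is still at or above `lowest_pn`.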