MACsec

Media Access Control security (MACsec) is an IEEE 802 standard specifying how to transparently secure all or part of a Local Area Network (LAN) at the link layer. MACsec PHY devices can do this while meeting the scalability and high-speed requirements set on such networks. MACsec is intended for wired LANs only, as wireless networks use a different protocol set. To ensure wired network security, MACsec functionality is required on newer-generation network infrastructure switches. It is supported on the Aruba 5400R (v3 modules only), 3810M, and 2930M switch families.

The MACsec protocol provides:

  • Connectionless data integrity—each MAC frame carries a separate integrity verification code, hence the term connectionless.

  • Data origin authenticity—each MAC frame is guaranteed to have been sent by an authorized MACsec station.

  • Confidentiality—each MAC frame is encrypted to prevent it from being eavesdropped.

  • Replay protection—MAC frames copied from the LAN by an attacker cannot be resent into the LAN without being detected.

  • Enhanced security for switch-to-switch infrastructure using the MACsec Key Agreement (MKA) protocol and the Static Connectivity Association Key (CAK) mode.

MACsec operation on supported Aruba switches includes:

  • Switch-to-Switch Pairwise Pre-Shared CAK mode with Single-User CAK per port.

  • New MACsec PHY for faster processing in hardware.

  • MACsec Key Agreement protocol (MKA) for automatic MACsec peer discovery, peer-participant liveness, Key-Server election and distribution of SAKs.

  • AES-GCM with 128-bit keys (CAKs/ICKs/KEKs/SAKs).

  • Configuration of "Integrity Check Only" and "Integrity Check with Confidentiality at offset 0" modes.

  • MACsec configuration through CLI and SNMP and over Telnet/SSH.

    • MACsec configuration through the HTTP/HTTPS interface is not supported.
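As an added illustration (not code from the Aruba guide or ArubaOS-Switch), the following Go program models how the per-frame properties listed above fit together: an AES-GCM-128 SAK produces the ICV that gives integrity and data-origin authenticity, the "Integrity Check Only" and "Confidentiality at offset 0" modes differ only in what GCM encrypts versus merely authenticates, and a packet-number check gives replay protection. The SecureChannel type, the SCI-plus-packet-number nonce, the header/payload split and the strict (window 0) replay rule are constructed simplifications of 802.1AE; the real SecTAG layout and SAK rotation are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// SecureChannel: constructed model of one direction of a MACsec secure channel keyed by a 128-bit SAK.
type SecureChannel struct {
	aead   cipher.AEAD
	sci    [8]byte // Secure Channel Identifier; nonce = SCI || PN as in 802.1AE
	nextPN uint32  // receiver: lowest packet number still accepted (replay window of 0)
}

func NewSecureChannel(sak [16]byte, sci [8]byte) *SecureChannel {
	block, _ := aes.NewCipher(sak[:]) // a 16-byte SAK selects AES-128; cannot fail for this key size
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return &SecureChannel{aead: aead, sci: sci, nextPN: 1}
}
func (c *SecureChannel) nonce(pn uint32) []byte {
	n := append([]byte{}, c.sci[:]...)
	return append(n, byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn)) // 8-byte SCI || 4-byte PN
}
// Protect returns header || body || 16-byte ICV. Integrity Check Only authenticates header+payload
// and sends the payload in clear; Confidentiality at offset 0 encrypts the whole payload, header as AAD.
func (c *SecureChannel) Protect(pn uint32, header, payload []byte, confidential bool) []byte {
	if confidential {
		return c.aead.Seal(append([]byte{}, header...), c.nonce(pn), payload, header)
	}
	aad := append(append([]byte{}, header...), payload...)
	return c.aead.Seal(append([]byte{}, aad...), c.nonce(pn), nil, aad)
}
// Verify rejects a replayed PN before any crypto, then checks the ICV (integrity, origin) and decrypts.
func (c *SecureChannel) Verify(pn uint32, hdrLen int, frame []byte, confidential bool) ([]byte, error) {
	tagLen := c.aead.Overhead()
	if pn < c.nextPN || len(frame) < hdrLen+tagLen {
		return nil, errors.New("replayed packet number or truncated frame")
	}
	aad, ct, clear := frame[:hdrLen], frame[hdrLen:], []byte(nil) // confidential: header is AAD
	if !confidential { // integrity only: header||payload is AAD and the ICV alone is the GCM ciphertext
		aad, ct, clear = frame[:len(frame)-tagLen], frame[len(frame)-tagLen:], frame[hdrLen:len(frame)-tagLen]
	}
	payload, err := c.aead.Open(nil, c.nonce(pn), ct, aad)
	if err != nil {
		return nil, errors.New("ICV check failed: frame altered or not from the MACsec peer")
	}
	c.nextPN = pn + 1
	return append(payload, clear...), nil // clear is empty for confidential frames
}
```

A modified byte, a frame built under a different SAK, or a re-sent frame all fail Verify, which is the behaviour the four bullet points above describe.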

To define a MACsec policy and assign a CA Key Name (CKN) and CA Key:

switch(config)# macsec policy examplepolicy
switch(Policy-examplepolicy)# mode pre-shared-key ckn 1a2b3c4d5e6f cak f6e5d4c3b2a1

To assign the MACsec policy examplepolicy to ports 21-24:

switch(config)# macsec apply policy examplepolicy 21-24

For further details and configuration instructions, refer to the chapter titled “Infrastructure MACsec” in the ArubaOS-Switch Access Security Guide.