Overview

NOTE:

MACsec is supported on the 2930M switch family. It is not supported on the 2930F switch family.

Media Access Control security (MACsec) is an IEEE 802 standard that specifies how to secure all or part of a LAN transparently at the link layer. MACsec PHY devices can do this while meeting the scalability and high-speed requirements placed on such networks. MACsec is intended for wired LANs only; wireless networks use a different protocol set. To secure a wired network, MACsec functionality is therefore required on the newer generation of network infrastructure switches.

The MACsec protocol provides:

  • Connectionless data integrity — each MAC frame carries its own integrity verification code (hence the term connectionless).

  • Data origin authenticity — an assurance that only authorized MACsec stations send MAC frames.

  • Confidentiality — each MAC frame is encrypted so that it cannot be eavesdropped.

  • Replay protection — MAC frames copied from the LAN by an attacker cannot be resent into the LAN without being detected.

MACsec secures switch-to-switch infrastructure using the MKA (MACsec Key Agreement) protocol in Static CAK (Connectivity Association Key) mode. MACsec operation includes:

  • Switch-to-switch pairwise pre-shared CAK mode with a single user (CAK) per port.

  • A new MACsec PHY that processes frames in hardware for faster throughput.

  • Support for the MACsec Key Agreement protocol (MKA) for automatic MACsec peer discovery, peer-participant liveness, Key Server election and distribution of SAKs.

  • Support for AES-GCM-128 with 128-bit keys (CAKs, ICKs, KEKs and SAKs).

  • Two configurable modes: "Integrity Check Only" and "Integrity Check with Confidentiality at offset 0".

  • MACsec configuration through the CLI (including over Telnet and SSH) and through SNMP. MACsec configuration through the web interface is not supported.
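The following Go program is an added illustration, not code from this document or from the switch firmware, of what a Secure Association does with the AES-GCM-128 SAK in the two modes listed above, and of how the receiver's packet-number (PN) check gives the replay protection described earlier. The frame layout, SAK, SCI and MAC addresses are assumed and constructed values, and the TCI bit handling is simplified relative to the full IEEE 802.1AE SecTAG rules.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)
// Assumed 802.1AE layout with explicit SCI: DA(6) SA(6) SecTAG(16) | secure data | ICV(16), where SecTAG = EtherType 0x88E5, TCI/AN, SL, PN(4), SCI(8). GCM nonce = SCI||PN; AAD = DA||SA||SecTAG.
const hdrLen, icvLen = 28, 16
func gcmFor(sak [16]byte, sci []byte, pn uint32) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(sak[:]) // a 16-byte SAK selects AES-GCM-128; cannot fail for this length
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return gcm, binary.BigEndian.AppendUint32(append([]byte{}, sci...), pn)
}
// Protect builds one MACsec frame: confidential=true encrypts the whole payload (confidentiality
// offset 0); false sends it in the clear, covered only by the ICV (integrity check only).
func Protect(sak [16]byte, sci [8]byte, pn uint32, da, sa [6]byte, payload []byte, confidential bool) []byte {
	gcm, nonce := gcmFor(sak, sci[:], pn)
	f := append(append(make([]byte, 0, hdrLen), da[:]...), sa[:]...)
	f = append(append(append(f, 0x88, 0xE5, 0x20, 0x00), nonce[8:]...), sci[:]...) // TCI: SC bit set; SL=0 (payload >= 48 bytes assumed)
	if confidential {
		f[14] |= 0x0C // E and C bits: payload is encrypted, so the user data is changed
		return append(f, gcm.Seal(nil, nonce, payload, f)...) // ciphertext || ICV
	}
	icv := gcm.Seal(nil, nonce, nil, append(append([]byte{}, f...), payload...)) // tag over header and clear payload
	return append(append(f, payload...), icv...)
}
// Verify checks the ICV, decrypts when the E bit is set, and rejects a replay (PN below the receive SA's next expected PN).
func Verify(sak [16]byte, nextPN *uint32, frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+icvLen || binary.BigEndian.Uint16(frame[12:]) != 0x88E5 {
		return nil, errors.New("not a MACsec frame")
	}
	hdr, pn := frame[:hdrLen], binary.BigEndian.Uint32(frame[16:])
	if pn < *nextPN {
		return nil, errors.New("replay: PN already seen")
	}
	gcm, nonce := gcmFor(sak, hdr[20:], pn)
	body, err := frame[hdrLen:len(frame)-icvLen], error(nil)
	if hdr[14]&0x0C != 0 { // E bit: decrypt and check in one AEAD call
		body, err = gcm.Open(nil, nonce, frame[hdrLen:], hdr)
	} else { // integrity only: the ICV covers header and clear payload
		_, err = gcm.Open(nil, nonce, frame[len(frame)-icvLen:], append(append([]byte{}, hdr...), body...))
	}
	if err != nil {
		return nil, errors.New("ICV check failed")
	}
	*nextPN = pn + 1
	return body, nil
}
```

A real receiver keeps a replay window rather than the strict next-PN rule used here, and the PN must never wrap under one SAK, which is why MKA rotates SAKs.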