next

Infrastructure MACsec

Overview

Media Access Control security (MACsec) is an IEEE 802 standard specifying how to transparently secure all or part of a Local Area Network (LAN) at the link layer. MACsec PHY devices can do this while meeting the scalability and high speed requirements generally set on such networks. MACsec is intended for wired LANs only; wireless networks use a different protocol set. To ensure wired network security, the MACsec functionality is required on the newer generation of network infrastructure switches.

The MACsec protocol provides:

  • Connectionless data integrity — (each MAC frame carries a separate integrity verification code, hence the term connectionless)

  • Data origin authenticity—(each MAC frame is guaranteed to have been sent by an authorized MACsec station)

  • Confidentiality — (each MAC frame is encrypted to prevent it from being eavesdropped)

  • Replay protection — (MAC frames copied from the LAN by an attacker cannot be resent into the LAN without being detected)

MACsec secures switch to switch infrastructure using the MKA (MACsec Key Agreement) protocol and the Static CAK (Connectivity Association Key) Mode. MACsec operation includes:

  • Switch-to-Switch Pairwise Pre-Shared CAK mode with Single-User (CAK) per port.

  • A new MACsec-PHY for faster processing via hardware.

  • Supports MACsec Key Agreement protocol (MKA) for automatic MACsec peer discovery, peer-participant liveliness, Key-Server election and for distribution of SAKs

  • Supports AES-GCM-128 bit Key-length (CAKs/ICKs/KEKs/SAKs).

  • Configuration includes "Integrity Check Only" and "Integrity Check with Confidentiality at offset 0" modes.

  • Supports MACsec CLI configurations via CLI and SNMP and over Telnet/SSH. MACsec configuration via WebUI is not supported.

MACsec is available on the following modules:

Part #

Module Type

Notes

J9995A

8-port 1/2.5/5/10GBASE-T PoE+ with MACsec v3 zl2

MACsec support for the J9995A module requires software release KB.15.18 or greater.

J9993A

8-port 1G/10GbE SFP+ with MACsec v3 zl2

J9992A

20-port 10/100/1000BASE-T PoE+ and 1-port 40GbE QSFP+ with MACsec v3 zl2

MACsec support applies only to the 10/100/1000BASE-T ports. QSFP+ ports do not support MACsec.

J9991A

20-port 10/100/1000BASE-T PoE+ and 4-port 1/2.5/5/10GBASE-T PoE+ with MACsec v3 zl2

MACsec support for the 10/100/1000BASE-T ports requires software release KB.15.17 or greater. MACsec support for the 1/2.5/5/10GBASE-T ports require software release KB.15.18 or greater.

J9990A

20-port 10/100/1000BASE-T PoE+ and 4-port 1G/10GbE SFP+ with MACsec v3 zl2

J9989A

12-port 10/100/1000BASE-T PoE+ and 12-port 1GbE SFP with MACsec v3 zl2

J9988A

24-port 1GbE SFP with MACsec v3 zl2

J9987A

24-port 10/100/1000BASE-T with MACsec v3 zl2

J9986A

24-port 10/100/1000BASE-T PoE+ with MACsec v3 zl2

MACsec support also includes the following:

  • Support for ProVision manual-trunk ports.

  • Operation on V3 modules running in V2 compatibility mode.

  • 802.1AE MIB support (with controlled/uncontrolled port).

prev

 		  

 next

Event Log messages 

home

 MACsec configuration commands

Copyright © 2015 Hewlett-Packard Development Company, LP