Infrastructure MACsec
Overview
Media Access Control security (MACsec), standardized as IEEE 802.1AE, specifies how to transparently secure all or part of a Local Area Network (LAN) at the link layer. MACsec PHY devices do this while meeting the scalability and high-speed requirements generally placed on such networks. MACsec is intended for wired LANs only; wireless networks use a different protocol set. Securing the wired network therefore requires MACsec support on the infrastructure switches themselves, which the newer generation of modules listed below provides.
The MACsec protocol provides:
Connectionless data integrity: each MAC frame carries its own integrity check value (ICV), so no per-flow state is needed to verify it, hence the term connectionless.
Data origin authenticity: each MAC frame that passes the integrity check is guaranteed to have been sent by an authorized MACsec station holding the current key.
Confidentiality: the payload of each MAC frame can be encrypted to prevent eavesdropping. Encryption is optional; the integrity-only mode described below protects frames without encrypting them.
Replay protection: MAC frames copied from the LAN by an attacker cannot be resent into the LAN without being detected, because each frame carries a packet number that the receiver checks against its replay window.
MACsec secures switch-to-switch infrastructure links using the MACsec Key Agreement (MKA) protocol in Static CAK (Connectivity Association Key) mode. MACsec operation includes:
Switch-to-switch pairwise pre-shared CAK mode with a single CAK per port.
A new MACsec PHY that performs MACsec processing in hardware.
Support for the MKA protocol for automatic MACsec peer discovery, peer-participant liveness, Key Server election, and distribution of Secure Association Keys (SAKs).
Support for the GCM-AES-128 cipher suite with 128-bit keys (CAKs, ICKs, KEKs, and SAKs).
Two configurable modes: "Integrity Check Only" (frames are authenticated but not encrypted) and "Integrity Check with Confidentiality at offset 0" (the entire payload is encrypted and authenticated).
Configuration from the CLI (over the console, Telnet, or SSH) and via SNMP. MACsec configuration via the WebUI is not supported.
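The protections listed above and the MKA behaviour described in this section, as an added Python example that is not part of this page or of the ArubaOS-Switch software: it parses the IEEE 802.1AE SecTAG of constructed frames, maps the E/C bits to the integrity-only and confidentiality modes, applies the receive-side replay window, and runs the MKA Key Server election. All frame contents, MAC addresses, SCIs, priorities and switch names are constructed for illustration, and the ICV is a zero placeholder because the block does not implement GCM-AES-128.

```python
# Added example (not ArubaOS-Switch code): parse the IEEE 802.1AE SecTAG,
# apply the receive-side replay window and run the MKA Key Server election.
# All frames, MAC addresses and SCIs below are constructed for illustration.
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128 appends a 16-byte Integrity Check Value
# TCI bits of the first SecTAG octet: V ES SC SCB E C, followed by a 2-bit AN
TCI_V, TCI_SC, TCI_E, TCI_C, AN_MASK = 0x80, 0x20, 0x08, 0x04, 0x03


def parse_sectag(frame):
    """Return the SecTAG fields of a MACsec frame as a dict.

    'mode' maps the E/C bits to the two modes this page supports:
    E=1,C=1 -> confidentiality (payload encrypted from offset 0),
    E=0,C=0 -> integrity-only (payload in clear, still covered by the ICV).
    The ICV is not verified here; that requires the SAK and GCM-AES-128.
    """
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15] & 0x3F
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    (pn,) = struct.unpack("!I", frame[16:20])
    if pn == 0:
        raise ValueError("PN 0 is never valid")
    off, sci = 20, None
    if tci_an & TCI_SC:          # explicit SCI; otherwise it is implied by the link
        sci, off = frame[20:28], 28
    body, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    if sl and len(body) != sl:   # SL is non-zero only for user data under 48 octets
        raise ValueError("short length does not match payload")
    e, c = bool(tci_an & TCI_E), bool(tci_an & TCI_C)
    if e != c:
        raise ValueError("E/C combination not used with GCM-AES-128")
    return {"dst": dst, "src": src, "an": tci_an & AN_MASK, "pn": pn, "sci": sci,
            "mode": "confidentiality" if e else "integrity-only", "body": body, "icv": icv}


def build_frame(dst, src, an, pn, body, sci=None, confidentiality=True):
    """Construct a MACsec frame for the demo. The ICV is a zero placeholder;
    a real transmitter computes it with GCM-AES-128 under the current SAK."""
    tci = (an & AN_MASK) | (TCI_SC if sci else 0) | (TCI_E | TCI_C if confidentiality else 0)
    sl = len(body) if len(body) < 48 else 0
    hdr = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn) + (sci or b"")
    return dst + src + hdr + body + b"\x00" * ICV_LEN


class ReceiveSC:
    """Replay protection for one receive Secure Channel (802.1AE 10.6.2)."""

    def __init__(self, replay_window=0):
        self.replay_window = replay_window  # 0 = strict, frames must arrive in order
        self.next_pn = 1

    def accept(self, pn):
        """True if the PN passes the replay check; advances next_pn on in-order frames."""
        lowest_pn = max(self.next_pn - self.replay_window, 1)
        if pn < lowest_pn:
            return False              # replayed or too late: dropped
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True                   # late but inside the window is still accepted


def elect_key_server(participants):
    """MKA Key Server election (802.1X-2010 9.5): the live participant with the
    lowest Key Server Priority value wins, ties broken by the lowest SCI.
    Priority 255 means the participant never acts as Key Server."""
    eligible = [p for p in participants if p["priority"] != 255]
    return min(eligible, key=lambda p: (p["priority"], p["sci"]))["name"] if eligible else None


def demo():
    dst, src = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455")
    sci = src + b"\x00\x01"                 # SCI = source MAC + port identifier 1
    payload = bytes.fromhex("08004500")     # constructed: start of an IPv4 payload
    enc = parse_sectag(build_frame(dst, src, 0, 5, payload, sci=sci))
    clear = parse_sectag(build_frame(dst, src, 1, 6, payload, confidentiality=False))
    strict, windowed = ReceiveSC(0), ReceiveSC(2)
    arrivals = (1, 2, 3, 3, 2, 4)           # a duplicate and a late frame in the middle
    peers = [{"name": "sw-a", "priority": 16, "sci": bytes.fromhex("0000000000020001")},
             {"name": "sw-b", "priority": 16, "sci": bytes.fromhex("0000000000010001")},
             {"name": "sw-c", "priority": 255, "sci": bytes.fromhex("0000000000000001")}]
    return {"modes": (enc["mode"], clear["mode"], enc["sci"] == sci, clear["sci"]),
            "strict": [strict.accept(pn) for pn in arrivals],
            "window2": [windowed.accept(pn) for pn in arrivals],
            "key_server": elect_key_server(peers)}


if __name__ == "__main__":
    print(demo())
```

Run the block directly to print the demo results. The two receive channels show the trade-off behind the replay window: with replay_window=0 the duplicated PN 3 and the late PN 2 are dropped, while with a window of 2 the same frames pass the PN check, so a non-zero window tolerates reordering on the link at the cost of accepting a replay that lands inside the window.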
MACsec is available on the following modules:
| Part # | Module Type | Notes |
|---|---|---|
| J9995A | 8-port 1/2.5/5/10GBASE-T PoE+ with MACsec v3 zl2 | MACsec support for the J9995A module requires software release KB.15.18 or greater. |
| J9993A | 8-port 1G/10GbE SFP+ with MACsec v3 zl2 | — |
| J9992A | 20-port 10/100/1000BASE-T PoE+ and 1-port 40GbE QSFP+ with MACsec v3 zl2 | MACsec support applies only to the 10/100/1000BASE-T ports. QSFP+ ports do not support MACsec. |
| J9991A | 20-port 10/100/1000BASE-T PoE+ and 4-port 1/2.5/5/10GBASE-T PoE+ with MACsec v3 zl2 | MACsec support for the 10/100/1000BASE-T ports requires software release KB.15.17 or greater. MACsec support for the 1/2.5/5/10GBASE-T ports requires software release KB.15.18 or greater. |
| J9990A | 20-port 10/100/1000BASE-T PoE+ and 4-port 1G/10GbE SFP+ with MACsec v3 zl2 | — |
| J9989A | 12-port 10/100/1000BASE-T PoE+ and 12-port 1GbE SFP with MACsec v3 zl2 | — |
| J9988A | 24-port 1GbE SFP with MACsec v3 zl2 | — |
| J9987A | 24-port 10/100/1000BASE-T with MACsec v3 zl2 | — |
| J9986A | 24-port 10/100/1000BASE-T PoE+ with MACsec v3 zl2 | — |
MACsec support also includes the following:
Support for ArubaOS-Switch manual-trunk ports.
Operation on V3 modules running in V2 compatibility mode.
802.1AE MIB support (with controlled/uncontrolled port).