MACsec overview

Media Access Control Security (MACsec) is a Layer 2 security technology that provides point-to-point security on Ethernet links between nodes.

Note: MACsec is supported on Ruckus ICX 7450 and ICX 7650 devices.

MACsec, defined in the IEEE 802.1AE-2006 standard, is based on symmetric cryptographic keys. The MACsec Key Agreement (MKA) protocol, defined as part of the IEEE 802.1X-2010 standard, operates at Layer 2 to generate and distribute the cryptographic keys used by the MACsec functionality installed in the hardware.

As a hop-to-hop Layer 2 security feature, MACsec can be combined with Layer 3 security technologies such as IPsec for end-to-end data security.

Supported MACsec hardware configurations

MACsec key-enabled security can be deployed on a point-to-point LAN between two connected ICX 7450 or ICX 7650 devices over interfaces that share a preconfigured static key, the Connectivity Association Key (CAK).

On a licensed ICX 7450 or ICX 7650 device, 10-Gbps ports can be configured for MACsec. Licenses are available per device as described in the Ruckus FastIron Software Licensing Guide.

Note: On ICX 7450 devices, MACsec is available only on 4 X 10GF modules present in slots 2, 3, or 4.
Note: On ICX 7650 devices, MACsec is available on 10-Gbps fiber ports, which are available on ports 25 through 48 of the base module or ICX 7650-48F devices, or on slot 2 when a 4 X 10GF module is installed.

MACsec RFCs and standards

FastIron MACsec complies with the following industry standards:

  • IEEE Std 802.1X-2010: Port-Based Network Access Control
  • IEEE Std 802.1AE-2006: Media Access Control (MAC) Security
  • RFC 3394: Advanced Encryption Standard (AES) Key Wrap Algorithm
  • RFC 5649: Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm

Refer to "Port MAC Security (PMS)" for information on other IEEE 802.1X features.

MACsec considerations

Review the following considerations before deploying MACsec:

  • As a prerequisite, MACsec must be licensed on each device where it is used.
  • MACsec introduces an additional transit delay, due to the increase in the MAC Service Data Unit (MSDU) size.
  • MACsec and Flexible authentication cannot be configured on the same port.
  • On an ICX 7450 device, ports on a 4 X 10GF removable module installed in device slot 2 can be used for MACsec or stacking but not both simultaneously. In rear modules 3 and 4, MACsec can be supported at all times because stacking is not available on those modules. For more information on converting module 2 ports between MACsec and stacking, refer to the Ruckus FastIron Stacking Configuration Guide.
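
The transit-delay consideration above comes from the bytes MACsec adds to every frame: the SecTAG after the source MAC address and the ICV at the end. The following Python sketch is an added example, not FastIron code. It parses the SecTAG of a captured frame to confirm that the frame is protected and to report the added bytes. The field layout follows IEEE 802.1AE; the 16-byte ICV, the function names and the sample frame are assumptions made for illustration.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # assumption: 16-byte ICV, as used by the GCM-AES cipher suites

def parse_sectag(frame: bytes) -> dict:
    """Parse the SecTAG of one Ethernet frame and report the bytes MACsec added."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, 14)
    if tci_an & 0x80:
        raise ValueError("unsupported SecTAG version")
    has_sci = bool(tci_an & 0x20)          # SC bit: an explicit 8-byte SCI follows
    sectag_len = 16 if has_sci else 8      # length includes the 2-byte EtherType
    if len(frame) < 12 + sectag_len + ICV_LEN:
        raise ValueError("frame truncated inside SecTAG or ICV")
    return {
        "encrypted": bool(tci_an & 0x08),  # E bit: user data is encrypted
        "changed": bool(tci_an & 0x04),    # C bit: user data was modified
        "an": tci_an & 0x03,               # association number (0-3)
        "short_length": sl & 0x3F,         # non-zero only for short payloads
        "pn": pn,                          # packet number, used for replay checks
        "sci": frame[20:28].hex() if has_sci else None,
        "overhead": sectag_len + ICV_LEN,
        "payload_len": len(frame) - 12 - sectag_len - ICV_LEN,
    }

def added_serialization_ns(overhead_bytes: int, link_gbps: float = 10.0) -> float:
    """Extra time on the wire for the added bytes (serialization only)."""
    return overhead_bytes * 8 / link_gbps

# Constructed sample frame (not a real capture): locally administered MACs,
# SC+E+C set, AN 0, PN 1, SCI = source MAC + port 1, 64 bytes of placeholder
# ciphertext and an all-zero placeholder ICV.
SRC = bytes.fromhex("020000000001")
SAMPLE = (bytes.fromhex("020000000002") + SRC + b"\x88\xe5"
          + bytes([0x2C, 0x00]) + struct.pack("!I", 1)
          + SRC + b"\x00\x01" + bytes(64) + bytes(ICV_LEN))

if __name__ == "__main__":
    info = parse_sectag(SAMPLE)
    print(info)
    print("added serialization delay: %.1f ns" % added_serialization_ns(info["overhead"]))
```

A frame whose EtherType is not 0x88E5, or whose E bit is clear, on a link that is expected to be encrypted is the condition to look for when checking a capture.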