Each MACsec device supports 64 Tx-SAs and 64 Rx-SAs. An SA (Security Association) is the key to encrypt or decrypt the data.
As defined in IEEE 802.1AE, each SecY contains an SC. An SC is unidirectional: it is either an Rx-SC or a Tx-SC. Each SC contains at least one SA, used for encryption on a Tx-SC and for decryption on an Rx-SC. For extra security, each SC should be able to roll over its SA; Nokia therefore recommends that each SC have two SAs for rollover purposes.
A MACsec PHY is known as a MACsec security zone. Each MACsec security zone supports 64 Tx-SAs and 64 Rx-SAs. Assuming two SAs for each SC for SA rollover, each zone supports 32 Rx-SCs and 32 Tx-SCs.
The following table describes the port mapping to security zones.

Platform | Ports in security zone 1 | Ports in security zone 2 | Ports in security zone 3 | Ports in security zone 5 | SA limit per security zone
---|---|---|---|---|---
7210 SAS-K 2F6C4T | Ports 1, 2, 3, 4 | Ports 5, 6, 7, 8 | Ports 9, 10, 11, 12 | — | Rx-SA = 64, Tx-SA = 64
7210 SAS-K 3SFP+ 8C | Ports 1, 2, 3, 4 (1, 2, and 3 are 10GE ports) | Ports 5, 6, 7, 8 | Ports 9, 10, 11 | — | Rx-SA = 64, Tx-SA = 64
7210 SAS-Dxp 24p | — | — | — | Ports 1/1/19 and 1/1/20 (1 GE ports), Ports 1/1/17 and 1/1/18 (10 GE ports) | Rx-SA = 64, Tx-SA = 64
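
Because the SA limit applies per security zone rather than per port, SCs planned on different ports of the same zone draw on one shared budget. The following added example (not Nokia code) checks a plan against that budget for the 7210 SAS-K 2F6C4T mapping in the table; the function names and the sample plan are constructed for illustration, and it assumes two SAs per SC as recommended above.

```python
"""Per-zone MACsec SA budget check (added example, not Nokia code)."""

SA_LIMIT = 64    # Rx-SA and Tx-SA limit per security zone, from the table
SAS_PER_SC = 2   # two SAs per SC for rollover, as the page recommends

# Port-to-zone mapping for the 7210 SAS-K 2F6C4T, from the table.
ZONES_2F6C4T = {1: (1, 2, 3, 4), 2: (5, 6, 7, 8), 3: (9, 10, 11, 12)}


def zone_of(port, zones=ZONES_2F6C4T):
    """Return the security zone that contains the given port."""
    for zone, ports in zones.items():
        if port in ports:
            return zone
    raise ValueError(f"port {port} is not in any MACsec security zone")


def zone_usage(plan, zones=ZONES_2F6C4T):
    """plan maps port -> (Tx-SCs, Rx-SCs); returns zone -> (Tx-SAs, Rx-SAs)."""
    usage = {zone: [0, 0] for zone in zones}
    for port, (tx_scs, rx_scs) in plan.items():
        zone = zone_of(port, zones)
        usage[zone][0] += tx_scs * SAS_PER_SC
        usage[zone][1] += rx_scs * SAS_PER_SC
    return {zone: tuple(counts) for zone, counts in usage.items()}


def over_budget(plan, zones=ZONES_2F6C4T):
    """List (zone, direction, SAs needed) for every exceeded per-zone limit."""
    problems = []
    for zone, (tx_sas, rx_sas) in sorted(zone_usage(plan, zones).items()):
        if tx_sas > SA_LIMIT:
            problems.append((zone, "Tx-SA", tx_sas))
        if rx_sas > SA_LIMIT:
            problems.append((zone, "Rx-SA", rx_sas))
    return problems


# Constructed plan: port -> (number of Tx-SCs, number of Rx-SCs).
# Ports 1 and 2 each fit the 32 Rx-SC limit alone, but share zone 1.
PLAN = {1: (1, 20), 2: (1, 13), 5: (1, 4), 9: (1, 1)}

if __name__ == "__main__":
    for zone, direction, needed in over_budget(PLAN):
        print(f"zone {zone}: {direction} needs {needed}, limit {SA_LIMIT}")
```

In the sample plan, ports 1 and 2 together need 33 Rx-SCs, which is 66 Rx-SAs and exceeds the zone 1 limit even though neither port exceeds it alone.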