SA limits and network design

Each MACsec device supports 64 Tx-SAs and 64 Rx-SAs. An SA (Security Association) carries the key used to encrypt or decrypt the data.

In accordance with the IEEE 802.1AE standard, each SecY contains an SC. An SC is unidirectional: it is either an Rx-SC or a Tx-SC. Each SC contains at least one SA, used for encryption on a Tx-SC and for decryption on an Rx-SC. For extra security, each SC should also be able to roll over (rekey) its SA. Nokia recommends that each SC have two SAs for rollover purposes.

Each MACsec PHY, referred to as a MACsec security zone, supports 64 Tx-SAs and 64 Rx-SAs. Assuming two SAs per SC for SA rollover, each security zone supports 32 Rx-SCs and 32 Tx-SCs.

Table 1 describes the port mapping to security zones.

Table 1. Port mapping to security zone

MDA                    | Ports in security zone 1 | Ports in security zone 2 | Ports in security zone 3 | SA limit per security zone
-----------------------|--------------------------|--------------------------|--------------------------|---------------------------
12-port SFP+/SFP MDA-e | Ports 1, 2, 3, 4         | Ports 5, 6, 7, 8         | Ports 9, 10, 11, 12      | Rx-SA = 64, Tx-SA = 64
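The limits above matter at design time: a port's SA demand is charged against the budget of the security zone it sits in, not against the whole MDA. The following planner is an added example (not Nokia code) that applies the figures on this page: the Table 1 port-to-zone mapping for the 12-port SFP+/SFP MDA-e, the 64 Tx-SA / 64 Rx-SA limit per zone, and the recommended two SAs per SC. It assumes the SC counting model of IEEE 802.1AE, in which a port has one Tx-SC per CA it joins and one Rx-SC per remote peer in that CA, so a point-to-point link costs one Tx-SC and one Rx-SC and a multipoint CA with n members costs one Tx-SC and n-1 Rx-SCs. The plan format (a list of (port, peer_count) entries) is a constructed input, not a Nokia CLI structure.

```python
"""SA budget planner for a MACsec security zone (added example, not Nokia code).

Assumptions, labelled here and at the point of use:
- port-to-zone mapping taken from Table 1 (12-port SFP+/SFP MDA-e)
- per zone limit: 64 Tx-SAs and 64 Rx-SAs (from this page)
- one Tx-SC per CA membership, one Rx-SC per remote peer (IEEE 802.1AE model)
- every SC is provisioned with SAS_PER_SC SAs so it can roll over its key
"""
from collections import defaultdict

# Table 1 port mapping (zone -> ports). Assumption: copied from the table above.
SECURITY_ZONES = {1: (1, 2, 3, 4), 2: (5, 6, 7, 8), 3: (9, 10, 11, 12)}
TX_SA_LIMIT = 64
RX_SA_LIMIT = 64
SAS_PER_SC = 2  # Nokia recommendation: two SAs per SC for rollover


def zone_of(port):
    """Return the security zone number for a port on this MDA."""
    for zone, ports in SECURITY_ZONES.items():
        if port in ports:
            return zone
    raise ValueError(f"port {port} is not on this MDA")


def sc_demand(ca_plan):
    """Count SCs per zone.

    ca_plan: list of (local_port, peer_count) tuples, one entry per CA the
    port participates in (constructed plan format for this example).
    Returns {zone: {"tx_sc": n, "rx_sc": m}}.
    """
    demand = defaultdict(lambda: {"tx_sc": 0, "rx_sc": 0})
    for port, peers in ca_plan:
        if peers < 1:
            raise ValueError("a CA needs at least one remote peer")
        zone = zone_of(port)
        demand[zone]["tx_sc"] += 1       # one Tx-SC per CA membership (802.1AE)
        demand[zone]["rx_sc"] += peers   # one Rx-SC per remote peer (802.1AE)
    return dict(demand)


def check_sa_budget(ca_plan, sas_per_sc=SAS_PER_SC):
    """Convert SC demand to SA demand and compare it with the per-zone limits.

    Returns {zone: {"tx_sa": used, "rx_sa": used, "ok": bool}}; a zone is
    "ok" only if both its Tx-SA and Rx-SA demand fit the limit.
    """
    result = {}
    for zone, d in sc_demand(ca_plan).items():
        tx_sa = d["tx_sc"] * sas_per_sc
        rx_sa = d["rx_sc"] * sas_per_sc
        result[zone] = {
            "tx_sa": tx_sa,
            "rx_sa": rx_sa,
            "ok": tx_sa <= TX_SA_LIMIT and rx_sa <= RX_SA_LIMIT,
        }
    return result


def max_point_to_point_links_per_zone(sas_per_sc=SAS_PER_SC):
    """Number of point-to-point links (1 Tx-SC + 1 Rx-SC each) one zone can hold."""
    return min(TX_SA_LIMIT, RX_SA_LIMIT) // sas_per_sc


if __name__ == "__main__":
    # Constructed plans: four P2P links in zone 1, and one large multipoint CA on port 5.
    p2p_plan = [(1, 1), (2, 1), (3, 1), (4, 1)]
    multipoint_plan = [(5, 40)]
    print("P2P links per zone with rollover:", max_point_to_point_links_per_zone())
    print("zone 1, four P2P links:", check_sa_budget(p2p_plan))
    print("zone 2, 41-member CA on port 5:", check_sa_budget(multipoint_plan))
```

Running the module shows the two design consequences worth remembering: with two SAs per SC a zone holds 32 point-to-point links, and a single multipoint CA with 40 remote peers on one port already needs 80 Rx-SAs, which exceeds the zone's 64 even though its Tx-SA use is only 2. Dropping to one SA per SC doubles the headroom but removes the ability to roll keys without a gap.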