AWS Direct Connect MACSec supported switches.

AWS Direct Connect supports MACsec (Media Access Control Security) encryption for dedicated connections, but the specific switch requirements are not explicitly stated in the provided information. However, there are some key points to consider:

1. MACsec is supported on 10 Gbps, 100 Gbps, and 400 Gbps dedicated Direct Connect connections at selected points of presence.

2. For MACsec to work, your device must have direct layer 2 adjacency with the AWS Direct Connect device. This means your switch needs to support MACsec capabilities.

3. The supported MACsec cipher suites are:

   • For 10 Gbps connections: GCM-AES-256 and GCM-AES-XPN-256
   • For 100 Gbps and 400 Gbps connections: GCM-AES-XPN-256

4. Your switch should support these cipher suites and be capable of implementing MACsec at the required connection speeds.

5. AWS uses the MACsec Extended Packet Numbering (XPN) feature, which supports a 64-bit Packet Number (PN) value. This is important for high-speed links to avoid frequent Security Association Key (SAK) rekeying.

While specific switch models are not mentioned, you should look for Cisco switches or other vendor switches that support these MACsec features, particularly the required cipher suites and XPN capability at the connection speeds you need.

It's recommended to consult with your network equipment vendor (Cisco or others) to identify models that meet these requirements. Additionally, you may want to work with your AWS account team or AWS Support to get more specific guidance on compatible switch models for your Direct Connect MACsec implementation.
Sources
MAC Security in AWS Direct Connect - AWS Direct Connect
AWS Direct Connect and VPNs - Amazon EC2 Overview and Networking Introduction for Telecom Companies
Secure Association Key(SAK) rotation in MACsec on DX | AWS re:Post