[gearsyncd,macsec]: Deterministic MACsec backend selection for gearbox ports #3926
Merged
prsunny merged 5 commits into sonic-net:master from Jan 6, 2026
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
ec74bde to
ca0690b
ca0690b to
aeca8bc
arista-nwolfe
approved these changes
Dec 5, 2025
Contributor
arista-nwolfe
left a comment
Change LGTM, tested this against an Arista SKU which also has gearboxes that don't support macsec and the SAI call went to ASIC_DB as expected
sonic-net/sonic-buildimage#24761
judyjoseph
reviewed
Dec 10, 2025
Contributor
Author
Thank you, @arista-nwolfe, for testing and validating the changes on the Arista SKU.
Signed-off-by: rajshekhar <[email protected]>
…csec_supported fix
Why I did it
On gearbox ports, creating MACsec on the PHY switch fails with SAI_STATUS_NOT_IMPLEMENTED if the gearbox PHY lacks a MACsec engine. A fix for this issue has already been committed. This PR aims to create the corresponding test case to validate that fix.
How I did it
Have added three testcases:
- test_macsec_phy_switch_default: This tests the scenario when the macsec_supported field is absent in the gearbox_config.json
- test_macsec_phy_switch_explicit: This tests the scenario when the macsec_supported field is set as true in the gearbox_config.json
- test_macsec_npu_switch: This tests the scenario when the macsec_supported field is set as false in the gearbox_config.json
Some helper functions:
- verify_macsec_in_asic_db: This verifies if the ASIC_DB has the required entries created or not.
- verify_macsec_in_gb_asic_db: This verifies if the GB_ASIC_DB has the required entries created or not.
- setup_gearbox_table: The job of this function is to change the value of the macsec_supported field. It modifies the value as per the requirement of the testcase. It writes the file gearbox_config.json
- enable_macsec_on_port: Helper function to enable macsec.
- cleanup_macsec: Helper function to delete macsec configuration.
Signed-off-by: rajshekhar <[email protected]>
e5de6d2 to
0e5f3bf
Contributor
Author
Hi @prsunny,
Contributor
Author
Hi @prsunny,
Collaborator
Cherry-pick PR to 202511: #4126
arpit-nexthop
pushed a commit
to nexthop-ai/sonic-swss
that referenced
this pull request
Jan 21, 2026
…x ports (sonic-net#3926)
What I did
Introduce a platform capability flag in the gearbox config to determine, per PHY, whether MACsec is supported (applies to all ports mapped to that PHY). MACsec orchestration will:
- Use PHY switch by default on gearbox ports
- Use NPU/global switch only when the platform marks the PHY as not supporting MACsec
Why I did it
On gearbox ports, creating MACsec on the PHY switch fails (SAI_STATUS_NOT_IMPLEMENTED) if gearbox PHY does not have the MACsec engine.
arista-nwolfe
added a commit
to arista-nwolfe/sonic-buildimage
that referenced
this pull request
Jan 23, 2026
This change is dependent on sonic-net/sonic-swss#3926 merging first. Signed-off-by: Nathan Wolfe <[email protected]>
ganglyu
pushed a commit
to ganglyu/sonic-swss
that referenced
this pull request
Jan 26, 2026
…x ports (sonic-net#3926)
What I did
Introduce a platform capability flag in the gearbox config to determine, per PHY, whether MACsec is supported (applies to all ports mapped to that PHY). MACsec orchestration will:
- Use PHY switch by default on gearbox ports
- Use NPU/global switch only when the platform marks the PHY as not supporting MACsec
Why I did it
On gearbox ports, creating MACsec on the PHY switch fails (SAI_STATUS_NOT_IMPLEMENTED) if gearbox PHY does not have the MACsec engine.
Signed-off-by: ganglyu <[email protected]>
baorliu
pushed a commit
to baorliu/sonic-swss
that referenced
this pull request
Feb 23, 2026
…x ports (sonic-net#3926)
What I did
Introduce a platform capability flag in the gearbox config to determine, per PHY, whether MACsec is supported (applies to all ports mapped to that PHY). MACsec orchestration will:
- Use PHY switch by default on gearbox ports
- Use NPU/global switch only when the platform marks the PHY as not supporting MACsec
Why I did it
On gearbox ports, creating MACsec on the PHY switch fails (SAI_STATUS_NOT_IMPLEMENTED) if gearbox PHY does not have the MACsec engine.
Signed-off-by: Baorong Liu <[email protected]>
rlhui
pushed a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Mar 8, 2026
sonic-net/sonic-swss#3926 introduces the ability to indicate whether a gearbox phy supports macsec or not. This allows the macsecorch to send the macsec SAI calls to the switching asic (syncd) instead of the gearbox phy (gbsyncd). arista_7280r4(k)_32qf_32df is a platform that has this same behavior (GB doesn't support macsec). The parent PR for this SKU is #24206 Signed-off-by: Nathan Wolfe <[email protected]> Co-authored-by: Arvindsrinivasan Lakshmi Narasimhan <[email protected]>
mssonicbld
added a commit
to mssonicbld/sonic-buildimage
that referenced
this pull request
Mar 8, 2026
This change depends on sonic-net/sonic-swss#3926 merging first.
sonic-net/sonic-swss#3926 introduces the ability to indicate whether a gearbox phy supports macsec or not. This allows the macsecorch to send the macsec SAI calls to the switching asic (syncd) instead of the gearbox phy (gbsyncd).
`arista_7280r4(k)_32qf_32df` is a platform that has this same behavior (GB doesn't support macsec). The parent PR for this SKU is sonic-net#24206
#### Which release branch to backport (provide reason below if selected)
<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->
- [ ] 202205
- [ ] 202211
- [ ] 202305
- [ ] 202311
- [ ] 202405
- [ ] 202411
- [ ] 202505
- [x] 202511
Signed-off-by: Sonic Build Admin <[email protected]>
jackson-micas
pushed a commit
to jackson-micas/sonic-buildimage
that referenced
this pull request
Mar 10, 2026
sonic-net/sonic-swss#3926 introduces the ability to indicate whether a gearbox phy supports macsec or not. This allows the macsecorch to send the macsec SAI calls to the switching asic (syncd) instead of the gearbox phy (gbsyncd). arista_7280r4(k)_32qf_32df is a platform that has this same behavior (GB doesn't support macsec). The parent PR for this SKU is sonic-net#24206 Signed-off-by: Nathan Wolfe <[email protected]> Co-authored-by: Arvindsrinivasan Lakshmi Narasimhan <[email protected]> Signed-off-by: jackson <[email protected]>
mssonicbld
added a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Mar 12, 2026
…#25960)
This change depends on sonic-net/sonic-swss#3926 merging first.
sonic-net/sonic-swss#3926 introduces the ability to indicate whether a gearbox phy supports macsec or not. This allows the macsecorch to send the macsec SAI calls to the switching asic (syncd) instead of the gearbox phy (gbsyncd).
`arista_7280r4(k)_32qf_32df` is a platform that has this same behavior (GB doesn't support macsec). The parent PR for this SKU is #24206
#### Which release branch to backport (provide reason below if selected)
<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->
- [ ] 202205
- [ ] 202211
- [ ] 202305
- [ ] 202311
- [ ] 202405
- [ ] 202411
- [ ] 202505
- [x] 202511
Signed-off-by: Sonic Build Admin <[email protected]>
What I did
Introduce a platform capability flag in the gearbox config to determine, per PHY, whether MACsec is supported (applies to all ports mapped to that PHY). MACsec orchestration will:
- Use PHY switch by default on gearbox ports
- Use NPU/global switch only when the platform marks the PHY as not supporting MACsec
Have added three DVS testcases:
- test_macsec_phy_switch_default: This tests the scenario when the macsec_supported field is absent in the gearbox_config.json
- test_macsec_phy_switch_explicit: This tests the scenario when the macsec_supported field is set as true in the gearbox_config.json
- test_macsec_npu_switch: This tests the scenario when the macsec_supported field is set as false in the gearbox_config.json
Why I did it
On gearbox ports, creating MACsec on the PHY switch fails (SAI_STATUS_NOT_IMPLEMENTED) if gearbox PHY does not have the MACsec engine.
How I verified it
Manually verified on DUT by adding macsec_supported=false in gearbox_config.json and configuring the macsec on the PHY port. Also ran the dvs testcase and made sure it is passing.
sudo pytest -v tests/test_macsec_gearbox.py
Details if related
HLD: sonic-net/SONiC#2072
gearbox_config.json changes are posted here: https://github.com/sonic-net/sonic-buildimage/pull/24169/files#diff-737ea59a7eba8ea0ed71a15a052868815f7faad351fd353736ad196932bed57a
Co-authored by @shreyansh-nexthop
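
The selection rule described in this PR, as an added audit sketch that is not code from the PR or from sonic-swss: it reads a gearbox config and reports, per gearbox port, whether MACsec objects should appear in GB_ASIC_DB (PHY switch) or ASIC_DB (NPU switch). Only `macsec_supported` is named on this page; the `phys`, `interfaces`, `phy_id` and `name` keys, and the acceptance of both JSON booleans and "true"/"false" strings, are assumptions.

```python
import json

# Constructed sample, not a real platform file. Key names other than
# "macsec_supported" are assumptions about the gearbox_config.json layout.
SAMPLE_GEARBOX_CONFIG = """
{
  "phys": [
    {"phy_id": 1, "name": "phy-a"},
    {"phy_id": 2, "name": "phy-b", "macsec_supported": true},
    {"phy_id": 3, "name": "phy-c", "macsec_supported": false}
  ],
  "interfaces": [
    {"name": "Ethernet0", "phy_id": 1},
    {"name": "Ethernet4", "phy_id": 2},
    {"name": "Ethernet8", "phy_id": 3}
  ]
}
"""

PHY_BACKEND = "GB_ASIC_DB"  # MACsec programmed on the gearbox PHY switch
NPU_BACKEND = "ASIC_DB"     # MACsec programmed on the NPU/global switch

def _parse_flag(value):
    """Absent means supported (PHY switch is the default for gearbox ports)."""
    if value is None:
        return True
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unrecognised macsec_supported value: {value!r}")

def expected_macsec_backends(config_text):
    """Map each gearbox port to the DB where its MACsec objects should appear."""
    cfg = json.loads(config_text)
    phy_ok = {p["phy_id"]: _parse_flag(p.get("macsec_supported"))
              for p in cfg.get("phys", [])}
    result = {}
    for intf in cfg.get("interfaces", []):
        phy_id = intf["phy_id"]
        if phy_id not in phy_ok:
            # A port mapped to an undeclared PHY has no defined backend.
            raise ValueError(f"{intf['name']} references unknown phy_id {phy_id}")
        result[intf["name"]] = PHY_BACKEND if phy_ok[phy_id] else NPU_BACKEND
    return result

if __name__ == "__main__":
    for port, db in expected_macsec_backends(SAMPLE_GEARBOX_CONFIG).items():
        print(f"{port}: MACsec objects expected in {db}")
```

Comparing this expected mapping against where the MACsec objects actually land on a device is the same check the three DVS testcases perform for the absent, true and false cases.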