MACsec is an IEEE 802.1AE standards based Layer 2 hop-by-hop encryption method.

Traffic is encrypted on the wire between two MACsec peers and is unencrypted to process internally on the switch.

It allows the switch to look for objects inside of the packet such as SGT enforcement or Quality of Service priortisation.

MACsec can utilise onboard ASICs to perform encryption and decryption rather than having to offload to a crypto engine.

MACsec is based on the ethernet frame format with an additional 16-byte MACsec Security Tag field (802.1AE header) and a 16-byte Integrity Check Value (ICV) field.

These additional headers mean that all devices within the flow of the MACsec communications must support MACsec for these fields to used and secure traffic.

MACsec provides authentication using Galois Method Authentication Code (GMAC) or authenticated encryption using Galois /Counter Mode Advanced Encryption Standard (AES-GCM)

Fields in MACsec

MACset Ethertype

Set to 0x88e5 to designate the frame type as MACsec


Tag Control / Association Number field, designating the version number, version number, and integrity


Short Length field, designates the length of the encrypted data

Packet Number

Packet number for replay protection and building the initialisation vector


Secure Channel Identifier for classifying the connection to the virtual port

Types of MACsec

There are two types of MACsec.

Security Association Protocol

Proprietary Cisco keyring protocol used between Cisco switches

MACsec Key Agreement Protocol

MACsec Key Agreement Protocol provides required session keys and manages required encryption keys. 802.1AE encryption with MKA is supported between endpoints and switches as well as between switches

MACsec on Downlink

Download MACsec is a term used to describe the encrypted link between an endpoint and a switch.

The encryption between the two devices is handled by MACsec Key Agreement Protocol.

This requires a MACsec-capable switch and a MACsec-capable supplicant on the endpoint.

The encryption on the endpoint may be handled in hardware or in software using the CPU with software like Cisco AnyConnect.

The Cisco switch can force encryption or make it optional. The setting can be configured manually per port or dynamically as an authorisation option from Cisco ISE.

The Cisco ISE policy returned will override any setting set on the switch CLI

MACsec on Uplink

Uplink MACsec is the term for encrypting between switches.

Default uplink MACsec uses Cisco proprietary SAP encryption with AES-GCM-128.

Uplink MACsec may be negotiated manually or dynamically. A dynamic setting will require 802.1x authentication between the switches.



, ,




Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.