Secure MACsec encryption

This chapter provides detailed guidance on securing MACsec-enabled routers, including configuring Power-on Self-Test (KAT) for FIPS compliance, managing dynamic power allocation for MACsec ports, and implementing secure MACsec pre-shared keys using Type 6 password encryption. Users can follow step-by-step procedures to ensure cryptographic integrity, robust key management, and optimal power distribution on supported routers.

Power-on Self-Test KAT for Common Criteria and FIPS

A power-on self-test (POST) is a security mechanism that

  • verifies the cryptographic integrity of hardware components at system startup,

  • prevents network traffic flow if integrity checks fail, and

  • supports compliance with security standards such as Common Criteria and FIPS.

Power-on self-tests utilize Known Answer Tests (KATs) executed immediately after powering on the cipher module in MACsec-enabled Cisco 8000 series routers. These tests check cryptographic algorithms (e.g., SHA, DES) on each physical layer chip (PHY) with hardware crypto. If any PHY fails the test, the module enters an error state and does not allow traffic, ensuring only secure, verified hardware is operational.

The POST KAT feature is now available on Cisco 8800 48x100 GbE QSFP28 Line Card (8800-LC-48H), Cisco 8800 36x400GE QSFP56-DD Line Card with MACsec (8800-LC-36FH-M), and Cisco 8606 series routers.

  • On successful POST KAT execution, the system displays logs indicating KAT Test PASSED for each port, and the corresponding line card becomes operational.

  • If POST KAT fails on any PHY, the system logs a KAT Test FAILED message, the line card enters an ERROR state, and network traffic is blocked on that card.

How MACsec pre-shared keys with Type 6 password encryption work

Summary

MACsec pre-shared keys with Type 6 password encryption safeguard Layer 2 traffic by encrypting cryptographic secrets at rest using an AES-based method linked to a local primary password-encryption key. The router encrypts PSKs for storage and decrypts them in memory only when required for MACsec operations, ensuring secure handling and rotation of secrets.

The key components involved in the process are:

  • Primary password-encryption key: A locally defined secret serving as the root key for securing all Type 6–encrypted strings on the router.

  • Type 6 encryption engine: An AES-based service that encrypts and decrypts secret values for secure storage and controlled display.

  • MACsec PSK entries: The pre-shared keys used by MACsec; stored as encrypted strings when Type 6 is enabled.

  • Configuration datastore: The running and startup configuration repositories that persist encrypted secret strings.

  • Router: Hosts the primary key, runs the Type 6 engine, encrypts and decrypts PSKs, and manages configuration persistence.

  • User: Defines the primary key, enables Type 6 encryption, configures MACsec PSKs, and performs key rotation.

Workflow

These are the stages in the workflow for MACsec pre-shared keys with Type 6 password encryption:

  1. Primary key setup: The administrator sets a primary password-encryption key that meets policy requirements. The router internally stores it and uses it as the root to protect all Type 6–encrypted strings.
  2. Enable Type 6 encryption: The administrator activates the AES-based Type 6 mechanism. The router binds the encryption engine to the primary key, ensuring new or updated secret strings are encrypted at rest.
  3. Enter PSKs and store securely: When MACsec PSKs are configured or modified, the router accepts plaintext input, encrypts it immediately using Type 6 with the primary key, and saves only the encrypted representation in the configuration.
  4. Use PSKs for MACsec: When MACsec needs a PSK, the router decrypts the stored Type 6 value in memory using the primary key and provides the plaintext to MACsec to establish secure sessions.
  5. Rotate the primary key (optional): When the primary key is rotated, the router re-encrypts all existing Type 6 strings, including MACsec PSKs, under the new key after the administrator authenticates and supplies the new key.

Result

The process ensures that MACsec PSKs remain encrypted at rest, prevents plaintext exposure in configurations, and supports controlled key rotation, thus enhancing the security posture of Layer 2 traffic protection.

Guidelines for MACsec FIPS-POST and KAT

Expect boot-up delays

Expect a boot-up delay of approximately 2 to 3 minutes for a line card when you enable Known Answer Test (KAT) compared to when it is not enabled.

Prevent configuration conflicts

If Power-On Self-Test (POST) Known Answer Test (KAT) is already enabled on the PHY, do not configure the hw-module macsec-fips-post location all command again. This prevents configuration conflicts, especially during a configuration restore. Use the show hw-module macsec-mode fips-post command to view the current running configuration in such scenarios.

Enable Power-on Self-Test KAT for MACsec FIPS cards

Ensure MACsec FIPS line cards on routers conduct Power-on Self-Test Known Answer Tests (KAT) to verify cryptographic integrity and support FIPS compliance.

This task is essential when deploying or maintaining routers with MACsec FIPS line cards to confirm hardware cryptographic integrity.

KAT is not enabled by default. You can configure the `hw-module macsec-fips-post` command to enable POST KAT for the MACsec-enabled hardware. With this configuration, the KAT always runs as a self-test during power on. The cryptographic algorithm tests are performed on every physical layer chip (PHY) with hardware crypto once it is powered up.

  • Pass criteria for KAT: Any change in the FIPS mode configuration requires a line card reload. On reload, the FIPS POST runs as part of the line card boot sequence, and each subsequent boot (depending on the FIPS mode state) re-triggers the KAT. If a module has multiple PHYs, the system performs the KAT on each PHY and returns the results. If all PHYs pass the KAT, the system brings up the line card for regular use.

  • Fail criteria for KAT: Traffic does not pass through a MACsec-enabled PID that failed KAT. If any PHY registers a KAT failure, the module enters an ERROR state and the system displays a critical ERROR SYSLOG output: KAT Test Failed. The system does not allow any traffic or data flow through the interfaces on that line card. Although the interfaces are present, they do not come up or allow traffic to flow through them on a line card that failed KAT. In a modular chassis, all other line cards, except the one that failed the KAT, will be up and running.

Before you begin

  • Install the k9sec package on the router.

  • Confirm that FIPS is supported and enabled on the line card.

Follow these steps to enable and verify Power-on Self-Test KAT for MACsec FIPS cards:

Procedure


Step 1

Use the hw-module macsec-fips-post command to configure the Power-on Self-Test KAT on the desired line card.

Example:


Router#config
Router(config)#hw-module macsec-fips-post location 0/4/CPU0
Router(config)#commit

Step 2

Use the show hw-module macsec-fips-post command to verify the Power-on Self-Test KAT on a line card.

Example:

Before configuring POST KAT:


Router#show hw-module macsec-fips-post 
Wed Jun 17 09:29:18.780 UTC
 
Location       Configured     Applied          Action         
-------------------------------------------------------------
0/0/CPU0       NO             NO               NONE          >>> LC36     
0/11/CPU0      NO             NO               NONE          >>> LC48

After configuring the command for POST KAT, and before the line card reload:


Router#show hw-module macsec-fips-post 
Wed Jun 17 09:36:31.932 UTC
 
Location       Configured     Applied          Action         
-------------------------------------------------------------
0/0/CPU0       NO             NO               NONE           
0/11/CPU0      YES            NO               RELOAD 

After the line card reload:



Router#show hw-module macsec-fips-post 
Wed Jun 17 10:03:57.263 UTC
 
Location       Configured     Applied          Action         
-------------------------------------------------------------
0/0/CPU0       NO             NO               NONE           
0/11/CPU0      YES            YES              NONE 

Step 3

Review system logs to verify results for KAT execution on each port.

Example:

These are sample logs displayed after a successful KAT. The system performs KAT on each port, but the ports may not be in order in the display output.


Router#show logging | inc KAT
Wed Jun 10 12:07:29.849 UTC
LC/0/4/CPU0:Jun 9 10:37:37.521 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 0
LC/0/4/CPU0:Jun 9 10:37:37.522 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 28
LC/0/4/CPU0:Jun 9 10:37:37.522 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 27
LC/0/4/CPU0:Jun 9 10:37:37.522 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 1
LC/0/4/CPU0:Jun 9 10:39:10.393 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 2
LC/0/4/CPU0:Jun 9 10:39:10.393 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 6
LC/0/4/CPU0:Jun 9 10:39:10.393 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 7
LC/0/4/CPU0:Jun 9 10:39:10.393 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 8

These are sample logs displayed in KAT failure scenarios:


Router#show logging | inc SECY
Thu Jul 16 09:13:29.217 UTC
LC/0/7/CPU0:Jul 16 08:41:30.709 UTC: optics_driver[152]: %L2-SECY_DRIVER-0-KAT_FAIL_DETECTED : KAT Test FAILED for Port No: 0 
LC/0/7/CPU0:Jul 16 08:41:30.709 UTC: optics_driver[152]: %L2-SECY_DRIVER-0-KAT_FAIL_DETECTED : KAT Test FAILED for Port No: 47 
LC/0/7/CPU0:Jul 16 08:41:30.709 UTC: optics_driver[152]: %L2-SECY_DRIVER-0-KAT_FAIL_DETECTED : KAT Test FAILED for Port No: 7 
LC/0/7/CPU0:Jul 16 08:41:30.709 UTC: optics_driver[152]: %L2-SECY_DRIVER-0-KAT_FAIL_DETECTED : KAT Test FAILED for Port No: 6


MACsec FIPS line cards run Power-on Self-Test KAT upon reload. Successful PASS results are logged for each port; failures are flagged for further troubleshooting.
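The checks in Steps 2 and 3 can be automated. This is an added Python example, not Cisco code: it parses the show hw-module macsec-fips-post table and the %L2-SECY_DRIVER KAT syslog lines in the formats shown above, and reports per location whether KAT is not enabled, pending a reload, passed, or failed (listing the failing ports). The sample outputs are constructed from the formats on this page.

```python
import re
from collections import defaultdict

# Constructed sample of "show hw-module macsec-fips-post" output, in the
# format shown earlier on this page (the ">>> LC36" annotation is an
# operator note that the parser must tolerate).
FIPS_POST_OUTPUT = """\
Router#show hw-module macsec-fips-post
Wed Jun 17 09:36:31.932 UTC

Location       Configured     Applied          Action
-------------------------------------------------------------
0/0/CPU0       NO             NO               NONE           >>> LC36
0/4/CPU0       YES            YES              NONE
0/7/CPU0       YES            YES              NONE
0/11/CPU0      YES            NO               RELOAD
"""

# Constructed KAT syslog lines in the %L2-SECY_DRIVER format shown above.
KAT_LOGS = """\
LC/0/4/CPU0:Jun 9 10:37:37.521 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 0
LC/0/4/CPU0:Jun 9 10:37:37.522 UTC: optics_driver[159]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 28
LC/0/7/CPU0:Jul 16 08:41:30.709 UTC: optics_driver[152]: %L2-SECY_DRIVER-0-KAT_FAIL_DETECTED : KAT Test FAILED for Port No: 0
LC/0/7/CPU0:Jul 16 08:41:30.709 UTC: optics_driver[152]: %L2-SECY_DRIVER-6-KAT_PASS : KAT Test PASSED for Port No: 7
"""

TABLE_ROW = re.compile(r"^(\d+/\S+)\s+(YES|NO)\s+(YES|NO)\s+(\S+)")
KAT_LINE = re.compile(
    r"^LC/(\S+?):.*%L2-SECY_DRIVER-\d-KAT_(?:PASS|FAIL_DETECTED)\s*:"
    r"\s*KAT Test (PASSED|FAILED) for Port No:\s*(\d+)"
)


def parse_fips_post_table(text):
    """Map each location to its Configured/Applied/Action columns."""
    table = {}
    for line in text.splitlines():
        m = TABLE_ROW.match(line.strip())
        if m:
            loc, configured, applied, action = m.groups()
            table[loc] = {"configured": configured == "YES",
                          "applied": applied == "YES",
                          "action": action}
    return table


def parse_kat_logs(text):
    """Collect KAT verdicts as {location: {port: 'PASSED' | 'FAILED'}}."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = KAT_LINE.match(line.strip())
        if m:
            loc, verdict, port = m.groups()
            results[loc][int(port)] = verdict
    return results


def assess_kat(table, results):
    """One status per location: NOT_ENABLED, RELOAD_PENDING, FAILED ports, PASSED or NO_LOGS."""
    status = {}
    for loc, row in table.items():
        ports = results.get(loc, {})
        failed = sorted(p for p, v in ports.items() if v == "FAILED")
        if not row["configured"]:
            status[loc] = "NOT_ENABLED"
        elif not row["applied"]:
            status[loc] = "RELOAD_PENDING"      # Action column shows RELOAD
        elif failed:                            # any failing PHY blocks the card
            status[loc] = "FAILED ports " + ",".join(map(str, failed))
        elif ports:
            status[loc] = "PASSED"
        else:
            status[loc] = "NO_LOGS"             # applied, but no KAT lines seen yet
    return status


if __name__ == "__main__":
    for loc, state in assess_kat(parse_fips_post_table(FIPS_POST_OUTPUT),
                                 parse_kat_logs(KAT_LOGS)).items():
        print(loc, state)
```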

What to do next

If any port reports KAT FAIL, investigate and resolve hardware or configuration issues before continuing with production use.

Dynamic power management for MACsec-enabled ports

Dynamic Power Management for MACsec-enabled ports is a MACsec function that

  • allocates total power to a router and its fabric or line cards based on various factors,

  • validates power availability for MACsec sessions on configured interfaces, and

  • prevents MACSec sessions from establishing if power is insufficient.

The dynamic power management feature distributes total available power to a router and its fabric cards or line cards based on factors such as the number and type of cards installed, their operating modes, card combinations, NPU (Network Processing Unit) power mode, and optics. When MACSec is configured on interfaces, the software checks internally if there is enough power to bring up all intended MACSec sessions. If the system cannot power all configured MACSec sessions, some sessions remain down regardless of the interface configuration.

When this situation occurs, the router console logs a message that indicates the reason for the session failure. Users can remove the MACSec configuration from the affected interfaces or re-provision Power Supply Units (PSUs) to meet the additional power requirement of the new sessions. If MACSec configurations are not removed from sessions that are down, there is no guarantee that the same MACSec sessions that came up earlier will come up again after a router or line card reload.

By default, dynamic power management is enabled. You can disable it using the following command in XR Config mode: no power-mgmt action.

If insufficient power is available for MACSec sessions, you might see a log message such as:

LC/0/4/CPU0:Dec 21 07:35:27.977 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS_ERR : (Hu0/4/0/9), Insufficient power

Hardware support matrix for dynamic power management for MACsec-enabled ports

Cisco IOS XR Software Release   Product ID
Release 25.1.1                  8712-MOD-M
Release 24.4.1                  88-LC1-36EH
                                88-LC1-12TH24FH-E
                                88-LC1-52Y8H-EM
                                8212-48FH-M
                                8711-32FH-M
Release 7.3.3                   88-LC0-36FH-M
                                88-LC0-34H14FH
                                8800-LC-48H

Verify dynamic power management for MACSec-enabled ports

Confirm that power is correctly allocated and released for MACSec-enabled interfaces and that chassis and component power levels are appropriate.

Use this task to monitor and verify power allocation for MACSec interfaces on Cisco routers. This includes checking syslog messages, reviewing chassis and line card power usage, and confirming the MACSec power status at the interface level.

Procedure


Step 1

Monitor syslog messages for power allocation and release events for MACSec interfaces.

  • When power is allocated to a MACSec interface, expect a syslog entry similar to:
    LC/slot/CPU: macsec_mka: %L2-MKA-5-MACSEC_POWER_STATUS : (interface), Power allocated
  • When power is released (such as when MACSec policy is removed), expect a syslog entry similar to:
    LC/slot/CPU: macsec_mka: %L2-MKA-5-MACSEC_POWER_STATUS : (interface), Power released

Step 2

Use the show environment power command to review chassis-level power information.

Example:

Router# show environment power 
Thu Dec  9 11:12:54.239 UTC
================================================================================
CHASSIS LEVEL POWER INFO: 0
================================================================================
   Total output power capacity (N + 1)             :   31500W +     6300W
   Total output power required                     :   11208W
   Total power input                               :    3778W
   Total power output                              :    3395W

================================================================================
   Power       Supply         -------Input--------   -----Output---     Status
   Module      Type            Volts A/B   Amps A/B   Volts     Amps     
================================================================================
   0/PT0-PM0   PSU6.3KW-HV     246.0/244.3 1.2/1.2    55.3      9.9      OK
   0/PT0-PM1   PSU6.3KW-HV     245.7/244.3 1.3/1.3    55.4      10.1     OK
   0/PT0-PM2   PSU6.3KW-HV     245.7/246.3 1.5/1.2    55.4      10.3     OK
   0/PT1-PM0   PSU6.3KW-HV     246.0/246.0 1.3/1.3    55.4      10.3     OK
   0/PT1-PM1   PSU6.3KW-HV     244.3/244.6 1.3/1.3    55.1      10.7     OK
   0/PT1-PM2   PSU6.3KW-HV     245.7/245.5 1.3/1.2    55.2      10.1     OK
   0/PT2-PM0   PSU6.3KW-HV     0.0/0.0     0.0/0.0    0.0       0.0      FAILED or NO PWR
   0/PT2-PM1   PSU6.3KW-HV     0.0/0.0     0.0/0.0    0.0       0.0      FAILED or NO PWR
   0/PT2-PM2   PWR-6.3KW-HV    0.0/0.0     0.0/0.0    0.0       0.0      FAILED or NO PWR

Total of Power Modules:       3778W/15.4A              3395W/61.4A

================================================================================
   Location     Card Type               Power       Power        Status
                                                    Allocated    Used
                                                    Watts        Watts
================================================================================
   0/RP0/CPU0   8800-RP-O               95          78           ON
   0/RP1/CPU0   8800-RP-O               95          -            ON
   0/0/CPU0     88-LC0-36FH-O           934         543          ON
   0/1/CPU0      -                      102         -            RESERVED
   0/2/CPU0     8800-LC-48H-O           778         474          ON
   0/3/CPU0     -                       102         -            RESERVED
   0/4/CPU0     -                       102         -            RESERVED
   0/5/CPU0     -                       102         -            RESERVED
   0/6/CPU0     8800-LC-48H             102         -            OFF
   0/7/CPU0     -                       102         -            RESERVED
   0/8/CPU0     -                       102         -            RESERVED
   0/9/CPU0     -                       102         -            RESERVED
   0/10/CPU0    -                       102         -            RESERVED
   0/11/CPU0    -                       102         -            RESERVED
   0/FC0        -                       26          -            RESERVED
   0/FC1        8812-FC                 784         338          ON
   0/FC2        8812-FC                 784         337          ON
   0/FC3        8812-FC                 784         343          ON
   0/FC4        8812-FC                 784         338          ON
   0/FC5        8812-FC                 784         344          ON
   0/FC6        -                       26          -            RESERVED
   0/FC7        -                       26          -            RESERVED
   0/FT0        SF-D-12-FAN             1072        135          ON
   0/FT1        SF-D-12-FAN             1072        105          ON
   0/FT2        SF-D-12-FAN             1072        123          ON
   0/FT3        SF-D-12-FAN             1072        123          ON

Verify total output power capacity, required power, input/output levels, and status of each power module.

Step 3

Use the show environment power allocated location command to verify power allocated for each component on a line card.

Example:

Router# show environment power allocated location 0/2/CPU0
Thu Dec  9 09:53:49.921 UTC
================================================================================
   Location    Components               Power
                                        Allocated
                                        Watts
================================================================================
  0/2/CPU0     Data-path                772          
               MACSEC                     3          
               OPTICS                     3          
================================================================================
               Total                    778     

Confirm that the appropriate wattage is allocated for the MACSec component on each relevant line card.

Step 4

Use the show environment power allocated details location command to see interface-level power allocation.

Example:

Router# show environment power allocated details location 0/2/CPU0
Thu Dec  9 09:53:49.921 UTC
================================================================================
   Location    Components               Power
                                        Allocated
                                        Watts
================================================================================
  0/2/CPU0     Data-path                772          
               0/2/0/9                  3            
               0/2/0/0                    3          
================================================================================
               Total                    778      

Verify that the correct power is allocated for MACSec on each specific interface where MACSec is enabled.

Step 5

Use the show macsec mka interface detail command to verify MACSec power status at the interface level.

Example:

Router# show macsec mka interface hundredGigE 0/2/0/9 detail 
Tue Dec 21 08:10:41.571 UTC 
Interface Name : HundredGigE0/2/0/9 
 Interface Namestring : HundredGigE0/2/0/9 
 Interface short name : Hu0/2/0/9 
 Interface handle : 0x2000480 
 Interface number : 0x2000480 
 MacSecControlledIfh : 0x20005b8 
 MacSecUnControlledIfh : 0x20005c0 
 Interface MAC : 34ed.1b5b.d047 
 Ethertype : 888E 
 EAPoL Destination Addr : 0180.c200.0003 
 MACsec Shutdown : FALSE 
 Config Received : TRUE 
 IM notify Complete : TRUE 
 MACsec Power Status : Allocated 
 Interface CAPS Add : TRUE 
 RxSA CAPS Add : TRUE 
 TxSA CAPS Add : TRUE 
 MKA PSK Info 
  Key Chain Name : psk 
  MKA Cipher Suite : AES-128-CMAC 
  CKN : 22 22 
 MKA fallback_PSK Info 
  fallback keychain Name : - NA - 
 Policy : p3

Confirm that the MACsec Power Status field shows Allocated for interfaces with MACSec enabled.


Power is appropriately allocated or released for MACSec-enabled ports. Syslog entries confirm power status changes, and show commands verify that power is provisioned and reported as expected at the chassis, line card, and interface levels.
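As an added Python example (not Cisco's code) covering the checks in Steps 1 to 4, the following parses the chassis summary, the per-interface allocation table and the %L2-MKA-5 power syslog lines shown above, computes the chassis power headroom, and flags interfaces whose last syslog state disagrees with the allocation table or that reported insufficient power. All sample text is constructed in the formats this page shows.

```python
import re

# Constructed sample of the chassis-level part of "show environment power",
# using the figures shown earlier on this page.
CHASSIS_POWER = """\
   Total output power capacity (N + 1)             :   31500W +     6300W
   Total output power required                     :   11208W
   Total power input                               :    3778W
   Total power output                              :    3395W
"""

# Constructed sample of "show environment power allocated details location".
ALLOCATED_DETAILS = """\
  0/2/CPU0     Data-path                772
               0/2/0/9                  3
               0/2/0/0                    3
================================================================================
               Total                    778
"""

# Constructed MKA syslog lines in the %L2-MKA-5 formats shown on this page.
MKA_LOGS = """\
LC/0/2/CPU0:Dec 21 07:30:01.100 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS : (Hu0/2/0/9), Power allocated
LC/0/2/CPU0:Dec 21 07:30:01.200 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS : (Hu0/2/0/0), Power allocated
LC/0/2/CPU0:Dec 21 07:33:10.500 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS : (Hu0/2/0/0), Power released
LC/0/4/CPU0:Dec 21 07:35:27.977 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS_ERR : (Hu0/4/0/9), Insufficient power
"""

CAPACITY = re.compile(r"Total output power capacity.*?:\s*(\d+)W\s*\+\s*(\d+)W")
REQUIRED = re.compile(r"Total output power required\s*:\s*(\d+)W")
IFACE_ROW = re.compile(r"^(\d+/\d+/\d+/\d+)\s+(\d+)\s*$")
MKA_EVENT = re.compile(
    r"%L2-MKA-5-MACSEC_POWER_STATUS(?:_ERR)?\s*:\s*\((\S+?)\),\s*(.+?)\s*$")


def parse_chassis_headroom(text):
    """Return (capacity_w, redundant_w, required_w, headroom_w) from the chassis summary."""
    cap = CAPACITY.search(text)
    req = REQUIRED.search(text)
    capacity, redundant = int(cap.group(1)), int(cap.group(2))
    required = int(req.group(1))
    return capacity, redundant, required, capacity - required


def parse_allocated_details(text):
    """Map each interface location (e.g. 0/2/0/9) to the MACsec watts allocated to it."""
    rows = (IFACE_ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in rows if m}


def parse_power_events(text):
    """Last recorded power state per interface, keyed by location without the type prefix."""
    state = {}
    for line in text.splitlines():
        m = MKA_EVENT.search(line)
        if m:
            iface, message = m.groups()
            loc = re.sub(r"^[A-Za-z]+", "", iface)   # Hu0/2/0/9 -> 0/2/0/9
            state[loc] = message                     # later lines override earlier ones
    return state


def reconcile(details, events):
    """Flag table/syslog disagreements and interfaces that reported a power shortfall."""
    findings = []
    for loc, msg in events.items():
        if msg == "Insufficient power":
            findings.append((loc, "session will not come up: insufficient power"))
        elif msg == "Power released" and loc in details:
            findings.append((loc, "released in syslog but still allocated in table"))
        elif msg == "Power allocated" and loc not in details:
            findings.append((loc, "allocated in syslog but absent from table"))
    return sorted(findings)


if __name__ == "__main__":
    print("headroom W:", parse_chassis_headroom(CHASSIS_POWER)[3])
    for finding in reconcile(parse_allocated_details(ALLOCATED_DETAILS),
                             parse_power_events(MKA_LOGS)):
        print(*finding)
```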

MACsec pre-shared keys with Type 6 password encryption

A MACsec pre-shared key with Type 6 password encryption is a router security configuration that

  • securely stores MACsec Connectivity Association Keys (CAKs) in encrypted form,

  • depends on a locally configured primary key to operate, and

  • uses AES‑256 symmetric encryption to protect MACsec key material in the router configuration.

The key components are:

  • Primary key: The local password or key the router uses to encrypt and decrypt all MACsec CAKs stored in configuration. The device does not save this key in configuration and it is not viewable.

  • Type 6 password encryption: A Cisco encryption scheme that applies AES‑256 symmetric encryption to sensitive secrets in configuration, enabling the system to decrypt on demand to establish secure communication.

  • MACsec CAK / PSK: The static pre-shared key MACsec uses to form a Connectivity Association between peers.

When enabled, the PSK does not appear in clear text in running, startup, or archived configurations; the router stores only an encrypted value that it can decrypt locally when needed. Type 6 password encryption functions only when a primary key is configured.

Benefits of securing MACsec pre-shared keys with Type 6 password encryption

  • Protects MACsec PSKs from exposure in plain text.

  • Utilizes AES‑256 encryption for robust and modern cryptographic protection.

  • Supports compliance with regulatory and organizational security policies.

  • Reduces insider threat risks from configuration file inspection.

Configure MACsec pre-shared keys with Type 6 password encryption

Configure MACsec pre-shared keys with Type 6 encrypted passwords for secure key management.

Perform this task to set up or modify MACsec PSK with Type 6 password encryption.

Procedure


Step 1

Use the key config-key password-encryption command to create the primary key.

Example:

Router# config
Router(config)# key config-key password-encryption
Enter new key:
Enter confirm key:
Router(config)# commit

  • When prompted, set a new password with the following requirements:

    • Minimum length: 6 characters

    • Maximum length: 64 characters

    • Allowed characters: uppercase letters [A-Z], lowercase letters [a-z], and digits [0-9]

Step 2

Use the key chain command to configure the macsec keychain.

Example:

Router# config
Router(config)# key chain kc1 macsec
Router(config-kc1-MacSec)# key 1111
Router(config-kc1-MacSec-1111)# key-string 1234567890123456789012345678902212345678901234567890123456789022 cryptographic-algorithm aes-256-cmac
Router(config-kc1-MacSec-1111)# lifetime 00:00:00 1 October 2019 infinite
Router(config-kc1-MacSec-1111)# commit

Modify the primary key if needed:

  • If a primary key exists, enter the current key when prompted before setting a new key.

  • Modifying the primary key re-encrypts all existing Type 6 key strings with the new key.

  • Ensure the password6 encryption aes command is configured to enable re-encryption; otherwise, the update will fail.

Primary key deletion brings down MACsec traffic if MKA sessions are up with Type 6 keys. To avoid traffic disruption, configure a new set of PSK key pairs [key (CKN) and key string (CAK)] with the latest timestamps and an infinite lifetime on both peers, and confirm that the CAK rekey to the newly configured CKN and CAK succeeds.

Delete the primary key when necessary:

Router# config
Router(config)# no password6 encryption aes
Router(config)# commit
Router(config)# exit
Router# key config-key password-encryption delete

The primary key and Type 6 password encryption are successfully configured, modified, or deleted, and the MACsec key chain is configured with Type 6 encrypted pre-shared keys, ensuring secure key management.
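As an added Python example (not Cisco's code) that encodes the primary-key policy from Step 1, the key chain format from Step 2, and the modification and deletion guidelines above (it also serves the workflow in the earlier "How MACsec pre-shared keys with Type 6 password encryption work" section), the following pre-checks a proposed configuration before commit. The even-length hex CKN rule and the CAK lengths of 32 and 64 hex digits for aes-128-cmac and aes-256-cmac are assumptions drawn from the AES key sizes, not stated on this page; the sample config is constructed from the Step 2 example.

```python
import re

# Expected CAK length in hex digits per MKA cipher suite. Assumed from the AES
# key sizes; the page itself shows a 64-hex-digit key for aes-256-cmac.
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}

KEY_LINE = re.compile(r"^\s*key\s+(\S+)\s*$")
KEY_STRING_LINE = re.compile(
    r"^\s*key-string\s+(\S+)\s+cryptographic-algorithm\s+(\S+)\s*$")

# Constructed key chain snippet in the form shown in Step 2 (second key added here).
SAMPLE_KEYCHAIN = [
    "key chain kc1 macsec",
    " key 1111",
    "  key-string 1234567890123456789012345678902212345678901234567890123456789022"
    " cryptographic-algorithm aes-256-cmac",
    "  lifetime 00:00:00 1 October 2019 infinite",
    " key 2222",
    "  key-string 0123456789abcdef cryptographic-algorithm aes-128-cmac",
]


def check_primary_key(candidate):
    """Policy from Step 1: 6 to 64 characters drawn from A-Z, a-z and 0-9."""
    problems = []
    if not 6 <= len(candidate) <= 64:
        problems.append("length must be 6 to 64 characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", candidate):
        problems.append("only A-Z, a-z and 0-9 are allowed")
    return problems


def audit_macsec_keychain(config_lines):
    """Walk a 'key chain <name> macsec' block and return {ckn: [problems]} per key.

    Only the plaintext key-string form shown in Step 2 is parsed; the stored
    Type 6 representation is not shown on this page and is not guessed at."""
    findings, ckn = {}, None
    for line in config_lines:
        m = KEY_LINE.match(line)
        if m:
            ckn = m.group(1)
            findings[ckn] = []
            if not re.fullmatch(r"[0-9A-Fa-f]+", ckn) or len(ckn) % 2:
                findings[ckn].append("CKN should be an even number of hex digits (assumed)")
            continue
        m = KEY_STRING_LINE.match(line)
        if m and ckn is not None:
            cak, algorithm = m.groups()
            expected = CAK_HEX_LEN.get(algorithm)
            if expected is None:
                findings[ckn].append("unknown cryptographic-algorithm " + algorithm)
            elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % expected, cak):
                findings[ckn].append(
                    "CAK for %s should be %d hex digits" % (algorithm, expected))
    return findings


def preflight_primary_key_change(running_config, operation, mka_type6_sessions_up):
    """Apply this page's guidelines before a primary-key 'modify' or 'delete'."""
    problems = []
    type6_on = any(l.strip() == "password6 encryption aes" for l in running_config)
    if operation == "modify" and not type6_on:
        problems.append("configure 'password6 encryption aes' first, or re-encryption fails")
    if operation == "delete" and mka_type6_sessions_up:
        problems.append("MKA sessions use Type 6 keys: rekey to a new CKN/CAK on both peers first")
    return problems


if __name__ == "__main__":
    print(check_primary_key("Passw0rd!"))
    print(audit_macsec_keychain(SAMPLE_KEYCHAIN))
    print(preflight_primary_key_change(["hostname R1"], "modify", False))
```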