WAN MACsec encryption

This chapter provides guidance on deploying and configuring MACsec to encrypt Ethernet traffic across WAN environments. It explains how to apply MACsec on physical interfaces and Layer 3 subinterfaces, set VLAN-based policies, and customize EAPoL Ether-types and destination addresses to improve security and interoperability in diverse network topologies.

WAN MACsec encryption

WAN MACsec encryption is a solution that

  • provides end-to-end encryption across Layer 2 Ethernet WAN services,

  • supports both point-to-point (P2P) and point-to-multipoint (P2MP) topologies, and

  • is based on the IEEE 802.1AE standard for MACsec, which offers hop-by-hop encryption at the data link layer.

Use WAN MACsec to protect Ethernet frames with confidentiality, integrity, and origin authentication. You can extend traditional MACsec LAN encryption to WAN environments to achieve robust, standards-based, high-speed encryption across Ethernet WAN services. WAN MACsec helps you secure your data in transit across various WAN topologies while maintaining flexibility, performance, and interoperability.

Applications of MACsec in WAN environments

This section explains how MACsec is applied in Wide Area Network (WAN) environments, with a specific emphasis on VPLS/EVPN networks and MPLS core networks. It outlines the configuration of MACsec on physical interfaces and link bundles to improve data security between geographically distributed data centers.

Use Case 1: MACsec in a VPLS/EVPN

In a typical Virtual Private LAN Service (VPLS) network, the risk of labeled traffic injection by attackers is prevalent. To counter this, MACsec is implemented in a VPLS/EVPN network to encrypt data exchanged over the VPLS cloud. In this topology, MACsec is configured on the provider edge (PE)-facing interfaces of the customer edge (CE) routers.

Figure 1. MACSec in a VPLS/EVPN Cloud


Use Case 2: MACsec in an MPLS Core Network

MACsec can be deployed in a Multiprotocol Label Switching (MPLS) core network on either physical interfaces or link bundles, also known as Link Aggregation Groups (LAG). This setup is particularly beneficial for MPLS networks that connect data centers located in different geographies, ensuring that all data exchanged is encrypted.

  • Physical Interfaces: MACsec is configured on all router links within the MPLS core. This ensures secure data exchange across links connecting disparate data centers.

    Figure 2. MACsec on Physical Interfaces in an MPLS Core Network


  • Link Bundles (LAG): When MACsec is configured on LAG members, a MACsec Key Agreement (MKA) session is established for each member. Secure Association Keys (SAK) are exchanged, allowing encryption and decryption to occur independently for each member in the group.

    Figure 3. MACsec on a Link Bundle in an MPLS Core Network


MACsec encryption on Layer 3 subinterfaces

MACsec encryption on Layer 3 subinterfaces is a security mechanism that

  • allows encryption and authentication of network data on VLAN-based Layer 3 subinterfaces,

  • enables the application of multiple MACsec policies across different L3 subinterfaces under a single physical interface by retaining VLAN tags in clear text, and

  • provides an additional security layer for communication between separate VLANs or subnets on the same physical link by making each L3 subinterface a distinct MACsec endpoint.

MACsec on Layer 3 subinterfaces uses VLAN encapsulations—802.1Q (single-tag) or 802.1ad (double-tag)—and requires specific VLAN identifiers. Keeping VLAN tags visible enables MACsec endpoints to identify subinterface traffic without encrypting the VLAN metadata. This setup allows traffic segregation at the MACsec level because each VLAN-associated subinterface has independent encryption control.

This flexibility allows for the application of different MACsec policies to Layer 3 subinterfaces under the same physical interface. By retaining unencrypted VLAN tags, Layer 3 subinterfaces can act as MACsec endpoints. Applying MACsec policies to these subinterfaces enhances network security by adding an extra layer of protection for communications between distinct subnets.

MACsec on Layer 3 subinterfaces operates similarly to that on a physical interface. For a MACsec Key Agreement (MKA) session to succeed on any Layer 3 subinterface, an appropriate tagging protocol encapsulation and a specified VLAN identifier are necessary. Although all Layer 3 subinterfaces default to 802.1Q VLAN encapsulation, the VLAN identifier must be explicitly set.

Hardware support matrix for MACsec on Layer 3 subinterfaces

Cisco IOS XR Software Release    Product ID
Release 25.3.1                   8711-32FH-M, 8011-4G24Y4H-I
Release 25.1.1                   8712-MOD-M
Release 24.4.1                   8608, 88-LC1-36EH, 88-LC1-12TH24FH-E, 88-LC1-52Y8H-EM, 8212-48FH-M, 8711-32FH-M
Release 24.3.1                   88-LC1-52Y8H-EM
Release 7.11.1                   8202-32FH-M, 88-LC0-36FH-M

Guidelines for MACsec encryption on Layer 3 subinterface

Use specific encapsulation combinations

Ensure that L3 subinterfaces belonging to a physical interface utilize either 802.1Q tag (single tag) or 802.1ad outer and 802.1Q inner tags (double tags).

Consistent VLAN tagging

Configure the same type of VLAN tag on all subinterfaces associated with a physical interface.

Adhere to VLAN identifier range

MACsec encryption on a Layer 3 subinterface supports a VLAN identifier range of 1–4094.

Match encapsulation and MACsec policy

The encapsulation on the L3 subinterface and the number of VLAN tags in-clear in the MACsec policy must match. If the encapsulation is 802.1Q with a single tag, the MACsec policy must reflect 1 VLAN tag in-clear. If the encapsulation is 802.1ad outer and 802.1Q inner tags, the MACsec policy must indicate 2 VLAN tags in-clear.

Configure VLAN tags in-clear

Use the vlan-tags-in-clear command to configure VLAN tags in-clear.

Configure encapsulation on the L3 subinterface

Use the encapsulation dot1q command for 802.1Q with a single tag or encapsulation dot1ad command for 802.1ad outer and 802.1Q inner tags.

Uniform MACsec policy parameters

All subinterfaces within a physical interface must have identical MACsec policy parameters, such as allow-lacp-in-clear, allow-pause-frames-in-clear, vlan-tags-in-clear, and security-policy.

Limit MACsec sessions for optimal performance

We recommend keeping the MACsec session limit at 192 on any line card or fixed port router, including all port-level and subinterface-level MACsec sessions, to optimize simultaneous hitless SAK rekey performance.

Restrictions for MACsec encryption on Layer 3 subinterface

MACsec mutual exclusivity on physical and subinterfaces

MACsec support on physical interfaces and subinterfaces is mutually exclusive. The routers don't support enabling MACsec on a physical interface and its subinterfaces at the same time and reject such configuration attempts. To configure MACsec on subinterfaces, first remove the MACsec configuration from the corresponding physical interface, and vice versa.

MACsec subinterface limitation: no data delay protection

MACsec on subinterfaces does not support data delay protection.

MACsec on VLAN subinterfaces support restrictions on line cards

The Cisco 8800-LC-48H and 88-LC0-34H14FH line cards do not support MACsec on VLAN subinterfaces.
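The following audit script is an added example, not part of Cisco IOS XR or this guide; it checks a running-config fragment against the guidelines and restrictions above (encapsulation tag count versus vlan-tags-in-clear, one tag type per physical interface, the 1–4094 VLAN range, uniform policy parameters per physical interface, physical/subinterface mutual exclusivity, and the 192-session recommendation). The sample configuration is constructed from this page's mp-SF1/mp-SF2 examples plus one deliberately inconsistent subinterface, HundredGigE0/5/0/30.201, which is an assumption for illustration.

```python
"""Audit an IOS XR-style config fragment for MACsec on Layer 3 subinterfaces (illustrative example)."""
import re
from collections import defaultdict

SESSION_LIMIT = 192  # recommended maximum MACsec sessions per line card / fixed-port router
# Policy parameters that must be identical across all subinterfaces of one physical interface.
UNIFORM_PARAMS = ("allow-lacp-in-clear", "allow-pause-frames-in-clear", "vlan-tags-in-clear", "security-policy")

# Constructed sample: the page's two subinterfaces plus .201, a single-tag subinterface bound to a
# double-tag policy, which also mixes tag types under HundredGigE0/5/0/30.
SAMPLE_CONFIG = """
macsec-policy mp-SF1
 security-policy should-secure
 vlan-tags-in-clear 1
 key-server-priority 10
!
macsec-policy mp-SF2
 security-policy should-secure
 vlan-tags-in-clear 2
 key-server-priority 20
!
interface HundredGigE0/5/0/16.100
 macsec psk-keychain kc policy mp-SF1
 encapsulation dot1q 100
!
interface HundredGigE0/5/0/30.200
 macsec psk-keychain kc policy mp-SF2
 encapsulation dot1ad 200 dot1q 300
!
interface HundredGigE0/5/0/30.201
 macsec psk-keychain kc policy mp-SF2
 encapsulation dot1q 201
!
"""

def parse_config(text):
    """Return (policies, interfaces): policy name -> {param: value}, and one dict per interface."""
    policies, interfaces, current, kind = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("macsec-policy "):
            current, kind = policies.setdefault(line.split()[1], {}), "policy"
        elif line.startswith("interface "):
            current = {"name": line.split()[1], "encap": [], "policy": None, "macsec": False}
            interfaces.append(current)
            kind = "intf"
        elif kind == "policy":
            key, _, value = line.partition(" ")
            current[key] = value or "true"        # flag-style parameters carry no value
        elif kind == "intf" and line.startswith("encapsulation "):
            current["encap"] = line.split()[1:]   # e.g. ['dot1ad', '200', 'dot1q', '300']
        elif kind == "intf" and line.startswith("macsec "):
            current["macsec"] = True
            m = re.search(r"\bpolicy (\S+)", line)
            current["policy"] = m.group(1) if m else None   # None: system default policy
    return policies, interfaces

def audit(policies, interfaces):
    """Return a list of findings; an empty list means the fragment follows the guidelines."""
    findings, by_parent, physical = [], defaultdict(list), set()
    enabled = [i for i in interfaces if i["macsec"]]
    if len(enabled) > SESSION_LIMIT:
        findings.append(f"{len(enabled)} MACsec sessions exceed the recommended {SESSION_LIMIT}")
    for intf in enabled:
        name = intf["name"]
        if "." not in name:                       # MACsec on the physical interface itself
            physical.add(name)
            continue
        by_parent[name.split(".")[0]].append(intf)
        tags = [t for t in intf["encap"] if t in ("dot1q", "dot1ad")]
        if not tags:
            findings.append(f"{name}: needs an explicit encapsulation and VLAN ID")
            continue
        for tok in intf["encap"]:
            if tok.isdigit() and not 1 <= int(tok) <= 4094:
                findings.append(f"{name}: VLAN ID {tok} outside 1-4094")
        in_clear = int(policies.get(intf["policy"], {}).get("vlan-tags-in-clear", 0))
        if in_clear != len(tags):
            findings.append(f"{name}: {len(tags)} VLAN tag(s) but policy sets vlan-tags-in-clear {in_clear}")
    for parent, subs in by_parent.items():
        if parent in physical:
            findings.append(f"{parent}: MACsec on the physical interface and its subinterfaces is mutually exclusive")
        if len({s["encap"][0] for s in subs if s["encap"]}) > 1:
            findings.append(f"{parent}: subinterfaces mix dot1q and dot1ad tag types")
        profiles = {tuple(policies.get(s["policy"], {}).get(p) for p in UNIFORM_PARAMS) for s in subs}
        if len(profiles) > 1:
            findings.append(f"{parent}: subinterfaces use differing MACsec policy parameters")
    return findings
```

Running audit(*parse_config(SAMPLE_CONFIG)) reports the vlan-tags-in-clear mismatch on HundredGigE0/5/0/30.201 and the mixed tag types under HundredGigE0/5/0/30; the page's two original subinterfaces alone produce no findings.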

Configure MACsec encryption on VLAN subinterfaces

Enable MACsec encryption on VLAN subinterfaces using a pre-shared key chain and MACsec policies for both single-tag (802.1Q) and double-tag (802.1ad outer and 802.1Q inner) encapsulations.

Procedure


Step 1

Use the Configure a MACsec keychain task to create a MACsec key chain.

Example:

Router# configure
Router(config)# key chain kc
Router(config-kc)# macsec
Router(config-kc-macsec)# key 1234
Router(config-kc-macsec-1234)# key-string 1234567812345678123456781234567812345678123456781234567812345678 cryptographic-algorithm aes-256-cmac
Router(config-kc-macsec-1234)# lifetime 05:00:00 1 January 2023 infinite
Router(config-kc-macsec-1234)# commit 

Step 2

Use the Create a user-defined MACsec policy task to create a MACsec policy.

Example:

802.1Q with a single tag
Router# configure
Router(config)# macsec-policy mp-SF1
Router(config-macsec-policy)# cipher-suite GCM-AES-XPN-256
Router(config-macsec-policy)# security-policy should-secure
Router(config-macsec-policy)# allow-lldp-in-clear
Router(config-macsec-policy)# key-server-priority 10
Router(config-macsec-policy)# window-size 64
Router(config-macsec-policy)# vlan-tags-in-clear 1
/* The VLAN tagging in the MACsec policy must match the encapsulation on the interface */
Router(config-macsec-policy)# commit

802.1ad outer and 802.1q inner with double tags
Router# configure
Router(config)# macsec-policy mp-SF2
Router(config-macsec-policy)# cipher-suite GCM-AES-XPN-256
Router(config-macsec-policy)# security-policy should-secure
Router(config-macsec-policy)# allow-lldp-in-clear
Router(config-macsec-policy)# key-server-priority 20
Router(config-macsec-policy)# window-size 64
Router(config-macsec-policy)# vlan-tags-in-clear 2
/* The VLAN tagging in the MACsec policy must match the encapsulation on the interface */
Router(config-macsec-policy)# commit

The VLAN tagging in the MACsec policy must match the encapsulation on the interface.

Step 3

Use the Configure MACsec encryption on an interface task in combination with the encapsulation dot1q or encapsulation dot1ad command to apply MACsec on a subinterface.

Example:

802.1Q with a single tag
Router# configure
Router(config)# interface HundredGigE 0/5/0/16.100
Router(config-subif)# encapsulation dot1q 100
Router(config-subif)# ipv4 address 192.168.16.1 255.255.255.0
Router(config-subif)# macsec psk-keychain kc policy mp-SF1
Router(config-subif)# commit

802.1ad outer and 802.1q inner with double tags
Router# configure
Router(config)# interface HundredGigE 0/5/0/30.200
Router(config-subif)# encapsulation dot1ad 200 dot1q 300
Router(config-subif)# ipv4 address 192.168.30.1 255.255.255.0
Router(config-subif)# macsec psk-keychain kc policy mp-SF2
Router(config-subif)# commit

Step 4

Use the show running-config command to view the configurations.

MACsec key chain configurations

Router# show running-config psk-keychain kc
key chain kc
 macsec
  key 1234
   key-string password 11584B5643475D5B5C7B79777C6663754B56445055030F0F0B055C504C430F0F0F020006005E0D515F0905574753520C53575D72181B5F4E5D46405858517C7C7C cryptographic-algorithm aes-256-cmac
   lifetime 05:00:00 january 01 2023 infinite
  !
 !
!

MACsec policy configurations

802.1Q with a single tag
Router# show running-config macsec-policy mp-SF1
macsec-policy mp-SF1
 security-policy should-secure
 allow-lldp-in-clear
 window-size 64
 cipher-suite GCM-AES-XPN-256
 vlan-tags-in-clear 1
 key-server-priority 10
!
802.1ad outer and 802.1q inner with double tags
Router# show running-config macsec-policy mp-SF2
macsec-policy mp-SF2
 security-policy should-secure
 allow-lldp-in-clear
 window-size 64
 cipher-suite GCM-AES-XPN-256
 vlan-tags-in-clear 2
 key-server-priority 20
!

Subinterface configurations

802.1Q with a single tag
Router# show running-config interface HundredGigE 0/5/0/16.100
interface HundredGigE0/5/0/16.100
 ipv4 address 192.168.16.1 255.255.255.0
 macsec psk-keychain kc policy mp-SF1
 encapsulation dot1q 100
!

802.1ad outer and 802.1q inner with double tags
Router# show running-config interface HundredGigE 0/5/0/30.200
interface HundredGigE0/5/0/30.200
 ipv4 address 192.168.30.1 255.255.255.0
 macsec psk-keychain kc policy mp-SF2
 encapsulation dot1ad 200 dot1q 300
!

Step 5

Use the show macsec mka summary, show macsec policy, and show macsec mka interface detail commands to verify MACsec encryption on VLAN subinterfaces.

Example:

Router# show macsec mka summary 
NODE: node0_5_CPU0
========================================================================================
   Interface-Name     Status     Cipher-Suite       KeyChain       PSK/EAP      CKN     
========================================================================================
   Hu0/5/0/16.100     Secured  GCM-AES-XPN-256         kc          PRIMARY     1234     
   Hu0/5/0/30.200     Secured  GCM-AES-XPN-256         kc          PRIMARY     1234

802.1Q with a single tag
Router# show macsec policy mp-SF1 detail
Policy Name                 : mp-SF1
      Cipher Suite          : GCM-AES-XPN-256
      Key-Server Priority   : 10
      Window Size           : 64
      Conf Offset           : 0
      Replay Protection     : TRUE
      Delay Protection      : FALSE
      Security Policy       : Should Secure
      Vlan Tags In Clear    : 1
      LACP In Clear         : FALSE
      LLDP In Clear         : TRUE
      Pause Frame In Clear  : FALSE
      Sak Rekey Interval    : OFF
      Include ICV Indicator : FALSE
      Use Eapol PAE in ICV  : FALSE
      Disable Suspend On Request    : FALSE
      Disable Suspend For           : FALSE
      Enable legacy fallback        : FALSE
      SKS Profile                   : N/A
      Max AN                        : 3
      Impose Overhead on Bundle     : FALSE

802.1ad outer and 802.1q inner with double tags
Router# show macsec policy mp-SF2 detail                         
Policy Name                 : mp-SF2
      Cipher Suite          : GCM-AES-XPN-256
      Key-Server Priority   : 20
      Window Size           : 64
      Conf Offset           : 0
      Replay Protection     : TRUE
      Delay Protection      : FALSE
      Security Policy       : Should Secure
      Vlan Tags In Clear    : 2
      LACP In Clear         : FALSE
      LLDP In Clear         : TRUE
      Pause Frame In Clear  : FALSE
      Sak Rekey Interval    : OFF
      Include ICV Indicator : FALSE
      Use Eapol PAE in ICV  : FALSE
      Disable Suspend On Request    : FALSE
      Disable Suspend For           : FALSE
      Enable legacy fallback        : FALSE
      SKS Profile                   : N/A
      Max AN                        : 3
      Impose Overhead on Bundle     : FALSE

Router# show macsec mka interface detail
Interface Name : HundredGigE0/5/0/16.100
    Interface Namestring     : HundredGigE0/5/0/16.100
    Interface short name     : Hu0/5/0/16.100
    Interface handle         : 0x2800b00
    Interface number         : 0x2800b00
    MacSecControlledIfh      : 0x2800b08
    MacSecUnControlledIfh    : 0x2800b10
    Interface MAC            : e069.bafd.e3a0
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : Allocated
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    IM notify with VLAN Info : TRUE
    Supported VLAN encaps    : TRUE
    SecTAG Offset validation : TRUE
    VLAN                     : Outer tag (etype=0x8100, id=100, priority=0, cfi=0)
    Principal Actor          : Primary
    MKA PSK Info               
      Key Chain Name         : kc
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 12 34 
    MKA fallback_PSK Info
      fallback keychain Name : - NA -
    Policy                   : mp-SF1
    SKS Profile              : N/A
    Traffic Status           : Protected
    Rx SC 1
      Rx SCI                 : e069bafde3a80064
      Rx SSCI                : 1
      Peer MAC               : e0:69:ba:fd:e3:a8
      Is XPN                 : YES
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Rx SA Program Req[0]   : 2023 Oct 27 05:41:51.701
      Rx SA Program Rsp[0]   : 2023 Oct 27 05:41:51.705
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : c2 b0 88 9d d6 c0 9d 3f 0a b7 99 37 
        CtxSalt Len          : 12
        ssci                 : 1

    Tx SC 
      Tx SCI                 : e069bafde3a00064
      Tx SSCI                : 2
      Active AN              : 0
      Old AN                 : 255
      Is XPN                 : YES
      Next PN                : 1, 0, 0, 0
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Tx SA Program Req[0]   : 2023 Oct 27 05:41:51.713
      Tx SA Program Rsp[0]   : 2023 Oct 27 05:41:51.715
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : c2 b0 88 9e d6 c0 9d 3f 0a b7 99 37 
        CtxSalt Len          : 12
        ssci                 : 2


Interface Name : HundredGigE0/5/0/30.200
    Interface Namestring     : HundredGigE0/5/0/30.200
    Interface short name     : Hu0/5/0/30.200
    Interface handle         : 0x2800b30
    Interface number         : 0x2800b30
    MacSecControlledIfh      : 0x2800b38
    MacSecUnControlledIfh    : 0x2800b40
    Interface MAC            : e069.bafd.e410
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : Allocated
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    IM notify with VLAN Info : TRUE
    Supported VLAN encaps    : TRUE
    SecTAG Offset validation : TRUE
    VLAN                     : Outer tag (etype=0x88a8, id=200, priority=0, cfi=0)
                             : Inner tag (etype=0x8100, id=300, priority=0, cfi=0)
    Principal Actor          : Primary
    MKA PSK Info               
      Key Chain Name         : kc
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 12 34 
    MKA fallback_PSK Info
      fallback keychain Name : - NA -
    Policy                   : mp-SF2
    SKS Profile              : N/A
    Traffic Status           : Protected
    Rx SC 1
      Rx SCI                 : e069bafde41800c8
      Rx SSCI                : 1
      Peer MAC               : e0:69:ba:fd:e4:18
      Is XPN                 : YES
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Rx SA Program Req[0]   : 2023 Oct 27 05:44:01.270
      Rx SA Program Rsp[0]   : 2023 Oct 27 05:44:01.274
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : 02 52 27 e4 ba 7f 16 62 52 d8 a6 e8 
        CtxSalt Len          : 12
        ssci                 : 1

    Tx SC 
      Tx SCI                 : e069bafde41000c8
      Tx SSCI                : 2
      Active AN              : 0
      Old AN                 : 255
      Is XPN                 : YES
      Next PN                : 1, 0, 0, 0
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Tx SA Program Req[0]   : 2023 Oct 27 05:44:01.282
      Tx SA Program Rsp[0]   : 2023 Oct 27 05:44:01.284
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : 02 52 27 e7 ba 7f 16 62 52 d8 a6 e8 
        CtxSalt Len          : 12
        ssci                 : 2

MACsec is enabled and secured on the specified VLAN subinterfaces. The running configuration reflects the key chain, policies, and subinterface settings, and verification outputs show the interfaces in Secured/Protected state with GCM-AES-XPN-256 and the expected policy attributes.

Alternate EAPoL Ether-type and Destination address

EAPoL Ether-types and destination addresses are WAN MACsec configuration parameters that

  • identify the protocol type and destination MAC used by EAPoL frames during MACsec key agreement,

  • allow alternate values to prevent Layer 2 intermediate devices from consuming EAPoL packets, and

  • support per-interface and per-subinterface configuration with inheritance from the parent interface to improve reliability and flexibility.

Key terms:

  • EAPoL: Extensible Authentication Protocol over LAN; the protocol that transports MACsec Key Agreement (MKA) control traffic at Layer 2.

  • Ether-type: A 16-bit field in an Ethernet frame that indicates the upper-layer protocol carried (for EAPoL, the standard value is 0x888E).

  • Destination MAC address: The Layer 2 address used to deliver EAPoL frames (for EAPoL, the standard multicast address is 01:80:C2:00:00:03).

In WAN MACsec deployments, using the standard EAPoL Ether-Type (0x888E) and destination MAC address (01:80:C2:00:00:03) can result in intermediate Layer 2 devices intercepting and consuming EAPoL packets across a service provider network. To prevent such interference and allow MACsec sessions to establish between peers, we recommend configuring an alternate EAPoL Ether-Type, an alternate destination MAC address, or both, on a MACsec-enabled interface.

  • Alternate EAPoL Ether-type: The supported alternate Ether-type is 0x876F. This can be configured to avoid packet interception.

  • Alternate destination MAC address: Options include using the broadcast address FF:FF:FF:FF:FF:FF or the nearest bridge group address. This configuration helps in reducing interference.

  • Subinterface configuration: Specific EAPoL parameters can be explicitly set for each subinterface. If not set, subinterfaces will inherit the EAPoL configuration from the parent physical interface.

This structured approach ensures a reliable and interference-free MACsec deployment across WAN environments.
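The frame classifier below is an added example, not Cisco code; it walks the VLAN tags left in clear (802.1Q single tag or 802.1ad outer plus 802.1Q inner), then reports whether a frame is EAPoL with the standard or alternate Ether-type and destination address discussed above, or a MACsec-protected frame, in which case it decodes the 802.1AE SecTAG. The sample frames are constructed; their MAC addresses and SCI are borrowed from this page's show output.

```python
"""Classify Ethernet frames for MACsec/EAPoL troubleshooting (illustrative example, not Cisco code)."""
import struct

VLAN_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}
ETH_EAPOL_STD, ETH_EAPOL_ALT, ETH_MACSEC = 0x888E, 0x876F, 0x88E5
DST_CLASSES = {bytes.fromhex("0180c2000003"): "standard",      # nearest non-TPMR bridge (EAPoL default)
               bytes.fromhex("0180c2000000"): "bridge-group",  # nearest bridge group address
               bytes.fromhex("ffffffffffff"): "broadcast"}

def _u16(frame, off):
    """Read a big-endian 16-bit field, failing cleanly on a truncated frame."""
    if len(frame) < off + 2:
        raise ValueError("frame truncated inside the header")
    return struct.unpack("!H", frame[off:off + 2])[0]

def parse_sectag(data):
    """Decode the IEEE 802.1AE SecTAG that follows Ether-type 0x88E5."""
    if len(data) < 6:
        raise ValueError("truncated SecTAG")
    tci_an, sl = data[0], data[1]
    tag = {"version": tci_an >> 7, "es": bool(tci_an & 0x40), "sc": bool(tci_an & 0x20),
           "scb": bool(tci_an & 0x10), "encrypted": bool(tci_an & 0x08),
           "changed_text": bool(tci_an & 0x04), "an": tci_an & 0x03, "short_length": sl & 0x3F,
           "pn": struct.unpack("!I", data[2:6])[0]}   # XPN ciphers carry only the low 32 bits here
    if tag["sc"]:                                    # explicit SCI present
        if len(data) < 14:
            raise ValueError("SecTAG claims an SCI but the frame is truncated")
        tag["sci"] = data[6:14].hex()
    return tag

def classify(frame):
    """Walk the VLAN tags left in clear and describe the EAPoL or MACsec header that follows."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, off, tags = frame[:6], 12, []
    ethertype = _u16(frame, off)
    while ethertype in VLAN_TPIDS:                   # 802.1Q single tag or 802.1ad outer + 802.1Q inner
        tags.append((VLAN_TPIDS[ethertype], _u16(frame, off + 2) & 0x0FFF))
        off += 4
        ethertype = _u16(frame, off)
    info = {"dst": dst.hex(":"), "src": frame[6:12].hex(":"),
            "vlan_tags_in_clear": tags, "ethertype": ethertype}
    if ethertype in (ETH_EAPOL_STD, ETH_EAPOL_ALT):
        info["kind"] = "eapol"
        info["alternate_ethertype"] = ethertype == ETH_EAPOL_ALT
        info["dst_class"] = DST_CLASSES.get(dst, "other")
        # Standard Ether-type plus standard destination is what an intermediate bridge may consume.
        info["at_risk_of_interception"] = ethertype == ETH_EAPOL_STD and info["dst_class"] == "standard"
    elif ethertype == ETH_MACSEC:
        info["kind"] = "macsec"
        info.update(parse_sectag(frame[off + 2:]))
    else:
        info["kind"] = "other"
    return info

def build_frame(dst, src, tags, ethertype, payload):
    """Assemble a constructed Ethernet frame; tags is a list of (TPID, VLAN ID)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample frames (MACs and SCI borrowed from this page's show output).
MKA_PAYLOAD = bytes.fromhex("03050000")             # EAPoL header: version 3, packet type 5 (MKA), length 0
SAMPLE_FRAMES = {
    "eapol_standard": build_frame("0180c2000003", "e069bafde3a0", [(0x8100, 100)], ETH_EAPOL_STD, MKA_PAYLOAD),
    "eapol_alternate": build_frame("ffffffffffff", "e069bafde3a0", [(0x8100, 100)], ETH_EAPOL_ALT, MKA_PAYLOAD),
    # SecTAG: TCI/AN 0x2c = SC|E|C set, AN 0; SL 0; PN 1; SCI e069bafde3a00064; then placeholder ciphertext
    "macsec_double_tag": build_frame("e069bafde3a8", "e069bafde3a0", [(0x88A8, 200), (0x8100, 300)], ETH_MACSEC,
                                     bytes.fromhex("2c00" "00000001" "e069bafde3a00064") + b"\x00" * 20),
}
```

Feeding frames from a capture on the provider-facing link into classify() shows at a glance whether the EAPoL exchange still uses the interceptable defaults and how many VLAN tags precede each MACsec SecTAG.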

Table 1. Hardware Support Matrix for alternate EAPoL Ether-type and Destination address

Cisco IOS XR Software Release    Product ID
Release 25.4.1                   8711-32FH-M
Release 25.3.1                   88-LC1-52Y8H-EM, 8212-48FH-M
Release 7.10.1                   8608
Release 7.5.2                    8202-32FH-M
Release 7.3.3                    88-LC0-34H14FH
Release 7.3.15                   88-LC0-36FH-M
Release 7.0.12                   88-LC-48H

Configure EAPoL Ether-type 0x876F

Configure the EAPoL Ether-type 0x876F on a router interface so that MKA EAPoL frames are not consumed by intermediate Layer 2 devices on the WAN.

This task involves setting up the EAPoL Ether-type and applying MACsec on an interface to ensure secure communication.

Procedure


Step 1

Use the Configure a MACsec keychain task to create a MACsec key chain.

Step 2

(Optional) Use the Create a user-defined MACsec policy task to create a MACsec policy.

Step 3

Use the eapol eth-type 876F command to configure the EAPoL Ether-type.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# eapol eth-type 876F
Router(config-if)# commit

Step 4

Use the Configure MACsec encryption on an interface task to apply MACsec on an interface.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# macsec psk-keychain kc fallback-psk-keychain fb
Router(config-if)# commit

Step 5

Use the show running-config command to view the configurations.

Example:

Router# show running-config interface HundredGigE0/1/0/2
interface HundredGigE0/1/0/2
  eapol eth-type 876F
  macsec psk-keychain kc fallback-psk-keychain fb
!

Step 6

Use the show macsec mka interface detail and show macsec mka session commands to verify the EAPoL Ether-type 0x876F on an interface.

Example:

Router# show macsec mka interface HundredGigE0/1/0/2 detail | i Ethertype
Ethertype                : 876F

Router# show macsec mka session interface HundredGigE0/1/0/2
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN     
===============================================================================================
     Hu0/1/0/2        0201.9ab0.77cd/0001     1      Secured      YES      PRIMARY     1234     
     Hu0/1/0/2        0201.9ab0.77cd/0001     1      Active       YES     FALLBACK     9999  

The EAPoL Ether-type 0x876F is configured and MACsec is applied to the specified interface.

Configure EAPoL destination broadcast address

Configure the EAPoL destination address to use the broadcast address FF:FF:FF:FF:FF:FF so that EAPoL packets are flooded to all receivers in the underlying Layer 2 network.

This task involves setting the EAPoL destination address to broadcast and applying MACsec on an interface for secure communication.

Procedure


Step 1

Use the Configure a MACsec keychain task to create a MACsec key chain.

Step 2

(Optional) Use the Create a user-defined MACsec policy task to create a MACsec policy.

Step 3

Use the eapol destination-address broadcast-address command to configure the EAPoL destination address to broadcast.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# eapol destination-address broadcast-address
Router(config-if)# commit

Step 4

Use the Configure MACsec encryption on an interface task to apply MACsec on an interface.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# macsec psk-keychain kc fallback-psk-keychain fb
Router(config-if)# commit

Step 5

Use the show running-config command to view the EAPoL broadcast destination address configuration.

Example:

Router# show running-config interface HundredGigE0/1/0/2
interface HundredGigE0/1/0/2
  eapol destination-address ffff.ffff.ffff
  macsec psk-keychain kc fallback-psk-keychain fb
!

Step 6

Use the show macsec mka interface detail and show macsec mka session commands to verify the EAPoL broadcast destination address on an interface.

Example:

Router# show macsec mka interface HundredGigE0/1/0/2 detail | i EAPoL
    EAPoL Destination Addr   : ffff.ffff.ffff
Router# show macsec mka session interface HundredGigE0/1/0/2
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN     
===============================================================================================
     Hu0/1/0/2       02df.3638.d568/0001     1      Secured      YES      PRIMARY     1234     
     Hu0/1/0/2       02df.3638.d568/0001     1      Active       YES     FALLBACK     9999  

The EAPoL destination address is configured to broadcast, and MACsec is applied to the specified interface.

Configure EAPoL destination bridge group address

Set the EAPoL destination address to the nearest bridge group address (e.g., 01:80:C2:00:00:00) on a physical interface, with the configuration inherited by the MACsec-enabled subinterface.

This task involves configuring the EAPoL destination address on a physical interface and applying MACsec to a subinterface for enhanced security.

Procedure


Step 1

Use the Configure a MACsec keychain task to create a MACsec key chain.

Step 2

(Optional) Use the Create a user-defined MACsec policy task to create a MACsec policy.

Step 3

Use the eapol destination-address bridge-group-address command to configure the EAPoL destination bridge group address on a MACsec-enabled physical interface.

Example:

Router(config)# interface HundredGigE0/1/0/1
Router(config-if)# eapol destination-address bridge-group-address
Router(config-if)# commit

Step 4

Use the Configure MACsec encryption on an interface task to apply MACsec on a subinterface of that physical interface.

Example:

Router(config)# interface HundredGigE0/1/0/1.1
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# macsec psk-keychain kc fallback-psk-keychain fb
Router(config-subif)# commit

Step 5

Use the show running-config command to view the configurations.

Example:

This example shows the running configuration for the EAPoL destination bridge group address on the MACsec-enabled physical interface.

Router# show running-config interface HundredGigE0/1/0/1
interface HundredGigE0/1/0/1
 eapol destination-address 0180.c200.0000
!

This example shows the running configuration for the EAPoL destination bridge group address on the MACsec-enabled subinterface.

Router# show running-config interface HundredGigE0/1/0/1.1
interface HundredGigE0/1/0/1.1
 macsec psk-keychain kc fallback-psk-keychain fb
 encapsulation dot1q 1
!

Step 6

Use the show macsec mka interface detail and show macsec mka session commands to verify the EAPoL destination bridge group address on the MACsec-enabled subinterface.

Example:

Router# show macsec mka interface HundredGigE0/1/0/1.1 detail | i EAPoL
    EAPoL Destination Addr   : 0180.c200.0000
Router# show macsec mka session interface HundredGigE0/1/0/1.1
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN     
===============================================================================================
     Hu0/1/0/1.1       0201.9ab0.85af/0001     1      Secured      YES      PRIMARY     1234     
     Hu0/1/0/1.1       0201.9ab0.85af/0001     1      Active       YES     FALLBACK     9999     

The EAPoL destination bridge group address is configured, and MACsec is applied to the specified subinterface.