MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Configure MACsec encryption

Overview

Configure MACsec encryption by establishing a security keychain and defining a custom policy to protect data across your physical network interfaces.

To enable secure communication on physical interfaces, configure MACsec encryption with the settings described in the following tasks.

Procedure

1. Create a MACsec keychain to manage encryption keys.

2. Define a user-defined MACsec policy to specify security requirements.

3. Apply the MACsec configuration to physical interfaces.

MACsec encryption is successfully configured on the specified physical interfaces.


Configure a MACsec keychain

Enable MACsec encryption and decryption on routers by configuring a MACsec keychain, ensuring secure communication between peers using the MACsec protocol.

Follow these steps to configure a MACsec keychain:

Before you begin

  • Ensure you have administrative access to the router.

  • Verify that the router supports MACsec encryption.

Procedure

1. Create a keychain, specifying a unique keychain name.

Example:

Router# configure
Router(config)# key chain kc1

2. Enable MACsec mode for the keychain.

Example:

Router(config-kc)# macsec

3. Configure a MACsec key for the keychain.

Example:

Router(config-kc-MacSec)# key key1

4. Specify the key string and the cryptographic algorithm.

Example:

Router(config-kc-MacSec-KEY1)# key-string 11223344556677889900AABBCCDDEEFF00112233445566778899AABBCCDDEEFF cryptographic-algorithm AES-128-CMAC-96

  • Key-string length: 32 characters for AES-128 and 64 characters for AES-256. Ensure that the string length matches the requirements of the selected algorithm.

  • Cryptographic algorithm options: AES-128-CMAC-96 or AES-256-CMAC.

5. Define the validity period for the key.

Example:

Router(config-kc-MacSec-KEY1)# lifetime 05:00:00 01 January 2019 infinite
Router(config-kc-MacSec-KEY1)# commit

Lifetime range: You can specify a lifetime range by providing a fixed timeframe (including start and expiry), or set it as infinite.

6. Verify the keychain settings in the running configuration.

Example:

Router# show running-config key chain kc1 
key chain kc1
 macsec
  key key1
     key-string 11223344556677889900AABBCCDDEEFF00112233445566778899AABBCCDDEEFF cryptographic-algorithm AES-128-CMAC-96
     lifetime 05:00:00 01 January 2019 infinite
  !
 !

The MACsec keychain is created and ready for use with MACsec encryption.

What to do next

Apply the keychain to the router interface configuration when required.
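The key-string length and lifetime rules in this task are easy to get wrong in a large keychain. The following Python script is an added example (not Cisco code and not part of this guide) that audits a pasted `show running-config key chain` block against those rules; the sample keychain and the `audit_keychain` function are constructed for this example.

```python
import re
from datetime import datetime

# Required key-string length in hex characters per algorithm, as the
# keychain procedure states: 32 for AES-128 and 64 for AES-256.
KEY_HEX_LEN = {"AES-128-CMAC-96": 32, "AES-256-CMAC": 64}

# Constructed sample of `show running-config key chain` output (not from a real
# router): key1 is well formed, key2 is too short for AES-256, key3 has ended.
SAMPLE_KEYCHAIN = """\
key chain kc1
 macsec
  key key1
     key-string 00112233445566778899AABBCCDDEEFF cryptographic-algorithm AES-128-CMAC-96
     lifetime 05:00:00 01 January 2019 infinite
  key key2
     key-string 00112233445566778899AABBCCDDEEFF cryptographic-algorithm AES-256-CMAC
     lifetime 00:00:00 01 January 2021 infinite
  key key3
     key-string 0011223344556677001122334455667700112233445566770011223344556677 cryptographic-algorithm AES-256-CMAC
     lifetime 00:00:00 01 January 2018 00:00:00 01 January 2019
  !
 !
"""

KEY_RE = re.compile(r"^\s*key (\S+)\s*$")
KS_RE = re.compile(r"^\s*key-string (\S+) cryptographic-algorithm (\S+)\s*$")
LT_RE = re.compile(r"^\s*lifetime (\d\d:\d\d:\d\d \d\d \w+ \d{4}) "
                   r"(infinite|\d\d:\d\d:\d\d \d\d \w+ \d{4})\s*$")
TS_FMT = "%H:%M:%S %d %B %Y"

def audit_keychain(config, now=None):
    """Return {key name: [findings]}; `now` defaults to the current time."""
    now, findings, key = now or datetime.now(), {}, None
    for line in config.splitlines():
        if m := KEY_RE.match(line):                   # "key key1" starts a new key
            key = m.group(1)
            findings[key] = []
        elif (m := KS_RE.match(line)) and key:
            key_string, algo = m.groups()
            want = KEY_HEX_LEN.get(algo)              # None for an unknown algorithm
            if want is None or len(key_string) != want or not re.fullmatch(r"[0-9A-Fa-f]+", key_string):
                findings[key].append(f"key-string has {len(key_string)} chars but {algo} requires {want} hex chars")
        elif (m := LT_RE.match(line)) and key:
            start = datetime.strptime(m.group(1), TS_FMT)
            end = None if m.group(2) == "infinite" else datetime.strptime(m.group(2), TS_FMT)
            if end is not None and end <= now:
                findings[key].append(f"key lifetime ended {end:%Y-%m-%d %H:%M}")
            elif start > now:
                findings[key].append(f"key not valid until {start:%Y-%m-%d %H:%M}")
    return findings

if __name__ == "__main__":
    for name, problems in audit_keychain(SAMPLE_KEYCHAIN).items():
        print(name, "OK" if not problems else "; ".join(problems))
```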


Create a user-defined MACsec policy

Define and configure a custom MACsec policy to secure network traffic. Specify encryption, key server priority, security parameters, and additional protections.

Follow these steps to create a user-defined MACsec policy:

Before you begin

  • Ensure you have administrative access to the router.

  • Verify that the router supports MACsec encryption.

Procedure

1. Create a MACsec policy, specifying a unique policy name.

Example:

Router# configure
Router(config)# macsec-policy mp1

2. Configure the cipher suite for MACsec encryption.

Example:

Router(config-macsec-policy)# cipher-suite GCM-AES-XPN-128

The GCM encryption method, which uses the AES encryption algorithm, supports the following cipher suites:

  • GCM-AES-XPN-128

  • GCM-AES-XPN-256

3. Set the confidentiality offset value.

Example:

Router(config-macsec-policy)# conf-offset CONF-OFFSET-30

4. Configure the key server priority.

Example:

Router(config-macsec-policy)# key-server-priority 10

Range: 0 to 255. A lower value indicates a higher priority for key server selection; the default is 16.

5. Set the security policy.

Example:

Router(config-macsec-policy)# security-policy should-secure

  • must-secure: Allows only MACsec-encrypted traffic. The router drops traffic until the MKA session is secured.

  • should-secure: Allows unencrypted traffic until the MKA session is secured; after that, only encrypted traffic is allowed.

6. Enable data delay protection.

Example:

Router(config-macsec-policy)# delay-protection

7. Configure the replay protection window size.

Example:

Router(config-macsec-policy)# window-size 64

Range: 0 to 1024.

8. Include the Integrity Check Value (ICV) indicator in frames that arrive on the port, and commit the configuration to save the MACsec policy settings.

Example:

Router(config-macsec-policy)# include-icv-indicator
Router(config-macsec-policy)# commit

To set the SAK rekey interval, use the sak-rekey-interval command in macsec-policy configuration mode. The timer ranges from 60 to 2,592,000 seconds; the default is OFF.

9. Verify the MACsec policy settings in the running configuration.

Example:

Router# show running-config macsec-policy mp1

macsec-policy mp1
 conf-offset CONF-OFFSET-30
 security-policy should-secure
 cipher-suite GCM-AES-XPN-128
 window-size 64
 include-icv-indicator
 delay-protection
 key-server-priority 10
!

The user-defined MACsec policy is created and ready for use with MACsec encryption.

What to do next

Apply the user-defined MACsec policy to the router interface configuration when required.
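As an added example (not Cisco code and not part of this guide), the Python script below audits a `show running-config macsec-policy` block against a hardening baseline built from the settings in this task: must-secure rather than should-secure, an XPN cipher suite, a bounded window-size, and delay-protection, include-icv-indicator and sak-rekey-interval all configured. The baseline values, the two sample policy blocks and the `audit_policy` function are assumptions of the example, not vendor recommendations.

```python
# Hardening baseline the audit checks against: an assumption of this example, not a Cisco recommendation.
BASELINE = {
    "security-policy": "must-secure",   # should-secure forwards cleartext until MKA is secured
    "cipher-suite": {"GCM-AES-XPN-128", "GCM-AES-XPN-256"},
    "max-window-size": 64,
    "required": ("delay-protection", "include-icv-indicator", "sak-rekey-interval"),
}

# Constructed `show running-config macsec-policy` blocks (not from a real router).
SAMPLE_POLICY = """\
macsec-policy mp1
 conf-offset CONF-OFFSET-30
 security-policy should-secure
 cipher-suite GCM-AES-XPN-128
 window-size 64
 include-icv-indicator
 delay-protection
 key-server-priority 10
!
"""
HARDENED_POLICY = """\
macsec-policy mp2
 security-policy must-secure
 cipher-suite GCM-AES-XPN-256
 window-size 32
 include-icv-indicator
 delay-protection
 sak-rekey-interval 3600
!
"""

def parse_policy(text):
    """Return (policy name, {command: argument}) for one macsec-policy block."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("macsec-policy "):
            name = line.split()[1]
        elif line and line != "!":
            cmd, _, arg = line.partition(" ")
            settings[cmd] = arg           # flag commands such as delay-protection map to ""
    return name, settings

def audit_policy(text, baseline=BASELINE):
    """Return (policy name, [findings]) for a policy block measured against the baseline."""
    name, s = parse_policy(text)
    findings = []
    if s.get("security-policy") != baseline["security-policy"]:
        findings.append(f"security-policy {s.get('security-policy', 'unset')} (expected {baseline['security-policy']})")
    if s.get("cipher-suite") not in baseline["cipher-suite"]:
        findings.append(f"cipher-suite {s.get('cipher-suite', 'unset')} not in {sorted(baseline['cipher-suite'])}")
    if "window-size" in s and int(s["window-size"]) > baseline["max-window-size"]:
        findings.append(f"window-size {s['window-size']} exceeds {baseline['max-window-size']}")
    findings += [f"{cmd} not configured" for cmd in baseline["required"] if cmd not in s]
    return name, findings
```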


Configure MACsec encryption on an interface

Secure network communication on a host-facing interface using MACsec encryption.

The MACsec PSK configuration (keychain and user-defined policy) is applied to a host-facing interface of a CE router to establish a secure connection.

Follow these steps to configure MACsec on an interface:

Before you begin

Ensure the interface is a host-facing interface on a CE router.

Procedure

1. Access interface configuration mode.

Example:

Router# configure
Router(config)# interface hundredGigE 0/1/0/10

2. Configure the IPv4 address for the interface.

Example:

Router(config-if)# ipv4 address 192.168.30.1 255.255.255.0

3. Apply the MACsec keychain and user-defined MACsec policy to the interface.

Example:

Router(config-if)# macsec psk-keychain kc1 policy mp1

4. Commit the configuration to save changes.

Example:

Router(config-if)# commit

5. Verify the MACsec configuration applied to the interface.

Example:

Router# show running-config interface HundredGigE 0/1/0/10
interface HundredGigE 0/1/0/10
 ipv4 address 192.168.30.1 255.255.255.0
 macsec psk-keychain kc1 policy mp1
!

MACsec encryption is applied to the specified interface, securing communication.


Verify MACsec session status

Confirm that MACsec encryption is correctly configured and operational on your network devices.

After configuring MACsec on your routers, perform this task to ensure security and connectivity.

Follow these steps to verify MACsec encryption:

Before you begin

  • Ensure MACsec is configured on the relevant interfaces.

  • Access EXEC mode on your router.

Procedure

1. Verify the MACsec policy configuration using the show macsec policy detail command.

Example:

Router# show macsec policy mp1 detail  
Policy Name                 : mp1
      Cipher Suite          : GCM-AES-XPN-128
      Key-Server Priority   : 10
      Window Size           : 64
      Conf Offset           : 30
      Replay Protection     : TRUE
      Delay Protection      : FALSE
      Security Policy       : Should Secure
      Vlan Tags In Clear    : 1
      LACP In Clear         : FALSE
      LLDP In Clear         : FALSE
      Pause Frame In Clear  : FALSE
      Sak Rekey Interval    : FALSE
      Include ICV Indicator : TRUE
      Use Eapol PAE in ICV  : FALSE
      Disable Suspend On Request    : FALSE
      Disable Suspend For           : FALSE
      Enable legacy fallback        : FALSE
      SKS Profile                   : N/A
      Max AN                        : 3

If the displayed values do not match your expected settings, run the show run macsec-policy command to review your configuration.

2. View a summary of the MACsec sessions using the show macsec mka summary command.

Example:

Router# show macsec mka summary

NODE: node0_1_CPU0
========================================================================================
Interface-Name        Status  Cipher-Suite       KeyChain   PSK/EAP   CKN
========================================================================================
Hu0/1/0/10            Secured GCM-AES-XPN-128    kc         PRIMARY   1234

Total MACSec Sessions : 1 : 1 Secured Sessions
Pending Sessions      : 1
Suspended Sessions    : 0

3. Verify interface peering using the show macsec mka session command.

Example:

Router# show macsec mka session

NODE: node0_1_CPU0
===============================================================================================
Interface-Name        Local-TxSCI           #Peers Status  Key-Server PSK/EAP CKN
===============================================================================================
Hu0/1/0/10            7872.5d1a.e7d4/0001   1      Secured NO         PRIMARY 1234

4. View details of the MKA session using the show macsec mka session detail command.

Example:

Router# show macsec mka session detail

NODE: node0_1_CPU0

MKA Detailed Status for MKA Session
===================================
Status: Secured - Secured MKA Session with MACsec

Local Tx-SCI                     : 7872.5d1a.e7d4/0001
Local Tx-SSCI                    : 1
Interface MAC Address            : 7872.5d1a.e7d4
MKA Port Identifier              : 1
Interface Name                   : Hu0/1/0/10
CAK Name (CKN)                   : 1234
CA Authentication Mode           : PRIMARY-PSK
Keychain Member Identifier (MI)  : kc
Message Number (MN)              : C12A70FEE1212B835BDDDCBA
Authenticator                    : 3009
Key Server                       : NO
MKA Cipher Suite                 : NO : AES-128-CMAC
Configured MACSec Cipher Suite   : GCM-AES-XPN-128

Latest SAK Status                : Rx & Tx
Latest SAK AN                    : 0
Latest SAK KI (KN)               : 018E2F0D63FF2ED6A5BF270E00000001 (1)
Old SAK Status                   : FIRST-SAK
Old SAK AN                       : 0
Old SAK KI (KN)                  : FIRST-SAK (0)

SAK Transmit Wait Time           : 0s (Not waiting for any peers to respond)
SAK Retire Time                  : 0s (No Old SAK to retire)
Time to SAK Rekey                : NA
Time to exit suspension          : NA

MKA Policy Name                  : mp-SF
Key Server Priority              : 10
Delay Protection                 : TRUE
Replay Window Size               : 64
Include ICV Indicator            : TRUE
Confidentiality Offset           : 30
Algorithm Agility                : 80C201
SAK Cipher Suite                 : 0080C20001000003 (GCM-AES-XPN-128)
MACsec Capability                : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired                   : YES

# of MACsec Capable Live Peers   : 1
# of MACsec Capable Live Peers Responded : 0

Live Peer List:
-------------------------------------------------------------------------------
SSCI               MI                 MN   Rx-SCI               KS-Priority
-------------------------------------------------------------------------------
018E2F0D63FF2ED6A5BF270E 2699 008a.962d.7400/0001 2 16

Potential Peer List:
-------------------------------------------------------------------------------
SSCI               MI                 MN   Rx-SCI               KS-Priority
-------------------------------------------------------------------------------

Peers Status:
Last Tx MKPDU                    : 2019 Oct 08 09:07:06.475
Peer Count                       : 1

RxSCI                            : 008A962D74000001
MI                               : 018E2F0D63FF2ED6A5BF270E
Peer CAK                         : Match
Latest Rx MKPDU                  : 2019 Oct 08 09:07:06.032

5. View detailed MKA session information for a specific interface using the show macsec mka session interface command.

Example:

Router# show macsec mka session interface hundredGigE 0/1/0/10

==============================================================================================
Interface-Name        Local-TxSCI           #Peers Status Key-Server PSK/EAP CKN
===============================================================================================
Hu0/1/0/10            7872.5d1a.e7d4/0001   1      Secured NO         PRIMARY 1234
Hu0/1/0/10            7872.5d1a.e7d4/0001   1      Secured NO         FALLBACK 5678

The Status field should indicate Secured for the MKA session. A status of Pending or INITIALIZING means MACsec encryption is not successfully configured.

6. Verify MACsec session counter statistics using the show macsec mka statistics command.

Example:

Router# show macsec mka statistics interface hundredGigE 0/1/0/10

MKA Statistics for Session on interface (Hu0/1/0/10)
=======================================================
Reauthentication Attempts.. 0

CA Statistics
Pairwise CAKs Derived... 0
Pairwise CAK Rekeys..... 0
Group CAKs Generated.... 0
Group CAKs Received..... 0

SA Statistics
SAKs Generated.......... 0
SAKs Rekeyed............ 0
SAKs Received........... 1
SAK Responses Received.. 0

MKPDU Statistics
MKPDUs Transmitted...... 3097
"Distributed SAK".. 0
"Distributed CAK".. 0
MKPDUs Validated & Rx... 2788
"Distributed SAK".. 1
"Distributed CAK".. 0

MKA IDB Statistics
MKPDUs Tx Success.......... 3097
MKPDUs Tx Fail............. 0
MKPDUS Tx Pkt build fail... 0
MKPDUS No Tx on intf down.. 3
MKPDUS No Rx on intf down.. 0
MKPDUs Rx CA Not found..... 0
MKPDUs Rx Error............ 0
MKPDUs Rx Success.......... 2788
MKPDUs Rx Invalid Length... 0
MKPDUs Rx Invalid CKN...... 0
MKPDUs Rx force suspended.. 0
MKPDUs Tx force suspended.. 0

MKPDU Failures
MKPDU Rx Validation (ICV)................. 0
MKPDU Rx Bad Peer MN...................... 0
MKPDU Rx Non-recent Peerlist MN........... 0
MKPDU Rx Drop SAKUSE, KN mismatch......... 0
MKPDU Rx Drop SAKUSE, Rx Not Set.......... 0
MKPDU Rx Drop SAKUSE, Key MI mismatch..... 0
MKPDU Rx Drop SAKUSE, AN Not in Use....... 0
MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set.... 0
MKPDU Rx Drop Packet, Ethertype Mismatch.. 0
MKPDU Rx Drop Packet, Source MAC NULL..... 0
MKPDU Rx Drop Packet, Destination MAC NULL 0
MKPDU Rx Drop Packet, Payload NULL........ 0

SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0

CA Failures
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0

MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 0
Tx SA Installation............... 0

Review the counters for MACsec PDUs transmitted, validated, and received, and check for transmission errors.
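Checking the session Status and the failure counters by eye does not scale across many interfaces. As an added example (not Cisco code and not part of this guide), the Python script below parses `show macsec mka session` and `show macsec mka statistics` output and reports sessions that are not Secured and nonzero failure counters; the sample outputs, the list of watched MKA IDB counters and the function names are constructed for the example.

```python
import re

# One data row of `show macsec mka session`: interface, Tx SCI, peer count, status, key-server, PSK/EAP, CKN.
SESSION_RE = re.compile(r"^(\S+)\s+(\S+/\d{4})\s+(\d+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(\S+)\s*$")
# A dotted counter line of `show macsec mka statistics`, e.g. "MKPDUs Tx Fail...... 0".
COUNTER_RE = re.compile(r"^(.*?)[.\s]+(\d+)\s*$")
# Sections where any nonzero counter is a finding, plus MKA IDB counters worth alerting on.
FAILURE_SECTIONS = {"MKPDU Failures", "SAK Failures", "CA Failures", "MACsec Failures"}
WATCHED = {"MKPDUs Tx Fail", "MKPDUs Rx Error", "MKPDUs Rx Invalid Length",
           "MKPDUs Rx Invalid CKN", "MKPDUs Rx CA Not found"}

# Constructed sample outputs (not from a real router): Hu0/1/0/11 is Pending with no peer; stats show failures.
SAMPLE_SESSION = """\
NODE: node0_1_CPU0
===============================================================================================
Interface-Name        Local-TxSCI           #Peers Status  Key-Server PSK/EAP CKN
===============================================================================================
Hu0/1/0/10            7872.5d1a.e7d4/0001   1      Secured NO         PRIMARY 1234
Hu0/1/0/11            7872.5d1a.e7d5/0001   0      Pending YES        PRIMARY 5678
"""
SAMPLE_STATS = """\
MKA Statistics for Session on interface (Hu0/1/0/10)
=======================================================
MKA IDB Statistics
MKPDUs Tx Success.......... 3097
MKPDUs Rx Invalid CKN...... 2

MKPDU Failures
MKPDU Rx Validation (ICV)................. 3
MKPDU Rx Bad Peer MN...................... 0
"""

def check_sessions(text):
    """Flag sessions that are not Secured (e.g. Pending, INITIALIZING) or have no live peer."""
    findings = []
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            ifname, _sci, peers, status, _ks, mode, ckn = m.groups()
            if status != "Secured":
                findings.append(f"{ifname} {mode} CKN {ckn}: status {status}, MACsec not established")
            if int(peers) == 0:
                findings.append(f"{ifname} {mode} CKN {ckn}: no live peers")
    return findings

def check_statistics(text):
    """Return nonzero failure counters as 'section: counter = value' strings."""
    findings, section = [], None
    for line in text.splitlines():
        m = COUNTER_RE.match(line.rstrip())
        if not m:
            section = line.strip() or None      # headings and blank lines delimit sections
            continue
        label, value = m.group(1).strip(), int(m.group(2))
        if value and (section in FAILURE_SECTIONS or label in WATCHED):
            findings.append(f"{section}: {label} = {value}")
    return findings
```

Run both checks from a monitoring job and alert on any returned finding; an ICV validation or invalid-CKN count that keeps rising points at a CAK or keychain mismatch between the two peers.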

7. Verify MACsec encryption and hardware interface descriptor block (IDB) information using the show macsec ea idb interface command.

Example:

Router# show macsec ea idb interface hundredGigE 0/1/0/10

IDB Details:
if_sname                   : Hu0/1/0/10
if_handle                  : 0x8001e0
MacSecControlledIfh        : 0x800330
MacSecUnControlledIfh      : 0x800338
Replay window size         : 64
Local MAC                  : 78:72:5d:1a:e7:d4
Rx SC Option(s)            : Validate-Frames Replay-Protect
Tx SC Option(s)            : Protect-Frames Always-Include-SCI
Security Policy            : SHOULD SECURE
Delay Protection           : TRUE
Sectag offset              : 0

Rx SC 1
Rx SCI                     : 008a962d74000001
Peer MAC                   : 00:8a:96:2d:74:00
Stale SAK Data             : NO
SAK[0]                     : ***
SAK Len                    : 16
SAK Version                : 1
HashKey[0]                 : ***
HashKey Len                : 16
Conf offset                : 30
Cipher Suite               : GCM-AES-XPN-128
CtxSalt[0]                 : 01 8f 2f 0f 63 ff 2e d6 a5 bf 27 0e
ssci                       : 2
Rx SA Program Req[0]: 2019 Oct 08 07:37:14.870
Rx SA Program Rsp[0]: 2019 Oct 08 07:37:14.902

Tx SC
Tx SCI                     : 78725d1ae7d40001
Active AN                  : 0
Old AN                     : 255
Next PN                    : 1, 0, 0, 0
SAK[0]                     : ***
SAK Len                    : 16
SAK Version                : 1
HashKey[0]                 : ***
HashKey Len                : 16
Conf offset                : 30
Cipher Suite               : GCM-AES-XPN-128
CtxSalt[0]                 : 01 8f 2f 0c 63 ff 2e d6 a5 bf 27 0e
ssci                       : 1
Tx SA Program Req[0]: 2019 Oct 08 07:37:14.908
Tx SA Program Rsp[0]: 2019 Oct 08 07:37:14.931

8. Verify hardware programming using the show macsec platform hardware sa interface command.

Example:

Router# show macsec platform hardware sa interface hundredGigE 0/1/0/10
---------------------------------------------------------------
Tx SA Details:
----------------------------------------------------------------
SCI : 7872.5d1a.e7d4/0001
Crypto Algo : GCM-AES-XPN-128
AES Key Len : 128 bits
AN : 0
Initial Packet Number : 1
Current Packet Number : 1
Maximum Packet Number : 3221225400
XForm in Use : YES
Action Type : SA Action Egress
Direction : Egress
Conf Offset : 00000030
Drop Type : 0x00000003
SA In Use : YES
ConfProtect : YES
IncludeSCI : YES
ProtectFrame : YES
UseEs : NO
UseSCB : NO
----------------------------------------------------------------
Rx SA Details:
----------------------------------------------------------------
SCI : 008a.962d.7400/0001
Replay Window : 64
Crypto Algo : GCM-AES-XPN-128
AES Key Len : 128 bits
AN : 0
Initial Packet Number : 1