MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Key concepts for MACsec encryption

Overview

Describes essential MACsec components including the MKA protocol, Pre-shared Keys, CKN, CAK, Secure Association Keys, key server roles, and policy parameters that govern secure Ethernet link communication.

MACsec Key Agreement protocol

MACsec Key Agreement (MKA) is a protocol that manages the secure exchange of cryptographic keys for MACsec. It establishes and maintains secure associations between devices, enabling encrypted communication over Ethernet links. MKA handles key distribution, authentication, and rekeying processes to ensure continuous data confidentiality and integrity.

MACsec Pre-shared Key

MACsec Pre-shared Key (PSK) is a static key shared between devices before communication begins. It serves as the basis for authenticating devices and deriving session keys in MACsec. PSK simplifies deployment in environments where dynamic key management is not feasible, but it requires secure key distribution and management practices, because every device holding the PSK can derive the session keys.

  • Connectivity Association Key Name (CKN): CKN is an identifier used to associate devices within a MACsec connectivity association. It uniquely identifies the keying material group and helps devices recognize peers that share the same security context. CKN ensures that only authorized devices participate in the secure communication.

  • Connectivity Association Key (CAK): CAK is the primary cryptographic key shared among devices in a MACsec connectivity association. It is used to derive session keys for encrypting and authenticating data frames. CAK must be securely distributed and protected to maintain the integrity and confidentiality of the MACsec session.

Fallback PSK and active fallback

Fallback PSK is a session recovery mechanism that activates when the primary PSK fails to establish a secured MKA session, ensuring a PSK is always available for MACsec encryption and decryption. Cisco IOS XR software enhances fallback PSK with the active fallback, which initiates a fallback MKA session when fallback configuration is present on the interface. Active fallback ensures faster session convergence on fallback during primary key deletion, expiry, or mismatch. It also accelerates traffic recovery under the should-secure security policy when both primary and fallback keys mismatch.

Secure Association Key

The Secure Association Key (SAK) is the actual encryption key that the key server generates and distributes to the key client. Each secure channel uses a new SAK for data encryption.

  • Key server: A router selected during the MKA process that is responsible for generating and distributing the SAK. Its selection is based on configured priority values, where a numerically lower value indicates higher preference.

  • Key client: The peer router that receives the SAK from the key server.

MACsec frame format

The MACsec frame format defines the structure of a frame after Media Access Control Security (MACsec) encryption. It consists of specific components that ensure data confidentiality, integrity, and authenticity at Layer 2.

Figure 1. MACsec frame format

Table 1. MACsec frame components

  • SecTAG
    What it is: A security tag, 8 to 16 bytes in length (16 bytes if Secure Channel Identifier (SCI) encoding is used, otherwise 8 bytes). It also provides replay protection.
    Used for: Identifying the Secure Association Key (SAK) used for the frame and detecting out-of-sequence frames.

  • Secure Data
    What it is: The portion of the frame containing data encrypted using MACsec, with a length of 2 or more octets.
    Used for: Carrying encrypted data within the frame.

  • ICV (Integrity Check Value)
    What it is: A value that provides an integrity check for the entire frame, typically ranging from 8 to 16 bytes in length.
    Used for: Ensuring the integrity of the frame; frames with an ICV that does not match the expected value are dropped at the receiving port.

MACsec keychain

A MACsec keychain is a collection of cryptographic keys used to authenticate peers that need to exchange encrypted information. It defines the keys, their associated key strings (passwords), the cryptographic algorithm to be used, and the validity period for each key.

Table 2. MACsec keychain elements

  • Key (CKN)
    What it is: An identifier for the MACsec secret key.
    Used for: Identifying each key entry in a MACsec keychain.

  • Key-string (CAK)
    What it is: The actual secret key in the MACsec encryption.
    Used for: Encrypting data based on the cryptographic algorithm used.

  • Cryptographic Algorithm
    What it is: Specifies the encryption algorithm.
    Used for: Determining how the key-string (CAK) is used for encryption.

  • Lifetime
    What it is: Defines the validity period of the key, either as a duration or indefinitely.
    Used for: Ensuring the key is used only within its valid time frame for security purposes.
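The following Python script is an added example, not Cisco code, that checks a keychain built from the four elements in Table 2 before it is deployed: each entry's CKN and CAK are validated for length and encoding, the keys valid at a given moment are listed, and overlapping lifetimes are walked to find any interval in which no key is valid (a gap during which the MKA session would have no CAK to fall back on). The length rules come from IEEE 802.1X (CKN 1 to 32 octets; CAK 128 bits for AES-128-CMAC and 256 bits for AES-256-CMAC); the keychain contents are constructed values, not real keying material, and which of several simultaneously valid keys the router actually prefers is left to the router and not modelled here.

```python
"""Added example (not Cisco's code): validate a constructed MACsec keychain,
list the keys valid at a given time, and find lifetime gaps."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}  # hex characters per algorithm


@dataclass(frozen=True)
class MacsecKey:
    ckn: str                 # key identifier (CKN), hex string
    cak: str                 # key-string (CAK), hex string
    algorithm: str           # cryptographic algorithm name
    start: datetime          # beginning of the lifetime
    end: Optional[datetime]  # None = infinite lifetime


def _is_hex(s: str) -> bool:
    return len(s) % 2 == 0 and len(s) > 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def validate_key(key: MacsecKey) -> List[str]:
    """Return the list of configuration problems found in one keychain entry."""
    problems = []
    if not _is_hex(key.ckn) or not 1 <= len(key.ckn) // 2 <= 32:
        problems.append(f"key {key.ckn!r}: CKN must be 1 to 32 octets of hex")
    expected = CAK_HEX_LEN.get(key.algorithm)
    if expected is None:
        problems.append(f"key {key.ckn!r}: unknown algorithm {key.algorithm!r}")
    elif not _is_hex(key.cak) or len(key.cak) != expected:
        problems.append(f"key {key.ckn!r}: CAK must be {expected} hex characters for {key.algorithm}")
    if key.end is not None and key.end <= key.start:
        problems.append(f"key {key.ckn!r}: lifetime ends before it starts")
    return problems


def valid_keys(chain: List[MacsecKey], at: datetime) -> List[str]:
    """CKNs of every key whose lifetime covers the instant `at`."""
    return [k.ckn for k in chain if k.start <= at and (k.end is None or at < k.end)]


def coverage_gaps(chain: List[MacsecKey]) -> Tuple[List[Tuple[datetime, datetime]], Optional[datetime]]:
    """Walk the keys in start order and report (gap_start, gap_end) intervals
    with no valid key, plus when the whole chain expires (None = never)."""
    if not chain:
        raise ValueError("empty keychain")
    keys = sorted(chain, key=lambda k: k.start)
    gaps = []
    covered_until = keys[0].end
    for k in keys[1:]:
        if covered_until is not None and k.start > covered_until:
            gaps.append((covered_until, k.start))       # nothing valid in between
        if covered_until is not None:
            covered_until = None if k.end is None else max(covered_until, k.end)
    return gaps, covered_until


def _utc(*ymd: int) -> datetime:
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample chain: the second key overlaps the first (clean rollover),
# but the third key starts four days after the second one expires.
SAMPLE_CHAIN = [
    MacsecKey("1001", "0123456789abcdef" * 4, "aes-256-cmac", _utc(2025, 1, 1), _utc(2025, 2, 1)),
    MacsecKey("1002", "fedcba9876543210" * 4, "aes-256-cmac", _utc(2025, 1, 25), _utc(2025, 3, 1)),
    MacsecKey("1003", "00112233445566778899aabbccddeeff" * 2, "aes-256-cmac", _utc(2025, 3, 5), None),
]


def audit(chain: List[MacsecKey]) -> List[str]:
    """Every problem in the chain: per-key issues plus coverage gaps."""
    report = [p for k in chain for p in validate_key(k)]
    gaps, expires = coverage_gaps(chain)
    report += [f"no valid key from {a.isoformat()} to {b.isoformat()}" for a, b in gaps]
    if expires is not None:
        report.append(f"keychain expires at {expires.isoformat()}")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_CHAIN):
        print(line)
    print("valid on 2025-01-28:", valid_keys(SAMPLE_CHAIN, _utc(2025, 1, 28)))
```

Run against the sample chain, the audit reports the four-day gap between keys 1002 and 1003; because key 1003 has an infinite lifetime, no chain expiry is reported. Running such a check from change control before pushing a keychain catches the two mistakes that most often drop a MACsec link: a CAK of the wrong length for the chosen algorithm, and a rollover with no overlap.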

MACsec policy

A MACsec policy defines the security parameters and behaviors for Media Access Control Security (MACsec) encryption in routers. It specifies the cryptographic algorithms, key management preferences, and traffic handling rules for secure Layer 2 communication.

MACsec policy encompasses several key parameters that govern MACsec operation:

Table 3. MACsec policy parameters

  • Cipher Suite
    What it is: The encryption algorithm used for MACsec.
    What it does: Provides the cryptographic strength and method for MACsec data encryption.

  • Confidentiality Offset
    What it is: An offset value for MACsec encryption.
    What it does: Modifies the starting point of encryption within a frame. Changes are recommended only when the port is administratively down to prevent traffic loss.

  • Key Server Priority
    What it is: A value that determines a router's preference to be selected as the key server in an MKA session. A numerically lower value indicates higher preference.
    What it does: Influences which router becomes the key server, responsible for generating and maintaining the Secure Association Key (SAK).

  • Security Policy
    What it is: Defines the traffic handling behavior based on MACsec encryption status.
    What it does: Controls whether unencrypted traffic is allowed before the MKA session secures, or if only encrypted traffic is permitted.

  • Data Delay Protection
    What it is: A feature that ensures MACsec-protected data frames do not exceed a specific delay threshold.
    What it does: Rejects MACsec-protected traffic that experiences excessive delay (over 2 seconds) to maintain real-time performance.

  • Replay Protection Window Size
    What it is: The maximum number of out-of-sequence frames that are accepted.
    What it does: Protects against replay attacks by defining the acceptable window for frame reordering.

  • Include ICV Indicator
    What it is: A configuration option for including an optional Integrity Check Value (ICV) Indicator in the transmitted MACsec Key Agreement PDU (MKPDU).
    What it does: Ensures interoperability with other vendor MACsec implementations that expect this specific indicator in the MKPDU.

  • SAK Rekey Interval
    What it is: A timer value for periodically rekeying the MACsec Secure Association Key (SAK).
    What it does: Periodically updates the data encryption key (SAK) to enhance security by limiting the lifespan of a single key. This configuration is effective on the node acting as the key server.
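The following Python script is an added example, not Cisco code, covering the two policy parameters in Table 3 that only take effect on the key server: it elects the key server among the MKA peers from their Key Server Priority values, and it decides when the elected key server must distribute a fresh SAK. Two rules go beyond what this page states and are taken from IEEE 802.1X, so treat them as assumptions about the standard rather than about this router: equal priorities are broken by the lowest SCI, and a priority of 255 means the peer never acts as key server. The rekey trigger combines the SAK Rekey Interval with a second reason the page does not list, namely the 32-bit packet number approaching exhaustion, for which the threshold used here is an illustrative constant.

```python
"""Added example (not Cisco's code): key server election from configured
priorities, and the key server's decision to distribute a new SAK."""
from dataclasses import dataclass
from typing import Optional, Sequence

NEVER_KEY_SERVER = 255          # IEEE 802.1X: this priority never becomes key server
PN_MAX = 2**32 - 1              # 32-bit packet number of non-XPN cipher suites
PN_REKEY_THRESHOLD = 0xC0000000 # illustrative margin: rekey before the PN wraps


@dataclass(frozen=True)
class Peer:
    name: str
    key_server_priority: int    # 0 = most preferred, 255 = never key server
    sci: bytes                  # Secure Channel Identifier: 6-byte MAC + 2-byte port


def elect_key_server(members: Sequence[Peer]) -> Optional[Peer]:
    """Lowest numeric priority wins; ties go to the lowest SCI (802.1X rule)."""
    for m in members:
        if not 0 <= m.key_server_priority <= 255:
            raise ValueError(f"{m.name}: priority must be 0-255")
        if len(m.sci) != 8:
            raise ValueError(f"{m.name}: SCI must be 8 bytes")
    candidates = [m for m in members if m.key_server_priority != NEVER_KEY_SERVER]
    if not candidates:
        return None             # no member willing to be key server: no SAK, no session
    return min(candidates, key=lambda m: (m.key_server_priority, m.sci))


@dataclass
class SakState:
    """What the key server tracks for the SAK it last distributed."""
    distributed_at: float            # seconds on a monotonic clock
    rekey_interval: Optional[int]    # SAK Rekey Interval in seconds; None = off
    highest_pn: int = 0              # largest PN the transmit SA has used so far


def needs_rekey(state: SakState, now: float) -> Optional[str]:
    """Return the reason a new SAK must be generated and distributed, or None."""
    if state.highest_pn > PN_MAX:
        raise ValueError("packet number overflowed; SAK should already have been replaced")
    if state.rekey_interval is not None and now - state.distributed_at >= state.rekey_interval:
        return "rekey interval elapsed"
    if state.highest_pn >= PN_REKEY_THRESHOLD:
        return "packet number nearing exhaustion"
    return None


# Constructed peers: equal priorities on r1 and r2, r3 declines the role.
SCI_A = b"\x00\x11\x22\x33\x44\x55\x00\x01"
SCI_B = b"\x00\x11\x22\x33\x44\x56\x00\x01"
SAMPLE_PEERS = [Peer("r1", 16, SCI_B), Peer("r2", 16, SCI_A), Peer("r3", NEVER_KEY_SERVER, SCI_A)]

if __name__ == "__main__":
    server = elect_key_server(SAMPLE_PEERS)
    print("key server:", server.name if server else None)
    state = SakState(distributed_at=0.0, rekey_interval=3600)
    print("after 100 s:", needs_rekey(state, 100.0))
    print("after 3600 s:", needs_rekey(state, 3600.0))
```

With the constructed peers r2 wins the election because its SCI is numerically lower than r1's at the same priority, which is why operators who want a deterministic key server set a distinct, lower priority on it rather than relying on the tie-break. The SAK is renewed both on the configured interval and before the packet number runs out; either event is a normal rekey, not a session failure, so only a rekey that does not complete should alarm.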