MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Configure point-to-point MACsec encryption using SKIP

Overview

Establish point-to-point MACsec encryption between two routers in which the key material comes from external Quantum Key Distribution (QKD) devices. Each router fetches keys from its local Key Management Entity (KME) over the Secure Key Integration Protocol (SKIP); the two KMEs share that key material across the QKD link, so both routers obtain matching keys without ever sending them across the path that MACsec protects. On each router you define an SKS profile that points at the KME, reference that profile from a MACsec policy in Pre-placed Key (PPK) mode, and apply the policy to the physical interfaces.

Use this task when you need MACsec in PPK mode with keys supplied by external QKD devices and provisioned over SKIP. The PSK keychain from the prerequisites is still applied on every interface; the SKS profile adds the QKD-sourced key material that PPK mode uses on top of it.

Before you begin

  • Configure MACsec Pre-Shared Key (PSK). For more information, see Configure a MACsec keychain.

  • Configure MACsec in the PPK mode.

  • Ensure that the external QKD devices and their key servers (KMEs) are deployed and reachable from both routers.

  • Add the QKD server CA to the trustpoint in the router. For more information, see the Configure Trustpoint section in the System Security Configuration Guide for Cisco 8000 Series Routers.

  • Import the QKD server root CA certificate into the router. For more information, see the Configure Certificate Enrollment Using Cut-and-Paste section in the System Security Configuration Guide for Cisco 8000 Series Routers. This trust anchor is what lets the router authenticate the KME when it opens the SKIP connection; with a missing or wrong CA the router cannot validate the server and key requests fail.

Procedure

1. Configure the SKS profile that points to the QKD key server (KME).

  1. On Router 1, enter global configuration mode, define the SKS profile, and specify the KME server that serves Router 1:

    Example:

    Router# config
    Router(config)# sks profile ProfileR1toR2 type remote
    Router(config-sks-profile)# kme server ipv4 192.0.2.34 port 10001
    Router(config-sks-profile)# commit
  2. On Router 2, do the same with the KME server that serves Router 2. The two KMEs are the QKD pair that shares the key material; each router talks only to its own KME over SKIP:

    Example:

    Router# config
    Router(config)# sks profile ProfileR2toR1 type remote
    Router(config-sks-profile)# kme server ipv4 192.0.2.35 port 10001
    Router(config-sks-profile)# commit
2. Map the SKS profile to the MACsec policy. The ppk sks-profile statement is what puts the policy in PPK mode and tells it where to fetch key material.

  1. On Router 1:

    Example:

    Router# config
    Router(config)# macsec-policy R1toR2
    Router(config-macsec-policy)# ppk sks-profile ProfileR1toR2
    Router(config-macsec-policy)# commit
  2. On Router 2:

    Example:

    Router# config
    Router(config)# macsec-policy R2toR1
    Router(config-macsec-policy)# ppk sks-profile ProfileR2toR1
    Router(config-macsec-policy)# commit
3. Apply the MACsec policy to the interfaces. Each interface references both the PSK keychain configured in the prerequisites and the policy created in the previous step.

  1. On Router 1:

    Example:

    Router# config
    Router(config)# interface hundredGigE 0/1/0/10
    Router(config-if)# ipv4 address 192.0.2.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/11
    Router(config-if)# ipv4 address 192.0.3.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/12
    Router(config-if)# ipv4 address 192.0.4.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/9
    Router(config-if)# ipv4 address 192.0.5.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
  2. On Router 2:

    Example:

    Router# config
    Router(config)# interface hundredGigE 0/1/0/10
    Router(config-if)# ipv4 address 192.0.2.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/11
    Router(config-if)# ipv4 address 192.0.3.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/12
    Router(config-if)# ipv4 address 192.0.4.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/9
    Router(config-if)# ipv4 address 192.0.5.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
4. Verify the configuration on each router with the show running-config command. The policy must reference the SKS profile under ppk, and every MACsec interface must reference both the PSK keychain and that policy:

  1. On Router 1:

    Example:

    sks profile ProfileR1toR2 type remote
     kme server ipv4 192.0.2.34 port 10001
    ! 
    macsec-policy R1toR2
     ppk
      sks-profile ProfileR1toR2
     !
    !
    interface hundredGigE 0/1/0/10
     ipv4 address 192.0.2.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    interface hundredGigE 0/1/0/11
     ipv4 address 192.0.3.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    interface hundredGigE 0/1/0/12
     ipv4 address 192.0.4.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    interface hundredGigE 0/1/0/9
     ipv4 address 192.0.5.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    
  2. On Router 2:

    Example:

    sks profile ProfileR2toR1 type remote
     kme server ipv4 192.0.2.35 port 10001
    !
    macsec-policy R2toR1
     ppk
      sks-profile ProfileR2toR1
     !
    !
    interface hundredGigE 0/1/0/10
     ipv4 address 192.0.2.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
    interface hundredGigE 0/1/0/11
     ipv4 address 192.0.3.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
    interface hundredGigE 0/1/0/12
     ipv4 address 192.0.4.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
    interface hundredGigE 0/1/0/9
     ipv4 address 192.0.5.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
5. Verify the point-to-point MACsec encryption using SKIP on either router with the show crypto sks profile all and show crypto sks profile all stats commands. In the first output, confirm that the server Status is Connected, Key is true and Algorithm is QKD, and that the peer in the Peerlist is Connected. In the stats output, confirm that Request failed and Response failed are 0, that Key response is non-zero, and that the last transaction returned HTTP 200.

Example:

Router(ios)# show crypto sks profile all
Profile Name        :ProfileR1toR2
My identifier       :Router1
Type                :Remote
Reg Client Count    :1

Server
IP                  :192.0.2.34
Port                :10001
Vrf                 :Notconfigured
Source Interface    :Notconfigured
Status              :Connected
Entropy             :true
Key                 :true
Algorithm           :QKD
Local identifier    :Alice
Remote identifier   :Alice

Peerlist
QKD ID               :Bob
State                :Connected

Peerlist
QKD ID               :Alice
State                :Connected

Router(ios)# show crypto sks profile all stats
Profile Name            : ProfileR1toR2
My identifier           : Router1
Server
 IP                     : 192.0.2.34
 Port                   : 10001
 Status                 : connected
Counters
 Capability request         : 1
 Key request                : 3
 Key-id request             : 0
 Entropy request            : 0
 Capability response        : 1
 Key response               : 3
 Key-id response            : 0
 Entropy response           : 0
 Total request              : 4
 Request failed             : 0
 Request success            : 4
 Total response             : 4
 Response failed            : 0
 Response success           : 4
 Retry count                : 0
 Response Ignored           : 0
 Cancelled count            : 0
Response time
 Max Time                   : 100 ms
 Avg Time                   : 10  ms
 Min Time                   : 50  ms
Last transaction
 Transaction Id             : 9
 Transaction type           : Get key
 Transaction status         : Response data received, successfully
 Http code                  : 200 OK (200)

When the task is completed, MACsec link encryption is established between both routers, with the session key material provisioned from the QKD devices over SKIP. All interfaces configured with the MACsec policy exchange encrypted and authenticated traffic.

What to do next

Monitor the SKS profile status (show crypto sks profile all) and the request and response counters (show crypto sks profile all stats) to confirm ongoing secure operation. A server Status other than Connected, a rising Request failed or Retry count, a Key response counter that stops increasing, or an HTTP code other than 200 on the last transaction all mean the router is no longer obtaining key material from the KME. Review logs and counters for negotiation failures or changes in link state.
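The checks listed above can be automated against the text of show crypto sks profile all stats. The following is an added example, not Cisco code or anything from this guide: it parses the field/value lines of the stats output shown in step 5 into a dictionary and flags the conditions under which the router is not receiving QKD key material over SKIP. Field names are taken from the page's sample output; the two embedded sample outputs are constructed (the healthy one is a trimmed copy of the page's output, the failing one is hypothetical), and the checks and thresholds are this example's own choices, not Cisco-defined.

```python
"""Health check over 'show crypto sks profile all stats' output.

Added example, not Cisco code. Field names follow the page's sample output;
the checks and the two sample texts below are this example's own.
"""
import re

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")
LEADING_INT = re.compile(r"\s*(\d+)")

# Constructed: the healthy profile from the page, trimmed to the fields used here.
HEALTHY = """\
Profile Name            : ProfileR1toR2
Server
 IP                     : 192.0.2.34
 Port                   : 10001
 Status                 : connected
Counters
 Key response               : 3
 Total request              : 4
 Request failed             : 0
 Request success            : 4
Last transaction
 Transaction type           : Get key
 Http code                  : 200 OK (200)
"""

# Constructed, hypothetical failure: the KME rejects the router, so key
# requests fail and no key material arrives.
BROKEN = """\
Profile Name            : ProfileR2toR1
Server
 IP                     : 192.0.2.35
 Port                   : 10001
 Status                 : disconnected
Counters
 Key response               : 0
 Total request              : 4
 Request failed             : 3
 Request success            : 1
Last transaction
 Transaction type           : Get key
 Http code                  : 401 Unauthorized (401)
"""


def split_profiles(text):
    """'show ... all stats' prints one block per profile; split on the header line."""
    return [b for b in re.split(r"(?m)^(?=Profile Name\s*:)", text) if b.strip()]


def parse_stats(block):
    """Map lower-cased field names to raw values; section headers have no colon."""
    fields = {}
    for line in block.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def leading_int(value):
    """'3' -> 3, '100 ms' -> 100, '200 OK (200)' -> 200, None/'' -> None."""
    m = LEADING_INT.match(value or "")
    return int(m.group(1)) if m else None


def check_profile(fields):
    """Return findings for one profile; an empty list means it looks healthy."""
    findings = []
    kme = f"{fields.get('ip', '?')}:{fields.get('port', '?')}"
    if fields.get("status", "").lower() != "connected":
        findings.append(f"KME {kme} status is {fields.get('status', 'missing')!r}, not connected")
    req_failed = leading_int(fields.get("request failed")) or 0
    if req_failed:
        findings.append(f"{req_failed} SKIP request(s) to {kme} failed")
    # No key responses means no QKD material for the MACsec session.
    if not leading_int(fields.get("key response")):
        findings.append("no key responses received from the KME")
    # A non-200 on the last transaction is the quickest pointer to a TLS or
    # trustpoint problem between router and KME.
    http = leading_int(fields.get("http code"))
    if http != 200:
        findings.append(f"last transaction ({fields.get('transaction type', '?')}) returned HTTP {http}")
    # Counters must agree with each other: success + failed == total.
    total = leading_int(fields.get("total request"))
    ok = leading_int(fields.get("request success"))
    if total is not None and ok is not None and total != ok + req_failed:
        findings.append(f"request counters inconsistent: {total} != {ok} + {req_failed}")
    return findings


def audit(text):
    """Profile name -> findings for every profile in the command output."""
    report = {}
    for block in split_profiles(text):
        fields = parse_stats(block)
        report[fields.get("profile name", "<unnamed>")] = check_profile(fields)
    return report


if __name__ == "__main__":
    for name, findings in audit(HEALTHY + BROKEN).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Feed audit() the captured command output from either router; it returns one findings list per profile, so a scheduled job can alert on any non-empty list. Because the parser keys on the "Name : value" shape rather than on fixed line positions, it tolerates counters being added or reordered between releases, but any field name that changes must be updated in check_profile.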