Home
Support
Product Support
Routers
Cisco 8000 Series Routers
Configuration Guides

MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Table of contents

Expand all sections

About this document

YANG data models for MACsec encryption features

Using YANG Data Models

Fundamentals of MACsec encryption

MACsec encryption
Key concepts for MACsec encryption
How MACsec encryption works
Guidelines for MACsec encryption
Configure MACsec encryption

WAN MACsec encryption

WAN MACsec encryption
Applications of MACsec in WAN environments
MACsec encryption on Layer 3 subinterfaces
Alternate EAPoL Ether-type and Destination address

MACsec policy exceptions

MACsec policy exception
MACsec policy exceptions for LACP packets
MACsec policy exceptions for LLDP packets

MACsec encryption using EAP-TLS authentication

MACsec encryption using EAP-TLS authentication
How MACsec encryption using EAP-TLS authentication works
Guidelines for MACsec encryption using EAP-TLS authentication
Configure MACsec encryption using EAP-TLS authentication

MACsec encryption using SKIP

Secure Key Integration Protocol
How point-to-point MACsec encryption using SKIP works
Restrictions for MACsec encryption using SKIP
Configure point-to-point MACsec encryption using SKIP

Secure MACsec encryption

Power-on Self-Test KAT for Common Criteria and FIPS
Dynamic power management for MACsec-enabled ports
MACsec pre-shared keys with Type 6 password encryption

MACsec encryption performance and statistics

MACsec SecY statistics
MACsec SNMP MIB
Use SNMP commands to access SECY MIB
Obtain the MACsec controlled port interface index
SNMP query examples

WAN MACsec encryption

Updated: February 28, 2026

Overview

Provides guidance on deploying and configuring MACsec encryption across WAN environments, covering physical and Layer 3 subinterface applications, VLAN-based policies, and EAPoL configuration for secure, interoperable network topologies.

This chapter provides comprehensive guidance on deploying and configuring MACsec encryption for secure Ethernet encryption across WAN environments. Users can learn how to apply MACsec on physical interfaces and Layer 3 subinterfaces, set VLAN-based policies, and customize EAPoL Ether-types and destination addresses to enhance security and interoperability in diverse network topologies.

WAN MACsec encryption

Defines WAN MACsec encryption as an IEEE 802.1AE-based solution that provides end-to-end security across Layer 2 Ethernet WAN services, supporting both point-to-point and point-to-multipoint topologies.

Applications of MACsec in WAN environments

Explains the application of MACsec in VPLS/EVPN and MPLS core networks, detailing how to implement encryption on physical interfaces and link bundles to secure data between geographically distributed data centers.

MACsec encryption on Layer 3 subinterfaces

Describes how MACsec encryption on Layer 3 subinterfaces allows for independent encryption control and policy application per VLAN, while retaining unencrypted VLAN tags for proper traffic switching.

Alternate EAPoL Ether-type and Destination address

Explains the use of alternate EAPoL Ether-types and destination addresses to prevent intermediate Layer 2 devices from consuming EAPoL packets, improving reliability in service provider WAN deployments.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.