MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Alternate EAPoL Ether-type and Destination address

Overview

Explains the use of alternate EAPoL Ether-types and destination addresses to prevent intermediate Layer 2 devices from consuming EAPoL packets, improving reliability in service provider WAN deployments.

EAPoL Ether-types and destination addresses are WAN MACsec configuration parameters that

  • identify the protocol type and destination MAC used by EAPoL frames during MACsec key agreement,

  • allow alternate values to prevent Layer 2 intermediate devices from consuming EAPoL packets, and

  • support per-interface and per-subinterface configuration with inheritance from the parent interface to improve reliability and flexibility.

Terms used in this section:

  • EAPoL: Extensible Authentication Protocol over LAN; the protocol that transports MACsec Key Agreement (MKA) control traffic at Layer 2.

  • Ether-type: A 16-bit field in an Ethernet frame that indicates the upper-layer protocol carried (for EAPoL, the standard value is 0x888E).

  • Destination MAC address: The Layer 2 address used to deliver EAPoL frames (for EAPoL, the standard multicast address is 01:80:C2:00:00:03).

In WAN MACsec deployments, utilizing the standard EAPoL Ether-Type (0x888E) and destination MAC address (01:80:C2:00:00:03) can result in intermediate Layer 2 devices intercepting and consuming EAPoL packets across a service provider network. To prevent such interference and enhance MACsec session establishment between peers, configuration of an alternate EAPoL Ether-Type, an alternate destination MAC address, or both, on a MACsec-enabled interface, is recommended.

  • Alternate EAPoL Ether-type: The supported alternate Ether-type is 0x876F. This can be configured to avoid packet interception.

  • Alternate destination MAC address: Options include using the broadcast address FF:FF:FF:FF:FF:FF or the nearest bridge group address. This configuration helps in reducing interference.

  • Subinterface configuration: Specific EAPoL parameters can be explicitly set for each subinterface. If not set, subinterfaces will inherit the EAPoL configuration from the parent physical interface.

This structured approach ensures a reliable and interference-free MACsec deployment across WAN environments.
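As an added illustration that is not part of the Cisco guide, the following Python builds and decodes EAPoL frames carrying the standard and alternate Ether-type and destination MAC values described above, so the on-wire effect of each option can be seen. The source MAC and the MKA body are constructed sample values; the EAPoL header layout (version 3, packet type 5 for MKA) follows IEEE 802.1X-2010.

```python
import struct

STD_EAPOL_ETHERTYPE = 0x888E    # standard EAPoL Ether-type
ALT_EAPOL_ETHERTYPE = 0x876F    # alternate Ether-type supported on IOS XR
PAE_GROUP_MAC = "01:80:c2:00:00:03"     # standard EAPoL destination
BRIDGE_GROUP_MAC = "01:80:c2:00:00:00"  # nearest bridge group address
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
EAPOL_VERSION, EAPOL_TYPE_MKA = 3, 5    # 802.1X-2010 EAPoL header values for MKA

def mac_to_bytes(mac: str) -> bytes:
    """Accept colon form (01:80:c2:00:00:03) or Cisco dotted form (0180.c200.0003)."""
    digits = mac.replace(":", "").replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)

def to_cisco_dotted(mac: bytes) -> str:
    """Render a MAC the way 'show macsec mka interface ... detail' prints it."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def build_eapol_mka_frame(dst: str, src: str, ethertype: int, mka_body: bytes) -> bytes:
    """Ethernet II header + EAPoL header (version, type, body length) + opaque MKA body."""
    eth_hdr = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype)
    eapol_hdr = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_MKA, len(mka_body))
    return eth_hdr + eapol_hdr + mka_body

def parse_frame(frame: bytes) -> dict:
    """Decode the fields an intermediate Layer 2 device inspects before forwarding."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    return {"dst": to_cisco_dotted(frame[0:6]), "src": to_cisco_dotted(frame[6:12]),
            "ethertype": ethertype, "eapol_version": version,
            "eapol_type": ptype, "body_len": body_len}

def uses_standard_eapol_addressing(frame: bytes) -> bool:
    """True when BOTH the standard Ether-type and the standard PAE group address are used."""
    f = parse_frame(frame)
    return (f["ethertype"] == STD_EAPOL_ETHERTYPE
            and f["dst"] == to_cisco_dotted(mac_to_bytes(PAE_GROUP_MAC)))

if __name__ == "__main__":
    body = b"\x01" + b"\x00" * 7          # constructed placeholder MKA body, not a real MKPDU
    for dst, et in [(PAE_GROUP_MAC, STD_EAPOL_ETHERTYPE), (PAE_GROUP_MAC, ALT_EAPOL_ETHERTYPE),
                    (BROADCAST_MAC, STD_EAPOL_ETHERTYPE), (BRIDGE_GROUP_MAC, STD_EAPOL_ETHERTYPE)]:
        frm = build_eapol_mka_frame(dst, "02:01:9a:b0:77:cd", et, body)   # constructed source MAC
        print(parse_frame(frm), "standard addressing:", uses_standard_eapol_addressing(frm))
```

Only the frame with both the standard Ether-type and the PAE group address is flagged; changing either field, as the three configuration tasks below do, changes what an intermediate bridge sees.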

Table 1. Hardware Support Matrix for alternate EAPoL Ether-type and Destination address

  Cisco IOS XR Software Release   Product ID
  -----------------------------   ---------------
  Release 25.4.1                  8711-32FH-M
  Release 25.3.1                  88-LC1-52Y8H-EM
                                  8212-48FH-M
  Release 7.10.1                  8608
  Release 7.5.2                   8202-32FH-M
  Release 7.3.3                   8-LC0-34H14FH
  Release 7.3.15                  88-LC0-36FH-M
  Release 7.0.12                  88-LC-48H


Configure EAPoL Ether-type 0x876F

Configure the EAPoL Ether-type 0x876F on a router interface so that its EAPoL frames are not intercepted by intermediate Layer 2 devices that consume the standard Ether-type.

This task involves setting up the EAPoL Ether-type and applying MACsec on an interface to ensure secure communication.

Procedure

1. Use Configure a MACsec keychain to create a MACsec key chain.

2. (Optional) Use Create a user-defined MACsec policy to create a MACsec policy.

3. Use the eapol eth-type 876F command to configure the EAPoL Ether-type.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# eapol eth-type 876F
Router(config-if)# commit

4. Use Configure MACsec encryption on an interface to apply MACsec on an interface.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# macsec psk-keychain kc fallback-psk-keychain fb
Router(config-if)# commit

5. Use the show running-config command to view the configuration.

Example:

Router# show running-config interface HundredGigE0/1/0/2
interface HundredGigE0/1/0/2
  eapol eth-type 876F
  macsec psk-keychain kc fallback-psk-keychain fb
!

6. Use the show macsec mka interface detail and show macsec mka session commands to verify EAPoL Ether-type 0x876F on the interface.

Example:

Router# show macsec mka interface HundredGigE0/1/0/2 detail | i Ethertype
Ethertype                : 876F

Router# show macsec mka session interface HundredGigE0/1/0/2
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN
===============================================================================================
     Hu0/1/0/2        0201.9ab0.77cd/0001     1      Secured      YES      PRIMARY     1234
     Hu0/1/0/2        0201.9ab0.77cd/0001     1      Active       YES     FALLBACK     9999

The EAPoL Ether-type 0x876F is configured and MACsec is applied to the specified interface.


Configure EAPoL destination broadcast address

Configure the EAPoL destination address to use the broadcast address FF:FF:FF:FF:FF:FF so that EAPoL packets are flooded to all receivers in the underlying Layer 2 network.

This task involves setting the EAPoL destination address to broadcast and applying MACsec on an interface for secure communication.

Procedure

1. Use Configure a MACsec keychain to create a MACsec key chain.

2. (Optional) Use Create a user-defined MACsec policy to create a MACsec policy.

3. Use the eapol destination-address broadcast-address command to configure the EAPoL destination address to broadcast.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# eapol destination-address broadcast-address
Router(config-if)# commit

4. Use Configure MACsec encryption on an interface to apply MACsec on an interface.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# macsec psk-keychain kc fallback-psk-keychain fb
Router(config-if)# commit

5. Use the show running-config command to view the EAPoL broadcast destination address configuration.

Example:

Router# show running-config interface HundredGigE0/1/0/2
interface HundredGigE0/1/0/2
  eapol destination-address ffff.ffff.ffff
  macsec psk-keychain kc fallback-psk-keychain fb
!

6. Use the show macsec mka interface detail and show macsec mka session commands to verify the EAPoL broadcast destination address on the interface.

Example:

Router# show macsec mka interface HundredGigE0/1/0/2 detail | i EAPoL
    EAPoL Destination Addr   : ffff.ffff.ffff
Router# show macsec mka session interface HundredGigE0/1/0/2
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN
===============================================================================================
     Hu0/1/0/2       02df.3638.d568/0001     1      Secured      YES      PRIMARY     1234
     Hu0/1/0/2       02df.3638.d568/0001     1      Active       YES     FALLBACK     9999

The EAPoL destination address is configured to broadcast, and MACsec is applied to the specified interface.


Configure EAPoL destination bridge group address

Set the EAPoL destination address to the nearest bridge group address (e.g., 01:80:C2:00:00:00) on a physical interface, with the configuration inherited by the MACsec-enabled subinterface.

This task involves configuring the EAPoL destination address on a physical interface and applying MACsec to a subinterface for enhanced security.

Procedure

1. Use Configure a MACsec keychain to create a MACsec key chain.

2. (Optional) Use Create a user-defined MACsec policy to create a MACsec policy.

3. Use the eapol destination-address bridge-group-address command to configure the EAPoL destination bridge group address on a MACsec-enabled physical interface.

Example:

Router(config)# interface HundredGigE0/1/0/1
Router(config-if)# eapol destination-address bridge-group-address
Router(config-if)# commit

4. Use Configure MACsec encryption on an interface to apply MACsec on the subinterface.

Example:

Router(config)# interface HundredGigE0/1/0/1.1
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# macsec psk-keychain kc fallback-psk-keychain fb
Router(config-subif)# commit

5. Use the show running-config command to view the configuration.

Example:

This example shows the running configuration for the EAPoL destination bridge group address on the MACsec-enabled physical interface.

Router# show running-config interface Hu0/1/0/1
interface HundredGigE0/1/0/1
  eapol destination-address 0180.c200.0000

This example shows the running configuration of the MACsec-enabled subinterface; it carries no eapol line of its own because the destination address is inherited from the parent physical interface.

Router# show running-config interface HundredGigE0/1/0/1.1
interface HundredGigE0/1/0/1.1
  macsec psk-keychain kc fallback-psk-keychain fb
  encapsulation dot1q 1
!

6. Use the show macsec mka interface detail and show macsec mka session commands to verify the EAPoL destination bridge group address on the MACsec-enabled subinterface.

Example:

Router# show macsec mka interface HundredGigE0/1/0/1.1 detail | i EAPoL
    EAPoL Destination Addr   : 0180.c200.0000
Router# show macsec mka session interface HundredGigE0/1/0/1.1
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN
===============================================================================================
     Hu0/1/0/1.1       0201.9ab0.85af/0001     1      Secured      YES      PRIMARY     1234
     Hu0/1/0/1.1       0201.9ab0.85af/0001     1      Active       YES     FALLBACK     9999

The EAPoL destination bridge group address is configured, and MACsec is applied to the specified subinterface.