MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

MACsec encryption on Layer 3 subinterfaces

Overview

This section describes how MACsec encryption on Layer 3 subinterfaces allows independent encryption control and policy application per VLAN, while the VLAN tags themselves stay unencrypted so that traffic is still switched correctly.

MACsec encryption on Layer 3 subinterfaces is a security mechanism that

  • allows encryption and authentication of network data on VLAN-based Layer 3 subinterfaces,

  • enables the application of multiple MACsec policies across different L3 subinterfaces under a single physical interface by retaining VLAN tags in clear text, and

  • provides an additional security layer for communication between separate VLANs or subnets on the same physical link by making each L3 subinterface a distinct MACsec endpoint.

MACsec on Layer 3 subinterfaces uses VLAN encapsulations—802.1Q (single-tag) or 802.1ad (double-tag)—and requires specific VLAN identifiers. Keeping VLAN tags visible enables MACsec endpoints to identify subinterface traffic without encrypting the VLAN metadata. This setup allows traffic segregation at the MACsec level because each VLAN-associated subinterface has independent encryption control.

This flexibility allows for the application of different MACsec policies to Layer 3 subinterfaces under the same physical interface. By retaining unencrypted VLAN tags, Layer 3 subinterfaces can act as MACsec endpoints. Applying MACsec policies to these subinterfaces enhances network security by adding an extra layer of protection for communications between distinct subnets.

MACsec on Layer 3 subinterfaces operates similarly to that on a physical interface. For a MACsec Key Agreement (MKA) session to succeed on any Layer 3 subinterface, an appropriate tagging protocol encapsulation and a specified VLAN identifier are necessary. Although all Layer 3 subinterfaces default to 802.1Q VLAN encapsulation, the VLAN identifier must be explicitly set.

Hardware support matrix for MACsec on Layer 3 subinterfaces

Cisco IOS XR Software Release   Product ID
Release 25.3.1                  8711-32FH-M
Release 25.1.1                  8712-MOD-M
Release 24.4.1                  8608
                                88-LC1-36EH
                                88-LC1-12TH24FH-E
                                88-LC1-52Y8H-EM
                                8212-48FH-M
                                8711-32FH-M
Release 24.3.1                  88-LC1-52Y8H-EM
Release 7.11.1                  8202-32FH-M
                                88-LC0-36FH-M

Guidelines for MACsec encryption on Layer 3 subinterface

Use specific encapsulation combinations

Ensure that L3 subinterfaces belonging to a physical interface utilize either 802.1Q tag (single tag) or 802.1ad outer and 802.1Q inner tags (double tags).

Consistent VLAN tagging

Configure the same type of VLAN tag on all subinterfaces associated with a physical interface.

Adhere to VLAN identifier range

MACsec encryption on a layer 3 subinterface supports a VLAN identifier range of 1–4094.

Match encapsulation and MACsec policy

The encapsulation on the L3 subinterface and the number of VLAN tags in-clear in the MACsec policy must match. If the encapsulation is 802.1Q with a single tag, the MACsec policy must reflect 1 VLAN tag in-clear. If the encapsulation is 802.1ad outer and 802.1Q inner tags, the MACsec policy must indicate 2 VLAN tags in-clear.

Configure VLAN tags in-clear

Use the vlan-tags-in-clear command to configure VLAN tags in-clear.

Configure encapsulation on the L3 subinterface

Use the encapsulation dot1q command for 802.1Q with a single tag or encapsulation dot1ad command for 802.1ad outer and 802.1Q inner tags.

Uniform MACsec policy parameters

All subinterfaces within a physical interface must have identical MACsec policy parameters, such as allow-lacp-in-clear, allow-pause-frames-in-clear, vlan-tags-in-clear, or security policy.

Limit MACsec sessions for optimal performance

We recommend keeping the MACsec session limit at 192 on any line card or fixed port router, including all port-level and subinterface-level MACsec sessions, to optimize simultaneous hitless SAK rekey performance.


Restrictions for MACsec encryption on Layer 3 subinterface

MACsec mutual exclusivity on physical and subinterfaces

MACsec support on physical interfaces and subinterfaces is mutually exclusive. The routers do not support enabling MACsec simultaneously on a physical interface and on its subinterfaces, and they reject such configuration attempts. To configure MACsec on subinterfaces, first remove the MACsec configuration from the corresponding physical interface, and vice versa.

MACsec subinterface limitation: no data delay protection

MACsec on subinterfaces does not support data delay protection.

Line cards that do not support MACsec on VLAN subinterfaces

The Cisco 8800-LC-48H and 88-LC0-34H14FH line cards do not support MACsec on VLAN subinterfaces.
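The guidelines and restrictions above can be checked mechanically before a commit. The script below is an added example for this guide, not Cisco code: it parses a running-config fragment and reports the conditions the rules describe (tag count on the encapsulation versus vlan-tags-in-clear in the policy, mixed tag types or differing policy parameters under one physical port, VLAN identifiers outside 1–4094, and MACsec on both a port and its subinterfaces). The sample configuration embedded in it is constructed; HundredGigE0/5/0/16.101 and the MACsec line under physical port HundredGigE0/5/0/30 are assumed faults planted so that the checks fire.

```python
# Audit an IOS XR running-config against the MACsec-on-L3-subinterface rules.
# Added example for this guide, not Cisco code. SAMPLE_CONFIG is constructed:
# it keeps the policies and subinterfaces of the configuration procedure and
# plants two assumed faults, HundredGigE0/5/0/16.101 (one tag, bound to the
# two-tag policy) and a MACsec line on physical port HundredGigE0/5/0/30.
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
macsec-policy mp-SF1
 security-policy should-secure
 vlan-tags-in-clear 1
!
macsec-policy mp-SF2
 security-policy should-secure
 vlan-tags-in-clear 2
!
interface HundredGigE0/5/0/16.100
 macsec psk-keychain kc policy mp-SF1
 encapsulation dot1q 100
!
interface HundredGigE0/5/0/16.101
 macsec psk-keychain kc policy mp-SF2
 encapsulation dot1q 101
!
interface HundredGigE0/5/0/30
 macsec psk-keychain kc policy mp-SF2
!
interface HundredGigE0/5/0/30.200
 macsec psk-keychain kc policy mp-SF2
 encapsulation dot1ad 200 dot1q 300
!
"""

FLAG_KEYS = ("allow-lacp-in-clear", "allow-pause-frames-in-clear", "allow-lldp-in-clear")
# Parameters the guide requires to be identical on every subinterface of a port.
UNIFORM_KEYS = ("vlan-tags-in-clear", "security-policy") + FLAG_KEYS[:2]


def parse_config(text):
    """Return ({policy: params}, {interface: {'policy', 'encap'}}).
    encap is None or (tag_type, [vlan ids]): one id for dot1q, two for dot1ad+dot1q."""
    policies, interfaces, header, body = {}, {}, None, []
    for line in text.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
        elif line and line != "!":
            header, body = line.split(None, 1), []
        elif line == "!" and header and header[0] == "macsec-policy":
            pol = {k: False for k in FLAG_KEYS}
            pol["vlan-tags-in-clear"] = 0  # audit convention: unset means no tags in clear
            for key, _, val in (item.partition(" ") for item in body):
                pol[key] = True if key in FLAG_KEYS else int(val) if key == "vlan-tags-in-clear" else val
            policies[header[1]], header = pol, None
        elif line == "!" and header and header[0] == "interface":
            intf = {"policy": None, "encap": None}
            for item in body:
                m = re.fullmatch(r"macsec psk-keychain \S+ policy (\S+)", item)
                if m:
                    intf["policy"] = m.group(1)
                m = re.fullmatch(r"encapsulation (dot1q|dot1ad) (\d+)(?: dot1q (\d+))?", item)
                if m:
                    intf["encap"] = (m.group(1), [int(v) for v in m.groups()[1:] if v])
            interfaces[header[1]], header = intf, None
    return policies, interfaces


def audit(text):
    """Return (code, subject, detail) findings; an empty list means the config passes."""
    policies, interfaces = parse_config(text)
    findings, subs, physical = [], defaultdict(list), set()
    for name, intf in interfaces.items():
        port, _, sub = name.partition(".")
        if intf["policy"] and sub:
            subs[port].append(name)
        elif intf["policy"]:
            physical.add(port)
    # Restriction: MACsec on a port and on its subinterfaces is mutually exclusive.
    for port in sorted(physical & set(subs)):
        findings.append(("physical-and-subinterface", port, "MACsec also on " + ", ".join(subs[port])))
    for port, names in subs.items():
        tag_types, params = set(), set()
        for name in names:
            intf, pol = interfaces[name], policies.get(interfaces[name]["policy"])
            if pol is None or intf["encap"] is None:
                findings.append(("missing-policy-or-encapsulation", name, "MKA cannot come up"))
                continue
            tag_type, ids = intf["encap"]
            tag_types.add(tag_type)
            params.add(tuple(pol.get(k) for k in UNIFORM_KEYS))
            if any(not 1 <= v <= 4094 for v in ids):
                findings.append(("vlan-id-out-of-range", name, str(ids)))
            # Guideline: tags carried by the encapsulation must equal vlan-tags-in-clear.
            if len(ids) != pol["vlan-tags-in-clear"]:
                findings.append(("tag-count-mismatch", name, "%d tag(s) on the wire, policy %s has vlan-tags-in-clear %d"
                                 % (len(ids), intf["policy"], pol["vlan-tags-in-clear"])))
        if len(tag_types) > 1:
            findings.append(("mixed-tag-types", port, ", ".join(sorted(tag_types))))
        if len(params) > 1:
            findings.append(("non-uniform-policy", port, "policy parameters differ across subinterfaces"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in audit(SAMPLE_CONFIG):
        print(f"{code:30} {subject:26} {detail}")
```

Point the script at saved show running-config output instead of SAMPLE_CONFIG to audit a real router; a commit-ready configuration produces an empty finding list. The sample deliberately yields three findings: the tag-count mismatch on HundredGigE0/5/0/16.101, the resulting non-uniform policy parameters under port HundredGigE0/5/0/16, and MACsec enabled on both HundredGigE0/5/0/30 and its subinterface.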

Configure MACsec encryption on VLAN subinterfaces

Enable MACsec encryption on VLAN subinterfaces using a pre-shared key chain and MACsec policies for both single-tag (802.1Q) and double-tag (802.1ad outer and 802.1Q inner) encapsulations.

Procedure

1.

Use Configure a MACsec keychain to create a MACsec key chain.

Example:

Router# configure
Router(config)# key chain kc
Router(config-kc)# macsec
Router(config-kc-macsec)# key 1234
Router(config-kc-macsec-1234)# key-string 1234567812345678123456781234567812345678123456781234567812345678 cryptographic-algorithm aes-256-cmac
Router(config-kc-macsec-1234)# lifetime 05:00:00 1 January 2023 infinite
Router(config-kc-macsec-1234)# commit 
2.

Use Create a user-defined MACsec policy to create a MACsec policy.

Example:

802.1Q with a single tag 
Router# configure
Router(config)# macsec-policy mp-SF1
Router(config-macsec-policy)# cipher-suite GCM-AES-XPN-256
Router(config-macsec-policy)# security-policy should-secure
Router(config-macsec-policy)# allow-lldp-in-clear
Router(config-macsec-policy)# key-server-priority 10
Router(config-macsec-policy)# window-size 64
Router(config-macsec-policy)# vlan-tags-in-clear 1
/* The VLAN tagging in the MACsec policy must match the encapsulation on the interface */
Router(config-macsec-policy)# commit
 
802.1ad outer and 802.1q inner with double tags
Router# configure
Router(config)# macsec-policy mp-SF2
Router(config-macsec-policy)# cipher-suite GCM-AES-XPN-256
Router(config-macsec-policy)# security-policy should-secure
Router(config-macsec-policy)# allow-lldp-in-clear
Router(config-macsec-policy)# key-server-priority 20
Router(config-macsec-policy)# window-size 64
Router(config-macsec-policy)# vlan-tags-in-clear 2
/* The VLAN tagging in the MACsec policy must match the encapsulation on the interface */
Router(config-macsec-policy)# commit

The VLAN tagging in the MACsec policy must match the encapsulation on the interface.

3.

Use Configure MACsec encryption on an interface in combination with encapsulation dot1q or encapsulation dot1ad to apply MACsec on a subinterface.

Example:

802.1Q with a single tag
Router# configure
Router(config)# interface HundredGigE 0/5/0/16.100
Router(config-subif)# encapsulation dot1q 100
Router(config-subif)# ipv4 address 192.168.16.1 255.255.255.0
Router(config-subif)# macsec psk-keychain kc policy mp-SF1
Router(config-subif)# commit

802.1ad outer and 802.1q inner with double tags
Router# configure
Router(config)# interface HundredGigE 0/5/0/30.200
Router(config-subif)# encapsulation dot1ad 200 dot1q 300
Router(config-subif)# ipv4 address 192.168.30.1 255.255.255.0
Router(config-subif)# macsec psk-keychain kc policy mp-SF2
Router(config-subif)# commit
4.

Use the show running-config command to view the configurations.

MACsec key chain configurations

Router# show running-config psk-keychain kc
key chain kc
 macsec
  key 1234
   key-string password 11584B5643475D5B5C7B79777C6663754B56445055030F0F0B055C504C430F0F0F020006005E0D515F0905574753520C53575D72181B5F4E5D46405858517C7C7C cryptographic-algorithm aes-256-cmac
   lifetime 05:00:00 january 01 2023 infinite
  !
 !
!

MACsec policy configurations

802.1Q with a single tag
Router# show running-config macsec-policy mp-SF1
macsec-policy mp-SF1
 security-policy should-secure
 allow-lldp-in-clear
 window-size 64
 cipher-suite GCM-AES-XPN-256
 vlan-tags-in-clear 1
 key-server-priority 10
!
802.1ad outer and 802.1q inner with double tags
Router# show running-config macsec-policy mp-SF2
macsec-policy mp-SF2
 security-policy should-secure
 allow-lldp-in-clear
 window-size 64
 cipher-suite GCM-AES-XPN-256
 vlan-tags-in-clear 2
 key-server-priority 20
!

Subinterface configurations

802.1Q with a single tag
Router# show running-config interface HundredGigE 0/5/0/16.100
interface HundredGigE0/5/0/16.100
 ipv4 address 192.168.16.1 255.255.255.0
 macsec psk-keychain kc policy mp-SF1
 encapsulation dot1q 100
!

802.1ad outer and 802.1q inner with double tags
Router# show running-config interface HundredGigE 0/5/0/30.200
interface HundredGigE0/5/0/30.200
 ipv4 address 192.168.30.1 255.255.255.0
 macsec psk-keychain kc policy mp-SF2
 encapsulation dot1ad 200 dot1q 300
!
5.

Use the show macsec mka summary, show macsec policy, and show macsec mka interface detail commands to verify MACsec encryption on VLAN subinterfaces.

Example:

Router# show macsec mka summary 
NODE: node0_5_CPU0
========================================================================================
   Interface-Name     Status     Cipher-Suite       KeyChain       PSK/EAP      CKN     
========================================================================================
   Hu0/5/0/16.100     Secured  GCM-AES-XPN-256         kc          PRIMARY     1234     
   Hu0/5/0/30.200     Secured  GCM-AES-XPN-256         kc          PRIMARY     1234

802.1Q with a single tag
Router# show macsec policy mp-SF1 detail
Policy Name                 : mp-SF1
      Cipher Suite          : GCM-AES-XPN-256
      Key-Server Priority   : 10
      Window Size           : 64
      Conf Offset           : 0
      Replay Protection     : TRUE
      Delay Protection      : FALSE
      Security Policy       : Should Secure
      Vlan Tags In Clear    : 1
      LACP In Clear         : FALSE
      LLDP In Clear         : TRUE
      Pause Frame In Clear  : FALSE
      Sak Rekey Interval    : OFF
      Include ICV Indicator : FALSE
      Use Eapol PAE in ICV  : FALSE
      Disable Suspend On Request    : FALSE
      Disable Suspend For           : FALSE
      Enable legacy fallback        : FALSE
      SKS Profile                   : N/A
      Max AN                        : 3
      Impose Overhead on Bundle     : FALSE
802.1ad outer and 802.1q inner with double tags
Router# show macsec policy mp-SF2 detail                         
Policy Name                 : mp-SF2
      Cipher Suite          : GCM-AES-XPN-256
      Key-Server Priority   : 20
      Window Size           : 64
      Conf Offset           : 0
      Replay Protection     : TRUE
      Delay Protection      : FALSE
      Security Policy       : Should Secure
      Vlan Tags In Clear    : 2
      LACP In Clear         : FALSE
      LLDP In Clear         : TRUE
      Pause Frame In Clear  : FALSE
      Sak Rekey Interval    : OFF
      Include ICV Indicator : FALSE
      Use Eapol PAE in ICV  : FALSE
      Disable Suspend On Request    : FALSE
      Disable Suspend For           : FALSE
      Enable legacy fallback        : FALSE
      SKS Profile                   : N/A
      Max AN                        : 3
      Impose Overhead on Bundle     : FALSE

Router# show macsec mka interface detail
Interface Name : HundredGigE0/5/0/16.100
    Interface Namestring     : HundredGigE0/5/0/16.100
    Interface short name     : Hu0/5/0/16.100
    Interface handle         : 0x2800b00
    Interface number         : 0x2800b00
    MacSecControlledIfh      : 0x2800b08
    MacSecUnControlledIfh    : 0x2800b10
    Interface MAC            : e069.bafd.e3a0
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : Allocated
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    IM notify with VLAN Info : TRUE
    Supported VLAN encaps    : TRUE
    SecTAG Offset validation : TRUE
    VLAN                     : Outer tag (etype=0x8100, id=100, priority=0, cfi=0)
    Principal Actor          : Primary
    MKA PSK Info               
      Key Chain Name         : kc
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 12 34 
    MKA fallback_PSK Info
      fallback keychain Name : - NA -
    Policy                   : mp-SF1
    SKS Profile              : N/A
    Traffic Status           : Protected
    Rx SC 1
      Rx SCI                 : e069bafde3a80064
      Rx SSCI                : 1
      Peer MAC               : e0:69:ba:fd:e3:a8
      Is XPN                 : YES
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Rx SA Program Req[0]   : 2023 Oct 27 05:41:51.701
      Rx SA Program Rsp[0]   : 2023 Oct 27 05:41:51.705
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : c2 b0 88 9d d6 c0 9d 3f 0a b7 99 37 
        CtxSalt Len          : 12
        ssci                 : 1

    Tx SC 
      Tx SCI                 : e069bafde3a00064
      Tx SSCI                : 2
      Active AN              : 0
      Old AN                 : 255
      Is XPN                 : YES
      Next PN                : 1, 0, 0, 0
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Tx SA Program Req[0]   : 2023 Oct 27 05:41:51.713
      Tx SA Program Rsp[0]   : 2023 Oct 27 05:41:51.715
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : c2 b0 88 9e d6 c0 9d 3f 0a b7 99 37 
        CtxSalt Len          : 12
        ssci                 : 2


Interface Name : HundredGigE0/5/0/30.200
    Interface Namestring     : HundredGigE0/5/0/30.200
    Interface short name     : Hu0/5/0/30.200
    Interface handle         : 0x2800b30
    Interface number         : 0x2800b30
    MacSecControlledIfh      : 0x2800b38
    MacSecUnControlledIfh    : 0x2800b40
    Interface MAC            : e069.bafd.e410
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : Allocated
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    IM notify with VLAN Info : TRUE
    Supported VLAN encaps    : TRUE
    SecTAG Offset validation : TRUE
    VLAN                     : Outer tag (etype=0x88a8, id=200, priority=0, cfi=0)
                             : Inner tag (etype=0x8100, id=300, priority=0, cfi=0)
    Principal Actor          : Primary
    MKA PSK Info               
      Key Chain Name         : kc
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 12 34 
    MKA fallback_PSK Info
      fallback keychain Name : - NA -
    Policy                   : mp-SF2
    SKS Profile              : N/A
    Traffic Status           : Protected
    Rx SC 1
      Rx SCI                 : e069bafde41800c8
      Rx SSCI                : 1
      Peer MAC               : e0:69:ba:fd:e4:18
      Is XPN                 : YES
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Rx SA Program Req[0]   : 2023 Oct 27 05:44:01.270
      Rx SA Program Rsp[0]   : 2023 Oct 27 05:44:01.274
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : 02 52 27 e4 ba 7f 16 62 52 d8 a6 e8 
        CtxSalt Len          : 12
        ssci                 : 1

    Tx SC 
      Tx SCI                 : e069bafde41000c8
      Tx SSCI                : 2
      Active AN              : 0
      Old AN                 : 255
      Is XPN                 : YES
      Next PN                : 1, 0, 0, 0
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Tx SA Program Req[0]   : 2023 Oct 27 05:44:01.282
      Tx SA Program Rsp[0]   : 2023 Oct 27 05:44:01.284
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : 02 52 27 e7 ba 7f 16 62 52 d8 a6 e8 
        CtxSalt Len          : 12
        ssci                 : 2

MACsec is enabled and secured on the specified VLAN subinterfaces. The running configuration reflects the key chain, policies, and subinterface settings, and verification outputs show the interfaces in Secured/Protected state with GCM-AES-XPN-256 and the expected policy attributes.
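As a complement to reading the step 5 output by hand, the following script, added here as an example and not part of the Cisco guide, parses show macsec mka summary and show macsec mka interface detail output and compares it with the intended state: every expected subinterface must have a Secured MKA session with the configured cipher suite, report Traffic Status Protected under the intended policy, and show exactly as many clear VLAN tags as that policy's vlan-tags-in-clear. The two outputs embedded in it are constructed from the formats shown above, with the detail output trimmed to the lines the checks use; EXPECTED is an assumed statement of the operator's intent.

```python
# Check MACsec verification output against the intended per-subinterface state.
# Added example for this guide, not Cisco code. SUMMARY and DETAIL are
# constructed from the command formats shown above (DETAIL is trimmed to the
# lines used here); EXPECTED is an assumed record of what the operator
# configured.
import re

SUMMARY = """\
NODE: node0_5_CPU0
========================================================================================
   Interface-Name     Status     Cipher-Suite       KeyChain       PSK/EAP      CKN
========================================================================================
   Hu0/5/0/16.100     Secured  GCM-AES-XPN-256         kc          PRIMARY     1234
   Hu0/5/0/30.200     Secured  GCM-AES-XPN-256         kc          PRIMARY     1234
"""

DETAIL = """\
Interface Name : HundredGigE0/5/0/16.100
    Interface short name     : Hu0/5/0/16.100
    VLAN                     : Outer tag (etype=0x8100, id=100, priority=0, cfi=0)
    Policy                   : mp-SF1
    Traffic Status           : Protected

Interface Name : HundredGigE0/5/0/30.200
    Interface short name     : Hu0/5/0/30.200
    VLAN                     : Outer tag (etype=0x88a8, id=200, priority=0, cfi=0)
                             : Inner tag (etype=0x8100, id=300, priority=0, cfi=0)
    Policy                   : mp-SF2
    Traffic Status           : Protected
"""

EXPECTED = {  # short name -> policy, clear tags and cipher the operator configured
    "Hu0/5/0/16.100": {"policy": "mp-SF1", "tags": 1, "cipher": "GCM-AES-XPN-256"},
    "Hu0/5/0/30.200": {"policy": "mp-SF2", "tags": 2, "cipher": "GCM-AES-XPN-256"},
}

# A summary row: six columns, the first an interface name (which contains '/').
ROW = re.compile(r"\s*(\S+/\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_summary(text):
    """Map short name -> status, cipher, keychain, ckn from 'show macsec mka summary'."""
    rows = {}
    for m in filter(None, map(ROW.match, text.splitlines())):
        rows[m.group(1)] = {"status": m.group(2), "cipher": m.group(3),
                            "keychain": m.group(4), "ckn": m.group(6)}
    return rows


def parse_detail(text):
    """Map short name -> policy, traffic_status and the clear VLAN ids the hardware sees."""
    intfs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+Interface short name\s+:\s+(\S+)", line)
        if m:
            cur = intfs.setdefault(m.group(1), {"vlan_ids": []})
        elif cur is not None:
            m = re.match(r"\s+(?:VLAN)?\s*:\s+(?:Outer|Inner) tag \(etype=0x[0-9a-f]+, id=(\d+)", line)
            if m:
                cur["vlan_ids"].append(int(m.group(1)))
            m = re.match(r"\s+(Policy|Traffic Status)\s+:\s+(\S+)", line)
            if m:
                cur[m.group(1).lower().replace(" ", "_")] = m.group(2)
    return intfs


def verify(summary_text, detail_text, expected):
    """Return problems; an empty list means every expected subinterface is secured as intended."""
    summary, detail = parse_summary(summary_text), parse_detail(detail_text)
    problems = []
    for name, want in expected.items():
        row, d = summary.get(name), detail.get(name, {})
        if row is None:
            problems.append(f"{name}: no MKA session in summary")
            continue
        if row["status"] != "Secured":
            problems.append(f"{name}: status {row['status']}")
        if row["cipher"] != want["cipher"]:
            problems.append(f"{name}: cipher {row['cipher']}, expected {want['cipher']}")
        if d.get("traffic_status") != "Protected":
            problems.append(f"{name}: traffic status {d.get('traffic_status')}")
        if d.get("policy") != want["policy"]:
            problems.append(f"{name}: policy {d.get('policy')}, expected {want['policy']}")
        # The clear tags reported under VLAN must equal the policy's vlan-tags-in-clear.
        if len(d.get("vlan_ids", [])) != want["tags"]:
            problems.append(f"{name}: {len(d.get('vlan_ids', []))} clear VLAN tag(s), expected {want['tags']}")
    for name in sorted(summary.keys() - expected.keys()):
        problems.append(f"{name}: MKA session not in the expected set")
    return problems


if __name__ == "__main__":
    print(verify(SUMMARY, DETAIL, EXPECTED) or "all subinterfaces secured as intended")
```

The extra-session check at the end matters as much as the missing-session one: an MKA session on a subinterface nobody intended to encrypt usually means a policy was applied to the wrong interface, and the mutual-exclusivity restriction means it cannot be silently covered by the physical port.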