Overview
Provides comprehensive instructions for configuring and managing MACsec encryption on Cisco routers, covering fundamental concepts, WAN deployments, policy exceptions, certificate-based authentication, quantum-safe key management, and security compliance, while detailing tools for performance monitoring and diagnostic statistics.
Getting Started
This cumulative guide provides a single, continuously updated version that includes all the latest IOS XR features and release updates. It simplifies your experience by letting you bookmark one link and access the complete guide, instead of navigating through multiple release-specific versions.
Specific changes or updates tied to individual releases are clearly called out within the relevant sections. For a list of features introduced in a specific release, refer to the Release Notes or the IOS XR Feature Finder.
The table lists the release numbers for which this document has been updated since its initial publication.
| Date | Summary |
|---|---|
| November 2025 | First published for Release 25.3.1 |
Getting Started
Outlines the release history and update summary for the MACsec Configuration Guide. It enables users to access the latest IOS XR features and release information through a centralized, continuously updated resource.
YANG data models for MACsec encryption features
Provides information about YANG data models for MACsec encryption features.
Fundamentals of MACsec encryption
Provides a comprehensive overview of MACsec encryption fundamentals, covering key concepts like MKA, PSK, and deployment models, while detailing hardware compatibility, configuration guidelines, and verification procedures for secure Layer 2 communication.
WAN MACsec encryption
Provides guidance on deploying and configuring MACsec encryption across WAN environments, covering physical and Layer 3 subinterface applications, VLAN-based policies, and EAPoL configuration for secure, interoperable network topologies.
MACsec policy exceptions
Explains how to configure MACsec policy exceptions to permit specific packet types, such as LACP, pause frames, and LLDP, to bypass encryption and be transmitted in clear text for troubleshooting and interoperability.
MACsec encryption using EAP-TLS authentication
Provides guidance on configuring MACsec encryption using EAP-TLS authentication, covering the roles of supplicants and authenticators, the certificate-based mutual authentication process, and verification procedures for secure Ethernet traffic.
MACsec encryption using SKIP
Provides guidance on configuring point-to-point MACsec encryption using the Secure Key Integration Protocol (SKIP) and Quantum Key Distribution (QKD) devices to achieve quantum-safe key management on routers.
Secure MACsec encryption
Provides detailed guidance on securing MACsec-enabled routers, including configuring Power-on Self-Test (KAT) for FIPS compliance, managing dynamic power allocation, and implementing secure Type 6 password encryption for pre-shared keys.
MACsec encryption performance and statistics
Provides comprehensive guidance on monitoring and troubleshooting MACsec performance using SecY statistics, SNMP MIBs, and CLI commands to ensure secure network management and diagnostics.