MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption
How MACsec encrypts every Ethernet frame between two neighbors at line rate. AES-GCM, MKA key agreement, MACsec vs IPsec, and the CCNP ENCOR config on a Cat 9K.
- MACsec = IEEE 802.1AE. Point-to-point Layer-2 encryption between two neighbors. Every frame is authenticated + optionally encrypted with AES-GCM in hardware — line rate, no CPU tax.
- Keys are negotiated by **MKA (MACsec Key Agreement)**, riding on **EAPOL** frames. MKA is 802.1X-adjacent — you can bootstrap MKA keys from an 802.1X supplicant's PMK.
- Two deployment shapes: **switch↔switch** (uplink protection, typical CCNP scenario) and **host↔switch** (NDAC / TrustSec).
The one-sentence mental model
MACsec is IPsec’s Layer-2 sibling. Where IPsec encrypts IP packets between endpoints across many hops, MACsec encrypts every Ethernet frame between exactly two directly-connected neighbors — link-by-link. Because it runs in ASIC, it doesn’t cost forwarding performance.
Where MACsec fits vs alternatives
| Scope | Protects | Perf | Where you’d use it |
|---|---|---|---|
| MACsec | Layer-2 frames between two adjacent devices | Line rate (hardware) | Switch uplinks, DCI, campus core, host→switch. |
| IPsec | IP packets end-to-end across many hops | CPU or crypto-offload | Site-to-site VPNs, remote user tunnels. |
| TLS | TCP applications end-to-end | CPU | HTTPS, mail, most modern apps. |
They compose: MACsec at each hop, IPsec end-to-end, TLS above.
The two roles per session
MACsec is between exactly two peers. On each session:
- Key Server — generates the SAK (Secure Association Key), distributes it via MKA.
- Key Client — receives the SAK, encrypts/decrypts using it.
Election of key server is by lowest priority. Both sides must agree on cipher suite (gcm-aes-128, gcm-aes-256).
The MKA control channel
MACsec Key Agreement (MKA) rides on EAPOL frames (ethertype 0x888E) — the same frames 802.1X uses. Two ways to bootstrap:
- PSK-based MKA — configure the same pre-shared CAK (Connectivity Association Key) on both switches. Simple. Common for switch↔switch uplinks in a data center.
- EAP-based MKA — the switches (or the host) authenticate via 802.1X first, deriving a PMK. That PMK becomes the CAK for MKA. Ties into ISE / RADIUS naturally. Host-to-switch typical.
Cipher suites + confidentiality offset
MACsec always authenticates the frame (integrity + origin). Encryption is optional but usually on:
- Confidentiality offset 0 — encrypt the entire payload.
- Confidentiality offset 30 / 50 — leave the first 30 / 50 bytes of the payload in clear (for downstream L2/L3 devices that need to see IP/UDP headers before they hit the endpoint). Rare — only for specific carrier / QoS use cases.
Cipher choices: gcm-aes-128, gcm-aes-256, gcm-aes-xpn-128/256 (extended packet numbering for very high-rate links to avoid PN wrap).
Config sketch — switch↔switch with PSK
On both switches, the uplink interface:
key chain macsec-keychain macsec
key 01
cryptographic-algorithm aes-256-cmac
key-string 12345678901234567890123456789012
lifetime 00:00:00 Jan 1 2026 infinite
!
mka policy MKA-POLICY
key-server priority 200
macsec-cipher-suite gcm-aes-256
confidentiality-offset 0
!
interface TenGigabitEthernet1/0/1
macsec network-link
mka policy MKA-POLICY
mka pre-shared-key key-chain macsec-keychain
Both sides need matching cipher + matching key + reachable MKA.
Verifying
show mka sessions ! sessions per interface
show mka sessions detail ! CAK/SAK identifiers, timers
show mka statistics interface TenGig1/0/1
show macsec interface TenGig1/0/1 ! encrypt/decrypt counters
Look for Session status = SECURED. If it’s INITIALIZING, the far side isn’t answering; if it’s PENDING, MKA hasn’t completed election yet.
MACsec + trunks
MACsec is Layer 2 — it operates below 802.1Q tagging. On a trunk, MACsec encrypts the whole tagged frame including the VLAN tag. Nothing between the two endpoints (including a MACsec-unaware intermediate switch) can inspect or forward — so MACsec is strictly point-to-point between MACsec-capable devices.
Common exam / real-world mistakes
- Trying to run MACsec through an intermediate switch. It’s link-by-link. Every hop between must speak MACsec, or it terminates and re-originates.
- Cipher mismatch. One side gcm-aes-128, the other gcm-aes-256. Session never comes up.
show mka sessions detailshows suite mismatch. - PSK-based CAK strings different length. MKA rejects. Both sides must have a byte-identical CAK.
- Blocking EAPOL. MKA rides EAPOL. If any upstream filter drops ethertype 0x888E, MKA fails.
- Confusing MACsec with SGT / TrustSec. SGT is Cisco’s segmentation tag (embedded in a Cisco Meta Data field). MACsec can carry it, but they’re different features. CCNP tests them separately.
Cheat strip
Standard IEEE 802.1AE
Scope point-to-point, Layer 2, adjacent neighbors only
Cipher AES-GCM 128/256, optional confidentiality offset
Key MKA (EAPOL) — PSK or EAP-derived
Roles Key Server (elected by priority) + Key Client
Where switch↔switch uplinks (typical)
host↔switch (NDAC / TrustSec)
Config key chain (PSK) → mka policy → interface macsec network-link
Verify show mka sessions | show macsec interface X
Vs IPsec MACsec = link-by-link L2. IPsec = end-to-end L3.
LISP Basics — Locator/ID Separation Protocol
How LISP splits 'who you are' (EID) from 'where you are' (RLOC), enabling seamless mobility and BGP-alternative overlays. The four LISP roles CCNP ENCOR expects: ITR, ETR, MS, MR.
CoPP — Control Plane Policing
Why routers need CoPP, how it rate-limits traffic destined to the CPU (routing protocols, SNMP, SSH, ARP), and the classify/police policy shape CCNP ENCOR tests.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.
Related topics
Cybersecurity Threats & Mitigation
The threat landscape every network engineer must recognize — phishing, ransomware, MITM, DDoS, supply-chain attacks, insider threats — and the mitigation controls that actually move the needle.
Security Fundamentals802.1X — Port-Based Network Access Control
Lock every switch port until the connected device proves identity. Covers the supplicant / authenticator / auth server roles, EAPOL on the wire, and how 802.1X plugs into RADIUS for enterprise Wi-Fi and wired auth.
Security FundamentalsEncryption Fundamentals
The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.
Get the free CCNA 12-week roadmap
You're already reading up on MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.