Skip to main content
PacketMentor logo
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
Network+ Library (77)
Browse all Network+ topics →
1.0Networking Concepts (22)
2.0Network Implementation (17)
3.0Network Operations (16)
4.0Network Security (15)
5.0Network Troubleshooting (7)
NSE 4 Library (45)
CCNP Library (33)
Practice
All practice →
Troubleshooting Labs
Packet Tracer Labs
Interactive Simulators
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
CCNP Security Fundamentals Advanced

MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption

How MACsec encrypts every Ethernet frame between two neighbors at line rate. AES-GCM, MKA key agreement, MACsec vs IPsec, and the CCNP ENCOR config on a Cat 9K.

Quick summary
  • MACsec = IEEE 802.1AE. Point-to-point Layer-2 encryption between two neighbors. Every frame is authenticated + optionally encrypted with AES-GCM in hardware — line rate, no CPU tax.
  • Keys are negotiated by **MKA (MACsec Key Agreement)**, riding on **EAPOL** frames. MKA is 802.1X-adjacent — you can bootstrap MKA keys from an 802.1X supplicant's PMK.
  • Two deployment shapes: **switch↔switch** (uplink protection, typical CCNP scenario) and **host↔switch** (NDAC / TrustSec).

The one-sentence mental model

MACsec is IPsec’s Layer-2 sibling. Where IPsec encrypts IP packets between endpoints across many hops, MACsec encrypts every Ethernet frame between exactly two directly-connected neighbors — link-by-link. Because it runs in ASIC, it doesn’t cost forwarding performance.

Where MACsec fits vs alternatives

ScopeProtectsPerfWhere you’d use it
MACsecLayer-2 frames between two adjacent devicesLine rate (hardware)Switch uplinks, DCI, campus core, host→switch.
IPsecIP packets end-to-end across many hopsCPU or crypto-offloadSite-to-site VPNs, remote user tunnels.
TLSTCP applications end-to-endCPUHTTPS, mail, most modern apps.

They compose: MACsec at each hop, IPsec end-to-end, TLS above.

The two roles per session

MACsec is between exactly two peers. On each session:

  • Key Server — generates the SAK (Secure Association Key), distributes it via MKA.
  • Key Client — receives the SAK, encrypts/decrypts using it.

Election of key server is by lowest priority. Both sides must agree on cipher suite (gcm-aes-128, gcm-aes-256).

The MKA control channel

MACsec Key Agreement (MKA) rides on EAPOL frames (ethertype 0x888E) — the same frames 802.1X uses. Two ways to bootstrap:

  • PSK-based MKA — configure the same pre-shared CAK (Connectivity Association Key) on both switches. Simple. Common for switch↔switch uplinks in a data center.
  • EAP-based MKA — the switches (or the host) authenticate via 802.1X first, deriving a PMK. That PMK becomes the CAK for MKA. Ties into ISE / RADIUS naturally. Host-to-switch typical.

Cipher suites + confidentiality offset

MACsec always authenticates the frame (integrity + origin). Encryption is optional but usually on:

  • Confidentiality offset 0 — encrypt the entire payload.
  • Confidentiality offset 30 / 50 — leave the first 30 / 50 bytes of the payload in clear (for downstream L2/L3 devices that need to see IP/UDP headers before they hit the endpoint). Rare — only for specific carrier / QoS use cases.

Cipher choices: gcm-aes-128, gcm-aes-256, gcm-aes-xpn-128/256 (extended packet numbering for very high-rate links to avoid PN wrap).

Config sketch — switch↔switch with PSK

On both switches, the uplink interface:

key chain macsec-keychain macsec
  key 01
    cryptographic-algorithm aes-256-cmac
    key-string 12345678901234567890123456789012
    lifetime 00:00:00 Jan 1 2026 infinite
!
mka policy MKA-POLICY
  key-server priority 200
  macsec-cipher-suite gcm-aes-256
  confidentiality-offset 0
!
interface TenGigabitEthernet1/0/1
  macsec network-link
  mka policy MKA-POLICY
  mka pre-shared-key key-chain macsec-keychain

Both sides need matching cipher + matching key + reachable MKA.

Verifying

show mka sessions                              ! sessions per interface
show mka sessions detail                       ! CAK/SAK identifiers, timers
show mka statistics interface TenGig1/0/1
show macsec interface TenGig1/0/1              ! encrypt/decrypt counters

Look for Session status = SECURED. If it’s INITIALIZING, the far side isn’t answering; if it’s PENDING, MKA hasn’t completed election yet.

MACsec + trunks

MACsec is Layer 2 — it operates below 802.1Q tagging. On a trunk, MACsec encrypts the whole tagged frame including the VLAN tag. Nothing between the two endpoints (including a MACsec-unaware intermediate switch) can inspect or forward — so MACsec is strictly point-to-point between MACsec-capable devices.

Common exam / real-world mistakes

  1. Trying to run MACsec through an intermediate switch. It’s link-by-link. Every hop between must speak MACsec, or it terminates and re-originates.
  2. Cipher mismatch. One side gcm-aes-128, the other gcm-aes-256. Session never comes up. show mka sessions detail shows suite mismatch.
  3. PSK-based CAK strings different length. MKA rejects. Both sides must have a byte-identical CAK.
  4. Blocking EAPOL. MKA rides EAPOL. If any upstream filter drops ethertype 0x888E, MKA fails.
  5. Confusing MACsec with SGT / TrustSec. SGT is Cisco’s segmentation tag (embedded in a Cisco Meta Data field). MACsec can carry it, but they’re different features. CCNP tests them separately.

Cheat strip

Standard    IEEE 802.1AE
Scope       point-to-point, Layer 2, adjacent neighbors only
Cipher      AES-GCM 128/256, optional confidentiality offset
Key         MKA (EAPOL) — PSK or EAP-derived
Roles       Key Server (elected by priority) + Key Client

Where       switch↔switch uplinks (typical)
            host↔switch (NDAC / TrustSec)

Config      key chain (PSK) → mka policy → interface macsec network-link
Verify      show mka sessions  |  show macsec interface X

Vs IPsec    MACsec = link-by-link L2. IPsec = end-to-end L3.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Get the free CCNA 12-week roadmap

You're already reading up on MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption fits. A written personal reply, not an autoresponder. Expect it within one business day.

Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.