MACsec is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption that provides data confidentiality and integrity for
media access independent protocols.
MACsec provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key
Agreement (MKA) protocol provides the required session keys and manages the required encryption keys. Only host-facing links
(links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.
The 802.1AE encryption with MACsec Key Agreement (MKA) is supported on downlink ports for encryption between the routers or
switches and host devices.
MACsec encrypts the entire data except for the Source and Destination MAC addresses of an Ethernet packet.
To provide MACsec services over the LAN or Metro Ethernet, service providers offer Layer 2 transparent services such as E-Line
or E-LAN using various transport layer protocols such as Ethernet over Multiprotocol Label Switching (EoMPLS) and L2TPv3.
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session
key (MSK) shared by both partners in the data exchange. Entering the EAP session ID generates a secure connectivity association
key name (CKN). Because the switch is the authenticator, it is also the key server, generating a random 128-bit secure association
key (SAK), which it sends to the client partner. The client is never a key server and can only interact with a single MKA
entity, the key server. After key derivation and generation, the switch sends periodic transports to the partner at a default
interval of 2 seconds.
The packet body in an EAP-over-LAN (EAPOL) Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement PDU (MKPDU).
When no MKPDU is received from a participant after 3 heartbeats (each heartbeat is 2 seconds), the peer is deleted from the
live peer list. For example, if a client disconnects, the participant on the switch continues to operate MKA until 3 heartbeats
have elapsed after the last MKPDU was received from the client.
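The EAPOL/MKPDU framing and the 3-heartbeat liveness rule described above, as an added example (constructed simulation, not code from the page or from Cisco). It assumes the EAPOL header layout from IEEE 802.1X (EtherType 0x888E, packet type 5 for EAPOL-MKA) and the page's defaults of a 2-second hello and deletion after 3 missed hellos; the MKPDU body and MAC addresses are placeholders.

```python
"""Added example: EAPOL-MKA recognition and MKA live-peer ageing."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_MKA = 5            # EAPOL packet type that carries an MKPDU (802.1X-2010)
MKA_HELLO_TIME_S = 2.0        # default periodic transmit interval from the text
MKA_MISSED_HELLOS = 3
MKA_LIFE_TIME_S = MKA_HELLO_TIME_S * MKA_MISSED_HELLOS   # 6 s


def is_mkpdu(frame: bytes) -> bool:
    """True if an Ethernet frame is an EAPOL-MKA PDU: EtherType 0x888E and
    EAPOL packet type 5 with a body length that fits the frame.
    (Decoding the MKPDU body itself is out of scope here.)"""
    if len(frame) < 18:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return False
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    return ptype == EAPOL_TYPE_MKA and len(frame) >= 18 + body_len


@dataclass
class LivePeerList:
    """Tracks when each peer last sent an MKPDU and ages peers out."""
    last_seen: Dict[str, float] = field(default_factory=dict)

    def on_frame(self, peer: str, frame: bytes, now: float) -> bool:
        """Refresh the peer only for MKPDUs; data traffic does not count."""
        if not is_mkpdu(frame):
            return False
        self.last_seen[peer] = now
        return True

    def expire(self, now: float) -> List[str]:
        """Delete peers from which nothing arrived for 3 heartbeats (6 s)."""
        dead = [p for p, t in self.last_seen.items() if now - t >= MKA_LIFE_TIME_S]
        for p in dead:
            del self.last_seen[p]
        return dead

    def live_peers(self) -> List[str]:
        return sorted(self.last_seen)


def make_eapol_mka(body: bytes) -> bytes:
    """Constructed EAPOL-MKA frame: DA is the PAE group address, SA is a placeholder."""
    dst = bytes.fromhex("0180c2000003")
    src = bytes.fromhex("0200aabbccee")   # placeholder client MAC
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, 3, EAPOL_TYPE_MKA, len(body))
    return dst + src + hdr + body


def simulate_disconnect(last_mkpdu_at: float, check_at: float) -> bool:
    """Client sends an MKPDU every 2 s up to `last_mkpdu_at`, then disappears.
    Returns whether the switch still lists the client as live at `check_at`."""
    peers = LivePeerList()
    frame = make_eapol_mka(b"\x00" * 32)   # placeholder MKPDU body
    t = 0.0
    while t <= last_mkpdu_at:
        peers.on_frame("client", frame, t)
        t += MKA_HELLO_TIME_S
    peers.expire(check_at)
    return "client" in peers.live_peers()


if __name__ == "__main__":
    # Last MKPDU at t=4 s: still live at 9.9 s, deleted once 6 s have elapsed.
    print(simulate_disconnect(4.0, 9.9), simulate_disconnect(4.0, 10.0))
```

The point a defender should take from the simulation is the window it exposes: a host that stops sending MKPDUs stays in the live peer list for three full hello intervals, so link-down detection on the switch lags the actual disconnect by up to 6 seconds with the default timers.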
The MKA feature supports carrying tunneling information such as the VLAN tag (802.1Q tag) in the clear so that the service
provider can offer service multiplexing: multiple point-to-point or multipoint services can co-exist on a single physical
interface and be differentiated based on the now-visible VLAN ID.
In addition to service multiplexing, a VLAN tag in the clear also enables service providers to apply quality of service (QoS)
to the encrypted Ethernet packet across the SP network based on the 802.1p (CoS) field that is now visible as part of the
802.1Q tag.
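An added example (not code from the page or from Cisco) showing which bytes of a MACsec frame a service-provider device can act on when the 802.1Q tag precedes the SecTAG, and which bytes stay hidden. It assumes the IEEE 802.1AE SecTAG layout (EtherType 0x88E5, TCI/AN, SL, PN, optional SCI) and a 16-byte ICV; the ciphertext, ICV, MAC addresses and SCI are constructed placeholders, and no encryption is performed.

```python
"""Added example: clear-text fields of a MACsec frame with the VLAN tag in the clear."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag
ETHERTYPE_MACSEC = 0x88E5  # 802.1AE SecTAG
ICV_LEN = 16               # integrity check value at the frame tail


@dataclass
class ClearFields:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]    # None if no clear 802.1Q tag precedes the SecTAG
    cos: Optional[int]        # 802.1p priority bits of that tag
    assoc_number: int         # AN from the SecTAG TCI
    packet_number: int        # PN, the replay counter
    sci: Optional[bytes]      # secure channel identifier, if TCI.SC is set
    encrypted: bool           # TCI.E: payload is confidentiality-protected
    protected_len: int        # bytes of payload the provider cannot read


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_sample_frame(vlan_id: int, cos: int, pn: int, ciphertext: bytes,
                       sci: bytes) -> bytes:
    """Assemble DA | SA | 802.1Q | SecTAG | secure data | ICV.
    `ciphertext` and the ICV are constructed placeholders for GCM-AES output."""
    dst = bytes.fromhex("0100aabbccdd")   # placeholder addresses
    src = bytes.fromhex("0200aabbccee")
    vlan_tag = struct.pack("!HH", ETHERTYPE_8021Q, (cos << 13) | vlan_id)
    # TCI bits: V=0 ES=0 SC=1 SCB=0 E=1 C=1, AN=0; SL=0 because payload >= 48 bytes
    tci_an = 0x20 | 0x08 | 0x04
    sectag = struct.pack("!HBBI", ETHERTYPE_MACSEC, tci_an, 0, pn) + sci
    icv = b"\x00" * ICV_LEN
    return dst + src + vlan_tag + sectag + ciphertext + icv


def parse_clear_fields(frame: bytes) -> ClearFields:
    """Read only what is in the clear: addresses, optional VLAN tag, SecTAG."""
    dst, src = frame[0:6], frame[6:12]
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    vlan_id = cos = None
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        cos, vlan_id = tci >> 13, tci & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype != ETHERTYPE_MACSEC:
        raise ValueError(f"expected SecTAG EtherType 0x88E5, got {ethertype:#06x}")
    tci_an, _sl, pn = struct.unpack("!BBI", frame[off + 2:off + 8])
    off += 8
    sci = None
    if tci_an & 0x20:          # SC bit: an explicit 8-byte SCI follows
        sci = frame[off:off + 8]
        off += 8
    protected = frame[off:len(frame) - ICV_LEN]
    return ClearFields(
        dst_mac=_mac(dst), src_mac=_mac(src), vlan_id=vlan_id, cos=cos,
        assoc_number=tci_an & 0x03, packet_number=pn, sci=sci,
        encrypted=bool(tci_an & 0x08), protected_len=len(protected))


def provider_view(frame: bytes) -> dict:
    """What an E-Line/E-LAN device can classify on without holding the SAK."""
    f = parse_clear_fields(frame)
    return {"vlan_id": f.vlan_id, "cos": f.cos, "pn": f.packet_number,
            "encrypted": f.encrypted, "hidden_bytes": f.protected_len}


if __name__ == "__main__":
    sample = build_sample_frame(vlan_id=100, cos=5, pn=7,
                                ciphertext=b"\xaa" * 60,
                                sci=bytes.fromhex("0200aabbccee0001"))
    print(provider_view(sample))
```

The parser deliberately stops at the SecTAG: the VLAN ID and CoS it returns are exactly the fields the text says become visible for multiplexing and QoS, while everything after the SCI up to the ICV is opaque to the provider. Note that a VLAN tag placed in the clear is also outside MACsec's integrity protection, so a provider-side policy keyed on it trusts an unauthenticated header.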
Starting with Cisco IOS XE Release 17.8.1, full HA, Power-On Self Test (POST), and double tag support are available on the
A900-IMA8CS1Z-M interface module. The POST tests the hardware to verify that all components of the device are present and
operational. In the double tagging (QinQ tag) method, the VLAN tag simply adds another tag to the tagged packets that enter
the network. The purpose is to expand the VLAN space by tagging the tagged packets, thus producing a “double-tagged” frame.
The expanded VLAN space allows the service provider to provide certain services, such as Internet access on specific VLANs
for specific customers, while still providing other types of services for other customers on other VLANs. The Single Sign-On
(SSO) and interface module (IM) Online Insertion and Removal (OIR) triggers preserve MKA sessions.