MACsec (Media Access Control Security)

What is MACsec?

The basic answer of what is MACsec question is this, MACsec (Media Access Control Security) is a standard based layer 2 security protocol which provides point-to-point security on Ethernet links. The IEEE standard name of this protocol is standard 802.1AE. It provides Authentication, MAC-layer encryption and data integrity check between two Media Access Control Security capable devices. With this mechanism, Media Access Control Security detects many network attacks like Denial of Service (DoS), Man in the Middle (MiTM) attacks and it secures ethernet towards these malicious threats. We can use Media Access Control Security with different network security protocols like IPSec and SSL.


In Media Access Control Security mechanism, the traffic between nodes is encrypted. But in the nodes, the traffic is not encrypted. This provides flexibility for the services like QoS on the device.


Cisco Catalyst switches support 802.1AE encryption with MKA (MACsec Key Agreement) on the ports towards host devices (Downlink ports). These ports are the switch ports which are connected to end devices like PCs and IP Phones. The settings can be configured manually or dynamically. For dynamic configuraion, Cisco ISE is used.


Media Access Control Security is also supported on the ports towards other switches (Uplink ports). Here,  instead of MKA, uplink MACsec uses  TrustSec NDAC (Network Device Admission Control) and SAP (Security Association Protocol) Cisco proprietary solution.


Uplink MACsec can be done manually or dynamically. If we use dynamic one, switch must use 802.1x Authentiaction. 


  • User facing downlink ports -> MKA MACsec encryption
  • Other switches facing ports -> Cisco TrustSec NDAC MACsec



How MACsec Works?

Basically, Media Access Control Security secures the ethernet link between two nodes.  For this security, Media Access Control Security uses a combination of data encapsulation and data integrity check.


For encapsulation step, MACsec encrypts the data on the link which resides between the nodes. To do this, security keys are used on both ends of the link. At both end interface, security keys must match. The keys that will be used for this encryption can be configured manually or it can be done dynamically. It is up to the selected mechanism.


Media Access Control Security does not only encrypts the data between nodes, but also it provides data integrity. MACsec uses a header and a tailor for this purpose. This header and tailer are checked towards any data integrity problem at the other end.


Media Access Control Security encapsulates IP packets with an 16 byte MACsec Security Tag and 16 byte Integrity Check Value (ICV).



MACsec Frame

Media Access Control Security is used in Ethernet frame. But with Media Access Control Security, two fields are added to the ethernet frame. These are MACsec Security Tag and Integrity Check Value (ICV). Below, you can find the fields of MACsec and ICV field.


MACsec Security Tag fields are given below:

  • MACsec EtherType
  • TCI/AN
  • SL
  • Packet Number
  • SCI


Now, let’s learn that why we use these fileds in MACsec Security Tag.


MACsec EtherType: EtherType field is 16 bits long. The value of EtherType is 0x88e5 for Media Access Control Security.


TCI/AN: TCI/AN field is 8 bits long. The full name of this field is Tag Control Information/Association Number. The role of this field is designating the version number if confidentiality or integrity is used


SL: Short Length field is 8 bits long and shows the length of the encrypted data.


Packet Number: Packet Number is 32 bits long. It is the number for replay protection and building of the initialization vector.


SCI: Secure Channel Identifier is 64 bits long. It is used to classify the connection to the virtual port



MACsec Keying Mechanisms

With Media Access Control Security, we can use two different Media Access Control Security keying mechanism. These are given below:

  • SAP (Security Association Protocol)
  • MKA (MACsec Key Agreement Protocol)


SAP (Security Association Protocol) is a Cisco proprietary keying protocol.  It is used only on cisco devices.


MKA (MACsec Key Agreement Protocol) is a standard protocol which provides required session keys and manages encryption keys.

Back to: CCNP Enterprise 350-401 ENCOR

Leave a Reply

Your email address will not be published. Required fields are marked *

IPCisco is the Winner of 2019 “Best Certification Study Journey” Category! We are also Finalist of 2020 & 2021 in Cisco IT Blog Awards!


CCNP Enterprise 350-401 ENCOR

IPCisco on Social Media!