DEV Community

FirstPassLab

Posted on • Originally published at firstpasslab.com

MACsec 802.1AE: The Wire-Speed Encryption Most Engineers Have Never Configured

MACsec (802.1AE) is the only IEEE standard that encrypts Ethernet frames at wire speed with zero performance penalty. It operates at Layer 2, encrypting everything between two directly connected devices — switch to host, switch to switch, or switch to router.

Despite being the most effective encryption technology available for campus and data center networks, most network engineers have never configured it. Let's fix that.

Why MACsec Matters

MACsec is the encryption layer that makes zero trust architectures real at the network level — it protects data in transit on every link, at line rate, without the CPU overhead of IPsec or the application dependency of TLS.

MACsec vs. IPsec vs. TLS

| Protocol | OSI Layer | Encryption Model | Performance Impact | Protects Against |
|---|---|---|---|---|
| TLS 1.3 | Layer 7 (Application) | End-to-end, per-session | Minimal (app overhead) | Eavesdropping on app data |
| IPsec | Layer 3 (Network) | End-to-end, tunnel/transport | Moderate (CPU encryption) | Eavesdropping on IP packets |
| MACsec | Layer 2 (Data Link) | Hop-by-hop, per-link | Zero (hardware ASIC) | Eavesdropping, tampering, injection on physical links |

MACsec's hop-by-hop model means every Ethernet frame is encrypted between adjacent devices. At each hop the switch decrypts the frame, makes its forwarding decision, and re-encrypts it before sending it to the next hop.

This sounds less secure than end-to-end encryption, but it's actually a feature:

  • Full visibility at each hop — the switch can inspect, classify, apply QoS, and enforce ACLs on decrypted traffic before re-encrypting
  • TrustSec SGT integration — SGT tags are protected inside the encrypted frame
  • No application changes — every protocol, every VLAN, every frame type is encrypted transparently
  • Wire-rate performance — hardware ASIC encryption means a 100G port encrypts at 100G

MKA Key Exchange: The Control Plane

MKA (MACsec Key Agreement, IEEE 802.1X-2010) handles key negotiation and distribution.

The Key Hierarchy

CAK (Connectivity Association Key)
 │   derived from the 802.1X EAP session OR a pre-shared key
 ├── KEK (Key Encrypting Key) — encrypts SAK distribution
 └── ICK (Integrity Check Key) — authenticates MKA messages

SAK (Secure Association Key)
 ├── Generated by the Key Server (peer with lowest SCI)
 ├── Distributed to all peers encrypted with the KEK
 └── Used for actual data encryption (AES-128-GCM or AES-256-GCM)

MKA Session Flow

  1. Peer discovery — MKA peers exchange EAPoL-MKA frames on the link
  2. CAK derivation — from 802.1X EAP-TLS session keys (switch-to-host) or pre-shared key (switch-to-switch)
  3. Key Server election — the peer with the lowest Secure Channel Identifier (SCI) becomes the Key Server
  4. SAK generation — Key Server generates the SAK and distributes it encrypted with KEK
  5. Data encryption begins — both peers install the SAK and start encrypting/decrypting frames
  6. SAK rotation — the Key Server periodically generates new SAKs for forward secrecy

Three Deployment Models

Model 1: Switch-to-Host (802.1X + MACsec)

The endpoint authenticates via 802.1X with EAP-TLS, and the EAP session keys derive the CAK for MACsec. Every frame between the endpoint and the access switch is encrypted.

Use case: Campus zero trust — even if someone taps the cable between a laptop and the wall jack, they see encrypted frames.

! Catalyst 9300 — switch-to-host MACsec
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
 mab
 macsec
 mka policy MKA_256
!
mka policy MKA_256
 key-server priority 0
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0

ISE pushes the MACsec policy as part of the authorization profile with linksec-policy options:

  • must-secure — MACsec required; non-MACsec-capable clients are rejected
  • should-secure — MACsec preferred; falls back to unencrypted if client doesn't support it
  • must-not-secure — MACsec disabled (for legacy devices)

Model 2: Switch-to-Switch (Uplink Encryption)

Encrypts traffic on trunk links between access, distribution, and core switches. Uses pre-shared keys since there's no 802.1X session between switches.

Use case: Campus backbone encryption — protects traffic between wiring closets, across building links, and through patch panels.

! Catalyst 9500 — switch-to-switch MACsec
key chain MACSEC_KEYS macsec
 key 01
 cryptographic-algorithm aes-256-cmac
 key-string 7 <encrypted-key>
 lifetime local 00:00:00 Jan 1 2026 duration 31536000
!
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 macsec network-link
 mka policy UPLINK_MKA
 mka pre-shared-key key-chain MACSEC_KEYS
!
mka policy UPLINK_MKA
 key-server priority 10
 macsec-cipher-suite gcm-aes-256

The macsec network-link command is critical — it tells the switch this is an infrastructure link (not a host-facing port) and adjusts MKA behavior accordingly.

Model 3: WAN MACsec (MPLS/Dark Fiber)

Encrypts traffic on WAN links — MPLS circuits, dark fiber, or metro Ethernet — between sites. Supports:

  • AES-256-GCM at 1G/10G/40G/100G rates
  • 802.1Q tags in the clear (so the service provider can read VLAN tags for service delivery)
  • Confidentiality offset (the 802.1Q tag stays visible ahead of the encrypted payload)

Use case: Encrypting traffic on carrier MPLS circuits without deploying IPsec tunnels or dedicated encryptors.

Common Gotchas That Will Bite You

MTU Overhead

MACsec adds up to 32 bytes to every frame:

  • 8 bytes SecTAG
  • 16 bytes ICV (Integrity Check Value)
  • 8 bytes optional SCI

On a 1500-byte MTU link, your effective payload drops to 1468 bytes. For trunk links carrying VXLAN traffic (which already adds 50+ bytes), this compounds:

interface TenGigabitEthernet1/0/1
 ! jumbo frames recommended for MACsec + VXLAN
 mtu 9216

Hardware ASIC Requirements

Not all switches support MACsec. The ASIC needs dedicated encryption engines:

| Platform | MACsec Support | Notes |
|---|---|---|
| Catalyst 9300 | ✅ All ports | Requires HSEC license for 256-bit |
| Catalyst 9500 | ✅ All ports | Full 256-bit support |
| Catalyst 9400 | ✅ Supervisor + line cards | Check specific line card model |
| Catalyst 9600 | ✅ All ports | Full support |
| Nexus 9300-FX/GX | ✅ All ports | 128-bit and 256-bit AES-GCM |
| Nexus 9364C | ✅ 16×100G ports | Partial port support |
| Catalyst 3850 | ❌ | No hardware MACsec |

SPAN/ERSPAN Trap

MACsec encrypted frames on a SPAN destination port are still encrypted — you can't capture decrypted traffic via SPAN. Options:

  • Use ERSPAN to a packet broker that terminates MACsec
  • Configure SPAN on the ingress interface after decryption
  • Use Decrypted Traffic Mirroring on supported platforms

If your packet captures show encrypted garbage on a SPAN port, check if MACsec is enabled on the source interface.
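The following Python is an added example written for this article; it is not code from the post, from Cisco, or from any MACsec implementation. It shows the receive side of a MACsec frame: decoding the 802.1AE SecTAG, deriving the per-frame overhead behind the MTU numbers above (8-byte SecTAG, 16 with the optional SCI, plus a 16-byte ICV), checking the packet number against a replay window (the counter whose exhaustion drives the SAK rotation in step 6 of the MKA flow), and triaging a capture so you can tell real MACsec ciphertext from plaintext by the SecTAG's E bit rather than guessing from "garbage" on a SPAN port. The MAC addresses, sample frames and zero-filled ICVs are constructed for the example; no AES-GCM is performed.

```python
"""Receive-side view of an IEEE 802.1AE MACsec frame (added example, not from
the post): decode the SecTAG, compute overhead, replay-check the PN, and
triage a capture. Standard library only; the ICV on the constructed sample
frames is a zero-filled placeholder, not a real AES-GCM tag."""
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
SECTAG_BASE_LEN = 8   # EtherType(2) + TCI/AN(1) + SL(1) + PN(4)
SCI_LEN = 8           # optional explicit Secure Channel Identifier
ICV_LEN = 16          # GCM-AES-128 / GCM-AES-256 integrity check value
PN_MAX = 2**32 - 1    # 32-bit PN; the SAK must be rotated before it wraps
# TCI/AN octet, MSB first: V ES SC SCB E C, then the 2-bit AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C, AN_MASK = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x03


@dataclass
class SecTag:
    end_station: bool     # ES: source MAC doubles as the System Identifier
    sci_present: bool     # SC: an explicit 8-byte SCI follows the PN
    encrypted: bool       # E: Secure Data is confidentiality-protected
    changed_text: bool    # C: Secure Data differs from the original User Data
    an: int               # association number, selects which SAK is in use
    short_length: int     # SL: Secure Data length if < 48 octets, else 0
    pn: int               # packet number, the replay-protection counter
    sci: bytes            # explicit SCI, or implicit SCI built from the SA
    header_len: int       # SecTAG length including EtherType: 8 or 16


def parse_sectag(frame: bytes) -> Optional[SecTag]:
    """Decode the SecTAG of an Ethernet frame; None if it is not MACsec."""
    if len(frame) < 12 + SECTAG_BASE_LEN + ICV_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        return None
    tci_an, sl, pn = struct.unpack("!BBI", frame[14:20])
    if tci_an & TCI_V:
        return None  # only version 0 is defined
    if tci_an & TCI_SC:
        sci, header_len = frame[20:28], SECTAG_BASE_LEN + SCI_LEN
        if len(frame) < 12 + header_len + ICV_LEN:
            return None
    else:
        # implicit SCI: source MAC plus port id 00-00 (SCB) or 00-01
        port = b"\x00\x00" if tci_an & TCI_SCB else b"\x00\x01"
        sci, header_len = frame[6:12] + port, SECTAG_BASE_LEN
    return SecTag(bool(tci_an & TCI_ES), bool(tci_an & TCI_SC),
                  bool(tci_an & TCI_E), bool(tci_an & TCI_C),
                  tci_an & AN_MASK, sl & 0x3F, pn, sci, header_len)


def macsec_overhead(sci_present: bool) -> int:
    """Bytes MACsec adds per frame: SecTAG (8, or 16 with SCI) + 16-byte ICV."""
    return SECTAG_BASE_LEN + (SCI_LEN if sci_present else 0) + ICV_LEN


def effective_payload(link_mtu: int, sci_present: bool = True, vxlan: bool = False) -> int:
    """Payload left after MACsec, optionally also after VXLAN-over-IPv4
    encapsulation (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN = 50 bytes)."""
    return link_mtu - macsec_overhead(sci_present) - (50 if vxlan else 0)


class ReplayWindow:
    """802.1AE receive-side replay check for one Secure Association: a PN is
    accepted only if it is >= nextPN - window. Window 0 enforces strict order."""

    def __init__(self, window: int = 0):
        self.window, self.next_pn = window, 1

    def accept(self, pn: int) -> bool:
        if pn < max(1, self.next_pn - self.window) or pn > PN_MAX:
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def triage_capture(frames) -> dict:
    """Count plain vs. MACsec frames, the check to run when a SPAN capture
    looks like garbage: E=1 means the payload really is ciphertext."""
    counts = {"plain": 0, "macsec_encrypted": 0, "macsec_integrity_only": 0}
    for frame in frames:
        tag = parse_sectag(frame)
        key = ("plain" if tag is None else
               "macsec_encrypted" if tag.encrypted else "macsec_integrity_only")
        counts[key] += 1
    return counts


def build_macsec_frame(dst, src, an, pn, secure_data, sci=None, encrypted=True):
    """Constructed MACsec frame for the sample capture; the ICV is zero-filled."""
    tci = (TCI_E | TCI_C) if encrypted else 0
    tci |= TCI_SC if sci is not None else TCI_ES
    sl = len(secure_data) if len(secure_data) < 48 else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci | an, sl, pn)
    sectag += sci if sci is not None else b""
    return dst + src + sectag + secure_data + b"\x00" * ICV_LEN


# constructed sample capture: a plain IPv4 frame, an encrypted MACsec frame
# with explicit SCI, and an integrity-only MACsec frame with the ES bit set
DST, SRC = bytes.fromhex("0050569a0001"), bytes.fromhex("0011223344aa")
SAMPLE_FRAMES = [
    DST + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 39,
    build_macsec_frame(DST, SRC, 1, 0x0A01, b"\xde\xad" * 20, sci=SRC + b"\x00\x01"),
    build_macsec_frame(DST, SRC, 1, 0x0A02, b"\x08\x00\x45" + b"\x00" * 37, encrypted=False),
]

if __name__ == "__main__":
    print(triage_capture(SAMPLE_FRAMES))
    print("1500-byte link:", effective_payload(1500), "bytes of payload after MACsec")
```

Running the script on a real capture means feeding raw frame bytes (for example from a pcap reader) into `triage_capture` instead of `SAMPLE_FRAMES`; a capture that is mostly `macsec_encrypted` confirms the SPAN source port has MACsec enabled and the mirror was taken before decryption. The replay window is kept deliberately simple, in the spirit of the 802.1AE `lowestPN` rule: it rejects anything older than the window but does not track individual duplicates inside it, which is the standard's behaviour as well.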

128-bit vs. 256-bit AES-GCM

  • AES-128-GCM — supported on more platforms, lower licensing requirements. Sufficient for most enterprise deployments.
  • AES-256-GCM — required for government/military compliance (Suite B, FIPS 140-2), requires HSEC license on some platforms.

MACsec + TrustSec = Real Zero Trust

MACsec is the encryption enforcement layer for Cisco's TrustSec architecture:

  1. Endpoint authenticates via 802.1X → ISE assigns SGT
  2. MACsec encrypts the frame including the CMD header (SGT tag)
  3. Switch decrypts, reads SGT, applies SGACL policy
  4. Re-encrypts before forwarding to the next hop

Without MACsec, an attacker could inject frames with spoofed SGT tags. With MACsec, every frame is integrity-checked — injection or modification is detected and dropped.

This is the complete zero trust stack for campus networks: identity (802.1X) → segmentation (TrustSec SGT) → encryption (MACsec).

Verification Commands Cheat Sheet

show macsec summary
show macsec interface Gi1/0/1
show mka sessions
show mka sessions detail
show mka statistics interface Gi1/0/1
show mka policy

MACsec is the encryption technology most network engineers skip — and the one that makes the biggest difference for actual security posture. In a world where zero trust means "verify everything and encrypt everything," MACsec is how you encrypt the network layer at wire speed.

Disclosure: This article was adapted from the original with AI assistance. Technical content has been reviewed for accuracy.
