Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Media Access Control Security (MACsec) over WAN

Media Access Control Security (MACsec) is a link layer solution for point-to-point encryption. MACsec can be used to encrypt Layer 2 connections over a service provider WAN to ensure data transmission integrity and confidentiality.

Carrying MACsec over Multiple Hops

To establish a MACsec session, MACsec Key Agreement (MKA) is used to exchange the required keys between the peer nodes. MKA PDUs are transmitted using Extensible Authentication Protocol over LAN (EAPoL) as a transport protocol. EAPoL is a Layer 2 protocol and would normally be locally processed by the switch or router and not propagated further.

In the case where nodes are connected through a service provider network, this presents a challenge. Figure 1 shows MACsec carried over a service provider network. MKA must exchange keys between customer devices A and B. The edge routers, or intermediate devices, should not process the EAPoL packets. Instead, they should transparently forward them to the next hop.

Figure 1: MACsec Carried over a Service Provider NetworkMACsec Carried over a Service Provider Network

The default destination MAC address for an EAPoL packet is a multicast address. In a service provider network, there might be nodes that consume these packets. Since EAPoL is used by 802.1X and other authentication methods, the nodes might assume the packets are destined for them. They might attempt to process the packets, and then drop them, depending on their configuration. To ensure that the EAPoL packet reaches the correct destination, you can change the destination MAC address so that the service provider network tunnels the packet instead of consuming it.

VLAN-level MACsec with Unencrypted VLAN Tags

You can configure MACsec on logical interfaces as well as physical interfaces. The MKA protocol packets are sent out with the VLAN tags configured on the logical interface. VLAN tags are transmitted in clear text, which allows intermediate switches that are MACsec-unaware to switch the packets based on the VLAN tags.

VLAN-level MACsec allows multiple MKA sessions on a single physical port. This feature enables service multiplexing with MACsec encryption of point-to-multipoint connections over service provider WANs.

Configuring the EAPoL Destination MAC Address for MACsec

MACsec transmits MKA PDUs using EAPoL packets to establish a secure session. By default, EAPoL uses a destination multicast MAC address of 01:80:C2:00:00:03. To prevent these packets from being consumed in a service provider network, you can change the destination MAC address.

To configure the EAPoL destination MAC address, enter one of the following commands.


The configuration must match on both peer nodes is order to establish the MACsec session.

  • To configure the port access entity multicast address:
  • To configure a provider bridge multicast address:
  • To configure the LLDP multicast address:
  • To configure a unicast destination address:

The options are mapped to MAC addresses as follows:

EAPoL Address

MAC Address








configurable unicast address