Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Media Access Control Security (MACsec) over WAN

Media Access Control Security (MACsec) is a link layer solution for point-to-point encryption. MACsec can be used to encrypt Layer 2 connections over a service provider WAN to ensure data transmission integrity and confidentiality.

Carrying MACsec over Multiple Hops

To establish a MACsec session, MACsec Key Agreement (MKA) is used to exchange the required keys between the peer nodes. MKA PDUs are transmitted using Extensible Authentication Protocol over LAN (EAPoL) as a transport protocol. EAPoL is a Layer 2 protocol and would normally be locally processed by the switch or router and not propagated further.

In the case where nodes are connected through a service provider network, this presents a challenge. Figure 1 shows MACsec carried over a service provider network. MKA must exchange keys between customer devices A and B. The edge routers, or intermediate devices, should not process the EAPoL packets. Instead, they should transparently forward them to the next hop.

Figure 1: MACsec Carried over a Service Provider NetworkMACsec Carried over a Service Provider Network

The default destination MAC address for an EAPoL packet is a multicast address. In a service provider network, there might be devices that consume these packets, assuming the packets are meant for them. EAPoL is used by 802.1X and other authentication methods, which might cause the devices to drop the packets, depending on their configuration. This would cause the MKA session to fail. To ensure that the EAPoL packet reaches the correct destination, you can change the destination MAC address so that the service provider network tunnels the packet instead of consuming it.

Configuring VLAN-level MACsec on Logical Interfaces

VLAN-level MACsec allows multiple MKA sessions on a single physical port. This enables service multiplexing with MACsec encryption of point-to-multipoint connections over service provider WANs.

To support VLAN-level MACsec, the MKA protocol packets are sent out with the VLAN tags configured on the logical interface. VLAN tags are transmitted in clear text, which allows intermediate switches that are MACsec-unaware to switch the packets based on the VLAN tags.

When you configure MACsec, you must bind the connectivity association to an interface. To enable VLAN-level MACsec, bind the connectivity association to a logical interface using the following command:

For complete configuration details, see Configuring MACsec in Static CAK Mode.

Configuring the EAPoL Destination MAC Address for MACsec

MACsec transmits MKA PDUs using EAPoL packets to establish a secure session. By default, EAPoL uses a destination multicast MAC address of 01:80:C2:00:00:03. To prevent these packets from being consumed in a service provider network, you can change the destination MAC address.

To configure the EAPoL destination MAC address, enter one of the following commands.


The configuration must match on both peer nodes is order to establish the MACsec session.

  • To configure the port access entity multicast address:
  • To configure a provider bridge multicast address:
  • To configure the LLDP multicast address:
  • To configure a unicast destination address:

The options are mapped to MAC addresses as follows:

EAPoL Address

MAC Address








configurable unicast address