MACsec (802.1AE) is the only IEEE standard that encrypts Ethernet frames at wire speed with zero performance penalty. It operates at Layer 2, encrypting everything between two directly connected devices — switch to host, switch to switch, or switch to router. Despite being the most effective encryption technology available for campus and data center networks, most network engineers have never configured it.

Key Takeaway: MACsec is the encryption layer that makes zero trust architectures real at the network level — it protects data in transit on every link, at line rate, without the CPU overhead of IPsec or the application dependency of TLS. It’s on the CCIE Security v6.1 and CCIE EI v1.1 blueprints, and understanding it separates security-aware network engineers from everyone else.

What Does MACsec Actually Do vs. IPsec and TLS?

The encryption landscape has three layers, and most engineers only think about two of them:

| Protocol | OSI Layer | Encryption Model | Performance Impact | Protects Against |
|---|---|---|---|---|
| TLS 1.3 | Layer 7 (Application) | End-to-end, per-session | Minimal (application overhead) | Eavesdropping on application data |
| IPsec | Layer 3 (Network) | End-to-end, tunnel/transport | Moderate (CPU encryption) | Eavesdropping on IP packets |
| MACsec | Layer 2 (Data Link) | Hop-by-hop, per-link | Zero (hardware ASIC) | Eavesdropping, tampering, injection on physical links |

MACsec’s hop-by-hop model means every Ethernet frame is encrypted between adjacent devices. Each hop decrypts the frame, makes its forwarding decision, and re-encrypts the frame before sending it on to the next hop. This sounds less secure than end-to-end encryption, but it’s actually a feature:

  • Full visibility at each hop — the switch can inspect, classify, apply QoS, and enforce ACLs on decrypted traffic before re-encrypting
  • TrustSec SGT integration — SGT tags are protected inside the encrypted frame
  • No application changes — every protocol, every VLAN, every frame type is encrypted transparently
  • Wire-rate performance — hardware ASIC encryption means a 100G port encrypts at 100G

How Does the MKA Protocol Handle Key Exchange?

MKA (MACsec Key Agreement, defined in IEEE 802.1X-2010) is the control plane protocol that negotiates and distributes encryption keys between MACsec peers.

The Key Hierarchy

CAK (Connectivity Association Key)
 └── Derived from 802.1X EAP session OR pre-shared key
      │
      ├── KEK (Key Encrypting Key) — encrypts SAK distribution
      │
      └── ICK (Integrity Check Key) — authenticates MKA messages

SAK (Secure Association Key)
 └── Generated by the Key Server (peer with lowest SCI)
      └── Distributed to all peers encrypted with KEK
           └── Used for actual data encryption (AES-128-GCM or AES-256-GCM)

MKA Session Establishment

  1. Peer discovery — MKA peers exchange EAPoL-MKA frames on the link
  2. CAK derivation — from 802.1X EAP-TLS session keys (switch-to-host) or pre-shared key (switch-to-switch)
  3. Key Server election — the peer with the lowest Secure Channel Identifier (SCI) becomes the Key Server
  4. SAK generation — Key Server generates the SAK and distributes it encrypted with KEK
  5. Data encryption begins — both peers install the SAK and start encrypting/decrypting frames
  6. SAK rotation — the Key Server periodically generates new SAKs for forward secrecy

! Verify MKA session on Catalyst
show mka sessions
show mka sessions detail
show mka statistics

! Verify MACsec encryption
show macsec summary
show macsec interface GigabitEthernet1/0/1

What Are the Three MACsec Deployment Models?

Model 1: Switch-to-Host (802.1X + MACsec)

The most common deployment. The endpoint (Windows, macOS, Linux) authenticates via 802.1X with EAP-TLS, and the EAP session keys derive the CAK for MACsec. Every frame between the endpoint and the access switch is encrypted.

Use case: Campus zero trust — even if someone taps the cable between a user’s laptop and the wall jack, they see encrypted frames.

! Catalyst 9300 — switch-to-host MACsec
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
 mab
 macsec
 mka policy MKA_256
!
mka policy MKA_256
 key-server priority 0
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0

ISE pushes the MACsec policy as part of the authorization profile:

Authorization Profile: Corp_MACsec
  - Access Type: ACCESS_ACCEPT
  - linksec-policy: must-secure
  - SGT: Employees (5)

The linksec-policy options:

  • must-secure — MACsec required; non-MACsec-capable clients are rejected
  • should-secure — MACsec preferred; falls back to unencrypted if client doesn’t support it
  • must-not-secure — MACsec disabled (for legacy devices)

Model 2: Switch-to-Switch (PSK)

Encrypts traffic on trunk links between access, distribution, and core switches. Uses pre-shared keys (PSK) since there’s no 802.1X session between switches.

Use case: Campus backbone encryption — protects traffic between wiring closets, across building links, and through patch panels where physical access is possible.

! Catalyst 9500 — switch-to-switch MACsec
key chain MACSEC_KEYS macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 7 <encrypted-key>
  lifetime local 00:00:00 Jan 1 2026 duration 31536000
!
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 macsec network-link
 mka policy UPLINK_MKA
 mka pre-shared-key key-chain MACSEC_KEYS
!
mka policy UPLINK_MKA
 key-server priority 10
 macsec-cipher-suite gcm-aes-256

The macsec network-link command is critical — it tells the switch this is an infrastructure link (not a host-facing port) and adjusts MKA behavior accordingly.

Model 3: WAN MACsec (MPLS/Dark Fiber)

Encrypts traffic on WAN links — MPLS circuits, dark fiber, or metro Ethernet — between sites. According to Cisco Live BRKRST-2309, WAN MACsec supports:

  • AES-256-GCM at 1G/10G/40G/100G rates
  • 802.1Q tags in the clear (so SP can read VLAN tags for service delivery)
  • Offset encryption (2 Q-tags visible before encrypted payload)

Use case: Encrypting traffic on carrier MPLS circuits without deploying IPsec tunnels or dedicated encryptors.

What Are the Common MACsec Gotchas?

MTU Overhead

MACsec adds 32 bytes to every frame:

  • 8 bytes SecTAG (Security Tag)
  • 16 bytes ICV (Integrity Check Value)
  • 8 bytes optional SCI (Secure Channel Identifier); the 32-byte figure includes it, so a frame without an explicit SCI carries 24 bytes of overhead

On a standard 1500-byte MTU link, your effective payload drops to 1468 bytes. For trunk links carrying VXLAN traffic (which already adds 50+ bytes), this compounds. Adjust MTU on all MACsec-enabled links:

! Jumbo frames recommended for MACsec + VXLAN
interface TenGigabitEthernet1/0/1
 mtu 9216

Hardware ASIC Requirements

Not all switches support MACsec. The ASIC must have dedicated encryption engines:

| Platform | MACsec Support | Notes |
|---|---|---|
| Catalyst 9300 | ✅ All ports | Requires HSEC license for 256-bit |
| Catalyst 9500 | ✅ All ports | Full 256-bit support |
| Catalyst 9400 | ✅ Supervisor + line cards | Check specific line card model |
| Catalyst 9600 | ✅ All ports | Full support |
| Nexus 9300-FX/GX | ✅ All ports | 128-bit and 256-bit AES-GCM |
| Nexus 9364C | ✅ 16×100G ports | Partial port support |
| Catalyst 3850 | ❌ | No hardware MACsec |
| Nexus 9200 | ⚠️ Limited | Check specific model |

According to Cisco Live BRKDCN-3939 (2025), Nexus 9300-FX line cards support “MACsec hardware encryption providing link-level hop-by-hop encryption” with both 128-bit and 256-bit AES-GCM.

SPAN/ERSPAN Interaction

MACsec encrypted frames on a SPAN destination port are still encrypted — you can’t capture decrypted traffic via SPAN. You need to:

  1. Use ERSPAN to a packet broker that terminates MACsec,
  2. Configure SPAN on the ingress interface after decryption (before the switch re-encrypts for the next hop), or
  3. Use Decrypted Traffic Mirroring on supported platforms

This catches many engineers during troubleshooting. If your packet captures show encrypted garbage on a SPAN port, check if MACsec is enabled on the source interface.
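To make both the per-frame overhead figures and the SPAN gotcha concrete, here is an added example (not from the original article) that decodes the 802.1AE SecTAG of an Ethernet frame: it recognises MACsec frames by EtherType 0x88E5, reports the overhead the frame actually carries (24 bytes without an explicit SCI, 32 bytes with one), and refuses anything else, which is exactly the check to run on a capture that looks like "encrypted garbage". The SampleFrame builder and its SCI value (MAC 00:11:22:33:44:55, port 1) are constructed inputs for offline testing, not a real capture.

```go
package main

import (
	"encoding/binary"
	"errors"
)

const etherTypeMACsec, icvLen = 0x88E5, 16 // 802.1AE EtherType; GCM-AES ICV bytes
// SecTAG holds the 802.1AE Security TAG fields that follow the EtherType.
type SecTAG struct {
	AN         uint8  // Association Number (low 2 bits of TCI/AN)
	SCIPresent bool   // SC bit: an explicit 8-byte SCI follows the PN
	PN         uint32 // Packet Number, used for replay protection
	SCI        uint64 // Secure Channel Identifier (valid only if SCIPresent)
	Overhead   int    // bytes MACsec adds per frame: SecTAG + ICV (24 or 32)
}

// ParseMACsecFrame decodes the SecTAG of an Ethernet frame. A non-MACsec
// EtherType is an error, which is the quick test for what a SPAN capture holds.
func ParseMACsecFrame(frame []byte) (SecTAG, error) {
	var t SecTAG
	if len(frame) < 14+8+icvLen || binary.BigEndian.Uint16(frame[12:14]) != etherTypeMACsec {
		return t, errors.New("not a MACsec frame (no 0x88E5 EtherType or too short)")
	}
	tci := frame[14] // TCI/AN byte: V ES SC SCB E C AN(2)
	t.SCIPresent, t.AN = tci&0x20 != 0, tci&0x03
	t.PN = binary.BigEndian.Uint32(frame[16:20])
	t.Overhead = 8 + icvLen // 8-byte SecTAG + 16-byte ICV = 24 bytes
	if t.SCIPresent {
		if len(frame) < 14+16+icvLen {
			return t, errors.New("frame too short for explicit SCI")
		}
		t.SCI, t.Overhead = binary.BigEndian.Uint64(frame[20:28]), 16+icvLen // 32 bytes
	}
	return t, nil
}

// SampleFrame builds a constructed MACsec frame (zero MACs, payload and ICV)
// to exercise the parser offline; it is not a real capture.
func SampleFrame(withSCI bool, an uint8, pn uint32, payloadLen int) []byte {
	f := make([]byte, 14+8+payloadLen+icvLen)
	binary.BigEndian.PutUint16(f[12:], etherTypeMACsec)
	f[14] = 0x0C | an&0x03 // E=1, C=1 (encrypted payload); SL byte stays 0
	binary.BigEndian.PutUint32(f[16:], pn)
	if withSCI { // set the SC bit and splice an explicit SCI (MAC || port 1) after the PN
		f[14] |= 0x20
		f = append(f[:20], append([]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 1}, f[20:]...)...)
	}
	return f
}
```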

128-bit vs. 256-bit AES-GCM

Both cipher suites provide strong encryption. The difference:

  • AES-128-GCM — supported on more platforms, lower licensing requirements
  • AES-256-GCM — required for government/military compliance (Suite B, FIPS 140-2), requires HSEC license on some platforms

For most enterprise deployments, AES-128-GCM is sufficient. Government and regulated industries should use AES-256-GCM.

How Does MACsec Integrate with TrustSec and Zero Trust?

MACsec is the encryption enforcement layer for Cisco’s TrustSec architecture. As we covered in our ISE TrustSec SGT guide, TrustSec uses SGT tags for policy enforcement. MACsec ensures those tags can’t be spoofed or tampered with:

  1. Endpoint authenticates via 802.1X → ISE assigns SGT
  2. MACsec encrypts the frame including the CMD header (SGT tag)
  3. Switch decrypts, reads SGT, applies SGACL policy
  4. Re-encrypts before forwarding to the next hop

Without MACsec, an attacker could inject frames with spoofed SGT tags. With MACsec, every frame is integrity-checked — injection or modification is detected and dropped.

This is the complete zero trust stack for campus networks: identity (802.1X) → segmentation (TrustSec SGT) → encryption (MACsec). As we discussed in our zero trust CCIE Security blueprint analysis, this combination is what enterprises are deploying in 2026.

How Is MACsec Tested on the CCIE Security Lab?

The CCIE Security v6.1 blueprint lists MACsec under the Network Security domain. Based on the published objectives, expect:

  • MKA policy configuration — cipher suite selection, key server priority, confidentiality offset
  • Key chain setup — pre-shared keys for switch-to-switch, lifetime management
  • 802.1X integration — ISE authorization profiles with linksec-policy for switch-to-host MACsec
  • Verification — show macsec summary, show mka sessions detail, show mka statistics
  • Troubleshooting — MKA session failures, key mismatch, cipher suite negotiation issues

Practice these verification commands:

show macsec summary
show macsec interface Gi1/0/1
show mka sessions
show mka sessions detail
show mka statistics interface Gi1/0/1
show mka policy

Frequently Asked Questions

What is MACsec and how is it different from IPsec?

MACsec (802.1AE) encrypts Ethernet frames at Layer 2 between directly connected devices — hop by hop. IPsec encrypts IP packets at Layer 3 end-to-end. MACsec has zero performance penalty (hardware ASIC encryption), while IPsec typically requires CPU processing.

Does MACsec affect network performance?

No. MACsec encryption is performed in the switch ASIC hardware at line rate. The only impact is 32 bytes of overhead per frame, which may require MTU adjustment on encrypted links.

Which Cisco switches support MACsec?

Catalyst 9300, 9400, 9500, and 9600 support MACsec on downlink and uplink ports. Nexus 9300-FX, 9300-GX, and 9364C support MACsec with 128-bit and 256-bit AES-GCM. An HSEC license may be required for 256-bit.

How does MACsec integrate with Cisco TrustSec?

MACsec provides the encryption layer for TrustSec-protected links. When TrustSec inline tagging is enabled, MACsec encrypts the frame including the SGT tag, ensuring both confidentiality and integrity.

Is MACsec tested on the CCIE Security lab?

Yes. The CCIE Security v6.1 blueprint includes MACsec under Network Security. Expect MKA policy configuration, key chain setup, 802.1X integration, and verification commands.


MACsec is the encryption technology most network engineers skip — and the one that makes the biggest difference for actual security posture. In a world where zero trust means “verify everything and encrypt everything,” MACsec is how you encrypt the network layer at wire speed without compromising performance or visibility.
