Configuring MACsec Encryption

This article describes the simplest way to enable MACsec using a preconfigured static key-string. The example was tried on a Catalyst 3850 and should work on other switches too.

There is another article that I wrote years ago which describes a more complex implementation with dot1x etc.


Media Access Control Security (MACsec) is a way to secure point-to-point Ethernet links by implementing data integrity checks and encryption of Ethernet frames.

When you configure MACsec on a switch interface (and of course, on the other switch connected to that interface), all traffic going through the link is secured using data integrity checks and encryption.

Data integrity is provided by appending an 8-byte header and a 16-byte trailer to the Ethernet frame. They are generated before the data is sent and checked on receipt by the other switch to prove that the data inside the frame was not modified on the way. If the check fails, the frame is dropped.

Encryption is the other part of the MACsec capability. It is optional, but most likely always enabled.

This means there are two options with MACsec: the first only verifies that nobody modified the packet on the point-to-point link, and the second also encrypts the packet so nobody can capture it and see what's inside.


SW1 config, which should be the same on SW2 if the two are connected through port Te 1/0/1:

key chain keychain1 macsec
 key 20000
 cryptographic-algorithm aes-256-cmac
 key-string cdb238e5eb9496063719e760be179fea5998145a90d59cf0fcdd409233b357a1

mka policy mkapolicy1
 macsec-cipher-suite gcm-aes-256

int Te 1/0/1
 macsec network-link
 mka policy mkapolicy1
 mka pre-shared-key key-chain keychain1


Be sure not to use special characters in the key-string value in the key chain config. If you use characters such as %&^ in that string, the ports will come up but stay in the notconnected state: MACsec will not bring up a secure session and the links will not work. Use only hex digits, with a length of 1 to 32 digits for the 128-bit encryption method and 64 hex digits for 256-bit encryption, as in my example. You can easily generate a hex with generators like this one:
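An added example, not part of the original article: generating the key-string locally from the operating system's CSPRNG, so the key never passes through a web page, and checking a key chain stanza against the hex-only and length rules above. The function names are hypothetical, the length table is taken from this article, and the check assumes a plaintext key-string that follows its cryptographic-algorithm line as in the config shown.

```python
import re
import secrets

# Allowed key-string lengths in hex digits, as stated in this article.
KEY_LEN = {"aes-128-cmac": range(1, 33), "aes-256-cmac": range(64, 65)}

def generate_key_string(algorithm="aes-256-cmac"):
    """Random hex key-string from the OS CSPRNG, longest length allowed."""
    return secrets.token_hex(KEY_LEN[algorithm][-1] // 2)

def lint_key_chain(config):
    """Return problems found in the key-string lines of a key chain stanza.

    Assumes cryptographic-algorithm precedes key-string, as in the article.
    """
    problems, key_id, algorithm = [], "?", None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "key":
            key_id, algorithm = words[1], None        # start of a new key block
        elif len(words) == 2 and words[0] == "cryptographic-algorithm":
            algorithm = words[1]
        elif words and words[0] == "key-string":
            value = words[1] if len(words) > 1 else ""
            allowed = KEY_LEN.get(algorithm)
            if allowed is None:
                problems.append(f"key {key_id}: no known algorithm before key-string")
            elif not re.fullmatch(r"[0-9a-fA-F]+", value):
                problems.append(f"key {key_id}: key-string has non-hex characters")
            elif len(value) not in allowed:
                problems.append(
                    f"key {key_id}: {len(value)} hex digits not valid for {algorithm}")
    return problems

def render_key_chain(name, key_id, algorithm="aes-256-cmac"):
    """Build a stanza in the article's layout with a freshly generated key."""
    return (f"key chain {name} macsec\n key {key_id}\n"
            f" cryptographic-algorithm {algorithm}\n"
            f" key-string {generate_key_string(algorithm)}\n")

if __name__ == "__main__":
    # Constructed sample: the second key breaks the hex-only rule.
    sample = (render_key_chain("keychain1", "20000") + " key 20001\n"
              " cryptographic-algorithm aes-128-cmac\n key-string abc%&^123\n")
    print(lint_key_chain(sample) or "ok")
```

Run the linter over the key chain on both switches before applying it; the same key ID, algorithm and key-string must appear on each side.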

When configuring MACsec on a switch for the first time, at least on the 3850 to which this configuration was applied, it seems that a reboot is needed for things to start working correctly.

There is a chance that you will need to have clocks in sync for MACsec to work properly, but that was not tried yet. Just put some NTP config on the switch too.

