MACsec services
Data encryption
MACsec enables a port to encrypt outbound frames and decrypt MACsec-encrypted inbound frames. The keys for encryption and decryption are negotiated by MKA.
Integrity check
MACsec performs an integrity check when the device receives a MACsec-encrypted frame. The integrity check uses the following process:
Uses a key negotiated by MKA to calculate an integrity check value (ICV) for the frame.
Compares the calculated ICV with the ICV in the frame trailer.
If the ICVs are the same, the device considers the frame legal.
If the ICVs are different, the device determines whether to drop the frame based on the validation mode. The device supports the following validation modes:
check—Performs validation only, and does not drop illegal frames.
strict—Performs validation, and drops illegal frames.
Replay protection
When MACsec frames are transmitted over the network, they might arrive out of order. MACsec replay protection allows the device to accept out-of-order frames that fall within the replay protection window and to drop all other out-of-order frames.
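The replay window decision described above, as an added example that is not device or vendor code. It assumes each frame carries an increasing packet number (PN), which this page does not describe, and that the window is measured back from the highest PN received so far; the class, function, and sample data names are hypothetical.

```python
# Added example: models replay-window acceptance for out-of-order frames.
# Assumption: each frame carries an increasing packet number (PN). All names
# here are hypothetical and do not correspond to a device API.

class ReplayWindow:
    def __init__(self, window_size):
        self.window_size = window_size  # 0 means frames must arrive in order
        self.next_pn = 1                # highest PN accepted so far, plus 1
        self.lowest_pn = 1              # lowest PN that is still acceptable

    def accept(self, pn):
        """Return True to accept the frame, False to drop it."""
        if pn < self.lowest_pn:
            return False                # too far behind the newest frame
        if pn >= self.next_pn:
            # Newer frame: move the leading edge, then pull the trailing
            # edge forward so it stays window_size behind it.
            self.next_pn = pn + 1
            self.lowest_pn = max(self.lowest_pn,
                                 self.next_pn - self.window_size)
        # Note: this model does not remember individual PNs, so a duplicate
        # that still falls inside the window is accepted.
        return True


def run(window_size, pns):
    """Feed PNs through a fresh window; return (pn, verdict) pairs."""
    rw = ReplayWindow(window_size)
    return [(pn, "accept" if rw.accept(pn) else "drop") for pn in pns]


# Constructed arrival order: frames 3 and 2 arrive late, and PN 1 shows up
# again long after it was first received.
ARRIVALS = [1, 4, 3, 5, 2, 8, 1]

if __name__ == "__main__":
    for size in (0, 3):
        print(f"window={size}:", run(size, ARRIVALS))
```

With a window of 0 every late frame is dropped; with a window of 3, frame 3 is accepted because it is within three PNs of the newest frame, while frame 2 and the repeated frame 1 are not.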