MACsec 2AN and 4AN mode

MACsec 2AN mode implementations use two security associations (SA) for each secure channel (SC) and symmetric keys on both MACsec endpoints. The keys are symmetric because they are both derived from the same connectivity association key (CAK).

MACsec 4AN mode generates four Secure Associations Keys (SAK) per secure channel. It uses enhanced hashing algorithm to derive eight SAKs, and uses asymmetric keys on both ends. You can use the macsec connectivity-association command to configure different (asymmetric) transmit keys for each endpoint by using the key-parity keyword. If you do not specify a value for key-parity, the connectivity association is created in 2AN mode. For more information about configuring MACsec transmit keys, see Configuring a connectivity association.