As shown in the following figure, a host that connects to Switch A sends an Ethernet frame to a host that connects to Switch B. Switch A encrypts the frame, excluding the Ethernet header and optionally the 802.1Q header. Switch A also appends MACsec information, such as the SecTag and the ICV, to the encrypted payload and transmits the frame using normal frame transmission. This process ensures data confidentiality.
Switch B decrypts the frame once received. Switch B recalculates the ICV using a MACsec key and the SecTag present in the frame. If the ICV present in the received frame matches the recalculated ICV, the switch processes the frame. If the two ICVs do not match, the switch discards the frame. This process ensures data origin authenticity and data integrity.
The encryption and decryption algorithms follow either the AES-GCM-128 standard or the AES-GCM-256 standard depending on the configured cipher suite. The default is the AES-GCM-128 standard.
The MACsec connectivity association key (CAK) between switches A and B is statically pre-configured.
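The protect and verify steps described above, written out as an added Go example (not code from the original page or from any switch vendor's implementation) using Go's standard-library AES-GCM. The SAK, SCI and frame bytes are constructed sample values, the SecTag is the simplified 8-byte form without an explicit SCI, and both sides are assumed to already hold the SAK derived from the pre-configured CAK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// AES-GCM keyed with the SAK (16 bytes: GCM-AES-128, 32 bytes: GCM-AES-256) and the 12-byte MACsec nonce SCI||PN.
func gcmAndNonce(sak []byte, sci [8]byte, pn uint32) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	nonce := append(append([]byte{}, sci[:]...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(nonce[8:], pn)
	return gcm, nonce, nil
}

// Switch A: DA||SA stay clear, an 8-byte SecTag (EtherType 0x88E5, TCI/AN with E=1 C=1,
// SL=0, PN; no explicit SCI) is inserted after them, EtherType+payload are encrypted,
// and DA||SA||SecTag is the associated data that the 16-byte ICV also covers.
func protectFrame(sak []byte, sci [8]byte, an byte, pn uint32, frame []byte) ([]byte, error) {
	gcm, nonce, err := gcmAndNonce(sak, sci, pn)
	if err != nil || len(frame) < 14 {
		return nil, errors.New("bad SAK or frame")
	}
	hdr := append(append([]byte{}, frame[:12]...), 0x88, 0xE5, 0x0C|(an&0x03), 0, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(hdr[16:], pn)
	return gcm.Seal(hdr, nonce, frame[12:], hdr), nil // DA||SA||SecTag||ciphertext||ICV
}

// Switch B: read PN from the SecTag, rebuild nonce and associated data, and let GCM
// recompute the ICV; any mismatch (altered bytes, wrong SAK) means the frame is discarded.
func verifyFrame(sak []byte, sci [8]byte, frame []byte) ([]byte, error) {
	if len(frame) < 36 || binary.BigEndian.Uint16(frame[12:14]) != 0x88E5 {
		return nil, errors.New("not a MACsec frame")
	}
	gcm, nonce, err := gcmAndNonce(sak, sci, binary.BigEndian.Uint32(frame[16:20]))
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, frame[20:], frame[:20])
	if err != nil {
		return nil, errors.New("ICV mismatch: frame discarded")
	}
	return append(append([]byte{}, frame[:12]...), plain...), nil // original frame restored
}
```

A single flipped bit anywhere in DA, SA, the SecTag, the ciphertext or the ICV makes `verifyFrame` reject the frame, which is the integrity and origin-authenticity check the text describes.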
Important
MACsec will be operational between two switches across Point-to-Point Connectivity only when the switches are either directly connected or across a network cloud that provides P2P connectivity between the two switches.
For example, in the following figure you can enable MACsec between two switches across a network cloud where P2P connectivity between the switches is provided via services such as P2P, MPLS, Layer 2 VPN (ELINE), or connectivity across Dark Fiber. However, it is important to note that MACsec will not be operational between two switches across a network cloud if the intermediate routers/switches need to inspect the VLAN tag or IP header for service classification. This is because MACsec encrypts the entire data frame including the VLAN header, so the intermediate switches/routers will not have visibility into those headers to perform service classification.