Add MACSec Interface


This connection type implements the Media Access Control Security (MACSec) protocol, IEEE 802.1AE-2006, together with the MACSec Key Agreement (MKA) protocol, IEEE 802.1X-2010, to provide secure communications on Ethernet links (layer 2). With MKA it is possible to configure CKN/CAK fallback keys, so that the connection switches to a secondary key when the primary keys of the participants do not match. This allows the keys to be rotated on both sides of the connection with limited connectivity interruption and automatic re-establishment.

Key rotation
If fallback keys are used, consult the "Recommended key rotation procedure" section below.
Limitations
  • MACSec is not supported on NSR-Lite backplane0 if peer is connected on a switch expansion card NSR-16ETH-EXPN, NSR-16SFP-EXPN or NSR-8ETH-POE-EXPN

  • MACSec is only supported on NSR-Lite backplane0 if switch expansion cards are NSR-8SFP-EXPN

  • MACSec is not supported on NSR / NSR-Lite backplane0/backplane1 if MACSec peer is connected on a switch interface which is already running IEEE 802.1x

  • When fallback keys are configured and the key fallback happens, a link outage between 2.5 and 6 seconds is expected

  1. Go to Network :: Connections.
  2. Click Add (displays dialog).
  3. Enter Name.
  4. On Type drop-down, select MACSec (dialog changes).
  5. Enter Description (optional).
  6. If the Connect Automatically checkbox is selected, the connection is automatically established at system startup.
  7. Set as Primary Connection checkbox (defines interface as the primary connection. Only one interface can be the primary.)
  8. If the Block Unsolicited Incoming Packets checkbox is selected, firewall rules will be created to automatically block all inbound connections on the interface.
  9. In the MACSec menu, select:
    1. Parent Interface: the existing OS interface that the new MACSec interface will be bound to
    2. Interface: the name of the new interface to be created for the MACSec connection. If empty, the name will be macsecN, where N is a number starting at 0 and automatically incremented.
    3. MKA CKN: the MACSec Key Agreement Connectivity Association Key Name. Up to 64 hexadecimal characters that must be the same for all the MACSec participants
    4. MKA CAK: the MACSec Key Agreement Connectivity Association Key. Up to 32 hexadecimal characters that must be the same for all the MACSec participants
    5. Port: the port number to be used in the SCI (Secure Channel Identifier).
    6. Encrypt traffic: when selected, layer 2 traffic through this interface will be encrypted using the configured keys
    7. Fallback MKA CKN (optional): when set, the connection will switch to this MKA CKN in case of a mismatch in the primary MKA key between the participants of the MACSec connection (see the "Recommended key rotation procedure" section below).
    8. Fallback MKA CAK (optional): when set, the connection will switch to this MKA CAK in case of a mismatch in the primary MKA key between the participants of the MACSec connection (see the "Recommended key rotation procedure" section below).
  10. In IPv4 Mode menu, enter details:
    1. No IPv4 Address radio button
    2. DHCP radio button
    3. Static radio button (if selected, expands dialog). Enter IP Address, BitMask, and (optional) Gateway IP
    4. (optional) IPv4 DNS Server
    5. IPv4 DNS Search (defines a domain name for DNS lookups)
    6. IPv4 Default Route Metric
    7. Ignore obtained IPv4 Default Gateway checkbox
    8. Ignore obtained DNS server checkbox
  11. In IPv6 Mode menu, enter details:
    1. No IPv6 Address radio button
    2. Link local Only radio button.
    3. Address Auto Configuration radio button
    4. Stateful DHCPv6 radio button
    5. Static radio button (if selected, displays menu). Enter IP Address, Prefix Length, and (optional) Gateway IP.
  12. (optional) Enter IPv6 DNS Server.
    1. IPv6 DNS Search (defines domain name for DNS lookups)
    2. IPv6 Default Route Metric
    3. Ignore obtained IPv6 Default Gateway checkbox
    4. Ignore obtained DNS server checkbox
  13. Click Save.


Recommended key rotation procedure

When fallback keys are configured, the following procedure is recommended to rotate the encryption keys on the MACSec participants without losing connectivity.

  1. Repeat the following procedure (1.a. through 1.d.) on each MACSec participant:
    a. Copy MKA CKN to Fallback MKA CKN
    b. Copy MKA CAK to Fallback MKA CAK
    c. Commit
    d. The main and fallback MKA are now identical
  2. Create a new MKA (CKN and CAK)
  3. Repeat the following procedure (3.a. through 3.b.) on each MACSec participant:
    a. Set the new MKA CKN/CAK
    b. Commit
  4. Create a new fallback MKA (CKN and CAK)
  5. Repeat the following procedure (5.a. through 5.b.) on each MACSec participant:
    a. Set the new Fallback MKA CKN/CAK
    b. Commit
  6. All MACSec participants are now using the new main MKA
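The rotation procedure above, simulated as an added example that is not part of this documentation: three participants start on one shared MKA, the model checks after every commit that each pair still shares a key, and the result is compared with setting a new main MKA directly with no fallback. It assumes a simplified link model in which two peers stay connected whenever they share at least one configured key, main or fallback, and it ignores the short outage that occurs when a link falls back.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Mka:
    ckn: str  # Connectivity Association Key Name, up to 64 hex characters
    cak: str  # Connectivity Association Key, up to 32 hex characters

def new_mka():
    # Constructed random key pair at the maximum lengths the page allows
    return Mka(secrets.token_hex(32), secrets.token_hex(16))

@dataclass
class Participant:
    name: str
    main: Mka
    fallback: Optional[Mka] = None  # None when no fallback MKA is configured
    def keys(self):
        return {k for k in (self.main, self.fallback) if k is not None}

def mesh_up(peers):
    # Assumption: a link is up when the peers share at least one configured key
    return all(bool(a.keys() & b.keys())
               for i, a in enumerate(peers) for b in peers[i + 1:])

def rotate_with_fallback(peers):
    """Steps 1-5 of the page; records whether the mesh is up after each commit."""
    old_main, states = peers[0].main, []
    for p in peers:                      # step 1: copy main -> fallback, commit
        p.fallback = p.main
        states.append(mesh_up(peers))
    new_main = new_mka()                 # step 2: create a new MKA
    for p in peers:                      # step 3: set the new main MKA, commit
        p.main = new_main
        states.append(mesh_up(peers))
    new_fallback = new_mka()             # step 4: create a new fallback MKA
    for p in peers:                      # step 5: set the new fallback, commit
        p.fallback = new_fallback
        states.append(mesh_up(peers))
    old_key_gone = all(old_main not in p.keys() for p in peers)
    return states, old_key_gone

def rotate_naive(peers):
    """Set the new main MKA participant by participant, no fallback configured."""
    new_main, states = new_mka(), []
    for p in peers:
        p.main = new_main
        states.append(mesh_up(peers))
    return states
```

With the fallback procedure the mesh stays up after all nine commits and the old MKA is no longer configured anywhere at the end; the naive rotation loses connectivity between rotated and not-yet-rotated participants until the last commit.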