Notes - WAN MACsec Config Guide
The 802.1Q tag in the clear feature leaves the outer VLAN tag unencrypted. This allows EVPL (Ethernet Virtual Private Line) services to work, and also allows QoS to be applied on a per-VLAN basis using the CoS field that is now visible in the 802.1Q tag.
Both MACsec and non-MACsec subinterfaces can co-exist on the same physical interface.
Both 128-bit and 256-bit AES-GCM are available for encrypting data packets. Both 128-bit and 256-bit AES-CMAC are available for protecting MKA control packets.
MTU overhead with MACsec is 32 bytes (a 16-byte SecTAG header and a 16-byte ICV trailer). It is recommended to explicitly configure the interface MTU to account for this.
You can use macsec access-control should-secure|must-secure to control whether unencrypted packets are allowed on the physical interface and its subinterfaces.
should-secure means that unencrypted packets are allowed
must-secure means that unencrypted packets are dropped
The default setting is must-secure
The should-secure option can only be configured at the physical interface level
If you will have non-MACsec subinterfaces, you need to configure should-secure on the physical interface; otherwise their unencrypted traffic is dropped
Replay protection is a MACsec feature that prevents replay attacks: each packet carries a unique packet number, and the remote end verifies it. However, a SP network might reorder packets, so a window can be defined that allows a given number of packets to be received out of order. The default window size is 64, and it is set with macsec replay-protection window-size.
WAN MACsec also works over an E-LAN (multipoint) service. The configuration is no different; you just make sure all CEs use the same PSK.
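The following is an added example pulling the notes above together into one IOS XE configuration; it is not taken from the original page or from a Cisco document, and the key chain name, policy name, interface numbers, VLAN IDs and addresses are assumptions. It uses a 256-bit CAK with AES-256-CMAC for MKA and GCM-AES-256 for data, raises the physical MTU by the 32-byte MACsec overhead, leaves one 802.1Q tag in the clear, sets should-secure so a non-MACsec subinterface can coexist, and keeps the default replay window of 64. The same key chain and policy are configured on every CE that shares the service (point-to-point or E-LAN).

```cisco
! Pre-shared CAK/CKN used by MKA; key-string is a placeholder for a 64-hex-digit 256-bit CAK
key chain KC-MACSEC macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string <64-hex-digit-CAK>
!
! Cipher suite for the data plane
mka policy MKA-POL
 macsec-cipher-suite gcm-aes-256
!
! Physical interface: MTU raised for the 16-byte SecTAG + 16-byte ICV,
! outer VLAN tag left in the clear, unencrypted subinterfaces permitted,
! replay window explicitly set to the default of 64
interface GigabitEthernet0/0/1
 mtu 1532
 macsec dot1q-in-clear 1
 macsec access-control should-secure
 macsec replay-protection window-size 64
 no shutdown
!
! MACsec subinterface (EVPL to a remote CE holding the same PSK)
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 mka policy MKA-POL
 mka pre-shared-key key-chain KC-MACSEC
 macsec
!
! Non-MACsec subinterface on the same physical port; only forwards because
! the physical interface is should-secure
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
```

If every subinterface on the port is MACsec, omit macsec access-control should-secure and let the default must-secure drop any unencrypted frames. Lower the replay window toward 0 only where the provider path is known not to reorder frames, since a window that is too small causes legitimate out-of-order packets to be discarded.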