Cisco MacSec over Juniper\Cisco MPLS

I would like to share a case I had involving MacSec over a layer 3 link.

The equipment was: 2 Cisco Switches (3750X), Cisco 2821 Router, Juniper J4350 Router.

Objective: establish MacSec between the Switches.

First of all MacSec will not work on layer 3, to make it work we need to emulate layer 1 between the switches, I did this VIA MPLS (Ethernet over MPLS).

OSPF configuration :
Router-1 (Juniper)
# Set interfaces ge-0/0/1 unit 0 family inet address
# Set interfaces lo0 unit 0 family inet address
# Set protocols ospf area interface ge-0/0/1
# Set protocols ospf area interface lo0
Router-2 (Cisco)
interface FastEthernet0/0
  ip address
interface Loopback1
  ip address
router ospf 10
  network area 0
  network area 0
At this point we should see the OSPF neighboring is up and the loopbacks are known to both routers

MPLS configuration :

# set interfaces ge-0/0/1 unit 0 family mpls
# set interfaces ge-0/0/2 encapsulation ethernet-ccc;
# set interfaces ge-0/0/2 unit 0 family ccc;
# set protocols mpls interface all
# set protocols ldp interface ge-0/0/1
# set protocols ldp interface lo0
# set protocols l2circuit neighbor interface ge-0/0/2.0 virtual-circuit-id 10
mpls ldp router-id Loopback1 force
interface FastEthernet0/0
  mpls ip
interface FastEthernet0/1
  xconnect 10 encapsulation mpls
Now we should see the MPLS is also up, both the LDP and the virtual circuit
In case the VC is not up try to change the circuit number..

Finally the MacSec itself..

From Both Switches
interface GigabitEthernet2/0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
    cts manual
         no propagate sgt
         sap pmk [MacSec Key] mode-list gcm-encrypt null no-encap
Let's test..!
Switch-1#show macsec summary
Interface                Transmit SC              Receive SC
GigabitEthernet2/0/1      1                              1

For more info:
Switch-2#show macsec interface gigabitEthernet 1/0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Max. Rx SA : 16
Max. Tx SA : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
Transmit Secure Channels
SCI : 503DE58713810000
Elapsed time : 03:58:49
Current AN: 1 Previous AN: -
SC Statistics
Auth-only (0 / 0)
Encrypt (30755 / 0)
Receive Secure Channels
SCI : C89C1D66EF010000
Elapsed time : 03:58:49
Current AN: 1 Previous AN: -
SC Statistics
Notvalid pkts 0 Invalid pkts 0
Valid pkts 3044 Late pkts 0
Uncheck pkts 0 Delay pkts 0
Port Statistics
Ingress untag pkts 0 Ingress notag pkts 1852
Ingress badtag pkts 0 Ingress unknownSCI pkts 0
Ingress noSCI pkts 0 Unused pkts 0
Notusing pkts 0 Decrypt bytes 6953955
Ingress miss pkts 1852

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR


  1. Did you need a scpecial module on the switches?

    1. Nope. Regular switches with no special module / IOS / License ... :)

  2. Hello, and when is that you need a special module? meybe for fiber?
    You didnt need one because was a 1G copper uplink, right?
    Thank you

    1. Thank you for asking, Cisco switch needs to support the MacSec most switches support it as is but some do need a module.
      for instance C3750-X needs a network module, For this switch I used the C3KX-10G-NM this module provides 10G SFP ports to the switch and enables the use of MacSec.

  3. Valentine, i'm trying to set this up and not working for us. we have 3750x with c3kx-sm-10g.

    our config is simple and going through a layer2 private link.

    this is what i have on my G1/1/2
    ts manual
    no propagate sgt
    sap pmk [mykey....] mode-list gcm-encrypt null no-encap