MACsec — Layer-2 Encryption for Transport Networks

IEEE 802.1AE MACsec encrypts and authenticates every Ethernet frame between two directly connected routers at wire speed: no IPsec tunnel encapsulation, no per-flow tunnel state, only a fixed per-frame overhead, and no software crypto in the forwarding path. OcNOS implements MACsec with 256-bit AES-GCM, EAPoL-MKA key management, and hitless rekey on validated 100G and 400G platforms.

Encrypted Hop Between Two OcNOS Routers

A point-to-point MACsec link between two PE routers. Each frame carries a SecTAG (which holds the packet number and association number) and a trailing ICV; the AES-GCM 256 cipher runs in the ASIC at line rate, while EAPoL-MKA in the control plane authenticates the peers with the pre-shared CAK and distributes SAKs from the elected key server.

[Figure: Two OcNOS routers, PE-A and PE-B, connected by a single point-to-point link carrying Customer-A and Customer-B traffic. The link is protected by 802.1AE MACsec with AES-GCM 256; EAPoL-MKA on each side holds the CAK/CKN and distributes the SAK, with one Secure Channel per direction. Labels: 802.1AE, AES-GCM 256, MKA, hitless rekey, line rate.]

Why MACsec for transport networks

Operators carrying multi-tenant traffic over leased fibre, dark wave, or shared metro infrastructure increasingly need encryption at every hop, not just at the IP layer. MACsec wraps every Ethernet frame in a SecTAG and an integrity check value (ICV), with the cipher running on the ASIC at line rate. The only MTU impact is the MACsec overhead itself: an 8-byte SecTAG (16 bytes when the SCI is carried explicitly) plus a 16-byte ICV, so at most 32 bytes per frame; size link MTUs to carry that so the largest customer frame still fits. There is no software bottleneck and no per-flow tunnel state, just an encrypted hop.

The OcNOS MACsec implementation

Cipher Suites

AES-GCM 128 / 256

Both GCM-AES-128 and GCM-AES-256 cipher suites are supported, together with their extended packet numbering (XPN) variants for high-bandwidth links. The 32-bit packet number of the base suites can be exhausted in under a minute of minimum-size frames at 100G, forcing a rekey each time; XPN extends the packet number to 64 bits so an SA is not rolled over prematurely.
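To make the frame overhead and the packet-number arithmetic from the two passages above concrete, the following is an added example (not OcNOS code and not tied to any OcNOS API). It parses the IEEE 802.1AE SecTAG of a hand-constructed MACsec frame, reports the per-frame overhead, and estimates how long a transmit SA lasts before its packet-number space is exhausted at a given link rate; the sample frame, the link rates and the `pn_headroom` helper are all constructed here for illustration.

```python
"""Parse an 802.1AE SecTAG and estimate packet-number (PN) exhaustion.
Added example with a constructed frame; not OcNOS code."""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16                 # GCM-AES-128/256 ICV is 128 bits
MIN_FRAME_BYTES = 64         # minimum Ethernet frame on the wire (worst case for PN usage)
PREAMBLE_IFG_BYTES = 8 + 12  # preamble + inter-frame gap occupied per frame at the PHY


def parse_sectag(frame: bytes) -> dict:
    """Return the SecTAG fields of an encrypted frame laid out as
    dst MAC | src MAC | SecTAG | secure data | ICV."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, 14)
    tag = {
        "version": tci_an >> 7,            # V bit, must be 0
        "es": bool(tci_an & 0x40),         # end station: SCI = src MAC || port 1, not carried
        "sc": bool(tci_an & 0x20),         # SC bit: explicit 8-byte SCI follows the PN
        "scb": bool(tci_an & 0x10),        # EPON single-copy broadcast
        "encrypted": bool(tci_an & 0x08),  # E bit: user data is encrypted, not just authenticated
        "changed": bool(tci_an & 0x04),    # C bit: user data differs from the clear-text frame
        "an": tci_an & 0x03,               # association number 0..3 selects the SAK
        "sl": sl,                          # short length: 0 unless user data is < 48 bytes
        "pn": pn,                          # 32-bit PN on the wire; XPN keeps the upper 32 bits per SA
    }
    offset = 20                            # 12 (MACs) + 2 (EtherType) + 1 + 1 + 4
    if tag["sc"]:
        tag["sci"] = frame[offset:offset + 8].hex()
        offset += 8
    tag["sectag_len"] = offset - 12        # 8 without SCI, 16 with SCI
    tag["secure_data_len"] = len(frame) - offset - ICV_LEN
    if sl and tag["secure_data_len"] != sl:
        raise ValueError("short-length field disagrees with frame length")
    tag["macsec_overhead"] = tag["sectag_len"] + ICV_LEN
    return tag


def pn_exhaustion_seconds(pn_bits: int, link_bps: float,
                          frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Seconds until a transmit SA uses its last packet number at a steady
    rate of `frame_bytes`-byte frames; smallest frames are the worst case."""
    frames_per_second = link_bps / ((frame_bytes + PREAMBLE_IFG_BYTES) * 8)
    return (2 ** pn_bits - 1) / frames_per_second


def pn_headroom(pn: int, pn_bits: int) -> float:
    """Fraction of the PN space still unused; an operator-chosen alert threshold
    (hypothetical here) would fire when this drops below, say, 0.1."""
    return 1.0 - pn / (2 ** pn_bits - 1)


# Constructed sample: SC|E|C set, AN=2, PN=0xABCD, explicit SCI, 64 bytes of
# stand-in ciphertext and a zeroed stand-in ICV (no real GCM is run here).
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                                     # destination MAC
    + bytes.fromhex("66778899aabb")                                   # source MAC
    + struct.pack("!HBBI", MACSEC_ETHERTYPE, 0x2E, 0, 0x0000ABCD)     # SecTAG header
    + bytes.fromhex("66778899aabb0001")                               # SCI = src MAC || port 1
    + bytes(range(64))                                                # secure data
    + bytes(ICV_LEN)                                                  # ICV
)

if __name__ == "__main__":
    tag = parse_sectag(SAMPLE_FRAME)
    print("AN=%d PN=%d overhead=%d bytes SCI=%s" %
          (tag["an"], tag["pn"], tag["macsec_overhead"], tag.get("sci")))
    for bits in (32, 64):
        print("PN %d-bit at 100G, 64-byte frames: %.1f s" %
              (bits, pn_exhaustion_seconds(bits, 100e9)))
```

The 32-bit case comes out at roughly 29 seconds at 100G with minimum-size frames, which is why the page pairs XPN with high-bandwidth links; the 64-bit space lasts thousands of years at the same rate.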

Key Management

EAPoL-MKA + PSK

A pre-shared CAK, identified by its CKN, authenticates the MKA peers; the elected key server then generates and distributes SAKs over EAPoL-MKA. CKN/CAK pairs roll on a configurable schedule with no operator intervention required.

Hitless Rekey

Zero-loss rotation

SAK rotation happens in-band without packet loss using overlapping receive associations: the new SAK is installed for receive on both peers before either side transmits with it, so frames still in flight under the old key are verified normally. Rekey on time, packet count, or operator trigger.
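The reason overlapping receive associations matter is easiest to see by simulating the rotation with and without them. The following is an added example, not OcNOS code: it models the 802.1AE association-number/SAK handling abstractly (a frame "verifies" when the receiver still holds the SAK its AN refers to) instead of running real GCM, and the SAK names, frame counts and the `RxSecY` class are all constructed for the illustration.

```python
"""Simulate SAK rotation with and without overlapping receive SAs.
Added example, not OcNOS code; ICV verification is modelled, not computed."""
from collections import deque


class RxSecY:
    """Receive side of one Secure Channel.  With overlap=True the previous SA
    stays installed beside the new one (what hitless rekey relies on); with
    overlap=False the key is replaced immediately, as a naive implementation would."""

    def __init__(self, overlap: bool):
        self.overlap = overlap
        self.sas = {}                   # AN (0..3) -> SAK identifier, insertion ordered

    def install_sak(self, an: int, sak: str) -> None:
        if not self.overlap:
            self.sas.clear()
        self.sas.pop(an, None)          # re-using an AN replaces, rather than reorders, its key
        self.sas[an] = sak
        while len(self.sas) > 2:        # keep the current and the previous SA only
            self.sas.pop(next(iter(self.sas)))

    def verify(self, an: int, sak: str) -> bool:
        """Stand-in for ICV verification: succeeds only if the SAK for this AN is installed."""
        return self.sas.get(an) == sak


def simulate_rekey(overlap: bool, inflight: int = 5, after: int = 5) -> dict:
    """Rotate from (AN0, SAK-0) to (AN1, SAK-1) while `inflight` frames encrypted
    under the old SAK are still on the wire; returns accepted/dropped counts."""
    rx = RxSecY(overlap)
    link = deque()                      # frames in flight, oldest first: (AN, SAK)
    rx.install_sak(0, "SAK-0")
    for _ in range(inflight):           # transmitter still using AN0 / SAK-0
        link.append((0, "SAK-0"))
    # Key server distributes SAK-1; every receiver installs it for receive first.
    rx.install_sak(1, "SAK-1")
    for _ in range(after):              # only now does the transmitter switch to AN1 / SAK-1
        link.append((1, "SAK-1"))
    accepted = dropped = 0
    while link:
        an, sak = link.popleft()
        if rx.verify(an, sak):
            accepted += 1
        else:
            dropped += 1                # would surface as an ICV failure counter on the wire
    return {"accepted": accepted, "dropped": dropped}


if __name__ == "__main__":
    print("overlapping receive SAs:", simulate_rekey(True))
    print("naive single-key receiver:", simulate_rekey(False))
```

With overlap the rotation loses nothing; the naive receiver discards every frame that was already in flight under the old SAK, which is exactly the burst of ICV failures an operator would otherwise see at each rekey.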

Validated Platforms

100G / 400G line rate

Validated MACsec on UfiSpace, Edgecore, and Wedge platforms with per-port encryption at full link rate — no aggregate cap, no port-group limits.

Per-Port Mode

Selective enablement

Enable MACsec per physical port or per channel; mix encrypted and clear-text ports on the same chassis to fit hybrid deployments.

Telemetry

Counters + state

gNMI sensors for SecY counters, MKA participant state, packet-number high-water marks, and ICV failures: enough to alert on an SA approaching exhaustion or a peer failing verification before a key expires.

Operational guarantees with OcNOS MACsec

  • Standards-aligned. Full IEEE 802.1AE-2018 plus 802.1X-2020 MKA, interoperable on the wire with major vendor implementations.
  • No license unlock games. MACsec ships in the base OcNOS-SP image on supported platforms; no per-port encryption license tax.
  • Hitless software upgrades. ISSU on supported chassis preserves MACsec sessions across NOS upgrades — encryption stays up.
  • Mature operations. CLI, NETCONF, and gNMI configuration paths; ZTP-friendly for Day-0 provisioning of CKN/CAK pairs.

Designing an encrypted transport network? Talk to a network architect.

Request a Technical Demo →