Layer 2 WAN and MACSec

Hi All,

Will MACSec between two 3560X switches work across a Layer 2 WAN?


Fahad Wasi

According to what I understand or know, it is a MAC-based security feature or standard. The Data Link Layer of the OSI model has 2 sublayers:

1) Logical Link Control (LLC).

2) MAC (Media Access Control).

As it is a MAC-based standard, it can support Layer 2 WAN.

The MAC layer acts as an interface between the Logical Link Control layer and the physical layer of the OSI model.

Thanks Fahad. From my understanding, MACsec operates on a hop-by-hop basis, so encryption is supposed to take place between hops and not over them, according to this document:

I've come across something that indicates it works over EoMPLS:

But I wanted to know if anyone has actually done it. Also if it works with providers who use Q-in-Q.


You are correct sganpat, it works on L3 interfaces.

Hello Sachin,

I'd like to ask whether MACsec worked for you over the MPLS. I guess you used a p2p PW, right?

Thank you very much



Hi Adam.

We didn't bother with it. We ended up going with 15Mb WAN links and using firewalls w/VPN at the edge instead. It came out cheaper and it works so far.

I'm sorry that I couldn't be of more help to you.


I've seen MACsec work over SDH and other carrier links. Oddly, I am seeing some issues with a Cisco-only provider who is using QinQ and they cannot get it to pass. The EtherTypes 0x888e (EAPOL) and 0x88e5 (MACsec) are critical in the negotiation.

I am also planning MACsec encryption for the DCI links. Since MACsec encryption is on a hop-by-hop basis, the DCI link should not expect to have Ethernet encapsulation happening on the telco side (there could be exceptions with EoMPLS or some pseudowire tunnels).

The link I am planning is an unprotected wave (transparent Layer 1 service with optical encapsulation in the carrier network).


Please let me know if anybody has successfully implemented MACsec over a long-distance carrier network.



I have implemented it across many WANs. Had an issue with Cogent on a 7600 and they replaced a line card and it's online. Have deployed over carriers with SDH, DWDM and long-haul L2 circuits. At times you have to battle with the carrier to ensure they support EtherTypes 0x888e (EAPOL) and 0x88e5 (MACsec); I would recommend you provide a minimum requirements list in the contract so you can hold them to supporting it.
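Two posts in this thread make the same practical point: a MACsec session across a carrier circuit only comes up if the carrier forwards both EtherType 0x888e (EAPOL, which carries the MKA key-agreement frames) and 0x88e5 (the MACsec-protected data frames), and Q-in-Q encapsulation can get in the way. The following is an added example, not code from the thread or from any vendor, that shows how to check this from captures taken on the local port and at the far end: it strips stacked 802.1Q/802.1ad tags, classifies each frame by its innermost EtherType, and reports which control-plane frame kinds were sent but never received. The frame bytes, MAC addresses and VLAN IDs are constructed test data; the PAE group address 01:80:c2:00:00:03 and the EtherType values are the standard ones.

```python
"""Classify Ethernet frames by innermost EtherType to see whether a carrier
circuit passes MACsec/MKA traffic.  Added example with constructed frames."""
import struct

ETHERTYPE_EAPOL = 0x888E    # 802.1X EAPOL; MKA key agreement rides on it
ETHERTYPE_MACSEC = 0x88E5   # 802.1AE MACsec SecTAG
VLAN_TAG_TYPES = {0x8100, 0x88A8, 0x9100}  # 802.1Q C-tag, 802.1ad S-tag, legacy Q-in-Q
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address used by MKA

KIND_BY_ETHERTYPE = {ETHERTYPE_EAPOL: "EAPOL/MKA", ETHERTYPE_MACSEC: "MACsec"}


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble a frame with zero or more stacked VLAN tags (test-data helper)."""
    frame = bytearray(dst + src)
    for tpid, vid in tags:                      # outer tag first
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


def innermost_ethertype(frame):
    """Skip stacked 802.1Q/802.1ad tags; return (ethertype, [vlan ids outer..inner])."""
    offset = 12                                 # past dst + src MAC
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType at offset %d" % offset)
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype not in VLAN_TAG_TYPES:
            return etype, vlan_ids
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        vlan_ids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VID
        offset += 2


def classify(frame):
    """Return (kind, ethertype, vlan_ids); kind is EAPOL/MKA, MACsec or other."""
    etype, vlans = innermost_ethertype(frame)
    return KIND_BY_ETHERTYPE.get(etype, "other"), etype, vlans


def control_plane_report(sent, received):
    """Compare frame kinds captured on the local port with those captured at the
    far end; a kind present in `sent` but absent in `received` is being dropped
    somewhere in the carrier network."""
    seen_sent = {classify(f)[0] for f in sent}
    seen_recv = {classify(f)[0] for f in received}
    dropped = sorted(k for k in ("EAPOL/MKA", "MACsec")
                     if k in seen_sent and k not in seen_recv)
    return {"sent": sorted(seen_sent), "received": sorted(seen_recv), "dropped": dropped}


# Constructed sample: local switch emits an MKA hello (EAPOL type 5), a
# MACsec-protected frame and a plain VLAN-tagged IPv4 frame.
LOCAL_MAC = bytes.fromhex("0011223344aa")       # constructed
REMOTE_MAC = bytes.fromhex("0011223344bb")      # constructed
MACSEC_PAYLOAD = bytes([0x2C, 0x00]) + b"\x00" * 8   # constructed SecTAG bytes
SENT = [
    build_frame(PAE_GROUP_MAC, LOCAL_MAC, [], ETHERTYPE_EAPOL, bytes([3, 5, 0, 0])),
    build_frame(REMOTE_MAC, LOCAL_MAC, [], ETHERTYPE_MACSEC, MACSEC_PAYLOAD),
    build_frame(REMOTE_MAC, LOCAL_MAC, [(0x8100, 10)], 0x0800, b"\x45" + b"\x00" * 19),
]
# Far end, captured inside the carrier's Q-in-Q S-tag: the EAPOL frame never arrives.
RECEIVED = [
    build_frame(REMOTE_MAC, LOCAL_MAC, [(0x88A8, 100)], ETHERTYPE_MACSEC, MACSEC_PAYLOAD),
    build_frame(REMOTE_MAC, LOCAL_MAC, [(0x88A8, 100), (0x8100, 10)], 0x0800,
                b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for f in SENT:
        print("sent    ", classify(f))
    for f in RECEIVED:
        print("received", classify(f))
    print(control_plane_report(SENT, RECEIVED))
```

In real use, replace the constructed `SENT` and `RECEIVED` lists with frame bytes read from captures on both ends of the circuit; an MKA session that never leaves "pending" on the local switch together with a report showing `EAPOL/MKA` under `dropped` points at the carrier filtering 0x888e, which is exactly the contractual requirement the post above recommends spelling out.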



Did you use Cisco switches or routers for MACsec over DWDM? Did you see that MACsec works between two Cisco switches over DWDM or EoMPLS?