MACsec Configuration on Enterprise SONiC Switch

Media Access Control Security (MACsec) is a link-layer encryption technology standardized by IEEE 802.1AE, designed to provide data confidentiality, integrity, and replay protection over Ethernet links. In the Data Center Interconnect (DCI) context, MACsec establishes secure channels over physical or logical links between different data centers, effectively mitigating common threats such as man-in-the-middle attacks, eavesdropping, and replay attacks, thereby ensuring the security and trustworthiness of critical business data during cross-domain transmission. Learn More→

By deploying MACsec, organizations can achieve high-performance, low-latency encryption protection on inter-data center links, meeting the stringent data security requirements of industries such as finance, government, and telecommunications.

Before accessing the MACsec and MKA commands, you must enable the MACsec feature globally.

Configure the MKA policy (Connectivity Association, CA) and key information.

Data Center Interconnect (DCI) often leverages dark fiber infrastructure to establish high-capacity, low-latency physical links between geographically separated data centers. These dark fiber links provide exclusive, dedicated optical channels, minimizing exposure to external network segments. However, even on dark fiber, the risk of unauthorized physical access, fiber tapping, or insider threats still exists, posing confidentiality challenges for sensitive data traversing between data centers.

To address these confidentiality concerns, MACsec is increasingly adopted as an effective Layer 2 encryption and authentication solution within DCI deployments over dark fiber. MACsec provides per-frame encryption directly on Ethernet links, ensuring that all data transmitted between data centers remains confidential and tamper-proof.
By encrypting data at the data link layer, MACsec prevents unauthorized parties from eavesdropping or modifying inter-data center traffic—even if physical access to the fiber is compromised. Since MACsec operates transparently at Layer 2, it requires no changes to higher-layer protocols or applications, facilitating seamless integration into existing DCI architectures.
Moreover, MACsec’s low latency and wire-speed encryption capabilities align perfectly with the stringent performance requirements of DCI links, where high throughput and minimal delay are critical for workloads such as virtual machine migration, real-time data replication, and disaster recovery.

3.1.1.1 Requirements

To secure data transmission between the two devices by MACsec, perform the following tasks on Switch A and Switch B, respectively:

• Enable MACsec replay protection and configure the replay protection window size to 100;
• Set the MACsec validation mode to strict;
• Set the Switch A as the MACsec Key Server.

3.1.1.2 Topology

In 5G front-haul networks, security is a critical concern due to the transmission of sensitive control, user, and management plane data between the centralized baseband unit (CU/DU) and remote radio units (RRUs). As 5G deployments increasingly adopt Ethernet-based transport (e.g., eCPRI), these front-haul links are exposed to potential threats such as eavesdropping, frame injection, and man-in-the-middle attacks — particularly when operating over shared or untrusted infrastructure.

C/U/M-Plane Vulnerabilities
If an attacker gains access to the Distributed Unit (DU) or Radio Unit (RU) — either via a man-in-the-middle (MITM) attack or direct physical access — they could impersonate a legitimate RU or DU and inject malicious control messages. This may disrupt the normal operation of upper-layer protocols, manipulate user data flows, or degrade service performance.
MACsec mitigates these risks by enforcing identity authentication through Connectivity Association Keys (CAKs). Only nodes that belong to the same Connectivity Association (CA) are allowed to transmit or receive Ethernet frames. Session Authentication Keys (SAKs), derived from the CAK, are used to encrypt Ethernet frames with strong cryptographic algorithms, ensuring that attackers cannot access payload data. Integrity checks further verify that received frames have not been altered, providing robust protection against injection or modification attacks. Additionally, MACsec leverages incremental Packet Numbers (PNs) within each Secure Association (SA) to track frame sequences, enabling detection of reordering, replay, or delayed transmissions.

S-Plane Vulnerabilities
The synchronization plane (S-plane) must meet stringent latency and timing accuracy requirements, with protocols such as ITU-T G.8275.1 PTP and Synchronous Ethernet. Even microsecond-level delays introduced by an attacker can severely disrupt services. Threats include impersonating grand master clocks, boundary clocks, or slave clocks, and injecting malicious or spoofed synchronization frames. Attackers can also delay, repeat, or offset sync messages, causing misalignment and network-wide timing disruption.
MACsec protects the S-plane by authenticating all participating nodes and encrypting frames to ensure integrity and confidentiality. Its low-latency encryption and replay protection prevent tampering and mitigate timing-based attacks, while implementations must carefully comply with the strict timing requirements to avoid introducing synchronization errors.

3.2.1.1 Requirements
In a 5G fronthaul deployment, MACsec is implemented to secure all data planes while maintaining minimal latency.

• C/U-Plane uses GCM-AES-XPN-128
• S-Plane uses GCM-AES-128
• M-Plane uses GCM-AES-128

The switch operates as a Transparent Clock (TC) and adopts a two-step time synchronization mechanism to ensure high-precision timing.

3.2.1.1 Topology