MKAPDU generation
The following table describes the MKAPDUs generated for different traffic encapsulation matches.
| Configuration | Configuration example (<s-tag>.<c-tag>) | MKA packet generation | Traffic pattern match/behavior |
|---|---|---|---|
|
All-encap |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match all-encap ca-name 10 |
Untagged MKA packet |
Matches all traffic on port, including untagged, single-tag, and double-tag (default behavior) |
|
Untagged |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match untagged ca-name 2 |
Untagged MKA packet |
Matches only untagged traffic on port |
|
802.1Q single S‑TAG (specific S‑TAG) |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match single-tag 1 ca-name 3 |
MKA packet generated with S-TAG=1 |
Matches only single-tag traffic on port with tag ID of 1 |
|
802.1Q single S‑TAG (any S‑TAG) |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match single-tag * ca-name 4 |
Untagged MKA packet |
Matches any dot1q single-tag traffic on port |
|
802.1ad double tag (both tags have specific TAGs) |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match double-tag 1.1 ca-name 4 |
MKA packet generated with S-TAG=1 and C-TAG=1 |
Matches only double-tag traffic on port with service tag of 1 and customer tag of 1 |
|
802.1ad double tag (specific S‑TAG, any C‑TAG) |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match double-tag 1.* ca-name 7 |
MKA packet generated with S-TAG=1 |
Matches only double-tag traffic on port with service tag of 1 and customer tag of any |
|
802.1ad double tag (any S‑TAG, any C‑TAG) |
config>port>ethernet>dot1x.macsec>sub-port 10>encap-match double-tag *.* ca-name 8 |
Untagged MKA packet |
Matches any double-tag traffic on port |