MKA

Each MACsec peer runs the MACsec key agreement (MKA) protocol. A node can run multiple MKA instances, depending on the number of CAs the node belongs to. Each MKA instance is protected by a distinct secure CAK. This allows each port authentication entity (PAE) to ensure that information for an MKA instance is accepted only from other peers that also possess that CAK, which identifies those peers as members or potential members of the same CA. See MACsec static CAK for information about the CAK identification process performed via the CKN.

Note: For an MKA session to be established, the MTU configured in the network must be at least as large as the MACsec control plane signaling messages. The size of these signaling messages depends on a number of factors, such as the number of peers and the cipher suite selected.