Tags in clear text behavior by traffic encapsulation type

The following table describes how single or double tags in clear text configuration under a connectivity association affect different traffic flow encryptions.

By default, all tags are encrypted in a CA. An MKA can be generated without any tags (untagged), but the data being matched can be based on dot1q or QinQ.

Table 1. Behavior of tags in clear text
Configuration Traffic pattern match/behavior Subport CA configuration: no tag in clear text Subport CA configuration: single-tag in clear text Subport CA configuration: double-tag in clear text

All-encap

Matches all traffic on port, including untagged, single-tag, double-tag

MKAPDU: untagged

Untagged traffic: encrypted

Single-tag traffic: encrypted, no tag in clear

Double-tag traffic: encrypted, no tag in clear

MKAPDU: untagged

Untagged traffic: in clear

Single-tag traffic: encrypted, single-tag in clear

Double-tag traffic: encrypted, single-tag in clear

MKAPDU: untagged

Untagged traffic: in clear

Single-tag traffic: in clear

Double-tag traffic: encrypted, double-tag in clear

Untagged

Matches only untagged traffic on port

MKAPDU: untagged

Untagged traffic: encrypted

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic: not matched by this MACsec policy

N/A

N/A

802.1Q single tag (specific tag)

Matches only single-tag traffic on port with the configured tag value

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: tag is encrypted

Double-tag traffic: not matched by this MACsec policy

MKAPDU: same tag as the one configured under encap-match

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: tag is in clear

Double-tag traffic: not matched by this MACsec policy

N/A

802.1Q single tag (any tag)

Matches all single-tag traffic on port

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: encrypted

Double-tag traffic: not matched by this MACsec policy

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: encrypted with single tag in clear

Double-tag traffic: not matched by this MACsec policy

N/A

802.1ad double tag (both tags have specific values)

Matches only double-tag traffic on port with both configured tag values

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic matching both configured tags: encrypted, no tag in clear

MKAPDU: single tag, equal to S-TAG

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic matching both configured tags: single S-TAG in clear

MKAPDU: double tag, equal to the values configured under encap-match

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic matching both configured tags: encrypted, both tags in clear

802.1ad double tag (specific S-TAG, any C-TAG)

Matches only double-tag traffic on port with the configured S-TAG

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic matching the configured S-TAG: encrypted, no tag in clear

MKAPDU: single tag, equal to S-TAG

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic matching the configured S-TAG: S-TAG tag in clear

MKAPDU: single tag, equal to S-TAG

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic matching the configured S-TAG: both tags in clear

802.1ad double tag (any S-TAG, any C-TAG

Matches all double-tag traffic on port

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic: encrypted, no tag in clear

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic: S-TAG tag in clear

MKAPDU: untagged

Untagged traffic: not matched by this MACsec policy

Single-tag traffic: not matched by this MACsec policy

Double-tag traffic: both tags in clear