
Express Connect:MACsec

Last Updated:Jun 04, 2026

MACsec (Media Access Control Security) is an IEEE 802.1AE Layer 2 encryption protocol that provides low-latency, hardware-based data encryption on physical connections. If MACsec is enabled on a physical port, manage its keys on the MACsec tab of the port details page.

Overview

Key concepts:

  • CKN (Connectivity Association Key Name): Uniquely identifies a CAK. MKA protocol participants use the CKN to select the correct CAK for key negotiation.

  • CAK (Connectivity Association Key): Used for MACsec control plane communication. The CAK is not used directly for data encryption but serves as the basis for deriving the SAK.

  • SAK (Secure Association Key): Used for actual data encryption and decryption. The system automatically derives the SAK from a CKN/CAK pair and periodically regenerates it.

  • MKA (MACsec Key Agreement): Establishes and manages the MACsec secure channel and negotiates keys.

Supported encryption algorithms:

  • GCM-AES-128

  • GCM-AES-XPN-128

  • GCM-AES-256

  • GCM-AES-XPN-256

Important

For high-bandwidth links, use GCM-AES-XPN-256. Its extended packet number (XPN) reduces how often the SAK must be renegotiated, which prevents packet loss from control plane overload.

Associate keys

Make sure you enabled MACsec when creating the physical port; it cannot be enabled on an existing port.

  1. Click the target physical port ID to open its details page, then click the MACsec tab.

    This tab appears only for physical ports that support MACsec encryption. If the tab is missing, MACsec was not enabled when the port was created.
  2. Click Associate MACsec Keys, select an Encryption Algorithm, and then enter the Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK). Both the CKN and CAK must be strings of hexadecimal characters (0-9, A-F):

    • For the GCM-AES-128 and GCM-AES-XPN-128 algorithms, the CKN and CAK must be 32 hexadecimal characters (128 bits) long.

    • For the GCM-AES-256 and GCM-AES-XPN-256 algorithms, the CKN and CAK must be 64 hexadecimal characters (256 bits) long.

  3. Click OK. After the key is added, the system uses the most recently added key to initiate MKA negotiation. The key then shows one of the following states:

    • Associating: The key is being verified and negotiated.

    • Associated: The key has been verified and associated.

    • Failed: Key verification failed. Click Re-associate to retry.

    • Disassociated: The key has been disassociated.
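The console rejects a CKN or CAK whose length or character set does not match the selected algorithm. The following Python snippet is an added example, not part of the Alibaba Cloud documentation or product, that applies the same rules locally before a pair is entered in the console and configured on the CPE, and that generates a fresh pair of the correct size from the operating system's CSPRNG. The function and variable names are assumptions made for this example.

```python
import re
import secrets

# Required CKN/CAK length in hexadecimal characters for each supported
# algorithm, as stated on this page (32 hex chars = 128 bits, 64 = 256 bits).
KEY_HEX_LENGTH = {
    "GCM-AES-128": 32,
    "GCM-AES-XPN-128": 32,
    "GCM-AES-256": 64,
    "GCM-AES-XPN-256": 64,
}

# The page lists the allowed characters as 0-9 and A-F; lowercase input is
# folded to uppercase by normalize_hex() before validation.
HEX_RE = re.compile(r"^[0-9A-F]+$")


def normalize_hex(value):
    """Strip surrounding whitespace and fold to uppercase hex."""
    return value.strip().upper()


def validate_macsec_keys(algorithm, ckn, cak):
    """Return a list of problems with the CKN/CAK pair; an empty list means it is acceptable."""
    expected = KEY_HEX_LENGTH.get(algorithm)
    if expected is None:
        return [f"unsupported algorithm {algorithm!r}"]
    problems = []
    for name, raw in (("CKN", ckn), ("CAK", cak)):
        value = normalize_hex(raw)
        if not HEX_RE.fullmatch(value):
            problems.append(f"{name} must contain only hexadecimal characters (0-9, A-F)")
        if len(value) != expected:
            problems.append(
                f"{name} must be {expected} hex characters for {algorithm}, got {len(value)}"
            )
    return problems


def generate_key_pair(algorithm):
    """Generate a random CKN/CAK pair of the length the algorithm requires.

    secrets.token_hex(n) returns 2*n hex characters drawn from the OS CSPRNG,
    so n is half the required hex length.
    """
    n_bytes = KEY_HEX_LENGTH[algorithm] // 2
    ckn = secrets.token_hex(n_bytes).upper()
    cak = secrets.token_hex(n_bytes).upper()
    return ckn, cak


if __name__ == "__main__":
    # Constructed sample: a 128-bit pair offered for a 256-bit algorithm fails,
    # while a freshly generated pair for the same algorithm passes.
    print(validate_macsec_keys("GCM-AES-256", "A" * 32, "B" * 32))
    ckn, cak = generate_key_pair("GCM-AES-XPN-256")
    print(ckn, cak, validate_macsec_keys("GCM-AES-XPN-256", ckn, cak))
```

Run the validator on both the value you paste into the console and the value you paste into the CPE configuration; a mismatch between the two is the most common cause of a key stuck in the Associating state.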

Key rotation

You can store up to three CKN/CAK pairs and manually rotate keys without interrupting your connection.

  • Keys are sorted by addition time, newest first.

  • When you associate a new CKN/CAK pair, the system uses the newest key to initiate negotiation. Configure the same key pair on your CPE.

  • If negotiation with the newest key fails, the system automatically falls back to the previously active key. If only one key exists and negotiation fails, communication is interrupted.

  • After you Disassociate a key that is in the Associated or Association Failed state, the system automatically attempts negotiation with the next key in the list.

  • You can only delete keys in the Disassociated state.

On-premises router configuration

After you configure a MACsec key on Alibaba Cloud, configure the matching settings on your on-premises router. Consult your router vendor's documentation for the following parameters:

  • MACsec encryption algorithm: Must match the algorithm configured on Alibaba Cloud.

  • CAK encryption algorithm: AES_256_CMAC

  • CKN/CAK: Must match the CKN/CAK pair configured on Alibaba Cloud.

  • Secure Channel Identifier (SCI): Must be enabled.

Important

To avoid traffic disruption, complete the MACsec configuration on your on-premises router before adding a key in the Alibaba Cloud console to initiate negotiation.

Limitations

  • MACsec currently supports only must-encrypt mode. If key negotiation between Alibaba Cloud and your CPE fails, the connection is interrupted and all traffic is blocked.

  • MACsec can only be enabled when creating a new physical port, not on existing ports.

  • Each physical port supports a maximum of three MACsec key pairs.

  • Keys must be hexadecimal (0-9, A-F). CKN and CAK length: 32 characters for 128-bit algorithms, 64 characters for 256-bit algorithms.

  • The Secure Channel Identifier (SCI) is required and cannot be disabled.

  • Moving IEEE 802.1Q (Dot1q/VLAN) tags out of the encrypted payload is not supported.

  • MACsec is a physical port attribute. You cannot query or disable MACsec separately on a VBR.