MACsec uses the following main modes of encryption:
VLAN in cleartext (WAN Mode)
VLAN encrypted
The 802.1AE standard requires that the 802.1Q VLAN is encrypted. Some vendors provide the option of configuring MACsec on a port with VLAN in cleartext form. The 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p support both modes on both 1GE and 10GE ports.
The following figure shows VLAN in encrypted and cleartext form.