MKA PDU generation

The following table describes the MKA PDUs generated for different traffic encapsulation matches.

Table: MKA PDU generation

| Configuration | Configuration example (`<s-tag>.<c-tag>`) | MKA packet generation | Traffic pattern match/behavior | Supported on 7210 SAS |
|---|---|---|---|---|
| All-encap | `config>port>ethernet>dot1x>macsec`<br>`ca-name 10` | untagged MKA packet | Matches all traffic on port, including untagged, single-tag, and double-tag. Default behavior. | Yes |
| UN-TAG | `config>port>ethernet>dot1x>macsec`<br>`sub-port 1`<br>`encap-match untagged`<br>`ca-name 2` | untagged MKA packet | Matches only untagged traffic on port | No |
| 802.1Q single S-TAG (specific S-TAG) | `config>port>ethernet>dot1x>macsec`<br>`sub-port 2`<br>`encap-match dot1q 1`<br>`ca-name 3` | MKA packet generated with S-TAG=1 | Matches only single-tag traffic on port with tagID of 1 | No |
| 802.1Q single S-TAG (any S-TAG) | `config>port>ethernet>dot1x>macsec`<br>`sub-port 3`<br>`encap-match dot1q *`<br>`ca-name 4` | untagged MKA packet | Matches any dot1q single-tag traffic on port | No |
| 802.1ad double tag (both tags have specific TAGs) | `config>port>ethernet>dot1x>macsec`<br>`sub-port 4`<br>`encap-match qinq 1.1`<br>`ca-name 5` | MKA packet generated with S-TAG=1 and C-TAG=1 | Matches only double-tag traffic on port with service tag of 1 and customer tag of 1 | No |
| 802.1ad double tag (specific S-TAG, any C-TAG) | `config>port>ethernet>dot1x>macsec`<br>`sub-port 6`<br>`encap-match qinq 1.*`<br>`ca-name 7` | MKA packet generated with S-TAG=1 | Matches only double-tag traffic on port with service tag of 1 and customer tag of any | No |
| 802.1ad double tag (any S-TAG, any C-TAG) | `config>port>ethernet>dot1x>macsec`<br>`sub-port 7`<br>`encap-match qinq *.*`<br>`ca-name 8` | untagged MKA packet | Matches any double-tag traffic on port | No |
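
The matching and MKA tagging rules in the table, written out as an added Python sketch (not Nokia code) that can be used to sanity-check a planned encap-match layout against sample frames. The function names, the `all-encap` label for a port with no sub-port, and the TPID values 0x8100/0x88A8 are assumptions of this example.

```python
import struct

# Assumption: VLAN tags are recognized by TPID 0x8100 (802.1Q) or 0x88A8 (802.1ad).
VLAN_TPIDS = {0x8100, 0x88A8}

def vlan_tags(frame):
    """Return the VLAN IDs that follow the two MAC addresses, outermost first."""
    tags, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return tags

def parse_encap_match(value):
    """'untagged' -> [], 'dot1q 1' -> ['1'], 'qinq 1.*' -> ['1', '*']."""
    if value == "all-encap":  # hypothetical label for the no-sub-port default
        return None
    if value == "untagged":
        return []
    kind, ids = value.split()
    parts = ids.split(".")
    if len(parts) != {"dot1q": 1, "qinq": 2}[kind]:
        raise ValueError(f"bad encap-match: {value!r}")
    return parts

def matches(value, frame):
    """True when the frame's tag stack satisfies the encap-match pattern."""
    pattern = parse_encap_match(value)
    if pattern is None:
        return True  # all-encap: untagged, single-tag and double-tag
    tags = vlan_tags(frame)
    return len(tags) == len(pattern) and all(
        p == "*" or int(p) == t for p, t in zip(pattern, tags))

def mka_pdu_tags(value):
    """Tags on the generated MKA PDU: specific IDs only, none if the S-TAG is '*'."""
    pattern = parse_encap_match(value)
    if not pattern or pattern[0] == "*":
        return []
    return [int(p) for p in pattern if p != "*"]

def make_frame(*vids):
    """Constructed sample frame: zeroed MACs, the given VLAN stack, EtherType 0x888E."""
    tpids = [0x88A8, 0x8100] if len(vids) == 2 else [0x8100] * len(vids)
    body = b"".join(struct.pack("!HH", t, v) for t, v in zip(tpids, vids))
    return bytes(12) + body + struct.pack("!H", 0x888E)
```
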