Table 1 describes the MKA PDUs generated for different traffic encapsulation matches.
| Configuration | Configuration example (<s-tag>.<c-tag>) | MKA packet generation | Traffic pattern match/behavior |
|---|---|---|---|
All-encap |
config>port>ethernet> dot1x>macsec sub-port 10 encap-match all-encap ca-name 10 |
untagged MKA packet |
Matches all traffic on port, including untagged, single-tag, and double-tag. Default behavior; only available behavior in releases before 16.0. |
UN-TAG |
config>port>ethernet> dot1x>macsec sub-port 1 encap-match untagged ca-name 2 |
untagged MKA packet |
Matches only untagged traffic on port |
802.1Q single S-TAG (specific S-TAG) |
config>port>ethernet> dot1x>macsec sub-port 2 encap-match dot1q 1 ca-name 3 |
MKA packet generated with S-TAG=1 |
Matches only single-tag traffic on port with tagID of 1 |
802.1Q single S-TAG (any S-TAG) |
config>port>ethernet> dot1x>macsec sub-port 3 encap-match dot1q * ca-name 4 |
untagged MKA packet |
Matches any dot1q single-tag traffic on port |
802.1ad double tag (both tag have specific TAGs) |
config>port>ethernet> dot1x>macsec sub-port 4 encap-match qinq 1.1 ca-name 5 |
MKA packet generated with S-tag=1 and C-TAG=1 |
Matches only double-tag traffic on port with service tag of 1 and customer tag of 1 |
802.1ad double tag (specific S-TAG, any C-TAG) |
config>port>ethernet> dot1x>macsec sub-port 6 encap-match qinq 1.* ca-name 7 |
MKA packet generated with S-TAG=1 |
Matches only double-tag traffic on port with service tag of 1 and customer tag of any |
802.1ad double tag (any S-TAG, any C-TAG) |
config>port>ethernet> dot1x>macsec sub-port 7 encap-match qinq *.* ca-name 8 |
untagged MKA packet |
Matches any double-tag traffic on port |