MKA PDU generation

Table: MKA PDU generation describes the MKA PDUs generated for different traffic encapsulation matches.

Table: MKA PDU generation
Configuration Configuration example (<s-tag>.<c-tag>) MKA packet generation Traffic pattern match/behavior

All-encap

config>port>ethernet> dot1x>macsec

sub-port 10

encap-match all-encap

ca-name 10

untagged MKA packet

Matches all traffic on port, including untagged, single-tag, and double-tag.

Default behavior; only available behavior in releases before 16.0.

UN-TAG

config>port>ethernet> dot1x>macsec

sub-port 1

encap-match untagged

ca-name 2

untagged MKA packet

Matches only untagged traffic on port

802.1Q single S-TAG (specific S-TAG)

config>port>ethernet> dot1x>macsec

sub-port 2

encap-match dot1q 1

ca-name 3

MKA packet generated with S-TAG=1

Matches only single-tag traffic on port with tagID of 1

802.1Q single S-TAG (any S-TAG)

config>port>ethernet> dot1x>macsec

sub-port 3

encap-match dot1q *

ca-name 4

untagged MKA packet

Matches any dot1q single-tag traffic on port

802.1ad double tag (both tag have specific TAGs)

config>port>ethernet> dot1x>macsec

sub-port 4

encap-match qinq 1.1

ca-name 5

MKA packet generated with S-tag=1 and C-TAG=1

Matches only double-tag traffic on port with service tag of 1 and customer tag of 1

802.1ad double tag (specific S-TAG, any C-TAG)

config>port>ethernet> dot1x>macsec

sub-port 6

encap-match qinq 1.*

ca-name 7

MKA packet generated with S-TAG=1

Matches only double-tag traffic on port with service tag of 1 and customer tag of any

802.1ad double tag (any S-TAG, any C-TAG)

config>port>ethernet> dot1x>macsec

sub-port 7

encap-match qinq *.*

ca-name 8

untagged MKA packet

Matches any double-tag traffic on port