MACSec Keying Methods: True Statements | CCIE Security Exam | Cisco

Keying Methods Used by MACSec



Which three statements about the keying methods used by MACSec are true? (Choose three.)



A. Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
B. A valid mode for SAP is NULL.
C. MKA is implemented as an EAPoL packet exchange.
D. SAP is enabled by default for Cisco TrustSec in manual configuration mode.
E. SAP is not supported on switch SVIs.
F. SAP is supported on SPAN destination ports.


The three true statements are B, C and E. Each statement in turn:

A. Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA. This statement is false. MKA (MACsec Key Agreement) provides key management for host-to-switch MACSec sessions. On the Cisco TrustSec platforms this question is written for, switch-to-switch MACSec links use SAP (Security Association Protocol) instead, so MKA does not cover both cases. Under MKA the Connectivity Association Key (CAK) is the master key: the Key Encryption Key (KEK) and Integrity Check Key (ICK) are derived from it, and the elected key server uses them to distribute the Secure Association Key (SAK), which is the key that actually protects the data frames.

B. A valid mode for SAP is NULL. This statement is true. SAP is Cisco's key agreement protocol for switch-to-switch MACSec links; it negotiates, refreshes and tears down the secure association between the two switches. Its mode list accepts four modes, tried in the order configured: gcm-encrypt (authentication and encryption), gmac (authentication only, no encryption), no-encap (no MACSec encapsulation at all) and null (MACSec encapsulation is present, but no authentication or encryption is applied). null is therefore a valid mode, but it provides no protection and should only appear in a mode list when an unprotected fallback is explicitly acceptable.

C. MKA is implemented as an EAPoL packet exchange. This statement is true. MKA is defined in IEEE 802.1X-2010 and its MKPDUs are carried in EAPoL frames (EtherType 0x888E, EAPOL packet type EAPOL-MKA). On a host-facing port, 802.1X/EAP first authenticates the host and the CAK is derived from the resulting EAP session key; MKA then runs over the same EAPoL transport to elect a key server, distribute SAKs and keep the secure association alive.

D. SAP is enabled by default for Cisco TrustSec in manual configuration mode. This statement is false. In Cisco TrustSec manual mode (cts manual under the interface) SAP is disabled by default; it runs only when the administrator configures a pairwise master key and mode list with sap pmk ... mode-list .... Without that command the link carries no MACSec.

E. SAP is not supported on switch SVIs. This statement is true. It is a documented Cisco restriction: SAP negotiates a secure association on a physical switch-to-switch port and is not supported on switch SVIs (Switched Virtual Interfaces).

F. SAP is supported on SPAN destination ports. This statement is false. SAP is not supported on SPAN (Switched Port Analyzer) destination ports either: a SPAN destination only receives mirrored traffic for monitoring and does not take part in a MACSec secure association.
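The following configuration is an added example, not part of the exam page or Cisco's documentation for this item. It shows the two keying methods side by side on a Cisco IOS switch: a Cisco TrustSec manual-mode trunk where SAP must be enabled explicitly (and where a weak mode list that includes null is contrasted with one that allows only gcm-encrypt), and a host-facing access port that uses 802.1X with MKA. Interface names, VLANs, the PMK value and the policy name are assumptions for illustration; RADIUS server definitions are omitted. Check the exact command set against your platform's command reference before use.

```cisco
! Added example (not from the exam page). Interface names, VLAN numbers,
! the PMK value and the policy name below are assumptions for illustration.

! --- Switch-to-switch link: Cisco TrustSec manual mode with SAP ---
! SAP is disabled by default under "cts manual"; the "sap pmk" line enables it.
! Weak: listing "null" means the peers may settle on MACsec encapsulation
! with no encryption and no integrity protection if gcm-encrypt is refused.
interface TenGigabitEthernet1/1/1
 cts manual
  sap pmk 1234abcdef1234abcdef1234abcdef12 mode-list gcm-encrypt null
  no propagate sgt

! Hardened: only gcm-encrypt is offered, so SAP either negotiates
! authenticated AES-GCM encryption or fails; there is no unprotected mode
! in the list to fall back to. Both ends must be configured with the same PMK.
interface TenGigabitEthernet1/1/1
 cts manual
  sap pmk 1234abcdef1234abcdef1234abcdef12 mode-list gcm-encrypt
  no propagate sgt

! --- Host-facing access port: 802.1X followed by MKA over EAPoL ---
! (RADIUS server definitions omitted; assumed to exist.)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
mka policy HOST-MKA
 replay-protection window-size 0
interface GigabitEthernet1/0/25
 switchport mode access
 switchport access vlan 10
 macsec
 mka policy HOST-MKA
 authentication linksec policy must-secure
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

! Verification:
!   show cts interface TenGigabitEthernet1/1/1   (SAP status and selected cipher)
!   show mka sessions                            (host-to-switch MKA sessions)
!   show macsec interface GigabitEthernet1/0/25  (MACsec state on the access port)
```

The two TenGigabitEthernet1/1/1 stanzas are alternatives, not meant to be applied together: the first is the weak configuration, the second the corrected one. Neither SAP block would be accepted on an SVI or a SPAN destination port, which is the restriction behind statements E and F.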