Cisco Certified Internetwork Expert (CCIE) Practice Test

Which two statements about the MACsec security protocol are true? (Choose two)

• A. MACsec is not supported in MDA mode
• B. Stations broadcast an MKA heartbeat that contains the key server priority
• C. When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM
• D. The SAK is secured by 128-bit AES-GCM by default

The correct answer is: Stations broadcast an MKA heartbeat that contains the key server priority

The selected statement about the MACsec security protocol highlights the functionality of the Media Access Control Security (MACsec) in relation to its operation within a network environment. When considering how stations utilize the Media Key Agreement (MKA) protocol, they indeed broadcast an MKA heartbeat. This heartbeat is crucial for maintaining the integrity and security of communications because it includes the key server priority, which helps to manage and establish key exchange among devices. This ensures that devices on the network are synchronized and have an efficient way of determining which device is responsible for key management duties. In contrast, other statements address aspects of MACsec's operational requirements and capabilities. The claim about MACsec not being supported in MDA mode deals with deployment specifics; it implies potential limitations in hardware configurations. The statement concerning switch-to-switch link security in manual mode and the necessity for GCM mode outlines operational parameters that need to be met for effective functionality. Lastly, the assertion regarding the Secure Association Key (SAK) being secured by 128-bit AES-GCM refers to the cryptographic standards utilized, which while relevant, does not directly pertain to the operational aspects discussed in the chosen statement. Thus, the emphasis on the MKA heartbeat and key server priority is significant in understanding how MAC