
ANS-C01: AWS Direct Connect MACsec Implementation Secure Layer 2 Encryption

Step-by-step guide to implementing MACsec encryption on AWS Direct Connect LAG for robust layer 2 security. Ensure data safety with these expert-proven methods for network encryption.


Question

A company uses an AWS Direct Connect private VIF with a link aggregation group (LAG) that consists of two 10 Gbps connections. The company’s security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company’s network team plans to use MACsec support for Direct Connect to meet the new requirement.

Which combination of steps should the network team take to implement this functionality? (Choose three.)

A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.
B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.
C. Associate the Internet Key Exchange (IKE) with the existing LAG.
D. Configure the MACsec encryption mode on the existing LAG.
E. Configure the MACsec encryption mode on the new LAG.
F. Configure the MACsec encryption mode on each Direct Connect connection that makes up the existing LAG.

Answer

A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.
B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.
E. Configure the MACsec encryption mode on the new LAG.

Explanation

To implement MACsec for layer 2 encryption over AWS Direct Connect with a link aggregation group (LAG), the network team should:

  1. Create a new Direct Connect LAG with MACsec support: Create a new LAG specifically with circuits and ports that support MACsec (Option A).
  2. Associate MACsec keys with the new LAG: Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the newly created LAG to enable encryption (Option B).
  3. Configure MACsec encryption: Enable the MACsec encryption mode specifically on the new LAG created for MACsec support (Option E).

These steps allow the network team to establish a dedicated LAG with MACsec support, associate the necessary keys with it, and configure the encryption mode for layer 2 security.
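The three selected steps (A, B, E) expressed as AWS CLI calls, as an added example that is not part of the original page and not AWS's own code. The location code, LAG name and `dxlag-EXAMPLE` ID are placeholders, and with `DRY_RUN=1` (the default) the commands are only printed, with the CAK redacted.

```shell
# Added example. LOCATION, LAG_NAME and dxlag-EXAMPLE are placeholders
# (assumptions); DRY_RUN=1 prints the commands instead of calling AWS.
DRY_RUN="${DRY_RUN:-1}"
LOCATION="${LOCATION:-EXAMPLE-LOCATION}"     # placeholder Direct Connect location code
LAG_NAME="${LAG_NAME:-macsec-lag-example}"   # placeholder LAG name

# CKN and CAK are each 64 hex characters (256 bits), e.g. `openssl rand -hex 32`.
is_hex64() {
  case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  [ "${#1}" -eq 64 ]
}

valid_mode() {
  case "$1" in no_encrypt|should_encrypt|must_encrypt) return 0 ;; esac
  return 1
}

# Print the command (CAK redacted) in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*" | sed -E 's/(--cak )[0-9a-fA-F]+/\1<redacted>/'
  else
    "$@"
  fi
}

# usage: provision_macsec_lag CKN CAK [MODE]
provision_macsec_lag() {
  ckn="$1"; cak="$2"; mode="${3:-must_encrypt}"
  is_hex64 "$ckn" || { echo "CKN must be 64 hex characters" >&2; return 2; }
  is_hex64 "$cak" || { echo "CAK must be 64 hex characters" >&2; return 2; }
  valid_mode "$mode" || { echo "unknown encryption mode: $mode" >&2; return 2; }

  # Option A: new LAG of two 10 Gbps connections on MACsec-capable ports.
  set -- aws directconnect create-lag --lag-name "$LAG_NAME" --location "$LOCATION" \
    --number-of-connections 2 --connections-bandwidth 10Gbps --request-mac-sec
  if [ "$DRY_RUN" = 1 ]; then
    run "$@"; lag_id="dxlag-EXAMPLE"         # placeholder ID for the printout
  else
    lag_id=$("$@" --query lagId --output text) || return 1
  fi

  # Option B: bind the CKN/CAK pair to the new LAG. A CAK passed on the
  # command line is visible in shell history and process listings.
  run aws directconnect associate-mac-sec-key --connection-id "$lag_id" \
    --ckn "$ckn" --cak "$cak" || return 1

  # Option E: must_encrypt takes the link down when encryption is down;
  # should_encrypt lets traffic flow unencrypted if MACsec is not established.
  run aws directconnect update-lag --lag-id "$lag_id" --encryption-mode "$mode"
}
```

Call `provision_macsec_lag "$CKN" "$CAK"` to review the printed commands, then rerun with `DRY_RUN=0` and real `LOCATION` and `LAG_NAME` values.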
