apply macsec policy

Syntax

apply macsec policy <MACSEC-POLICY-NAME>

no apply macsec policy

Description

Within the selected interface context, applies the specified MACsec policy to the selected port. When a MACsec policy is applied to a port, MACsec is enabled on the port and all data traffic is blocked on the port until a secure channel is successfully established.

A MACsec policy can be applied to a physical interface that is not a member of any LAG, or to a LAG interface. It can also be applied to an interface that is configured as an MCLAG, VSX keep-alive, or VSX inter-switch-link.

If a MACsec policy is already applied to the selected port, this command replaces the existing policy application.

For MACsec to work, an MKA policy must also be configured and applied to the same ports.

The no form of this command removes the MACsec policy association from the port.

Command context

config-if

Parameters

<MACSEC-POLICY-NAME>

Specifies the MACsec policy name. Range: 1 to 32 alphanumeric characters including only the three special characters "." (period), "-" (hyphen), and "_" (underscore).

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • When any MACsec or MKA policy parameter is updated, every active MACsec session on every interface running that policy is terminated and restarted. The following prompt indicates this and provides an opportunity to cancel the update:

    This policy is currently in use by one or more interfaces. Updating the policy will cause existing MACsec sessions using the policy to restart. Continue (y/n)?

  • For non-LAG ports, a range of ports can be specified in the interface command used to enter the interface context. For example, entering the interface context for ports 1/1/1 through 1/1/2 and applying a policy to both:

    switch(config)# interface 1/1/1-1/1/2
    switch(config-if-<1/1/1-1/1/2>)# apply macsec policy MS_Policy1

  • Not all interfaces on a switch support MACsec. An error is generated when a policy is applied to a physical interface that is not MACsec capable. For LAG ports, any non-MACsec-capable interfaces that are members of the LAG are blocked.
  • The 32-port 8360 Switch Series (model JL717A) does not support MACsec and priority-based flow control (PFC) on the same interface. Applying a MACsec policy to an interface with an existing PFC configuration disables the interface. PFC must be unconfigured on the interface before MACsec can be used.

Examples

Applying a MACsec policy to a range of two ports:

switch(config)# interface 1/1/1-1/1/2
switch(config-if-<1/1/1-1/1/2>)# apply macsec policy MS_Policy1

Attempting to apply a MACsec policy to a port that already has PFC enabled:

switch(config)# interface 1/1/3
switch(config-if)# apply macsec policy MS_Policy1
MACsec and priority-based flow control (PFC) cannot be configured at the same time on this interface. Applying a MACsec policy will disable the interface until PFC is removed. Continue (y/n)?

Attempting to apply a MACsec policy to a port that is not MACsec capable:

switch(config)# interface 1/1/5
switch(config-if)# apply macsec policy MS_Policy1
MACsec is not supported on the interface.
switch(config-if)#

Removing MACsec policy association from a port:

switch(config)# interface 1/1/1
switch(config-if)# no apply macsec policy

Applying a MACsec policy to a LAG port:

switch(config)# interface lag 1
switch(config-if)# apply macsec policy MS_Policy1
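The description above states that MACsec only works once an MKA policy is also configured and applied to the same port, and that data traffic stays blocked until a secure channel comes up. The following end-to-end session is an added illustration and is not taken from this page: it builds a MACsec policy and an MKA policy, applies both to a port, and then checks the result. The policy names, port, CKN and CAK values are constructed placeholders, and the macsec policy, mka policy, apply mka policy, show macsec status and show mka status commands are assumed from the wider AOS-CX command set rather than documented here; confirm them against the reference for the installed software version.

```text
! Constructed example session: policy names, port, CKN and CAK are placeholders.
! MACsec policy: cipher suite and replay protection (commands assumed from the
! wider AOS-CX MACsec command set, not taken from this page).
switch(config)# macsec policy MS_Policy1
switch(config-macsec-policy)# cipher-suite gcm-aes-256
switch(config-macsec-policy)# replay-protection window-size 0
switch(config-macsec-policy)# exit

! MKA policy carrying the pre-shared key. The CAK is a secret: the value below
! is a placeholder, and the plaintext form is shown only for illustration.
switch(config)# mka policy MKA_Policy1
switch(config-mka-policy)# pre-shared-key ckn 0123456789ABCDEF cak plaintext 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
switch(config-mka-policy)# exit

! Apply both policies to the port. Data traffic on 1/1/1 stays blocked until the
! MKA session with the peer completes and a secure channel is established.
switch(config)# interface 1/1/1
switch(config-if)# apply macsec policy MS_Policy1
switch(config-if)# apply mka policy MKA_Policy1
switch(config-if)# exit

! Check: the port should report an established MKA session and a secured
! MACsec status; until it does, the port forwards no data traffic.
switch(config)# show mka status
switch(config)# show macsec status
```

The order matters for troubleshooting: if the show commands report no session on the port, the first things to compare are the CKN and CAK on both ends of the link and whether the same cipher suite is configured on both peers, since a MACsec policy applied without a matching MKA session leaves the port blocked by design.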