apply macsec policy
Syntax
apply macsec policy <MACSEC-POLICY-NAME>
no apply macsec policy
Description
Within the selected interface context, applies the specified MACsec policy to the selected port. When a MACsec policy is applied to a port, MACsec is enabled on the port and all data traffic is blocked on the port until a secure channel is successfully established.
A MACsec policy can be applied to a LAG port or to a physical interface port that is not a member of a LAG. It can also be applied to an interface that is configured as an MCLAG, VSX keep-alive, or VSX inter-switch-link.
If a MACsec policy is already applied to the selected port, this command replaces the existing policy application.
For MACsec to work, an MKA policy must also be configured and applied to the same ports.
The no form of this command dissociates the specified policy from the port.
Command context
config-if
Parameters
<MACSEC-POLICY-NAME>
Specifies the MACsec policy name. Range: 1 to 32 alphanumeric characters including only the three special characters "." (period), "-" (hyphen), and "_" (underscore).
Authority
Administrators or local user group members with execution rights for this command.
Usage
- When any MACsec or MKA policy parameter is updated, any active MACsec session on all interfaces running the MACsec or MKA policy is terminated and restarted. This is indicated with the following prompt that provides an opportunity to not execute the apply command.
- For non-LAG ports, a range of ports can be specified in the interface command used to enter the interface context. For example, entering the interface context for ports 1/1/1 through 1/1/2:
- Not all interfaces on a switch may support the MACsec capability. An error will be generated when a policy is applied to a physical interface that is not capable of MACsec. For LAG ports, any non-MACsec capable interfaces that are part of the LAG will be blocked.
- The 32-port 8360 Switch Series (model JL717A) does not support both MACsec and priority-based flow-control (PFC) on the same interface. Applying a MACsec policy to an interface associated with an existing PFC configuration will disable the interface. PFC must be unconfigured on the interface before MACsec can be used.
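Because a port with a MACsec policy blocks all data traffic until a secure channel is established, it helps to check a candidate configuration before deploying it. The following is an added example, not part of the vendor documentation: a small Python lint that checks the policy-name rule from the Parameters section and the requirement that an MKA policy is applied to the same port. The function name `lint_macsec`, the indented interface-stanza layout, and the `apply mka policy <name>` line form are assumptions, and the sample configuration is constructed.

```python
import re

# Name rule from the Parameters section: 1 to 32 alphanumerics plus . - _
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Constructed sample, not captured from a switch. Assumed layout: indented
# lines under "interface ..."; MKA bound with "apply mka policy <name>".
SAMPLE_CONFIG = """\
interface 1/1/1
    apply macsec policy MS1
    apply mka policy MKA1
interface 1/1/2
    apply macsec policy MS1
interface lag 10
    apply macsec policy bad/name
    apply mka policy MKA1
interface 1/1/3
    no shutdown
"""

def lint_macsec(config):
    """Return sorted (interface, problem) tuples for a config text."""
    applied = {}  # interface -> {"macsec": name, "mka": name}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("interface "):
            current = line[len("interface "):]
            applied[current] = {}
        elif current and raw[:1].isspace():
            m = re.fullmatch(r"apply (macsec|mka) policy (\S+)", line)
            if m:  # a later apply replaces the earlier one, as on the switch
                applied[current][m.group(1)] = m.group(2)
        else:
            current = None  # left the interface stanza
    findings = []
    for ifname, pol in applied.items():
        if "macsec" not in pol:
            continue  # MACsec not applied here, nothing to check
        if not NAME_RE.fullmatch(pol["macsec"]):
            findings.append((ifname, "invalid MACsec policy name"))
        if "mka" not in pol:
            findings.append((ifname, "MACsec applied without an MKA policy"))
    return sorted(findings)

if __name__ == "__main__":
    print(lint_macsec(SAMPLE_CONFIG))
```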
Examples
Applying a MACsec policy to a range of two ports:
Attempting to apply a MACsec policy to a port that already has PFC enabled:
Attempting to apply a MACsec policy to a port that is not MACsec capable:
Removing MACsec policy association from a port:
Applying a MACsec policy to a LAG port: