Use this command to gain write-access to IEEE8021-SECY-MIB objects for replay protection.
| Parameter | Description |
|---|---|
| replay-protect | Security feature that drops out-of-order packets when enabled. |
| enable | Enables the replay protection feature. |
| disable | Disables the replay protection feature. |
| window | Replay protection setting that controls the number of out-of-order packets allowed before packets are dropped. |
| window-size | Specifies the number of out-of-order packets allowed before packets are dropped if the replay protection feature is enabled. |
| port-string | (Optional) Specifies the port affected by the replay protection configuration change. |
The replay-protect parameter is enabled by default.
The window-size defaults to 0. This specifies that all out-of-order packets are dropped.
If a port or ports are not specified, the command applies to all MACsec-capable ports.
All command modes.
The replay protection feature drops out-of-order packets received on a port. When an out-of-order packet is received and replay protection is enabled, the MIB object secyRxSCStatsDelayPkts is incremented and the packet is dropped. When replay protection is disabled, the MIB object secyRxSCStatsDelayPkts is incremented and the packet is forwarded. A window can be configured to set the number of out-of-order packets allowed before packets are dropped. This window defaults to 0 (all out-of-order packets are dropped).
Replay protect and the associated window feature are detailed in IEEE 802.1X-2010.
This example shows how to set the replay protection window to 3 packets for ports "ge.1.1" through "ge.1.10":
System(rw)->set macsec secy window 3 ge.1.1-10
This example shows how to disable replay protection on ports "ge.1.11" through "ge.1.24":
System(rw)->set macsec secy replay-protect disable ge.1.11-24
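The following Python model is an added example, not code from the device or from this guide. It applies the counter and drop-or-forward behavior described above to a constructed sequence of packet numbers. It assumes the window acts as a sliding lower bound on packet numbers (next expected number minus window-size); `SecyRx`, `run` and `ARRIVALS` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class SecyRx:
    """Model of the receive-side replay check on one port (not device code)."""
    replay_protect: bool = True  # documented default: enabled
    window: int = 0              # documented default: 0
    next_pn: int = 1             # next expected packet number (assumed start)
    delay_pkts: int = 0          # models secyRxSCStatsDelayPkts

    def receive(self, pn: int) -> str:
        # Assumption: lowest acceptable number trails the next expected
        # number by the configured window, never going below 1.
        lowest_ok = max(self.next_pn - self.window, 1)
        if pn < lowest_ok:
            # Out of window: counted either way; dropped only when
            # replay protection is enabled, forwarded when disabled.
            self.delay_pkts += 1
            return "dropped" if self.replay_protect else "forwarded"
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        # In this model a number inside the window is accepted even if it
        # was already seen, so a larger window tolerates more reordering
        # at the cost of a looser replay check.
        return "forwarded"


def run(pns, **cfg):
    """Feed packet numbers through a fresh SecyRx; return (verdicts, counter)."""
    rx = SecyRx(**cfg)
    return [rx.receive(pn) for pn in pns], rx.delay_pkts


# Constructed arrival order: 4 and 3 arrive after 5, then 2 shows up again.
ARRIVALS = [1, 2, 5, 4, 3, 6, 2]

if __name__ == "__main__":
    for cfg in ({"window": 0}, {"window": 3},
                {"window": 0, "replay_protect": False}):
        verdicts, counter = run(ARRIVALS, **cfg)
        print(cfg, list(zip(ARRIVALS, verdicts)), "delay_pkts =", counter)
```

Comparing the three runs shows what to expect from secyRxSCStatsDelayPkts after changing the window or disabling the feature on a port.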