The switch software does not support the replay-protect option when MACsec is configured with static security keys. In some early releases, the replay-protect option is still visible and configurable, even though it is not supported. If you configured the replay-protect option in an early release and you are upgrading to switch software configured with MACsec using static security keys, follow the steps below to disable replay-protect before you upgrade the switch software to a release where the option is not available.
Beginning in Release 8.1, replay protection is available as part of the MACsec Key Agreement (MKA) feature on the VSP 8404 and VSP 8404C platforms. For platforms that do not support MKA, disable replay protection.
Note
Replay-protect must be disabled on both ends of the MACsec enabled link.
If replay-protect is not disabled on the remote end of the MACsec link prior to the upgrade of the local node, traffic on the MACsec-enabled links will be dropped until replay-protect is also disabled on the remote node. As a best practice, complete the following procedure before initiating the upgrade.