Important upgrade consideration regarding MACsec

The switch software does not support the replay-protect option when MACsec is configured with static security keys. In some early releases the option is nevertheless visible and configurable, even though it is not supported. If you enabled replay-protect in such a release on a link that uses static security keys, disable it before you upgrade to a release in which the option is no longer available; the steps below describe how.

Beginning in Release 8.1, replay protection is available as part of the MACsec Key Agreement (MKA) feature on the VSP 8404 and VSP 8404C platforms. For platforms that do not support MKA, disable replay protection.

Note

Replay-protect must be disabled on both ends of the MACsec enabled link.

About this task

If replay-protect is not disabled on the remote end of the MACsec link prior to the upgrade of the local node, traffic on the MACsec-enabled links will be dropped until replay-protect is also disabled on the remote node. As a best practice, complete the following procedure before initiating the upgrade.

Procedure

  1. To check whether replay-protect is enabled on any interface, use the show macsec status command on both nodes.
  2. For each interface where MACsec replay-protect is enabled, perform the following tasks:
    1. Disable MACsec replay-protect on the remote end of the MACsec-enabled link.
    2. Disable MACsec replay-protect on the local end of the MACsec-enabled link.
    3. Save the configuration on both nodes.
  3. Start the software upgrade.
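The following script is an added example and is not vendor code: it is an offline pre-upgrade audit that takes the pasted text of show macsec status from the local and the remote node, lists every MACsec-enabled port where either end still has replay-protect on, and emits the remediation steps in the order the procedure requires (remote end first, then local, then save on both nodes). It also flags links whose two ends disagree, which is the state in which traffic is dropped. The column layout of the sample captures, the port-to-port pairing (same port id on both nodes unless a peer_ports map is given) and all function names are assumptions for this example, not the switch's real output format or CLI.

```python
"""Offline pre-upgrade audit for MACsec replay-protect.

Added example, not switch vendor code. It assumes the operator has pasted the
text of `show macsec status` from the local and the remote node. The column
layout of the samples below is CONSTRUCTED for this example and is not the
switch's real output format; adjust ROW if your release prints differently.
"""
import re
from dataclasses import dataclass, field

# Constructed sample captures (assumed layout, not real switch output).
LOCAL_STATUS = """\
PortId   MACsec    Key-Mode   Replay-Protect   Window
1/1      Enabled   static     Enabled          100
1/2      Enabled   static     Disabled         0
1/3      Disabled  static     Disabled         0
"""
REMOTE_STATUS = """\
PortId   MACsec    Key-Mode   Replay-Protect   Window
1/1      Enabled   static     Enabled          100
1/2      Enabled   static     Enabled          64
1/3      Disabled  static     Disabled         0
"""

# One data row of the assumed layout: port, MACsec state, key mode, replay state, window.
ROW = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<macsec>\w+)\s+(?P<mode>\S+)\s+(?P<replay>\w+)\s+\d+",
    re.MULTILINE,
)


@dataclass(frozen=True)
class PortState:
    port: str
    macsec_enabled: bool
    replay_protect: bool


@dataclass
class Finding:
    port: str
    local_replay: bool
    remote_replay: bool
    steps: list = field(default_factory=list)

    @property
    def mismatched(self):
        # Ends differ: MACsec traffic on this link is dropped until they match.
        return self.local_replay != self.remote_replay


def parse_macsec_status(text):
    """Map port id -> PortState from a show macsec status capture (assumed layout)."""
    states = {}
    for m in ROW.finditer(text):
        states[m["port"]] = PortState(
            port=m["port"],
            macsec_enabled=m["macsec"].lower() == "enabled",
            replay_protect=m["replay"].lower() == "enabled",
        )
    return states


def preupgrade_findings(local, remote, peer_ports=None):
    """One Finding per MACsec-enabled port where either end still has
    replay-protect on. Steps follow the documented order: remote end first,
    then local end, then save on both nodes. peer_ports maps a local port to
    its remote port; by default the same port id is assumed on both nodes."""
    peer_ports = peer_ports or {}
    findings = []
    for port, lstate in sorted(local.items()):
        if not lstate.macsec_enabled:
            continue
        rport = peer_ports.get(port, port)
        rstate = remote.get(rport)
        if rstate is None:
            raise KeyError(f"no remote status for peer port {rport} of local {port}")
        if not (lstate.replay_protect or rstate.replay_protect):
            continue
        f = Finding(port, lstate.replay_protect, rstate.replay_protect)
        if rstate.replay_protect:
            f.steps.append(f"remote {rport}: disable macsec replay-protect")
        if lstate.replay_protect:
            f.steps.append(f"local {port}: disable macsec replay-protect")
        f.steps.append("save the configuration on both nodes")
        findings.append(f)
    return findings


def ready_to_upgrade(local_text, remote_text, peer_ports=None):
    """True only when no MACsec-enabled link has replay-protect on either end."""
    return not preupgrade_findings(
        parse_macsec_status(local_text), parse_macsec_status(remote_text), peer_ports
    )


if __name__ == "__main__":
    for f in preupgrade_findings(parse_macsec_status(LOCAL_STATUS),
                                 parse_macsec_status(REMOTE_STATUS)):
        flag = " (ends mismatched: traffic dropped until aligned)" if f.mismatched else ""
        print(f"port {f.port}{flag}")
        for step in f.steps:
            print("   ", step)
    print("ready to upgrade:", ready_to_upgrade(LOCAL_STATUS, REMOTE_STATUS))
```

Run it against captures from both nodes before starting the upgrade, and only proceed once ready_to_upgrade returns True; a port that is flagged as mismatched is exactly the condition described above in which traffic is dropped until replay-protect is disabled on the other end as well.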