configure macsec replay-protect

configure macsec replay-protect [window_size_in_packets | disable] ports port_list

Description

Configures MAC Security (MACsec) replay-protect window size for port(s).

Syntax Description

| Keyword / variable | Description |
|---|---|
| replay-protect | Configures dropping out-of-order packets received on a port. |
| window_size_in_packets | Sets replay-protect window size value. Out-of-order packets up to selected value are accepted. Range is 0–4,294,967,295. Default is 0 (out-of-order packets are dropped). |
| disable | Disables replay protection. Out-of-order packets are allowed. |
| ports | Specifies configuring ports. |
| port_list | Lists which ports to configure the replay-protect window on. |

Default

Default value for replay-protect window is 0 packets, which drops all out-of-order packets.

Usage Guidelines

The replay protection feature provides for the dropping of out-of-order packets received on a port. The window size is set to 0 by default, meaning any packet received out-of-order is dropped. Setting the window size to non-zero sets the range of sequence numbers that are tolerated, to allow receipt of packets that have been misordered by the network. If replay protection is disabled, packet sequence numbers are not checked and out-of-order packets are not dropped.

Important

After enabling MACsec, if you change the replay protect window size, you must run the configure macsec initialize ports port_list command afterward. Otherwise, the change is not applied.

Example

The following example disables replay protection on port 13:
# configure macsec replay-protect disable ports 13
# configure macsec initialize ports 13
The following example sets replay-protect window size to 50 packets on port 14. If the last data packet received has a packet number (PN) of N, then the next received packet is accepted if its PN is greater than or equal to N-50. If the PN is less than N-50, the packet is dropped and the "Late Pkts" counter is incremented:
# configure macsec replay-protect 50 ports 14
# configure macsec initialize ports 14
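
The following added example (not part of the original command reference, and not ExtremeXOS code) models the acceptance rule described above for the three settings: window 0, window 50, and disabled. The class and function names are hypothetical, the arrival sequence is constructed, and N is assumed to be the highest PN accepted so far.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReplayProtect:
    """Receive-side model of one port's replay-protect setting.

    window=None models "replay-protect disable"; window=0 is the default.
    Assumption: N is tracked as the highest PN accepted so far.
    """
    window: Optional[int] = 0
    highest_pn: int = 0
    accepted: int = 0
    late_pkts: int = 0  # stands in for the "Late Pkts" counter

    def receive(self, pn: int) -> bool:
        # Page's rule: drop when PN < N - window. Only that comparison is
        # modelled; no record is kept of which PNs were already seen.
        if self.window is not None and pn < self.highest_pn - self.window:
            self.late_pkts += 1
            return False
        self.accepted += 1
        self.highest_pn = max(self.highest_pn, pn)
        return True


def replay_counts(window: Optional[int], arrivals: list[int]) -> tuple[int, int]:
    """Return (accepted, late_pkts) after feeding the arrival order to a port."""
    port = ReplayProtect(window=window)
    for pn in arrivals:
        port.receive(pn)
    return port.accepted, port.late_pkts


# Constructed arrival order: PN 4 is swapped with 5, then a burst jumps to
# PN 100 and PNs 60, 50 and 49 arrive behind it.
ARRIVALS = [1, 2, 3, 5, 4, 100, 60, 50, 49, 101]

if __name__ == "__main__":
    for label, window in (("window 0", 0), ("window 50", 50), ("disabled", None)):
        accepted, late = replay_counts(window, ARRIVALS)
        print(f"{label:10} accepted={accepted} late_pkts={late}")
```

With the default window, every misordered packet in the sequence is counted as late. With a window of 50, only PN 49 falls outside the tolerated range, so a larger window tolerates more reordering at the cost of accepting a wider range of old packet numbers.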

History

This command was first available in ExtremeXOS 30.1.

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.

| Platform | Ports | LRM/MACsec Adapter Required? |
|---|---|---|
| ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
| | All other SFP/SFP+ ports * | Yes |
| ExtremeSwitching X450-G2, X460-G2, X440-G2, X590, X620, and X695 series switches | SFP/SFP+ ports * | Yes |
| ExtremeSwitching X465 | X465-24W, X465-24XE: ports 1–24; X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48; X465-24MU-24W: ports 25–48; VIM5-4XE: all 4 ports; VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports; VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only | No |

Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.