macsec replay-protection window-size

Use macsec replay-protection window-size to set the MACsec replay protection window size on a port.

Use undo macsec replay-protection window-size to restore the default.


macsec replay-protection window-size size-value

undo macsec replay-protection window-size


The MACsec replay protection window size is 0 on a port. The device accepts only frames that arrive in the correct order. Out-of-order or duplicated frames will be dropped.


Ethernet interface view

Predefined user roles




size-value: Specifies the replay protection window size, in the range of 0 to 4294967295 frames.

Usage guidelines

To allow a MACsec port to accept a number of out-of-order frames, enable replay protection and specify a replay protection window size on the port.

Suppose the replay protection window size is a on a port. After the port receives a packet with packet number (PN) x, it can accept only packets whose PN is greater than or equal to x-a.

The replay protection window size takes effect only when the replay protection feature is enabled on the port.

Set a replay protection window size based on the forwarding path of frames. If the frames might be forwarded multiple times, set a large replay protection window size.

If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the replay protection window size in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the replay protection window size) of the MKA policy are effective on the port.


# Set the MACsec replay protection window size to 100 on Ten-GigabitEthernet 4/1/1.

<Sysname> system-view
[Sysname] interface ten-gigabitethernet 4/1/1
[Sysname-Ten-GigabitEthernet4/1/1] macsec replay-protection window-size 100

Related commands

display macsec

macsec replay-protection enable

mka apply policy

replay-protection window-size