macsec validation mode

Use macsec validation mode to set a MACsec validation mode on a port.

Use undo macsec validation mode to restore the default.


macsec validation mode { check | strict }

undo macsec validation mode


The MACsec validation mode is check on a port.


Ethernet interface view

Predefined user roles




check: Performs validation only and does not drop illegal frames.

strict: Performs validation and drops illegal frames.

Usage guidelines

To avoid data loss, use the default validation mode check on the MACsec devices in case of MKA negotiation failure. After you use the display macsec command to verify that MKA negotiation has succeeded, change the validation mode to strict.

If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the validation mode in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the validation mode) of the MKA policy are effective on the port.


# Set the MACsec validation mode to strict on Ten-GigabitEthernet 4/1/1.

<Sysname> system-view
[Sysname] interface ten-gigabitethernet 4/1/1
[Sysname-Ten-GigabitEthernet4/1/1] macsec validation mode strict

Related commands

display macsec

mka apply policy

validation mode