macsec validation mode
Use macsec validation mode to set a MACsec validation mode on a port.
Use undo macsec validation mode to restore the default.
Syntax
macsec validation mode { check | strict }
undo macsec validation mode
Default
The MACsec validation mode is check on a port.
Views
Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Parameters
check: Performs validation only and does not drop illegal frames.
strict: Performs validation and drops illegal frames.
Usage guidelines
To avoid data loss if MKA negotiation fails, keep the default validation mode check on the MACsec devices. After you use the display macsec command to verify that MKA negotiation has succeeded, change the validation mode to strict.
If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the validation mode in the MKA policy, and the MKA policy application is removed from the port. However, the other settings of the MKA policy (all parameters except the validation mode) remain effective on the port.
Examples
# Set the MACsec validation mode to strict on Ten-GigabitEthernet 4/1/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 4/1/1
[Sysname-Ten-GigabitEthernet4/1/1] macsec validation mode strict
Related commands
display macsec
mka apply policy
validation mode