MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

MACsec policy exceptions for LACP packets

Updated: February 28, 2026

Want to summarize with AI?

Overview

Explains the use of MACsec policy exceptions for LACP packets, which allow link aggregation control traffic to be sent in clear text to ensure bundle formation and troubleshooting across intermediate nodes.

A MACsec policy exception for LACP packets is a network security configuration that

permits LACP packets to bypass MACsec encryption and be sent in clear text,
is used in scenarios where LACP bundles terminate at intermediate network nodes while MACsec is only enforced at end nodes, and
supports interoperability where remote nodes expect LACP packets in clear text.

Table 1. Feature History Table
Feature Name	Release Information	Feature Description
MACsec Policy Exception forLink Aggregation Control Protocol Packets	Release 26.1.1	Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100])(select variants only); This feature is supported on: 8712-MOD-M router. 8011-4G24Y4H-I 8011-32Y8L2H2FH 8011-12G12X4Y-D/A
MACsec Policy Exception for Link Aggregation Control Protocol Packets	Release 7.0.12	We have introduced an option in MACsec policy exceptions to accommodate Link Aggregation Control Protocol (LACP) packets in an unencrypted format. LACP packets sent in clear text enable seamless bundle formation and troubleshooting of link aggregation issues on MACsec-enabled ports. By default, MACsec operates in must-secure mode, permitting encrypted traffic flow and LACP packets only after securing the MACsec Key Agreement (MKA) session. The LACP-in-clear feature allows LACP packets to bypass MACsec encryption, ensuring compatibility with intermediate nodes and supporting interoperability scenarios where the remote device expects LACP packets in clear text. CLI: The lacp-in-clear keyword is introduced in the allow command.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.