MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

PDF

MACsec policy exceptions for LLDP packets

Updated: February 28, 2026

Want to summarize with AI?

Log in

Overview

Describes how to allow LLDP packets to be transmitted in clear text, facilitating neighbor discovery and troubleshooting on MACsec-enabled ports while maintaining encryption for all other data traffic.

A MACsec policy exception for LLDP packets is a MACsec configuration mechanism that

  • allows the transmission of LLDP (Link Layer Discovery Protocol) packets in clear text even when MACsec encryption is enabled,

  • enables network administrators to facilitate neighbor discovery and troubleshooting by making LLDP packets visible on the network, and

  • maintains MACsec encryption for all other traffic, ensuring the overall security of the data link layer.

Table 1. Feature History Table

Feature Name

Release Information

Feature Description

MACsec Policy Exception for Link Layer Discovery Protocol Packets

Release 26.1.1

Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100])(select variants only*);

*This feature is supported on:

  • 8712-MOD-M router.

  • 8011-4G24Y4H-I

  • 8011-32Y8L2H2FH

  • 8011-12G12X4Y-D/A

MACsec Policy Exception for Link Layer Discovery Protocol Packets

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

*This feature is supported on:

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 8212-48FH-M

  • 8711-32FH-M

MACsec Policy Exception for Link Layer Discovery Protocol Packets

Release 7.11.1

We have introduced an option in MACsec policy exceptions to accommodate Link Layer Discovery Protocol (LLDP) packets in an unencrypted format. LLDP packets in clear text format help you troubleshoot LLDP neighbor discovery network issues on MAcsec-enabled ports. By default, MACsec always operates in must-secure mode, allowing encrypted traffic flow including LLDP packets only after securing the MACsec Key Agreement (MKA) session.

The feature introduces these changes:

CLI:

YANG Data Models:

  • Cisco-IOS-XR-crypto-macsec-mka-cfg.yang

  • Cisco-IOS-XR-crypto-macsec-mka-oper.yang

  • Cisco-IOS-XR-um-macsec-cfg.yang

(See GitHub, YANG Data Models Navigator)

By default, when MACsec is enabled, it encrypts all network traffic at the data link layer, including LLDP packets. This ensures that communications between peers remain secure. The router stores information learned from LLDP exchanges in the Management Information Base (MIB).

However, starting from Cisco IOS XR Software Release 7.11.1, routers provide an option to transmit LLDP packets in clear text even when MACsec is enabled. Administrators can enable this exception using the allow lldp-in-clear command in the MACsec policy. This functionality is useful for troubleshooting LLDP neighbor discovery issues, as it allows network administrators to view LLDP packets unencrypted for diagnostic purposes.

By default, MACsec operates in must-secure mode, permitting encrypted traffic flow—including LLDP packets—only after the MACsec Key Agreement (MKA) session is secured.

Note

We strongly advise against enabling the MACsec exception to retain LLDP packets unencrypted unless necessary for network maintenance. You must ensure to configure LLDP packets in clear text at both ends of the MACsec link.

Table 2. LLDP packet handling in MACsec: default encryption versus clear-text exception

Feature

Default MACsec behavior

With LLDP exception enabled
LLDP packet encryption Encrypted Clear text (unencrypted)
Troubleshooting support Limited (due to encryption) Enhanced (LLDP packets visible in plain text)
Security posture Highest (all packets encrypted) Slightly reduced for LLDP, others encrypted

LLDP packet handling in MACsec: default encryption and clear-text exception

  • An administrator enables the allow lldp-in-clear command to transmit LLDP packets in clear text on a MACsec-enabled port for troubleshooting neighbor discovery issues.

  • By default, a router encrypts LLDP packets with MACsec, ensuring all data link layer communications are secured.

MACsec LLDP clear-text: troubleshooting challenges and security risks

  • Without enabling the LLDP exception, LLDP packets remain encrypted under MACsec, making it difficult to diagnose neighbor discovery problems using packet captures.

  • Transmitting all protocol packets, including LLDP, in clear text on a MACsec-enabled port would compromise the security provided by MACsec, which is not the default or recommended configuration.

Configure MACsec policy exception for LLDP packets

Configure a MACsec policy to allow LLDP packets to be transmitted in clear-text format without encryption.

By default, MACsec encrypts all traffic on a link. This task enables an exception for Link Layer Discovery Protocol (LLDP) packets, allowing them to pass through unencrypted while maintaining encryption for other traffic types.

Procedure

1.

Use the macsec-policy command to access the desired MACsec policy configuration by specifying the policy name.

Example:

Router# configure
Router(config)# macsec-policy test-macsec
2.

Use the allow lldp-in-clear command to enable the LLDP clear-text exception.

Example:

Router(config-macsec-policy)# allow lldp-in-clear
3.

Use the show running config command to confirm the policy exception.

Example:

Router# show running-config macsec-policy test-macsec
macsec-policy mp1
…
allow lldp-in-clear
!
4.

Use the show macsec policy detail and show macsec mka interface detail commands to verify the policy details reflect the LLDP clear-text setting.

Example:

Router# show macsec policy detail
Total Number of Policies = 1
--------------------------------------------------------
Policy Name : mp1
Cipher Suite : GCM-AES-XPN-256
Key-Server Priority : 10
Window Size : 64
Conf Offset : 50
Replay Protection : TRUE
Delay Protection : FALSE
Security Policy : Must Secure
Vlan Tags In Clear : 1
LACP In Clear : FALSE
LLDP In Clear : TRUE
Pause Frame In Clear : FALSE
Sak Rekey Interval : 60 seconds

Router# show macsec mka interface detail
Number of interfaces on node node0_3_CPU0 : 1
----------------------------------------------------
Interface Name : HundredGigE0/3/0/5
Interface Namestring : HundredGigE0/3/0/5
Interface short name : Hu0/3/0/5
Interface handle : 0x1800238
Interface number : 0x1800238
MacSecControlledIfh : 0x18005e0
MacSecUnControlledIfh : 0x18005e8
Interface MAC : 5cb1.2ede.7648
Ethertype : 888E
EAPoL Destination Addr : 0180.c200.0003
MACsec Shutdown : FALSE
Config Received : TRUE
IM notify Complete : TRUE
MACsec Power Status : Allocated
Interface CAPS Add : TRUE
RxSA CAPS Add : TRUE
TxSA CAPS Add : TRUE
lldp-in-clear : TRUE

The MACsec policy is updated to allow LLDP packets in clear-text, confirmed by showing running configuration and interface details.