MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

PDF

MACsec policy exception

Updated: February 28, 2026

Want to summarize with AI?

Log in

Overview

Defines MACsec policy exceptions as a mechanism to bypass encryption for designated packet types, allowing clear-text transmission to support interoperability and specific network topology requirements.

A MACsec policy exception is a mechanism within a MACsec security policy that

  • bypasses MACsec encryption or decryption for specific data packets,

  • allows these packets to be sent in clear-text format, and

  • supports interoperability scenarios and certain network topologies.

By default, a MACsec security policy uses the must-secure option, which mandates data encryption for all traffic. Specific commands can optionally bypass MACsec encryption or decryption, enabling certain packet types to be transmitted in clear text.

Within the macsec-policy configuration mode, the allow option is available to permit clear-text transmission for designated packet types.

Table 1. MACsec Policy Options: Must-Secure vs. Allow

Feature / Behavior

must-secure

allow
Encryption enforcement Required for all traffic Mandatory except for packets explicitly allowed
Use case Provides maximum security Allows interoperability in mixed environments
Packet exceptions Not permitted Specific packet types can bypass encryption
Example commands N/A 
allow lacp-in-clear
allow pause-frames-in-clear
Security level Highest (no clear-text transmission) Slightly reduced (clear text allowed for selected frames)

MACsec policy exceptions

  • Using the allow lacp-in-clear command to bypass MACsec for Link Aggregation Control Protocol (LACP) packets. This is beneficial in scenarios where bundles are terminated at an intermediate node and MACsec is enforced only at end nodes or when the remote node expects clear text.

  • Using the allow pause-frames-in-clear command to transmit Ethernet PAUSE frame packets in clear text.

Create a MACsec policy exception

Allow specific MACsec policy exceptions to enable or permit particular packet types in clear-text format.

Procedure

1.

Use the macsec-policy command to access the desired MACsec policy configuration by specifying the policy name.

Example:

Router# configure
Router(config)# macsec-policy mp1
2.

Use the allow lacp-in-clear command to permit LACP packets in clear-text format.

Example:

Router(config-macsec-policy)# allow lacp-in-clear
3.

Use the allow pause-frames-in-clear command to permit pause frames in clear-text.

Example:

Router(config-macsec-policy)# allow pause-frames-in-clear
Router(config-macsec-policy)# commit
4.

Use the show running config command to confirm the policy exception.

Example:

Router# show running-config macsec-policy mp1
macsec-policy mp1
…
allow lacp-in-clear
allow pause-frames-in-clear
!
5.

Use the show macsec policy detail command to verify detailed MACsec policy status.

Example:

Router# show macsec policy detail
Total Number of Policies = 1
--------------------------------------------------------
Policy Name : mp1
Cipher Suite : GCM-AES-XPN-256
Key-Server Priority : 10
Window Size : 64
Conf Offset : 50
Replay Protection : TRUE
Delay Protection : FALSE
Security Policy : Must Secure
Vlan Tags In Clear : 1
LACP In Clear : TRUE
LLDP In Clear : FALSE
Pause Frame In Clear : TRUE
Sak Rekey Interval : 60 seconds

The MACsec policy is updated to allow the specified packet exceptions in clear text, using the recommended allow commands for new configurations.