MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Dynamic power management for MACsec-enabled ports

Overview

Explains the dynamic power management function, which validates power availability for MACsec sessions and prevents session establishment if the system cannot provide sufficient power to the configured interfaces.

Dynamic Power Management for MACsec-enabled ports is a MACsec function that

  • allocates total power to a router and its fabric or line cards based on various factors,

  • validates power availability for MACsec sessions on configured interfaces, and

  • prevents MACsec sessions from establishing if power is insufficient.

The dynamic power management feature distributes total available power to a router and its fabric cards or line cards based on factors such as the number and type of cards installed, their operating modes, card combinations, NPU (Network Processing Unit) power mode, and optics. When MACsec is configured on interfaces, the software checks internally whether there is enough power to bring up all intended MACsec sessions. If the system cannot power all configured MACsec sessions, some sessions remain down regardless of the interface configuration.

When this situation occurs, the router console logs a message indicating the reason for the session failure. Users can remove the MACsec configuration from the affected interfaces or re-provision the Power Supply Units (PSUs), adding more to meet the additional power requirement of the new sessions. If the MACsec configuration is not removed from interfaces whose sessions are down, there is no guarantee that the same MACsec sessions that were brought up earlier will come up after a router or line card reload.

By default, dynamic power management is enabled. To disable it, use the no power-mgmt action command in XR Config mode.

If insufficient power is available for MACsec sessions, you might see a log message such as:

LC/0/4/CPU0:Dec 21 07:35:27.977 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS_ERR : (Hu0/4/0/9), Insufficient power

Hardware support matrix for dynamic power management for MACsec-enabled ports

Cisco IOS XR Software Release    Product ID
-----------------------------    -----------------
Release 25.1.1                   8712-MOD-M
Release 24.4.1                   88-LC1-36EH
                                 88-LC1-12TH24FH-E
                                 88-LC1-52Y8H-EM
                                 8212-48FH-M
                                 8711-32FH-M
Release 7.3.3                    88-LC0-36FH-M
                                 88-LC0-34H14FH
                                 8800-LC-48H


Verify dynamic power management for MACsec-enabled ports

Confirm that power is correctly allocated and released for MACsec-enabled interfaces and that chassis and component power levels are appropriate.

Use this task to monitor and verify power allocation for MACsec interfaces on Cisco routers. This includes checking syslog messages, reviewing chassis and line card power usage, and confirming the MACsec power status at the interface level.

Procedure

1. Monitor syslog messages for power allocation and release events for MACsec interfaces.

  • When power is allocated to a MACsec interface, expect a syslog entry similar to:
    LC/slot/CPU: macsec_mka: %L2-MKA-5-MACSEC_POWER_STATUS : (interface), Power allocated
  • When power is released (such as when the MACsec policy is removed), expect a syslog entry similar to:
    LC/slot/CPU: macsec_mka: %L2-MKA-5-MACSEC_POWER_STATUS : (interface), Power released

2. Use the show environment power command to review chassis-level power information.

Example:

Router# show environment power 
Thu Dec  9 11:12:54.239 UTC
================================================================================
CHASSIS LEVEL POWER INFO: 0
================================================================================
   Total output power capacity (N + 1)             :   31500W +     6300W
   Total output power required                     :   11208W
   Total power input                               :    3778W
   Total power output                              :    3395W

================================================================================
   Power       Supply         -------Input--------   -----Output---     Status
   Module      Type            Volts A/B   Amps A/B   Volts     Amps     
================================================================================
   0/PT0-PM0   PSU6.3KW-HV     246.0/244.3 1.2/1.2    55.3      9.9      OK
   0/PT0-PM1   PSU6.3KW-HV     245.7/244.3 1.3/1.3    55.4      10.1     OK
   0/PT0-PM2   PSU6.3KW-HV     245.7/246.3 1.5/1.2    55.4      10.3     OK
   0/PT1-PM0   PSU6.3KW-HV     246.0/246.0 1.3/1.3    55.4      10.3     OK
   0/PT1-PM1   PSU6.3KW-HV     244.3/244.6 1.3/1.3    55.1      10.7     OK
   0/PT1-PM2   PSU6.3KW-HV     245.7/245.5 1.3/1.2    55.2      10.1     OK
   0/PT2-PM0   PSU6.3KW-HV     0.0/0.0     0.0/0.0    0.0       0.0      FAILED or NO PWR
   0/PT2-PM1   PSU6.3KW-HV     0.0/0.0     0.0/0.0    0.0       0.0      FAILED or NO PWR
   0/PT2-PM2   PWR-6.3KW-HV    0.0/0.0     0.0/0.0    0.0       0.0      FAILED or NO PWR

Total of Power Modules:       3778W/15.4A              3395W/61.4A

================================================================================
   Location     Card Type               Power       Power        Status
                                                    Allocated    Used
                                                    Watts        Watts
================================================================================
   0/RP0/CPU0   8800-RP-O               95          78           ON
   0/RP1/CPU0   8800-RP-O               95          -            ON
   0/0/CPU0     88-LC0-36FH-O           934         543          ON
   0/1/CPU0      -                      102         -            RESERVED
   0/2/CPU0     8800-LC-48H-O           778         474          ON
   0/3/CPU0     -                       102         -            RESERVED
   0/4/CPU0     -                       102         -            RESERVED
   0/5/CPU0     -                       102         -            RESERVED
   0/6/CPU0     8800-LC-48H             102         -            OFF
   0/7/CPU0     -                       102         -            RESERVED
   0/8/CPU0     -                       102         -            RESERVED
   0/9/CPU0     -                       102         -            RESERVED
   0/10/CPU0    -                       102         -            RESERVED
   0/11/CPU0    -                       102         -            RESERVED
   0/FC0        -                       26          -            RESERVED
   0/FC1        8812-FC                 784         338          ON
   0/FC2        8812-FC                 784         337          ON
   0/FC3        8812-FC                 784         343          ON
   0/FC4        8812-FC                 784         338          ON
   0/FC5        8812-FC                 784         344          ON
   0/FC6        -                       26          -            RESERVED
   0/FC7        -                       26          -            RESERVED
   0/FT0        SF-D-12-FAN             1072        135          ON
   0/FT1        SF-D-12-FAN             1072        105          ON
   0/FT2        SF-D-12-FAN             1072        123          ON
   0/FT3        SF-D-12-FAN             1072        123          ON

Verify total output power capacity, required power, input/output levels, and status of each power module.

3. Use the show environment power allocated location command to verify power allocated for each component on a line card.

Example:

Router# show environment power allocated location 0/2/CPU0
Thu Dec  9 09:53:49.921 UTC
================================================================================
   Location    Components               Power
                                        Allocated
                                        Watts
================================================================================
  0/2/CPU0     Data-path                772          
               MACSEC                     3          
               OPTICS                     3          
================================================================================
               Total                    778     

Confirm that the appropriate wattage is allocated for the MACsec component on each relevant line card.

4. Use the show environment power allocated details location command to see interface-level power allocation.

Example:

Router# show environment power allocated details location 0/2/CPU0
Thu Dec  9 09:53:49.921 UTC
================================================================================
   Location    Components               Power
                                        Allocated
                                        Watts
================================================================================
  0/2/CPU0     Data-path                772          
               0/2/0/9                  3            
               0/2/0/0                    3          
================================================================================
               Total                    778      

Verify that the correct power is allocated for MACsec on each specific interface where MACsec is enabled.

5. Use the show macsec mka interface detail command to verify MACsec power status at the interface level.

Example:

Router# show macsec mka interface hundredGigE 0/2/0/9 detail 
Tue Dec 21 08:10:41.571 UTC 
Interface Name : HundredGigE0/2/0/9 
 Interface Namestring : HundredGigE0/2/0/9 
 Interface short name : Hu0/2/0/9 
 Interface handle : 0x2000480 
 Interface number : 0x2000480 
 MacSecControlledIfh : 0x20005b8 
 MacSecUnControlledIfh : 0x20005c0 
 Interface MAC : 34ed.1b5b.d047 
 Ethertype : 888E 
 EAPoL Destination Addr : 0180.c200.0003 
 MACsec Shutdown : FALSE 
 Config Received : TRUE 
 IM notify Complete : TRUE 
 MACsec Power Status : Allocated 
 Interface CAPS Add : TRUE 
 RxSA CAPS Add : TRUE 
 TxSA CAPS Add : TRUE 
 MKA PSK Info 
  Key Chain Name : psk 
  MKA Cipher Suite : AES-128-CMAC 
  CKN : 22 22 
 MKA fallback_PSK Info 
  fallback keychain Name : - NA - 
 Policy : p3

Confirm that the MACsec Power Status field shows Allocated for interfaces with MACsec enabled.

Power is appropriately allocated or released for MACsec-enabled ports. Syslog entries confirm power status changes, and show commands verify that power is provisioned and reported as expected at the chassis, line card, and interface levels.
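
The syslog check from step 1 and the interface-level check from step 5, combined into one script as an added example (not Cisco's code). It reports MACsec-configured interfaces whose most recent power event is not "Power allocated". The inventory CONFIGURED, the sample log lines and the trimmed show output are constructed; the message formats follow the ones shown on this page.

```python
import re

# The three MACsec power syslog messages shown on this page; the timestamp and
# process id ("[131]") are optional so the template form also matches.
POWER_RE = re.compile(
    r"macsec_mka(?:\[\d+\])?:\s*%L2-MKA-5-MACSEC_POWER_STATUS(?:_ERR)?\s*:\s*"
    r"\(([^)]+)\),\s*(Power allocated|Power released|Insufficient power)")
SHORT_RE = re.compile(r"^\s*Interface short name\s*:\s*(\S+)", re.M)
STATUS_RE = re.compile(r"^\s*MACsec Power Status\s*:\s*(\S+)", re.M)

def track_power_state(lines):
    """Return {interface: most recent power event}; later lines win."""
    state = {}
    for line in lines:
        m = POWER_RE.search(line)
        if m:
            state[m.group(1)] = m.group(2)
    return state

def audit(lines, configured):
    """Return MACsec-configured interfaces whose last event is not
    'Power allocated', including ones with no event in the log at all."""
    state = track_power_state(lines)
    return {i: state.get(i, "no event seen") for i in sorted(configured)
            if state.get(i) != "Power allocated"}

def cli_power_status(show_output):
    """Pull (short name, MACsec Power Status) from the output of
    'show macsec mka interface ... detail'."""
    name, status = SHORT_RE.search(show_output), STATUS_RE.search(show_output)
    return (name.group(1) if name else None,
            status.group(1) if status else None)

# Constructed sample input in the message format shown on this page.
SYSLOG = [
    "LC/0/2/CPU0:Dec 21 07:30:01.100 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS : (Hu0/2/0/9), Power allocated",
    "LC/0/2/CPU0:Dec 21 07:30:02.200 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS : (Hu0/2/0/0), Power allocated",
    "LC/0/4/CPU0:Dec 21 07:35:27.977 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS_ERR : (Hu0/4/0/9), Insufficient power",
    "LC/0/2/CPU0:Dec 21 07:40:00.000 UTC: macsec_mka[131]: %L2-MKA-5-MACSEC_POWER_STATUS : (Hu0/2/0/0), Power released",
]
# Assumed inventory of interfaces that are meant to run MACsec.
CONFIGURED = {"Hu0/2/0/9", "Hu0/2/0/0", "Hu0/4/0/9", "Hu0/2/0/1"}
# Constructed, trimmed excerpt of the step 5 output.
SHOW = ("Interface Name : HundredGigE0/2/0/9\n Interface short name : Hu0/2/0/9\n"
        " MACsec Shutdown : FALSE\n MACsec Power Status : Allocated\n")

if __name__ == "__main__":
    for intf, event in audit(SYSLOG, CONFIGURED).items():
        print(f"{intf}: {event}")
    print(cli_power_status(SHOW))
```

An interface with no power event in the log window is reported as "no event seen" rather than assumed healthy, so confirm it with the step 5 command.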