/system/macsec_policies

post

https://switch-ip/rest/v10.16/system/macsec_policies

Body Params

bypass

object

The features to bypass MACsec processing on the channel.

cipher_suites

object

The MACsec cipher-suites to use to protect the MACsec frames. When more than one cipher-suite is enabled, the MKA instance will use the most secure cipher-suite in the list to generate the SAK when it is the key-server. If no specific cipher-suite is enabled, the switch will use the cipher-suites supported on the interface for MACsec.

clear_tag_mode

string

enum

Ethernet data in a MACsec PDU that must precede the MACsec SecTAG in clear text. none: The SecTAG directly follows the destination and source MAC address in a MACsec PDU. dot1q: Send the 802.1q tag in clear in a MACsec PDU. When configured, untagged traffic is not allowed on the MACsec channel.

Allowed:

confidentiality_disable

boolean

Disable encryption on the MACsec interface.

confidentiality_offset

string

enum

Number of octets in an Ethernet frame that are unencrypted. This is only applicable when confidentiality is enabled for this policy. byte_0: the entire Ethernet frame is sent encrypted. byte_30: the data following the first 30 bytes of the Ethernet frame is sent encrypted. byte_50: the data following the first 50 bytes of the Ethernet frame is sent encrypted.

Allowed:

data_delay_protection_enable

boolean

Enable data delay protection. Data delay protection allows MKA participants to ensure that the data frames protected by MACsec delayed by more than 2 seconds are dropped.

include_sci_disable

boolean

Disable inclusion of Secure Channel Identifier (SCI) in MACsec frames.

name

string

required

length between 1 and 128

Reference Resource: MACsec_Policy
Name of the MACsec policy.

origin

string

enum

Origin of the MACsec policy, i.e., how the policy is provisioned: static: policy is provisioned by the administrator via CLI or REST. dynamic: policy is provisioned based on attributes provided by the RADIUS server.

Allowed:

replay_protect_disable

boolean

Disable replay protection on the MACsec interface.

replay_window

int64

0 to 4294967295

Replay protection window associated with this policy. When a packet is received, it is processed only if the Packet Number (PN) associated with this packet is within the replay window. This is only applicable if the replay protection is enabled for this policy.

secure_mode

string

enum

Forwarding behavior of the interface when the MKA session is not established. should-secure: Open the interface on the data-plane with no MACsec protection. must-secure: Block the interface on the data-plane.

Allowed:

Responses

201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

415

Unsupported Media Type

500

Internal Server Error

501

Not Implemented

503

Service Unavailable

Language

Response

Click Try It! to start a request and see the response here!