MACSec Configuration on Cisco 3850 Series Switch

jamaludeen_s
Level 1

Hi Team,

This is regarding the MACsec feature on the Cisco 3850 switch. I have gone through the data sheets and understand that all Cisco 3850 series switches support the MACsec feature. I tried to configure it, but I couldn't get the option to create an MKA policy.

Below is the switch model & IOS:

WS-C3850-24S & cat3k_caa-universalk9

 

Also, do I need an ACS server for MACsec? Is it mandatory or optional?

Please advise.

Regards

Jamal

5 Replies

Reza Sharifi
Hall of Fame

Hi,

Do you have the right license and software installed? Have a look at this document:

If you select GCM as the SAP operating mode, you must have a MACsec encryption software license from Cisco. MACsec is supported on Catalyst 3850 and 3650 universal IP Services and IP Base licenses. It is not supported with the NPE license or with a LAN Base service image.

If you select GCM without the required license, the interface is forced to a link-down state.

Link:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110101.html

HTH

Hi Reza,

Thanks for your reply. I have a Cisco 3850 switch with the IP Services image, but I don't have the option to enter the commands below:

mka policy

macsec

Even when I tried with Cisco TrustSec, sap pmk mode-list doesn't have any option:

sap pmk mode-list gcm-encrypt

Is there any specific license I have to order?

Regards

Jamal

Hi Jamal,

You should be able to apply the following commands unless your version does not support MACsec. What is the output of "sh ver"?

Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# confidentiality-offset 0
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# end
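As an added example (not part of Reza's post or of Cisco's own documentation), this is how the mka policy above fits into a complete switch-to-switch MACsec configuration with a pre-shared CAK on a 3850 running a release that supports MKA; the key-chain name, policy name, interface and the CAK value are placeholders chosen for illustration, and the peer switch needs a matching key chain.

```cisco
! Added example: switch-to-switch MACsec with MKA and a pre-shared CAK.
! KC-MACSEC, MKA-POL, Gi1/0/1 and the key value are placeholders, not from the thread.
! The key ID and CAK must be identical on both ends of the link.
key chain KC-MACSEC macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  ! The CAK for aes-128-cmac is 32 hex characters; replace the placeholder
  key-string <32-HEX-CHAR-CAK>
!
! Same policy settings as in the reply above
mka policy MKA-POL
 confidentiality-offset 0
 replay-protection window-size 300
!
interface GigabitEthernet1/0/1
 macsec network-link
 mka policy MKA-POL
 mka pre-shared-key key-chain KC-MACSEC
!
! Checks once both ends are configured:
! show mka sessions                           -> the session should show as Secured
! show macsec interface GigabitEthernet1/0/1  -> MACsec enabled, cipher and counters
```

If `key chain ... macsec` or `mka pre-shared-key` is not accepted, the running image does not support MKA and no licensing change will make the commands appear.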

 

Hi Reza,

Below is the show version output from the switch:

Switch#sh version
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.05SE RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 30-Oct-14 13:12 by prod_rel_team

Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)

Switch uptime is 20 hours, 6 minutes
Uptime for this control processor is 20 hours, 9 minutes
System returned to ROM by reload
System image file is "flash:packages.conf"
Last reload reason: reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices

cisco WS-C3850-24P (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FCW1925C0P2
2 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.

Base Ethernet MAC Address : 84:b5:17:5a:ad:00
Motherboard Assembly Number : 73-15805-04
Motherboard Serial Number : FOC19252R2T
Model Revision Number : U0
Motherboard Revision Number : A0
Model Number : WS-C3850-24P
System Serial Number : FCW1925C0P2


Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24P 03.03.05SE cat3k_caa-universalk9 INSTALL


Configuration register is 0x102

Switch#

Thanks

Jamal

Hi Jamal,

Looks like you need to update your software. According to the release notes, the MACsec feature is not supported in Cisco IOS XE Release 3.3.0SE.

Looks like you need at least 3.7.X or 16.X.X.

Source: https://www.cisco.com/c/en/us/support/switches/catalyst-3850-series-switches/products-release-notes-list.html
