cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
274
Views
0
Helpful
1
Replies
Petr Nyvlt
Beginner

"mka policy" command not available on Cat9500

I have a stackwise pair of  C9500-48Y4C switches. 

They are correctly registered to CSSM.

The sofware is 16.12.4, network-advantage license appear to by active, but for unknown reason I cannot configure MKA policy in global config mode.

 

SWITCH(config)#mka ?
% Unrecognized command

 

I have more hw identical pairs where this command is available.I cannot find the reason, I already tried to reboot the pair

 

Any idea what to check before opening TAC case?

 

 

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: REGISTERED

 

License Usage
==============

C9500 Network Advantage (C9500 Network Advantage):
Description: C9500 Network Advantage
Count: 2
Version: 1.0
Status: AUTHORIZED
Export status: NOT RESTRICTED

1 REPLY 1
Tim Glen
Cisco Employee

I'd open a TAC case.

 

The link below shows MACsec restrictions in 16.9
Prior to 16.12 MACsec Key Agreement (MKA) is not supported with high availability.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-9/configuration_guide/sec/b_169_sec_9500_cg/macsec_encryption.html#concept_b5v_csg_l2b

 

However in 16.12...

Starting with Cisco IOS XE 16.12.1 release, support for MKA with high availability has been introduced for Cisco Catalyst 9500 High Performance Series Switches. The high availability feature enables a pair of route processors to act as backup for each other. With high availability support for MKA if there is an active RP failure, the stand-by RP takes over existing MKA sessions in a minimally-disruptive switchover.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-12/configuration_guide/sec/b_1612_sec_9500_cg/macsec_encryption.html