Uncontrolled Ports and Controlled Ports

When MKA is enabled, two new logical interfaces are instantiated (Uncontrolled Port and Controlled Port) and stacked on top of the physical port (Common Port). The Uncontrolled Port provides insecure (unencrypted) MAC service to the Port Access Entity (PAE), which is responsible for sending and receiving MKA protocol packets (MKPDUs). The Controlled Port provides secure (encrypted) MAC service to all MAC clients which were previously attached to the Common Port (everything except the PAE). The Secure Entity (SecY) is responsible for encrypting Controlled Port traffic.

Network Access Control with MACsec and a Point-to-Point LAN (Courtesy of IEEE)

Controlled Port and Uncontrolled Port names are derived from the Common Port name. Examples are shown below:

| Common Port Name | Uncontrolled Port Name | Controlled Port Name |
|---|---|---|
| ge.1.1 | geU.1.1 | geC.1.1 |
| tg.3.15 | tgU.3.15 | tgC.3.15 |

You can monitor status and statistics for both the Uncontrolled and Controlled Ports using the CLI (show port status) or SNMP (MIB-II ifEntry). The status of the Uncontrolled Port mirrors that of the Common Port (when the physical port is up, the Uncontrolled Port is up too). The status of the Controlled Port is controlled by the PAE's Logon Process and is a product of physical port status, MACsec configuration, and MKA status.

| Physical Link | Logon Connect | Logon Port Valid | Common Port | Uncontrolled Port | Controlled Port |
|---|---|---|---|---|---|
| down | pending | false | down | layr-dwn | layr-dwn |
| up | pending | false | down | up (clear text) | down |
| up | unauthorized | false | up | up (clear text) | up (clear text) |
| up | authorized | false | up | up (clear text) | up (clear text) |
| up | secure | true | up | up (clear text) | up (encrypted) |
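
The following audit sketch is an added example, not code from the original page or from the vendor. It applies the state table above to flag ports whose Controlled Port is passing clear text or whose logon state contradicts the table. The function names, verdict strings, and sample readings are assumptions made for illustration, and the name derivation assumes the prefix + U/C + remainder pattern of the tg.3.15 row.

```python
import re

# State table from the page: (physical link, logon connect, port valid)
#   -> (Common Port, Uncontrolled Port, Controlled Port)
STATE_TABLE = {
    ("down", "pending", False): ("down", "layr-dwn", "layr-dwn"),
    ("up", "pending", False): ("down", "up (clear text)", "down"),
    ("up", "unauthorized", False): ("up", "up (clear text)", "up (clear text)"),
    ("up", "authorized", False): ("up", "up (clear text)", "up (clear text)"),
    ("up", "secure", True): ("up", "up (clear text)", "up (encrypted)"),
}

def derived_names(common):
    """Map a Common Port name to (Uncontrolled, Controlled) names.

    Assumes the prefix + U/C + remainder pattern of the page's tg.3.15 row.
    """
    m = re.fullmatch(r"([a-z]+)(\.\d+\.\d+)", common)
    if m is None:
        raise ValueError(f"unrecognized port name: {common!r}")
    prefix, rest = m.groups()
    return f"{prefix}U{rest}", f"{prefix}C{rest}"

def audit_port(port, link, logon_connect, port_valid):
    """Return (Controlled Port name, verdict) for one port's logon state."""
    controlled_name = derived_names(port)[1]
    expected = STATE_TABLE.get((link, logon_connect, port_valid))
    if expected is None:
        # e.g. "secure" without port valid: the inputs contradict the table
        return controlled_name, "INCONSISTENT: combination not in documented table"
    controlled = expected[2]
    if controlled == "up (encrypted)":
        return controlled_name, "OK: encrypted"
    if controlled == "up (clear text)":
        # Link is usable but MACsec is not protecting it
        return controlled_name, "ALERT: passing clear text"
    return controlled_name, f"NO SERVICE: {controlled}"

# Constructed sample readings (hypothetical; not real device output)
SAMPLE = [
    ("ge.1.1", "up", "secure", True),
    ("tg.3.15", "up", "authorized", False),
    ("ge.1.2", "up", "pending", False),
    ("ge.1.3", "up", "secure", False),
]

if __name__ == "__main__":
    for reading in SAMPLE:
        name, verdict = audit_port(*reading)
        print(f"{name:10} {verdict}")
```

Only the `secure` / `true` row yields an encrypted Controlled Port, so the `unauthorized` and `authorized` rows are the ones to alert on where encryption is expected.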

The show macsec logon command displays logon connect and port valid states: