When MKA is enabled, two new logical interfaces are instantiated (Uncontrolled Port and Controlled Port) and stacked on top of the physical port (Common Port). The Uncontrolled Port provides insecure (unencrypted) MAC service to the Port Access Entity (PAE), which is responsible for sending and receiving MKA protocol packets (MKPDUs). The Controlled Port provides secure (encrypted) MAC service to all MAC clients which were previously attached to the Common Port (everything except the PAE). The Secure Entity (SecY) is responsible for encrypting Controlled Port traffic.
Controlled and Uncontrolled Port names are derived from the Common Port name. Examples are shown below:

| Common Port Name | Uncontrolled Port Name | Controlled Port Name |
|---|---|---|
| ge.1.1 | geU.1.1 | geC.1.1 |
| tg.3.15 | tgU.3.15 | tgC.3.15 |
You can monitor status and statistics for both the Uncontrolled and Controlled Ports using the CLI (show port status) or SNMP (MIB-II ifEntry). The status of the Uncontrolled Port mirrors that of the Common Port (when the physical port is up, the Uncontrolled Port is up too). The status of the Controlled Port is determined by the PAE's Logon Process and is a product of the physical port status, the MACsec configuration, and the MKA status.
| Physical Link | Logon Connect | Logon Port Valid | Common Port | Uncontrolled Port | Controlled Port |
|---|---|---|---|---|---|
| down | pending | false | down | layr-dwn | layr-dwn |
| up | pending | false | down | up (clear text) | down |
| up | unauthorized | false | up | up (clear text) | up (clear text) |
| up | authorized | false | up | up (clear text) | up (clear text) |
| up | secure | true | up | up (clear text) | up (encrypted) |
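The table shows that a Controlled Port can be up and forwarding clear text, so an audit should alert on any MACsec port that is not in the secure state. The following is an added example, not code from the original page or the vendor: the record layout, the port-name pattern, and the `derived_names` and `audit` helpers are assumptions, and the sample records are constructed.

```python
import re

# Controlled Port state keyed by (physical link, logon connect, port valid),
# transcribed from the status table above.
CONTROLLED_STATE = {
    ("down", "pending", False): "layr-dwn",
    ("up", "pending", False): "down",
    ("up", "unauthorized", False): "up (clear text)",
    ("up", "authorized", False): "up (clear text)",
    ("up", "secure", True): "up (encrypted)",
}

def derived_names(common):
    """ge.1.1 -> ('geU.1.1', 'geC.1.1'); assumes a <type>.<slot>.<port> name."""
    m = re.fullmatch(r"([a-z]+)(\.\d+\.\d+)", common)
    if not m:
        raise ValueError(f"unexpected port name: {common!r}")
    prefix, rest = m.groups()
    return prefix + "U" + rest, prefix + "C" + rest

def audit(records):
    """Return (controlled port, state, reason) for every port not encrypted."""
    findings = []
    for common, link, connect, valid in records:
        controlled = derived_names(common)[1]
        state = CONTROLLED_STATE.get((link, connect, valid))
        if state is None:
            findings.append((controlled, "unknown", "combination not in the table"))
        elif state == "up (clear text)":
            findings.append((controlled, state, f"unencrypted, logon connect={connect}"))
        elif state != "up (encrypted)":
            findings.append((controlled, state, "no MACsec-protected service"))
    return findings

# Constructed sample records (hypothetical layout, not device output):
# (common port, physical link, logon connect, logon port valid)
SAMPLE = [
    ("ge.1.1", "up", "secure", True),
    ("ge.1.2", "up", "authorized", False),
    ("tg.3.15", "up", "unauthorized", False),
    ("tg.3.16", "up", "pending", False),
    ("ge.1.3", "up", "secure", False),   # inconsistent: not a table row
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```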
The show macsec logon command displays logon connect and port valid states: