MACsec Statistics

MAC Security (MACsec) is an IEEE 802® standard that allows authorized systems in a network to transmit data confidentially and to take measures against data transmitted or modified by unauthorized devices.

The switch supports the following statistics that provide a measure of MACsec performance.

Table 1. General MACsec statistics

Statistics

Description

TxUntaggedPkts

Specifies the number of transmitted packets without the MAC security tag (SecTAG), with MACsec disabled on the interface.

TxTooLongPkts

Specifies the number of transmitted packets discarded because the packet length is greater than the Maximum Transmission Unit (MTU) of the Common Port interface.

RxUntaggedPkts

Specifies the number of received packets without the MAC security tag (SecTAG), with MACsec not operating in strict mode.

RxNoTagPkts

Specifies the number of received packets without the MAC security tag (SecTAG), with MACsec operating in strict mode.

RxBadTagPkts

Specifies the number of received packets discarded with an invalid SecTAG or with a zero value Packet Number (PN)/invalid Integrity Check Value (ICV).

RxUnknownSCIPkts

Specifies the number of packets received with an unknown Secure Channel Identifier (SCI) and with MACsec not operating in strict mode.

RxNoSCIPkts

Specifies the number of packets received with an unknown Secure Channel Identifier (SCI) and with MACsec operating in strict mode.

RxOverrunPkts

Specifies the number of packets discarded because the number of received packets exceeded the cryptographic performance capabilities.

Table 2. Secure-channel inbound MACsec statistics

Statistics

Description

UnusedSAPkts

Specifies the summation of received unencrypted packets on all SAs of this secure channel, with MACsec not in strict mode.

NoUsingSAPkts

Specifies the summation of received packets that were discarded along with either encrypted packets or packets that were received with MACsec operating in strict mode.

LatePkts

Specifies the number of packets received that have been discarded for this Secure Channel (SC) with Replay Protect enabled.

Note:

Replay Protect is supported only by MACsec configurations using MACsec Key Agreement (MKA) protocol.

NotValidPkts

Specifies the summation of packets that were discarded in all SAs of the SC because they were not valid with one of the following conditions:

  • MACsec was operating in strict mode

  • The packets received were encrypted but contained erroneous fields.

InvalidPkts

Specifies the summation of all packets received that were not valid for this SC, with MACsec operating in check mode.

DelayedPkts

Specifies the summation of packets for this SC, with the Packet Number (PN) of the packets lower than the lower bound replay protection PN.

Note:

Replay Protect is supported only by MACsec configurations using MKA protocol.

UncheckedPkts

The total number of packets for this SC that:

  • were encrypted and failed the integrity check

  • were not encrypted and failed the integrity check

  • were received when MACsec validation was not enabled

OKPkts

Specifies the total number of Integrity Check Validated (ICV) packets for all SAs of this Secure Channel. The number of octets of User Data recovered from received frames that were integrity protected but not encrypted.

OctetsValidated

Specifies the number of octets of plain text recovered from received packets that were integrity protected but not encrypted.

OctetsDecrypted

Specifies the number of octets of plain text recovered from received packets that were integrity protected and encrypted.

Table 3. Secure-channel outbound MACsec statistics

Statistics

Description

ProtectedPkts

Specifies the number of integrity protected but not encrypted packets for this transmitting SC.

EncryptedPkts

Specifies the number of integrity protected and encrypted packets for this transmitting SC.

OctetsProtected

Specifies the number of plain text octets that are integrity protected but not encrypted on the transmitting SC.

OctetsEncrypted

Specifies the number of plain text octets that are integrity protected and encrypted on the transmitting SC.

Table 4. MACsec Key Agreement statistics

Statistics

Description

MKPDUs Validated & Rx

Specifies the number of MACsec Key Agreement Protocol Data Units (MKPDU) validated and received.

Rx Distributed SAK

Specifies the number of Secure Association Keys (SAK) received.

MKPDUs Transmitted

Specifies the number of MKPDUs transmitted.

Tx Distributed SAK

Specifies the number of SAKs transmitted.