show macsec portsNEW!

show macsec ports port-list

Description

Displays per-port MKA and MAC Security (MACsec) data in tabular format.

Syntax Description

ports	Specifies ports to show information on.
port_list	Lists which ports to view MACsec information on.

Default

N/A.

Usage Guidelines

This commands displays a table containing both control-layer (MKA) status and data-layer (MACsec) statistics:

Port—Underlying physical port‘s name. Only MACsec capable ports appear.
MKA—Shows the message number (MN) contained in the MKPDUs sent by the port (“Local MN”), as well as the MN‘s in the MKPDUs being received (“Peer MN”). During normal operation, each MN should increment by 1 once every 2 seconds (MKA Hello Time).
Peer Status—Indicates whether or not the peer is potential or live. Per IEEE802.1X-2010‘s Clause 9.4.3 Determining Liveness, a peer is considered “live” when it transmits an MKPDU that contains a local MKA participant‘s member identifier (MI). A newly detected peer should start in the “P” state, and then transition to “L” in a matter of 2 to 4 seconds. A peer remaining in “P” indicates that the remote peer is not acknowledging the local peer's existence.
Connect Status—Represents the controlled port state machine‘s “connect” variable. States are defined in IEEE802.1X-2010 clause 12.3 CP state machine interfaces:
- Pending—Prevent connectivity by clearing the controlledPortEnabled parameter. Controlled port traffic is dropped.
- Authenticated—Provide unsecured connectivity, setting controlledPortEnabled. Controlled port traffic is unencrypted.
- Secure—Provide secure connectivity, using SAKs provided by the KaY (when available) and setting controlledPortEnabled when those keys are installed and in use, as specified in detail by the CP state machine. Controlled port traffic is encrypted.
Note
ExtremeXOS never chooses ‘Unauthenticated‘ or ‘Authenticated‘ access, but these options are allowed by the IEEE802.1X-2010 standard, so these cases may arise when interoperating with MKA/MACsec devices from other vendors.
Key Server—Key server status:
- None—Key server has yet to be elected (if persisting in this state, verify MACsec peer is enabled and PSKs are identical).
- Local—This port has been elected key server.
- Peer—Remote port has been elected key server.
MACsec—Displays packet and byte statistics for both transmit and receive secure channels (SCs). Packet counters are 32-bits, while byte counters are 64-bits.

Example

The following example shows MKA and MACsec information for ports 25 and 50:

Note

To accommodate the width of the page, the MACsec columns are shown below the MKA content. In the actual output from the command, these columns appear beside each other.

# show macsec ports 25,50
MAC Security
                 -----------------MKA---------------------
                    Local     Peer
         MACsec   Message  Message Peer   Connect Key    
Port     Enabled   Number   Number Status Status  Server
======== ======= ======== ======== ====== ======= ======
25       Yes            0        - N/A    PENDING None 
50       Yes       162244   162361 L      SECURE  Peer
======== ======= ======== ======== ====== ======= =======

# show macsec ports 25,50
MAC Security
---------SecY-Tx-SC----SecY-Rx-SC------
                    Local     Peer
Encrypted     Octets       OK     Octets
Packets    Encrypted  Packets  Decrypted
======== ============ ======== ==========+
       -            -        -          -
    1658        79584      2318      55827
======== ============ ========= ==========

History

This command was first available in ExtremeXOS 30.1.

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.

Platform	Ports	LRM/MACsec Adapter Required?
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches	Half-duplex, 1G ports (25–48)	No
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches	All other SFP/SFP+ ports *	Yes
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X620, and X690 series switches	SFP/SFP+ ports *	Yes
Note: * For Summit X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.

Published January 2019prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback