show macsec ports
show macsec ports port-list
Description
Displays per-port MKA and MAC Security (MACsec) data in tabular format.
Syntax Description
ports | Specifies ports to show information on.
port_list | Lists which ports to view MACsec information on.
Usage Guidelines
This command displays a table containing both control-layer (MKA) status and
data-layer (MACsec) statistics:
- Port—Underlying physical port's name. Only MACsec-capable ports appear.
- MKA—Shows the message number (MN) contained in the MKPDUs sent by the
  port (“Local MN”), as well as the MNs in the MKPDUs being received (“Peer MN”).
  During normal operation, each MN should increment by 1 once every 2 seconds (MKA
  Hello Time).
- Peer Status—Indicates whether the peer is potential or live. Per
  IEEE802.1X-2010's Clause 9.4.3 Determining Liveness, a peer is
  considered “live” when it transmits an MKPDU that contains a local MKA
  participant's member identifier (MI). A newly detected peer should start in the
  “P” state, and then transition to “L” in a matter of 2 to 4 seconds. A peer
  remaining in “P” indicates that the remote peer is not acknowledging the local
  peer's existence.
- Connect Status—Represents the controlled port state machine's “connect”
  variable. States are defined in IEEE802.1X-2010 clause 12.3 CP state
  machine interfaces:
  - Pending—Prevent connectivity by clearing the
    controlledPortEnabled parameter. Controlled port traffic is
    dropped.
  - Authenticated—Provide unsecured connectivity, setting
    controlledPortEnabled. Controlled port traffic is unencrypted.
  - Secure—Provide secure connectivity, using SAKs provided by the
    KaY (when available) and setting controlledPortEnabled when those keys
    are installed and in use, as specified in detail by the CP state
    machine. Controlled port traffic is encrypted.

Note
ExtremeXOS never chooses 'Unauthenticated' or 'Authenticated' access,
but these options are allowed by the IEEE802.1X-2010 standard, so these
cases may arise when interoperating with MKA/MACsec devices from other
vendors.
- Key Server—Key server status:
  - None—Key server has yet to be elected (if the port persists in this
    state, verify that MACsec is enabled on the peer and that the PSKs are identical).
  - Local—This port has been elected key server.
  - Peer—Remote port has been elected key server.
- MACsec—Displays packet and byte statistics for both transmit and receive
  secure channels (SCs). Packet counters are 32 bits, while byte counters are
  64 bits.
Example
The following example shows MKA and MACsec information for ports 25 and 50:

Note
To accommodate the width of the page, the MACsec columns are shown below the
MKA content. In the actual output from the command, these columns appear beside
each other.
# show macsec ports 25,50
MAC Security
                 -----------------MKA---------------------
                 Local    Peer
         MACsec  Message  Message  Peer   Connect Key
Port     Enabled Number   Number   Status Status  Server
======== ======= ======== ======== ====== ======= ======
25       Yes     0        -        N/A    PENDING None
50       Yes     162244   162361   L      SECURE  Peer
======== ======= ======== ======== ====== ======= =======

# show macsec ports 25,50
MAC Security
---------SecY-Tx-SC----SecY-Rx-SC------
Local                 Peer
Encrypted Octets       OK       Octets
Packets   Encrypted    Packets  Decrypted
======== ============ ======== ==========+
-        -            -        -
1658     79584        2318     55827
======== ============ ========= ==========
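One way to script the checks from the Usage Guidelines over captured output, as an added example that is not part of the ExtremeXOS documentation or software. It assumes the whitespace-separated MKA column order of the example above; `parse_mka` and `findings` are hypothetical names.

```python
import re

# Header, ruler and data rows copied from the MKA half of the example output on this page.
SAMPLE = """\
Port Enabled Number Number Status Status Server
======== ======= ======== ======== ====== ======= ======
25 Yes 0 - N/A PENDING None
50 Yes 162244 162361 L SECURE Peer
"""

# port, MACsec enabled, local MN, peer MN, peer status, connect status, key server
ROW = re.compile(r"(\S+)\s+(Yes|No)\s+(\d+|-)\s+(\d+|-)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_mka(text):
    """Return {port: fields}; header and ruler lines do not match ROW and are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            continue
        port, enabled, local_mn, peer_mn, peer, connect, key_server = m.groups()
        rows[port] = {
            "enabled": enabled == "Yes",
            "local_mn": int(local_mn) if local_mn != "-" else None,
            "peer_mn": int(peer_mn) if peer_mn != "-" else None,
            "peer": peer, "connect": connect, "key_server": key_server,
        }
    return rows

def findings(rows, earlier=None):
    """List (port, problem) pairs; `earlier` is an optional older snapshot for MN checks."""
    out = []
    for port, r in rows.items():
        if not r["enabled"]:
            continue
        if r["connect"] != "SECURE":
            out.append((port, f"connect status {r['connect']}, not SECURE"))
        if r["peer"] != "L":
            out.append((port, f"peer status {r['peer']}, not live"))
        if r["key_server"] == "None":
            out.append((port, "no key server elected; check peer MACsec and PSKs"))
        old = (earlier or {}).get(port)
        for field in ("local_mn", "peer_mn"):
            if old and r[field] is not None and r[field] == old[field]:
                out.append((port, f"{field} did not advance between snapshots"))
    return out

if __name__ == "__main__":
    for port, problem in findings(parse_mka(SAMPLE)):
        print(f"port {port}: {problem}")
```

For the MN check, take the two snapshots more than one MKA Hello Time (2 seconds) apart so that a healthy port has had time to increment.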
History
This command was first available in ExtremeXOS 30.1.
Platform Availability
This command is available on the following platforms.

Note
The MACsec feature requires the installation of the MAC Security feature pack license.
Platform | Ports | LRM/MACsec Adapter Required?
Summit X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No
 | All other SFP/SFP+ ports * | Yes
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X620, and X690 series switches | SFP/SFP+ ports * | Yes
Note: * For Summit X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.