Displays configuration, status, and statistics for both MKA and MAC Security (MACsec).
ports | Specifies ports to show MKA and MACsec detailed information on. |
port_list | Lists which ports to show MKA and MACsec detailed information on. |
detail | Selects showing detailed MACsec port information. |
N/A.
The following example shows detailed MACsec information for port 25:
# show macsec ports 25 detail
PAE Port Table
--------------
Port: 25
Port Capabilities : 0x30
Supplicant : No
Authenticator : No
MKA : Yes
MACsec : Yes
Announcements : No
Listener : No
Virtual Ports : No
Virtual Ports Enable : Disabled
Logon Enable : Enabled
Authenticator Enable : Enabled
Supplicant Enable : Disabled
KaY MKA : Enabled
Announcer : Disabled
Listener : Disabled
LOGON Table
-------------------------
Connect : SECURE
Port Valid : True
NID Table
-------------------------
UseEAP : Never
UnauthAllowed : Never
UnsecuredAllowed : mkaServer
UnauthenticatedAccess : noAccess
Access Capabilities : 0x08
eap : No
eapMka : No
eapMkaMacSec : No
mka : No
mkaMacSec : Yes
vendorSpecific : No
KaY MKA Table
-------------------------
MKA Active : True
MKA Authenticated : False
MKA Secured : True
MKA Failed : False
MKA Actor SCI : 00-04-96-99-39-93-00-19
MKA Actor's Priority : 0x2
MKA Life Time : 10s
MKA Key Server SCI : 00-04-96-99-39-93-00-19
MKA Key Server Priority : 0x2
MACsec Confidentiality Offset : 0
MACsec Desired : True
MACsec Protect : True
MACsec Replay Protect : True
MACsec Validate : True
MACsec Protection
Local MACsec Capability : Integrity, Confidentiality with Offset 0, 30, or 50
Peer MACsec Capability : Integrity, Confidentiality with Offset 0, 30, or 50
Negotiated Protection : Integrity, Confidentiality with Offset 0
MACsec Cipher Suite Admin : gcm-aes-256
MACsec Cipher Suite Oper : gcm-aes-256
MKA Tx Key Number : 6
MKA Tx Association Number : 1
MKA Rx Key Number : 6
MKA Rx Association Number : 1
MKA Participant Table
-------------------------
CA Name : My256bitCA
CAK Name (CKN) : Switch1toSwitch2
Cached : False
Active : True
Retain : False
ActivateControl : Default
Principal : True
Potential Peer List :
Live Peer List :
MN, SCI : 26, 00-04-96-99-17-23-00-33
SecY Config Table
-------------------------
Protect Frames: Enabled
Validate Frames: Strict
Replay Protect: Enabled
Replay Protect Window: 0 frames
SecTAG Transmit Options
Include SCI: Disabled
Use ES: Disabled
Use SCB: Disabled
SecY Receive SA AN-1 Table
---------------------------
State: inUse
Next PN: 1899969
Created Time: Fri Mar 22 10:55:16 2019
SecY Receive SC Table
-------------------------
SCI: 00-04-96-99-17-23-00-33
State: inUse
Current SA: 1
Created Time: Fri Mar 22 10:55:16 2019
SecY Transmit SA AN-1 Table
----------------------------
State: inUse
Next PN: 1375880
Created Time: Fri Mar 22 10:55:16 2019
SecY Transmit SC Table
-------------------------
SCI: 00-04-96-99-39-93-00-19
State: inUse
Encoding SA: 1
Enciphering SA: 0
Created Time: Fri Mar 22 10:38:27 2019
SecY Interface Statistics
-------------------------
SecY:
Tx Untagged Pkts : 0
Tx Too Long Pkts : 0
Rx Untagged Pkts : 0
Rx No Tag Pkts : 57046
Rx Bad Tag Pkts : 0
Rx Unknown SCI Pkts : 0
Rx No SCI Pkts : 0
Rx Overrun Pkts : 0
Transmit:
Secure Channel
Protected Pkts : 0
Encrypted Pkts : 4185922
Octets Protected : 0
Octets Encrypted : 6262129739
Secure Association : AN-1
Protected Pkts : 0
Encrypted Pkts : 4185922
Receive:
Secure Channel, SCI: 00-04-96-99-17-23-00-33
Late Pkts : 0
Not Valid Pkts : 0
Delayed Pkts : 0
Unchecked Pkts : 0
OK Pkts : 1753184
Octets Validated : 0
Octets Decrypted : 2629771596
Secure Association : AN-1
Not Valid SA Pkts : 0
OK Pkts : 1753184
This command was first available in ExtremeXOS 30.1.
Cipher information was added in ExtremeXOS 30.2.
MKA lifetime information was added in ExtremeXOS 31.5.
This command is available on the following platforms.
Note
The MACsec feature requires the installation of the MAC Security feature pack license.Platform | Ports | LRM/MACsec Adapter Required? |
---|---|---|
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No |
All other SFP/SFP+ ports * | Yes | |
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X590, X620, X690, and X695 series switches | SFP/SFP+ ports * | Yes |
ExtremeSwitching X465 |
X465-24W, X465-24XE: ports 1–24 X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48 X465-24MU-24W: ports 25–48 VIM5-4XE: all 4 ports VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only |
No |
ExtremeSwitching 5320 | All ports of all models except stacking ports. | No |
ExtremeSwitching 5420 | All ports of all models except stacking ports. | No |
ExtremeSwitching 5520 | All ports, except 5520-VIM-4X and 24X 10G ports | No |
Note: * For ExtremeSwitching X460-G2
series switches, the VIM-2X option does not support the
LRM/MACsec Adapter.
|