show macsec

Description

Displays a system-wide view of MAC Security (MACsec).

Syntax Description

This command has no arguments or variables.

Default

N/A.

Usage Guidelines

This command allows you to quickly see which ports support MACsec, which are configured, and which are secure.

MACsec Capable without External Adapter—Ports that inherently support MACsec
HW-Mode MACsec—Ports configured for MACsec versus for half-duplex (only applicable on half-duplex/MACsec ports).
MACsec Capable with External Adapter—Ports that support MACsec-capable adapters.
LRM/MACsec Adapter Present—Ports with a LRM/MACsec adapter plugged in.
Valid MACsec License—Ports with a valid MACsec license installed.
MACsec Capable, Present, and Licensed—Ports that support MACsec, external adapter is present (if applicable), and are licensed for MACsec.
MACsec Configured—Ports that have been assigned to a connectivity association (CA) that in turn has been configured with a pre-shared-key (PSK).
MKA Active—Ports that have MACsec configured and are actively participating in MKA (transmitting MKPDUs).
Connect Status:
- Pending—no connectivity (MKA not successful; no connectivity).
- Authenticated—unsecure connectivity (peer authenticated; packets not encrypted).
  Note
  Extreme Network switches always attempt to connect securely. However, if the peer is a third-party device and the peer is elected key server and the peer chooses to connect without MACsec protection, the port's connect status becomes "authenticated" instead of "secure". In authenticated mode, MKA continues to authenticate the remote peer, but MACsec protection is not enabled and all traffic transmits in the clear.
- Secure—secure connectivity (peer authenticated, and packets encrypted).

For ports with shared media (one copper and one fiber), normally fiber is the preferred medium; however, for proper detection/operation, the fiber port must be the preferred medium. For example, if link is detected on the copper port it becomes the preferred medium. As such it is removed from the MACsec-capable port list. The copper ports of the shared media ports are not MACse-capable. Only the fiber side with an LRM/MACsec adapter installed is MACse-capable.

Example

The following example shows system-wide view of MACsec:

# show macsec
MACsec Capable Without External Adapter:  1:25-48,2:25-48
  HW-Mode MACsec:                         1:25-48,2:25-48
MACsec Capable with External Adapter:     1:49-54,2:49-54
  LRM/MACsec Adapter Present:             2:49-50
Valid MACsec License:                     1:25-54,2:25-54
MACsec Capable, Present and Licensed:     1:25-48,2:25-50
MACsec Configured:                        1:37,1:48,2:25,2:29,2:32,2:49
MKA Active:                               1:37,2:49    (Transmitting MKPDUs)
Connect Status
  Pending:                                1:48,2:25,2:29,2:32 (No connectivity)
  Secure:                                 1:37,2:49    (Secured connectivity: MKA with MACsec)

History

This command was first available in ExtremeXOS 30.1.

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.


Platform	Ports	LRM/MACsec Adapter Required?
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches	Half-duplex, 1G ports (25–48)	No
	All other SFP/SFP+ ports *	Yes
ExtremeSwitching X450-G2, X460-G2, X440-G2, X590, X620, and X695 series switches	SFP/SFP+ ports *	Yes
ExtremeSwitching X465	X465-24W, X465-24XE: ports 1–24 X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48 X465-24MU-24W: ports 25–48 VIM5-4XE: all 4 ports VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only	No
Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.