Displays a system-wide view of MAC Security (MACsec).
This command has no arguments or variables.
- MACsec Capable without External Adapter—Ports that inherently support MACsec
- HW-Mode MACsec—Ports configured for MACsec versus for half-duplex (only applicable on half-duplex/MACsec ports).
- MACsec Capable with External Adapter—Ports that support MACsec-capable adapters.
- LRM/MACsec Adapter Present—Ports with a LRM/MACsec adapter plugged in.
- Valid MACsec License—Ports with a valid MACsec license installed.
- MACsec Capable, Present, and Licensed—Ports that support MACsec, external adapter is present (if applicable), and are licensed for MACsec.
- MACsec Configured—Ports that have been assigned to a connectivity association (CA) that in turn has been configured with a pre-shared-key (PSK).
- MKA Active—Ports that have MACsec configured and are actively participating in MKA (transmitting MKPDUs).
- Connect Status:
- Pending—no connectivity (MKA not successful; no connectivity).
- Authenticated—unsecure connectivity (peer authenticated; packets
NoteExtreme Network switches always attempt to connect securely. However, if the peer is a third-party device and the peer is elected key server and the peer chooses to connect without MACsec protection, the port's connect status becomes "authenticated" instead of "secure". In authenticated mode, MKA continues to authenticate the remote peer, but MACsec protection is not enabled and all traffic transmits in the clear.
- Secure—secure connectivity (peer authenticated, and packets encrypted).
For ports with shared media (one copper and one fiber), normally fiber is the preferred medium; however, for proper detection/operation, the fiber port must be the preferred medium. For example, if link is detected on the copper port it becomes the preferred medium. As such it is removed from the MACsec-capable port list. The copper ports of the shared media ports are not MACse-capable. Only the fiber side with an LRM/MACsec adapter installed is MACse-capable.
# show macsec MACsec Capable Without External Adapter: 1:25-48,2:25-48 HW-Mode MACsec: 1:25-48,2:25-48 MACsec Capable with External Adapter: 1:49-54,2:49-54 LRM/MACsec Adapter Present: 2:49-50 Valid MACsec License: 1:25-54,2:25-54 MACsec Capable, Present and Licensed: 1:25-48,2:25-50 MACsec Configured: 1:37,1:48,2:25,2:29,2:32,2:49 MKA Active: 1:37,2:49 (Transmitting MKPDUs) Connect Status Pending: 1:48,2:25,2:29,2:32 (No connectivity) Secure: 1:37,2:49 (Secured connectivity: MKA with MACsec)
This command was first available in ExtremeXOS 30.1.
This command is available on the following platforms.
NoteThe MACsec feature requires the installation of the MAC Security feature pack license.
|Platform||Ports||LRM/MACsec Adapter Required?|
|ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches||Half-duplex, 1G ports (25–48)||No|
|All other SFP/SFP+ ports *||Yes|
|ExtremeSwitching X450-G2, X460-G2, X440-G2, X590, X620, and X695 series switches||SFP/SFP+ ports *||Yes|
X465-24W, X465-24XE: ports 1–24
X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48
X465-24MU-24W: ports 25–48
VIM5-4XE: all 4 ports
VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports
VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only
Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.