show macsec ports detail

show macsec ports port-list detail

Description

Displays configuration, status, and statistics for both MKA and MAC Security (MACsec).

Syntax Description

ports      Specifies the ports for which to show detailed MKA and MACsec information.
port_list  Lists the ports for which to show detailed MKA and MACsec information.
detail     Shows detailed MACsec port information.

Default

N/A.

Example

The following example shows detailed MACsec information for port 25:

# show macsec ports 25 detail 
PAE Port Table
--------------
Port: 25
Port Capabilities           : 0x30
  Supplicant    : No
  Authenticator : No
  MKA           : Yes
  MACsec        : Yes
  Announcements : No
  Listener      : No
  Virtual Ports : No
Virtual Ports Enable        : Disabled
Logon Enable                : Enabled
Authenticator Enable        : Enabled
Supplicant Enable           : Disabled
KaY MKA                     : Enabled
Announcer                   : Disabled
Listener                    : Disabled

LOGON Table
-------------------------
Connect                 : SECURE
Port Valid              : True

NID Table
-------------------------
UseEAP                  : Never
UnauthAllowed           : Never
UnsecuredAllowed        : mkaServer
UnauthenticatedAccess   : noAccess
Access Capabilities     : 0x08
  eap                 : No
  eapMka              : No
  eapMkaMacSec        : No
  mka                 : No
  mkaMacSec           : Yes
  vendorSpecific      : No

KaY MKA Table
-------------------------
MKA Active                    : True
MKA Authenticated             : False
MKA Secured                   : True
MKA Failed                    : False
MKA Actor SCI                 : 00-04-96-99-39-93-00-19
MKA Actor's Priority          : 0x2
MKA Life Time                 : 10s
MKA Key Server SCI            : 00-04-96-99-39-93-00-19
MKA Key Server Priority       : 0x2
MACsec Confidentiality Offset : 0
MACsec Desired                : True
MACsec Protect                : True
MACsec Replay Protect         : True
MACsec Validate               : True
MACsec Protection
  Local MACsec Capability     : Integrity, Confidentiality with Offset 0, 30, or 50
  Peer MACsec Capability      : Integrity, Confidentiality with Offset 0, 30, or 50
  Negotiated Protection       : Integrity, Confidentiality with Offset 0
MACsec Cipher Suite Admin     : gcm-aes-256
MACsec Cipher Suite Oper      : gcm-aes-256
MKA Tx Key Number             : 6
MKA Tx Association Number     : 1
MKA Rx Key Number             : 6
MKA Rx Association Number     : 1

MKA Participant Table
-------------------------
CA Name             : My256bitCA
CAK Name (CKN)      : Switch1toSwitch2
Cached              : False
Active              : True
Retain              : False
ActivateControl     : Default
Principal           : True

Potential Peer List :  
Live Peer List      :  
  MN, SCI : 26, 00-04-96-99-17-23-00-33
SecY Config Table
-------------------------
Protect Frames:        Enabled
Validate Frames:       Strict
Replay Protect:        Enabled
Replay Protect Window: 0 frames
SecTAG Transmit Options
  Include SCI:         Disabled
  Use ES:              Disabled
  Use SCB:             Disabled

SecY Receive SA AN-1 Table
---------------------------
State:           inUse
Next PN:         1899969
Created Time:    Fri Mar 22 10:55:16 2019

SecY Receive SC Table
-------------------------
SCI:             00-04-96-99-17-23-00-33
State:           inUse
Current SA:      1
Created Time:    Fri Mar 22 10:55:16 2019

SecY Transmit SA AN-1 Table
----------------------------
State:           inUse
Next PN:         1375880
Created Time:    Fri Mar 22 10:55:16 2019

SecY Transmit SC Table
-------------------------
SCI:             00-04-96-99-39-93-00-19
State:           inUse
Encoding SA:     1
Enciphering SA:  0
Created Time:    Fri Mar 22 10:38:27 2019

SecY Interface Statistics
-------------------------
SecY:  
  Tx Untagged Pkts       : 0
  Tx Too Long Pkts       : 0
  Rx Untagged Pkts       : 0
  Rx No Tag Pkts         : 57046
  Rx Bad Tag Pkts        : 0
  Rx Unknown SCI Pkts    : 0
  Rx No SCI Pkts         : 0
  Rx Overrun Pkts        : 0

Transmit:  
  Secure Channel
    Protected Pkts       : 0
    Encrypted Pkts       : 4185922
    Octets Protected     : 0
    Octets Encrypted     : 6262129739

  Secure Association     : AN-1
    Protected Pkts       : 0
    Encrypted Pkts       : 4185922

Receive:
  Secure Channel, SCI:  00-04-96-99-17-23-00-33
    Late Pkts            : 0
    Not Valid Pkts       : 0
    Delayed Pkts         : 0
    Unchecked Pkts       : 0
    OK Pkts              : 1753184
    Octets Validated     : 0
    Octets Decrypted     : 2629771596

  Secure Association     : AN-1
    Not Valid SA Pkts    : 0
    OK Pkts              : 1753184
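
The fields in the output above can be checked automatically. The following Python code is an added example, not part of the ExtremeXOS documentation or software: it parses the "name : value" lines and reports every field that departs from an expected state. EXPECTED and ZERO_COUNTERS are an assumed policy taken from the values in the sample output, and SAMPLE is a constructed excerpt in the same layout.

```python
# Assumed policy, taken from the values in the sample output above; adjust as needed.
EXPECTED = {
    "Connect": "SECURE", "MKA Secured": "True", "MKA Failed": "False",
    "MACsec Protect": "True", "MACsec Replay Protect": "True",
    "Protect Frames": "Enabled", "Validate Frames": "Strict", "Replay Protect": "Enabled",
}
ZERO_COUNTERS = ["Rx Bad Tag Pkts", "Rx Unknown SCI Pkts", "Not Valid Pkts",
                 "Not Valid SA Pkts", "Late Pkts"]  # receive counters expected to stay 0

# Constructed excerpt in the layout of the output above (not captured from a switch).
SAMPLE = """\
Connect                 : SECURE
MKA Secured                   : True
MKA Failed                    : False
MACsec Protect                : True
MACsec Replay Protect         : True
MACsec Cipher Suite Admin     : gcm-aes-256
MACsec Cipher Suite Oper      : gcm-aes-256
Protect Frames:        Enabled
Validate Frames:       Strict
Replay Protect:        Enabled
Created Time:    Fri Mar 22 10:55:16 2019
  Rx Bad Tag Pkts        : 0
    Not Valid Pkts       : 0
"""

def parse_fields(text):
    """Collect 'name : value' lines; names repeat across tables, so keep lists."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only: timestamps have more
        if sep and name.strip() and value.strip():
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def audit(text):
    """Return a list of findings; an empty list means the port matches the policy."""
    f, findings = parse_fields(text), []
    for name, want in EXPECTED.items():
        got = f.get(name, ["<missing>"])
        if any(v != want for v in got):
            findings.append(f"{name}: expected {want}, got {', '.join(got)}")
    admin, oper = (f.get("MACsec Cipher Suite " + k) for k in ("Admin", "Oper"))
    if admin is None or admin != oper:
        findings.append(f"cipher suite: admin {admin} != oper {oper}")
    for name in ZERO_COUNTERS:
        findings += [f"{name}: {v} (expected 0)" for v in f.get(name, []) if v != "0"]
    return findings

print(audit(SAMPLE) or "port matches assumed policy")
```

Pass the saved text of the command output to audit(); a mismatch between the Admin and Oper cipher suite lines is reported as its own finding.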

History

This command was first available in ExtremeXOS 30.1.

Cipher information was added in ExtremeXOS 30.2.

MKA lifetime information was added in ExtremeXOS 31.5.

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.

Platform | Ports | LRM/MACsec Adapter Required?
-------- | ----- | ----------------------------
ExtremeSwitching X460-G2-24p-24hp, X460-G2-24t-24ht switches | Half-duplex, 1G ports (25–48) | No
 | All other SFP/SFP+ ports * | Yes
ExtremeSwitching X450-G2, X460-G2, X440-G2, X590, X620, and X695 series switches | SFP/SFP+ ports * | Yes
ExtremeSwitching X465 | X465-24W, X465-24XE: ports 1–24; X465-48T, X465-48P, X465-48W, X465i-48W: ports 1–48; X465-24MU-24W: ports 25–48; VIM5-4XE: all 4 ports; VIM5-4YE in X465-24MU, X465-24MU-24W switches: all 4 ports; VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W, X464.24S, X465-24S, X465i-48W: first 2 ports only | No

Note: * For ExtremeSwitching X460-G2 series switches, the VIM-2X option does not support the LRM/MACsec Adapter.