show macsec ports

show macsec ports port-list usage

Description

Displays per-port MKA and MAC Security (MACsec) data in tabular format.

Syntax Description


ports	Specifies ports to show information on.
`port_list`	Lists which ports to view MACsec information on.
usage	Specifies to display per-port MACsec usage information.

Default

N/A.

Usage Guidelines

This commands displays a table containing both control-layer (MKA) status and data-layer (MACsec) statistics:

Port—Underlying physical port‘s name. Only MACsec capable ports appear.
MKA—Shows the message number (MN) contained in the MKPDUs sent by the port (“Local MN”), as well as the MN‘s in the MKPDUs being received (“Peer MN”). During normal operation, each MN should increment by 1 once every 2 seconds (MKA Hello Time).
Peer Status—Indicates whether or not the peer is potential or live. Per IEEE802.1X-2010‘s Clause 9.4.3 Determining Liveness, a peer is considered “live” when it transmits an MKPDU that contains a local MKA participant‘s member identifier (MI). A newly detected peer should start in the “P” state, and then transition to “L” in a matter of 2 to 4 seconds. A peer remaining in “P” indicates that the remote peer is not acknowledging the local peer's existence.
Connect Status—Represents the controlled port state machine‘s “connect” variable. States are defined in IEEE802.1X-2010 clause 12.3 CP state machine interfaces:
- Pending—Prevent connectivity by clearing the controlledPortEnabled parameter. Controlled port traffic is dropped.
- Authenticated—Provide unsecured connectivity, setting controlledPortEnabled. Controlled port traffic is unencrypted.
- Secure—Provide secure connectivity, using SAKs provided by the KaY (when available) and setting controlledPortEnabled when those keys are installed and in use, as specified in detail by the CP state machine. Controlled port traffic is encrypted.
Note
ExtremeXOS never chooses ‘Unauthenticated‘ or ‘Authenticated‘ access, but these options are allowed by the IEEE802.1X-2010 standard, so these cases may arise when interoperating with MKA/MACsec devices from other vendors.
Key Server—Key server status:
- None—Key server has yet to be elected (if persisting in this state, verify MACsec peer is enabled and PSKs are identical).
- Local—This port has been elected key server.
- Peer—Remote port has been elected key server.
MACsec—Displays packet and byte statistics for both transmit and receive secure channels (SCs). Packet counters are 32-bits, while byte counters are 64-bits.
Usage—Displays per-port MACsec usage information.

Example

The following example shows MKA and MACsec information for ports 25 and 50:

Note

To accommodate the width of the page, the MACsec columns are shown below the MKA content. In the actual output from the command, these columns appear beside each other.

# show macsec ports 25,50
MAC Security
                 -----------------MKA---------------------
                    Local     Peer
         MACsec   Message  Message Peer   Connect Key    
Port     Enabled   Number   Number Status Status  Server
======== ======= ======== ======== ====== ======= ======
25       Yes            0        - N/A    PENDING None 
50       Yes       162244   162361 L      SECURE  Peer
======== ======= ======== ======== ====== ======= =======

# show macsec ports 25,50
MAC Security
---------SecY-Tx-SC----SecY-Rx-SC------
                    Local     Peer
Encrypted     Octets       OK     Octets
Packets    Encrypted  Packets  Decrypted
======== ============ ======== ==========+
       -            -        -          -
    1658        79584      2318      55827
======== ============ ========= ==========

Example

The following example shows MACsec usage on ports 1-2 and 49-56:

# show macsec ports 1-12,49-56 usage 
                     Subject                     
               Link  to BW     MACsec   Allocated
Port          Speed  Maximum?  Enabled  Bandwidth
========  =========  ========  =======  =========
1           1.0Gbps  Yes       Yes        1.0Gbps
2           1.0Gbps  Yes       Yes        1.0Gbps
3           1.0Gbps  Yes       Yes        1.0Gbps
4           1.0Gbps  Yes       Yes        1.0Gbps
5           1.0Gbps  Yes       Yes        1.0Gbps
6           1.0Gbps  Yes       Yes        1.0Gbps
7           1.0Gbps  Yes       Yes        1.0Gbps
8           1.0Gbps  Yes       Yes        1.0Gbps
9           1.0Gbps  Yes       Yes        1.0Gbps
10          1.0Gbps  Yes       Yes        1.0Gbps
11          1.0Gbps  Yes       No               -
12          1.0Gbps  Yes       No               -
49         10.0Gbps  Yes       No               -
50         10.0Gbps  Yes       No               -
51         10.0Gbps  Yes       No               -
52         10.0Gbps  Yes       No               -
53         10.0Gbps  Yes       Yes       10.0Gbps
55         10.0Gbps  Yes       No               -

History

This command was first available in ExtremeXOS 30.1.

The usage option was first available in ExtremeXOS 31.5

Platform Availability

This command is available on the following platforms.

Note

The MACsec feature requires the installation of the MAC Security feature pack license.


Platform	Ports
ExtremeSwitching 5320	All ports of all models except stacking ports.
ExtremeSwitching 5420	All ports of all models except stacking ports.
ExtremeSwitching 5520	All ports, except 5520-VIM-4X and 5520-24X 10G ports
ExtremeSwitching 5720	All ports of all models except stacking ports.