show macsec ports
Description
Displays per-port MKA and MAC Security (MACsec) data in tabular format.
Syntax Description
| ports | Specifies ports to show information on. |
| port_list | Lists which ports to view MACsec information on. |
| usage | Specifies to display per-port MACsec usage information. |
Default
N/A.
Usage Guidelines
This commands displays a table containing both control-layer (MKA) status and data-layer (MACsec) statistics:
- Port—Underlying physical port‘s name. Only MACsec capable ports appear.
- MKA—Shows the message number (MN) contained in the MKPDUs sent by the port (“Local MN”), as well as the MN‘s in the MKPDUs being received (“Peer MN”). During normal operation, each MN should increment by 1 once every 2 seconds (MKA Hello Time).
- Peer Status—Indicates whether or not the peer is potential or live. Per IEEE802.1X-2010‘s Clause 9.4.3 Determining Liveness, a peer is considered “live” when it transmits an MKPDU that contains a local MKA participant‘s member identifier (MI). A newly detected peer should start in the “P” state, and then transition to “L” in a matter of 2 to 4 seconds. A peer remaining in “P” indicates that the remote peer is not acknowledging the local peer's existence.
- Connect Status—Represents
the controlled port state machine‘s “connect” variable. States are defined in
IEEE802.1X-2010 clause
12.3 CP state machine interfaces:
- Pending—Prevent connectivity by clearing the controlledPortEnabled parameter. Controlled port traffic is dropped.
- Authenticated—Provide unsecured connectivity, setting controlledPortEnabled. Controlled port traffic is unencrypted.
- Secure—Provide secure connectivity, using SAKs provided by the KaY (when available) and setting controlledPortEnabled when those keys are installed and in use, as specified in detail by the CP state machine. Controlled port traffic is encrypted.
Note
ExtremeXOS never chooses ‘Unauthenticated‘ or ‘Authenticated‘ access, but these options are allowed by the IEEE802.1X-2010 standard, so these cases may arise when interoperating with MKA/MACsec devices from other vendors. - Key Server—Key server
status:
- None—Key server has yet to be elected (if persisting in this state, verify MACsec peer is enabled and PSKs are identical).
- Local—This port has been elected key server.
- Peer—Remote port has been elected key server.
- MACsec—Displays packet and byte statistics for both transmit and receive secure channels (SCs). Packet counters are 32-bits, while byte counters are 64-bits.
- Usage—Displays per-port MACsec usage information.
Example
The following example shows MKA and MACsec information for ports 25 and 50:
Note
To accommodate the width of the page, the MACsec columns are shown below the MKA content. In the actual output from the command, these columns appear beside each other.# show macsec ports 25,50
MAC Security
-----------------MKA---------------------
Local Peer
MACsec Message Message Peer Connect Key
Port Enabled Number Number Status Status Server
======== ======= ======== ======== ====== ======= ======
25 Yes 0 - N/A PENDING None
50 Yes 162244 162361 L SECURE Peer
======== ======= ======== ======== ====== ======= =======
# show macsec ports 25,50
MAC Security
---------SecY-Tx-SC----SecY-Rx-SC------
Local Peer
Encrypted Octets OK Octets
Packets Encrypted Packets Decrypted
======== ============ ======== ==========+
- - - -
1658 79584 2318 55827
======== ============ ========= ==========
Example
The following example shows MACsec usage on ports 1-2 and 49-56:
# show macsec ports 1-12,49-56 usage
Subject
Link to BW MACsec Allocated
Port Speed Maximum? Enabled Bandwidth
======== ========= ======== ======= =========
1 1.0Gbps Yes Yes 1.0Gbps
2 1.0Gbps Yes Yes 1.0Gbps
3 1.0Gbps Yes Yes 1.0Gbps
4 1.0Gbps Yes Yes 1.0Gbps
5 1.0Gbps Yes Yes 1.0Gbps
6 1.0Gbps Yes Yes 1.0Gbps
7 1.0Gbps Yes Yes 1.0Gbps
8 1.0Gbps Yes Yes 1.0Gbps
9 1.0Gbps Yes Yes 1.0Gbps
10 1.0Gbps Yes Yes 1.0Gbps
11 1.0Gbps Yes No -
12 1.0Gbps Yes No -
49 10.0Gbps Yes No -
50 10.0Gbps Yes No -
51 10.0Gbps Yes No -
52 10.0Gbps Yes No -
53 10.0Gbps Yes Yes 10.0Gbps
55 10.0Gbps Yes No -
History
This command was first available in ExtremeXOS 30.1.
The usage option was first available in ExtremeXOS 31.5
Platform Availability
This command is available on the following platforms.
Note
The MACsec feature requires the installation of the MAC Security feature pack license.| Platform | Ports |
|---|---|
| ExtremeSwitching 5320 | All ports of all models except stacking ports. |
| ExtremeSwitching 5420 | All ports of all models except stacking ports. |
| ExtremeSwitching 5520 | All ports, except 5520-VIM-4X and 5520-24X 10G ports |
| ExtremeSwitching 5720 | All ports of all models except stacking ports. |