Displays a system-wide view of MAC Security (MACsec).
This command has no arguments or variables.
This command allows you to quickly see which ports support MACsec, which are configured, and which are secure.
- MACsec Capable without External Adapter—Ports that inherently support MACsec
- HW-Mode MACsec—Ports configured for MACsec versus for half-duplex (only applicable on half-duplex/MACsec ports).
- MACsec Capable with External Adapter—Ports that support MACsec-capable adapters.
- LRM/MACsec Adapter Present—Ports with a LRM/MACsec adapter plugged in.
- Valid MACsec License—Ports with a valid MACsec license installed.
- MACsec Capable, Present, and Licensed—Ports that support MACsec, external adapter is present (if applicable), and are licensed for MACsec.
- MACsec Configured—Ports that have been assigned to a connectivity association (CA) that in turn has been configured with a pre-shared-key (PSK).
- MKA Active—Ports that have MACsec configured and are actively participating in MKA (transmitting MKPDUs).
- Connect Status:
- Pending—no connectivity (MKA not successful; no connectivity).
- Authenticated—unsecure connectivity (peer authenticated; packets
NoteExtreme Network switches always attempt to connect securely. However, if the peer is a third-party device and the peer is elected key server and the peer chooses to connect without MACsec protection, the port's connect status becomes "authenticated" instead of "secure". In authenticated mode, MKA continues to authenticate the remote peer, but MACsec protection is not enabled and all traffic transmits in the clear.
- Secure—secure connectivity (peer authenticated, and packets encrypted).
For ports with shared media (one copper and one fiber), normally fiber is the preferred medium; however, for proper detection/operation, the fiber port must be the preferred medium. For example, if link is detected on the copper port it becomes the preferred medium. As such it is removed from the MACsec-capable port list. The copper ports of the shared media ports are not MACse-capable. Only the fiber side with an LRM/MACsec adapter installed is MACse-capable.
The following example shows system-wide view of MACsec:
# show macsec MACsec Capable Without External Adapter: 1:25-48,2:25-48 HW-Mode MACsec: 1:25-48,2:25-48 MACsec Capable with External Adapter: 1:49-54,2:49-54 LRM/MACsec Adapter Present: 2:49-50 Valid MACsec License: 1:25-54,2:25-54 MACsec Capable, Present and Licensed: 1:25-48,2:25-50 MACsec Configured: 1:37,1:48,2:25,2:29,2:32,2:49 MKA Active: 1:37,2:49 (Transmitting MKPDUs) Connect Status Pending: 1:48,2:25,2:29,2:32 (No connectivity) Secure: 1:37,2:49 (Secured connectivity: MKA with MACsec)
This command was first available in ExtremeXOS 30.1.
This command is available on the following platforms.
NoteThe MACsec feature requires the installation of the MAC Security feature pack license.
|ExtremeSwitching 5320||All ports of all models except stacking ports.|
|ExtremeSwitching 5420||All ports of all models except stacking ports.|
|ExtremeSwitching 5520||All ports, except 5520-VIM-4X and 5520-24X 10G ports|
|ExtremeSwitching 5720||All ports of all models except stacking ports.|