macsec
show
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
Commands in this context display MACsec information.
connectivity-association [ca-name] [detail]
show>macsec
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command displays MACsec CA information.
Displays CA name information, up to 256 characters.
Displays MACsec CA detailed information.
The following outputs are examples of CA information, and the associated tables describe the output fields:
Sample output: MACsec CA , Table: Output fields: MACsec connectivity association
Sample output: MACsec CA with CA name, Table: Output fields: MACsec CA with CA name
A:Dut-C# show macsec connectivity-association
===============================================================================
ca-name : dut_B_C_128_01
ca-name : dut_B_C_256_01
ca-name : to_Juniper_1_1_2__1
ca-name : abcdefghijklmnoprstuvxyz@!
===============================================================================
|
Label |
Description |
|---|---|
|
ca-name |
Specifies the CA name |
A:Dut-C# show macsec connectivity-association "abcdefghijklmnoprstuvxyz@!"
===============================================================================
Connectivity Association "abcdefghijklmnoprstuvxyz@!"
===============================================================================
Admin State : Up
Description : alsfjalsfjafja;lsjflasjflasjfl
Replay Protection : Disabled
Replay Window Size : 333
Macsec Encrypt : Enabled
Clear Tag Mode : dual-tag
Cipher Suite : gcm-aes-256
Encryption Offset : 30
Assigned ports : 2/1/9 2/1/10
-------------------------------------------------------------------------------
Static Cak
-------------------------------------------------------------------------------
MKA Key Server Priority : 16
Active Pre-Shared-Key Index : 1
Active Pre-Shared-Key CKN : aabbccddeeff00112233445566778899
===============================================================================
|
Label |
Description |
|---|---|
|
Admin State |
Up — The CA is administratively up |
|
Down — The CA is administratively down If port <x/y/z> ethernet>macsec is shutdown, the admin state is down. Otherwise, the admin state is up. |
|
|
Description |
Displays a user description for this CA |
|
Replay Protection |
Enabled — Replay Protection is enabled |
|
Disabled — Replay Protection is disabled If replay protection is enabled for this CA, the out of window packet is discarded. |
|
|
Replay Window Size |
Displays the size, in packets, of the replay window |
|
Macsec Encrypt |
Enabled MACsec is enabled |
|
Disabled MACsec is disabled |
|
|
Clear Tag Mode |
Displays the clear tag mode: single-tag, dual-tag |
|
Cipher Suite |
Displays the cipher suite used for encrypting the SAK: gcm-aes-128 or gcm-aes-256 |
|
Encryption Offset |
Displays the encryption offset configured on this node: 0, 30, 50 |
|
Assigned ports |
Displays all ports that contain this CA |
|
MKA Key Server Priority |
Displays the MKA key server priority: 0 to 255 (default 16) |
|
Active Pre-Shared Key Index |
Displays the active preshared key index: 1 to 2 (default 1) |
|
Active Pre-Shared Key CKN |
Displays the active PSK CAK name |
mka-session [port port-id]
mka-session [port port-id] detail
mka-session [port port-id] statistics
show>macsec
7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, and 7210 SAS-Dxp 24p
This command displays MACsec MKA session information.
Specifies the port ID, up to 17 characters.
Displays MACsec MKA session detailed information.
Displays MACsec MKA session statistical information.
The following outputs are examples of MACsec MKA session information, and the associated tables describe the output fields:
Sample output: MACsec MKA-session port, Table: Output fields: MACsec MKA-session port
Sample output: MACsec MKA-session port (detail), Table: Output fields: MACsec MKA-session port (detail and statistics)
Sample output: MACsec MKA-session (statistics), Table: Output fields: MACsec MKA-session port (detail and statistics)
A:Dut-C# show macsec mka-session port 2/1/11
===============================================================================
MKA Session for port 2/1/11
===============================================================================
Port : 2/1/11
Security Zone : 3
===============================================================================
===============================================================================
Live Peer List
===============================================================================
Member Identifier Mesg Num Rx-SCI KS priority
-------------------------------------------------------------------------------
bf4102704294fa1057022bdf 28322 a47b2ce112ef0000 16
===============================================================================
===============================================================================
Potential Peer List
===============================================================================
Member Identifier Mesg Num Rx-SCI KS priority
-------------------------------------------------------------------------------
===============================================================================
|
Label |
Description |
|---|---|
|
MKA Session for port |
Displays the MKA session for the current port |
|
Port |
Displays the MKA session current port |
|
Security Zone |
Displays security zone this port belongs to |
|
Live Peer List |
Displays peers (participants) that have provided their MI and MN via KMA. The peer entry is in the Live Peer List. |
|
Member Identifier |
Displays the MI of the peer entry |
|
Mesg Num |
Displays the latest Member Number of the peer entry |
|
Rx-SCI |
Displays the Peer Rx-SCI |
|
KS-priority |
Displays the Peer Key server priority |
|
Potential Peer List |
Peers (participants) that have Potential Peers List includes all the other peers that have transmitted an MKPDU that has been directly received by the participant or that were included in the Live Peers List of a MKPDU transmitted by a peer that has proved liveness, an MKA PDU. The peer entry is in the Potential Peers List. |
A:Dut-C# show macsec mka-session port 2/1/11 detail
===============================================================================
MKA Session for port 2/1/11
===============================================================================
Port : 2/1/11
Security Zone : 3
MKA Oper State : unknown value
Oper Cipher Suite : unknown value
Oper Encrypt Offset: 0
CAK Name : 11223344556677889900aabbccddeeff11223344556677889900aabbc*
MKA Member ID : f134218784b114eb61dbe834
Transmit Interval : 2000
Outbound SCI : a4:7b:2c:e1:12:8f
Message Number : 28298
Key Number : 878
Key Server : yes
Key Server Priority: 16
Latest SAK AN : 3
Latest SAK KI : f134218784b114eb61dbe8340000036d
Previous SAK AN : 2
Previous SAK KI : f134218784b114eb61dbe83400000000
===============================================================================
* indicates that the corresponding row element may have been truncated.
===============================================================================
Live Peer List
===============================================================================
Member Identifier Mesg Num Rx-SCI KS priority
-------------------------------------------------------------------------------
bf4102704294fa1057022bdf 28323 a47b2ce112ef0000 16
===============================================================================
===============================================================================
Potential Peer List
===============================================================================
Member Identifier Mesg Num Rx-SCI KS priority
-------------------------------------------------------------------------------
===============================================================================
===============================================================================
MKA Session Statistics for port 2/1/11
===============================================================================
Peer Removed Due to Timeout : 0
CKN Not Found : 0
New Live peer : 0
SAK Generated by Server : 0
SAK Installed for TX : 0
SAK Installed for RX : 0
PDU Too Small : 0
PDU Too Big : 0
PDU Not Quad Size : 0
PDU Message Number Invalid : 0
PDU Param Set Size Invalid : 0
PDU Liveness Check Fail : 0
Param Set Not Quad Size : 0
Unsupported Agility : 0
Invalid CAK Name Length : 0
ICV Check Failed : 0
Peer Using Same MID : 0
SAK From Non-Live Peer : 0
SAK From Non-Key Server : 0
SAK Decrypt Fail : 0
SAK Encrypt Fail : 0
Key Number Invalid : 0
SAK Installation Failed : 0
CAK Info Missing : 0
Max Peers Set as Zero : 0
===============================================================================
A:Dut-C# show macsec mka-session statistics
===============================================================================
MKA Session Statistics for port 2/1/11
===============================================================================
Peer Removed Due to Timeout : 0
CKN Not Found : 0
New Live peer : 0
SAK Generated by Server : 0
SAK Installed for TX : 0
SAK Installed for RX : 0
PDU Too Small : 0
PDU Too Big : 0
PDU Not Quad Size : 0
PDU Message Number Invalid : 0
PDU Param Set Size Invalid : 0
PDU Liveness Check Fail : 0
Param Set Not Quad Size : 0
Unsupported Agility : 0
Invalid CAK Name Length : 0
ICV Check Failed : 0
Peer Using Same MID : 0
SAK From Non-Live Peer : 0
SAK From Non-Key Server : 0
SAK Decrypt Fail : 0
SAK Encrypt Fail : 0
Key Number Invalid : 0
SAK Installation Failed : 0
CAK Info Missing : 0
Max Peers Set as Zero : 0
===============================================================================
|
Label |
Description |
|---|---|
|
MKA Oper State |
Displays the operational state of the MKA participant on this port. The operational MKA state will be up if MKA hellos are received on this port and have a valid session. |
|
Oper Cipher Suite |
Displays the operational encryption algorithm used for datapath PDUs when all parties in the CA have the (SAK). This value is specified by the key server: gcm-aes-128 or gcm-aes-256 |
|
Oper Encrypt Offset |
Displays the operational encryption offset used for the datapath PDUs when all parties in the CA have the SAK. This value is specified by the key server: 0, 30, 50. |
|
CAK Name |
Displays the name of the CAK in use by this MKA which is used to find the correct CAK |
|
MKA Member ID |
Displays the Member Identifier (MI) for the MKA instance |
|
Transmit Interval |
Displays the time interval (in ms) at which the MKA broadcasts its liveliness to its peers and is non-configurable |
|
Outbound SCI |
Displays the Secure Channel Identifier (SCI) information for transmitting MACsec frames and consists of the outgoing port MAC Address and a port identifier |
|
Message Number |
Displays the current count of MKA messages that is attached to MKA PDUs |
|
Key Number |
Displays the number of the currently assigned CAK. When a new CAK is generated, this number is incremented. A SAK is identified by 128-bit Key Identifier (KI) and 32-bit Key-Number (KN). |
|
Key Server |
Displays whether this server is the highest priority server in the peer group: no, yes |
|
Key Server Priority |
Displays the priority of the active key server: 0-255 (default 16) |
|
Latest SAK AN |
Displays the Association Number (AN) of the latest SAK. This number is concatenated with an SCI to identify a Secure Association (SA). In SR OS, only two SAKs are supported. |
|
Latest SAK KI |
Displays the Key Identifier (KI) of the latest SAK. This number is derived from the MI of the key server and the key number. |
|
Previous SAK AN |
Displays the AN of the previous SAK. This number is concatenated with an SCI to identify an SA. |
|
Previous SAK KI |
Displays the KI of the previous SAK. This number is derived from the MI of the key server and the key number. |
|
Peer Removed Due to Timeout |
Displays the number of peers removed from the live/potential peer list caused by not receiving an MKPDU within the MKA Live Time (6.0 seconds) and is not configurable |
|
CKN Not Found |
Displays the number of MKPDUs received with a CKN that does not match the CA configured for the port |
|
New Live Peer |
Displays the number of validated peers that have been added to the live peer list |
|
SAK Generated by Server |
Displays the number of SAKs generated by this MKA instance |
|
SAK Installed for TX |
Displays the number of SAKs installed for transmitting |
|
SAK Installed for RX |
Displays the number of SAKs installed for receiving |
|
PDU Too small |
Indicates that the number of MKPDUs received that are less than 32 octets |
|
PDU Too big |
Indicates the number of MKPDUs received where the EAPOL header indicates a size larger than the received packet. |
|
PDU Not Quad Size |
Indicates the number of MKPDUs received with a size that is not a multiple of 4 octets long |
|
PDU Message Number Invalid |
Indicates the number of MKPDUs received out of order as indicated by the Message Number |
|
PDU Param Set Size Invalid |
Indicates the number of MKPDUs received which contain a parameter set body length that exceeds the remaining length of the MKPDU |
|
PDU Liveness Check Fail |
Indicates the number of MKPDUs received which contain an MN that is not acceptably recent |
|
Param Set Not Quad Size |
Indicates the number of MKPDUs received which contain a parameter set that is not a multiple of 4 octets long |
|
Unsupported Agility |
Indicates the number of MKPDUs received which contain an unsupported Algorithm Agility value |
|
Invalid CAK Name Length |
Indicates the number of MKPDUs received which contain a CAK name that exceeds the maximum CAK name length |
|
ICV Check Failed |
Indicates the number of MKPDUs received which contain an ICV value that does not authenticate |
|
Peer Using Same MID |
Indicates the number of MKPDUs received which contain a peer list with an MI entry which conflicts with the local MI |
|
SAK From Non-Live Peer |
Indicates the number of SAKs received from peer that is not a member of the Live Peers List |
|
SAK From Non-Key Server |
Indicates the number of SAKs received from an MKA participant that has not been designated as the Key Server. Only the key server should distribute SAK. |
|
SAK Decrypt Fail |
Indicates the number of AES Key Wrap SAK decryption failures that have occurred |
|
SAK Encrypt Fail |
Indicates the number of AES Key Wrap SAK encryption failures that have occurred |
|
Key Number Invalid |
Indicates the number of SAKs received with an invalid Key Number |
|
SAK Installation Failed |
Indicates the number of Secy SAK installation failures that have occurred |
|
CAK Info Missing |
Indicates the number of times internal CAK data is not available for the generation of the SAK |
|
Max Peers Set as Zero |
Indicates the number of Secy SAK installations that have failed because the max peer entry being set to 0 |