Configuring MACsec
This document describes how to configure MACsec on Cisco NX-OS devices.
About MACsec
Media Access Control Security (MACsec) an IEEE 802.1AE along with MACsec Key Agreement (MKA) protocol provide secure communications on Ethernet links. It offers the following :
-
Provides line rate encryption capabilities.
-
Helps to ensure data confidentiality by providing strong encryption at Layer 2.
-
Provides integrity checking to help ensure that data cannot be modified in transit.
-
Can be selectively enabled using a centralized policy to help ensure that it is enforced where required while allowing non-MACsec-capable components to access the network.
-
Encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and forward traffic according to your existing policies, unlike end-to-end Layer 3 encryption techniques that hide the contents of packets from the network devices they cross.
Key Lifetime and Hitless Key Rollover
A MACsec keychain can have multiple pre-shared keys (PSKs), each configured with a key ID and an optional lifetime. A key lifetime specifies at which time the key activates and expires. In the absence of a lifetime configuration, the default lifetime is unlimited. When a lifetime is configured, MKA rolls over to the next configured pre-shared key in the keychain after the lifetime expires. The time zone of the key can be local or UTC. The default time zone is UTC.
To configure a MACsec keychain, see Configuring a MACsec Keychain and Keys.
A key can roll over to a second key within the same keychain by configuring the second key and a lifetime for the first key. When the lifetime of the first key expires, it automatically rolls over to the next key in the list. If the same key is configured on both sides of the link at the same time, then the key rollover is hitless, that is, the key rolls over without traffic interruption.
Fallback Key
A MACsec session can fail due to a key/key name (CKN) mismatch or a finite key duration between the switch and a peer. If a MACsec session does fail, a fallback session can take over if a fallback key is configured. A fallback session prevents downtime due to primary session failure and allows a user time to fix the key issue causing the failure. A fallback key also provides a backup session if the primary session fails to start. This feature is optional.
To configure a MACsec fallback key, see Configuring MACsec Fallback Key.
Guidelines and Limitations for MACsec
MACsec has the following guidelines and limitations:
-
MACsec is supported on the following interface types:
-
Layer 2 switch ports (access and trunk)
-
Layer 3 routed interfaces (no subinterfaces)
Note
Enabling MACsec on the Layer 3 routed interface also enables encryption on all the subinterfaces that are defined under that interface. However, selectively enabling MACsec on a subset of subinterfaces of the same Layer 3 routed interface is not supported.
-
Individual Layer 2 and Layer 3-port channel members (no subinterfaces)
-
-
Secure Channel Identified (SCI) encoding cannot be disabled on Cisco Nexus 3600 Series switches.
-
Support for MACsec is not available for Cisco Nexus ToR switches when you downgrade from Release 10.x.
-
MKA is the only supported key exchange protocol for MACsec. The Security Association Protocol (SAP) is not supported.
-
Link-level flow control (LLFC) and priority flow control (PFC) are not supported with MACsec.
-
Multiple MACsec peers (different SCI values) for the same interface are not supported.
-
You can retain the MACsec configuration when you disable MACsec using the macsec shutdown command.
-
MACsec sessions are liberal in accepting packets from a key server whose latest Rx and latest Tx flags have been retired after Tx SA installation for the first time. The MACsec session then converges into a secure state.
-
Beginning with Cisco NX-OS Release 10.1(1), you can modify MACSec policy while the policy is referenced by an interface.
-
Beginning with Cisco Nexus Release 10.1(1), MACsec is supported on the Cisco Nexus N3KC3636C-R platform switches.
-
N3K-C3636C-R—MACsec is supported on the following eight ports of N3K-C3636C-R, marked in green [Ports 29–36].
Note
On the Cisco N3K-C3636C-R platform switches, when MACsec is either configured or unconfigured on a port, there will be a port-flap occurrence irrespective of MACsec security-policy type.
-
Cisco Nexus 3600 Series switches do not support MACsec on any of the MACsec capable ports when QSA is being used.
-
MACsec is not supported on breakout ports, and breakout is not supported on the following eight ports, from Port 29 to Port 36, of N3K-C3636C-R when MACsec is configured.
-
Packet drops for a short period when the conf-offset parameter is changed dynamically for a MACsec policy. Change the conf-offset parameter only in static configuration when the policy is not active on the port.
-
MACsec is not supported on Cisco Nexus N3K-C36180YC-R platform switches.
Keychain Restrictions:
-
You cannot overwrite the octet string for a MACsec key. Instead, you must create a new key or a new keychain.
-
A new key in the keychain is configured when you enter end or exit. The default timeout for editor mode is 6 seconds. If the key is not configured with the key octet string or/and the send lifetime within the 6-second window, incomplete information may be used to bring up the MACsec session and could result in the session being stuck in an Authorization Pending state. If the MACsec sessions are not converged after the configuration is complete, you might be advised to shut/no shut the ports.
-
For a given keychain, key activation times should overlap to avoid any period of time when no key is activated. If a time period occurs during which no key is activated, session negotiation fails and traffic drops can occur. The key with the latest start time among the currently active keys takes precedence for a MACsec key rollover.
Fallback Restrictions:
-
If a MACsec session is secured on an old primary key, it does not go to a fallback session in case of mismatched latest active primary key. So the session remains secured on the old primary key and will show as rekeying on the old CA under status. And the MACsec session on the new key on primary PSK will be in init state.
-
Use only one key with infinite lifetime in the fallback key chain. Multiple keys are not supported.
-
The key ID (CKN) used in the fallback key chain must not match any of the key IDs (CKNs) used in the primary key chain.
-
Once configured, fallback configuration on an interface cannot be removed, unless the complete MACsec configuration on the interface is removed.
MACsec Policy Restrictions:
-
BPDU packets can be transmitted before a MACsec session becomes secure.
Layer 2 Tunneling Protocol (L2TP) Restrictions:
-
MACsec is not supported on ports configured for dot1q tunneling or L2TP.
-
L2TP does not work if STP is enabled on trunk ports for non-native VLANs.
Statistics Restrictions:
-
Few CRC errors should occur during the transition between MACsec and non-MACsec mode (regular port shut/no shut).
-
The IEEE8021-SECY-MIB OIDs secyRxSAStatsOKPkts, secyTxSAStatsProtectedPkts, and secyTxSAStatsEncryptedPkts can carry only up to 32 bits of counter values, but the traffic may exceed 32 bits.
Enabling MACsec
Before you can access the MACsec and MKA commands, you must enable the MACsec feature.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
Step 2 |
feature macsec Example:
|
Enables MACsec and MKA on the device. |
Step 3 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
Disabling MACsec
Beginning with Cisco NX-OS Release 10.1(1), disabling the MACsec feature only deactivates this feature and does not remove the associated MACsec configurations.
Disabling MACsec has the following conditions:
-
MACsec shutdown is global command and is not available at the interface level.
-
The macsec shutdown, show macsec mka session/summary, show macsec mka session detail, and show macsec mka/secy statistics commands will display the 'Macsec is shutdown' message. However, the show macsec policy and show key chain commands will display the output.
-
Consecutive MACsec status changes from macsec shutdown to no macsec shutdown and vice versa needs a 30 seconds time interval in between the status change.
Procedure
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
||
Step 2 |
macsec shutdown Example:
|
Disables the MACsec configuration on the device. The no option restores the MACsec feature. |
||
Step 3 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. This step is required only if you want to retain the MACsec in the shutdown state after the switch reload.
|
Configuring a MACsec Keychain and Keys
You can create a MACsec keychain and keys on the device.
Note |
Only MACsec keychains will result in converged MKA sessions. |
Before you begin
Make sure that MACsec is enabled.
Procedure
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
||
Step 2 |
(Optional) [no] key-chain macsec-psk no-show Example:
|
(Optional)
Hides the encrypted key octet string in the output of the show running-config and show startup-config by replacing the string with a wildcard character. By default, PSK keys are displayed in encrypted format and can be easily decrypted. This command applies only to MACsec keychains.
|
||
Step 3 |
key chain name macsec Example:
|
Creates a MACsec keychain to hold a set of MACsec keys and enters MACsec keychain configuration mode. |
||
Step 4 |
key key-id Example:
|
Creates a MACsec key and enters MACsec key configuration mode. The range is from 1 to 32 octets, and the maximum size is 64.
|
||
Step 5 |
key-octet-string octet-string cryptographic-algorithm {AES_128_CMAC | AES_256_CMAC} Example:
|
Configures the octet string for the key. The octet-string argument can contain up to 64 hexadecimal characters. The octet key is encoded internally, so the key in clear text does not appear in the output of the show running-config macsec command. The key octet string includes the following:
|
||
Step 6 |
send-lifetime start-time duration duration Example:
|
Configures a send lifetime for the key. By default, the device treats the start time as UTC. The start-time argument is the time of day and date that the key becomes active. The duration argument is the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years). |
||
Step 7 |
(Optional) show key chain name Example:
|
(Optional)
Displays the keychain configuration. |
||
Step 8 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
Configuring MACsec Fallback Key
Beginning with Cisco NX-OS Release 10.1(1), you can configure a fallback key on the device to initiate a backup session if the primary session fails as a result of a key/key name (CKN) mismatch or a finite key duration between the switch and peer.
Before you begin
Make sure that MACsec is enabled and a primary and fallback keychain and key ID are configured. See Configuring a MACsec Keychain and Keys.
Procedure
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
||
Step 2 |
interface name Example:
|
Specifies the interface that you are configuring. You can specify the interface type and identity. For an Ethernet port, use ethernet slot/port. |
||
Step 3 |
macsec keychain keychain-name policy policy-name fallback-keychain keychain-name Example:
|
Specifies the fallback keychain to use after a MACsec session failure due to a key/key ID mismatch or a key expiration. The fallback key ID should not match any key ID from a primary keychain. Fallback keychain configuration for each interface can be changed on the corresponding interface, without removing the MACsec configuration, by reissuing the same command with the fallback keychain name changed.
|
||
Step 4 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
Configuring a MACsec Policy
You can create multiple MACsec policies with different parameters. However, only one policy can be active on an interface.
Before you begin
Make sure that MACsec is enabled.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
Step 2 |
macsec policy name Example:
|
Creates a MACsec policy. |
Step 3 |
cipher-suite name Example:
|
Configures one of the following ciphers: GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, or GCM-AES-XPN-256. |
Step 4 |
key-server-priority number Example:
|
Configures the key server priority to break the tie between peers during a key exchange. The range is from 0 (highest) and 255 (lowest), and the default value is 16. |
Step 5 |
security-policy name Example:
|
Configures one of the following security policies to define the handling of data and control packets:
|
Step 6 |
window-size number Example:
|
Configures the replay protection window such that the secured interface will not accept any packet that is less than the configured window size. The range is from 0 to 596000000. |
Step 7 |
sak-expiry-time time Example:
|
Configures the time in seconds to force an SAK rekey. This command can be used to change the session key to a predictable time interval. The default is 0. |
Step 8 |
conf-offset name Example:
|
Configures one of the following confidentiality offsets in the Layer 2 frame, where encryption begins: CONF-OFFSET-0, CONF-OFFSET-30, or CONF-OFFSET-50. This command might be necessary for intermediate switches to use packet headers {dmac, smac, etype} like MPLS tags. |
Step 9 |
(Optional) show macsec policy Example:
|
(Optional)
Displays the MACsec policy configuration. |
Step 10 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
Rotating PSKs
Procedure
Step 1 |
Use the no sak-expiry-time command to remove the SAK expiry timer from the MACsec policy. You need to remove the SAK expiry timer only for the number of policies in the configuration. You do not need to remove it for each interface. If you have defined only one policy and applied it to all interfaces, you need to remove the SAK expiry timer only from this policy. |
Step 2 |
Wait for 2 minutes. |
Step 3 |
Use the key key-id command to program the new key under the keychain. |
Step 4 |
Once the session with the new key is secured, use the no key key-id command to delete the old key. |
Step 5 |
Wait for 2 minutes. |
Step 6 |
Use the sak-expiry-timer 60 command to add the SAK rekey timer to the MACsec policy. |
Verifying the MACsec Configuration
To display MACsec configuration information, perform one of the following tasks:
Command |
Purpose |
---|---|
show key chain name |
Displays the keychain configuration. |
show macsec mka session [interface type slot/port] [detail] |
Displays information about the MACsec MKA session for a specific interface or for all interfaces. |
show macsec mka session details |
Displays information about the MAC address. |
show macsec mka summary |
Displays the MACsec MKA configuration. |
show macsec policy [policy-name] |
Displays the configuration for a specific MACsec policy or for all MACsec policies. |
show running-config macsec |
Displays the running configuration information for MACsec. |
The following example displays information about the MACsec MKA session for all interfaces.
switch(config)# show macsec mka session
Interface Local-TxSCI # Peers Status Key-Server Auth Mode
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
Ethernet1/29 6c8b.d3db.e968/0001 1 Secured No PRIMARY-PSK
Ethernet1/30 6c8b.d3db.e96c/0001 1 Secured No PRIMARY-PSK
Ethernet1/31 6c8b.d3db.e970/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/32 6c8b.d3db.e974/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/33 6c8b.d3db.e978/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/34 6c8b.d3db.e97c/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/35 6c8b.d3db.e980/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/36 6c8b.d3db.e984/0001 1 Secured No PRIMARY-PSK
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
Total Number of Sessions : 8
Secured Sessions : 8
Pending Sessions : 0
switch(config)#
The following example displays information about the MACsec MKA session for a specific interface. In addition to the common elements of the table as described in the previous example, the following also identifies the authentication mode which defines the current MACsec session type.
switch(config)# show macsec mka session interface e1/35
Interface Local-TxSCI # Peers Status Key-Server Auth Mode
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
Ethernet1/35 6c8b.d3db.e980/0001 1 Secured Yes PRIMARY-PSK
switch(config)#
The following example displays detailed information about the MACsec MKA session for a specific Ethernet interface:
switch(config)# show macsec mka session interface e1/35 details
Detailed Status for MKA Session
-----------------------------------
Interface Name : Ethernet1/35
Session Status : SECURED - Secured MKA Session with MACsec
Local Tx-SCI : 6c8b.d3db.e980/0001
Local Tx-SSCI : 2
MKA Port Identifier : 2
CAK Name (CKN) : 2006
CA Authentication Mode : PRIMARY-PSK
Member Identifier (MI) : 50BE8367F1C6D0AB1C442229
Message Number (MN) : 1048
MKA Policy Name : mpsr1
Key Server Priority : 1
Key Server : Yes
Include ICV : Yes
SAK Cipher Suite : GCM-AES-128
SAK Cipher Suite (Operational) : GCM-AES-128
Replay Window Size : 148809600
Confidentiality Offset : CONF-OFFSET-30
Confidentiality Offset (Operational): CONF-OFFSET-30
Latest SAK Status : Rx & TX
Latest SAK AN : 0
Latest SAK KI : 50BE8367F1C6D0AB1C44222900000021
Latest SAK KN : 33
Last SAK key time : 11:23:53 pst Tue Dec 15 2020
CA Peer Count : 1
Eapol dest mac : 0180.c200.0003
Ether-type : 0x888e
Peer Status:
Peer MI : 37AFE73EC8617FD32F70E21A
RxSCI : 6c8b.d3db.e984/0001
Peer CAK : Match
Latest Rx MKPDU : 11:24:52 pst Tue Dec 15 2020
Fallback Data:
Fallback CKN : FB2004
Fallback MI : 849D72D5F6A900F5B0718C78
Fallback MN : 0x3d6
Fallback Peer:
Peer MI : 8DCE8CBE67B474D2C2955F58
RxSCI : 6c8b.d3db.e984/0001
Peer CAK : Match
Latest Rx MKPDU : 11:24:52 pst Tue Dec 15 2020
switch(config)#
The following example displays the MACsec MKA configuration:
switch# show macsec mka summary
Interface MACSEC-policy Keychain
------------------ -------------------------------- ------------------------
Ethernet2/13 1 1/10000000000000000
Ethernet2/14 1 1/10000000000000000
switch#
The following example displays the configuration for all MACsec policies:
switch# show macsec policy
MACSec Policy Cipher Pri Window Offset Security SAK Rekey time ICV Indicator
-------------------------------- ---------------- ---- ------------ -------- --------------
-------------- -------------
system-default-macsec-policy GCM-AES-XPN-256 16 148809600 0 should-secure
pn-rollover FALSE
tests1 GCM-AES-XPN-256 16 148809600 0 should-secure
pn-rollover FALSE
tests2 GCM-AES-XPN-256 16 148809600 0 should-secure
pn-rollover FALSE
tests3 GCM-AES-256 16 148809600 0 should-secure
pn-rollover FALSE
The following example displays the key octet string in the output of the show running-config and show startup-config commands when the key-chain macsec-psk no-show command is not configured:
key chain KC256-1 macsec
key 2000
key-octet-string 7 075e701e1c5a4a5143475e5a527d7c7c706a6c724306170103555a5c57510b051e47080
a05000101005e0e50510f005c4b5f5d0b5b070e234e4d0a1d0112175b5e cryptographic-algorithm AES_256_CMAC
The following example displays the key octet string in the output of the show running-config and show startup-config commands when the key-chain macsec-psk no-show command is configured:
key chain KC256-1 macsec
key 2000
key-octet-string 7 ****** cryptographic-algorithm AES_256_CMAC
Displaying MACsec Statistics
You can display MACsec statistics using the following commands.
Command |
Purpose |
---|---|
show macsec mka statistics [interface type slot/port] |
Displays MACsec MKA statistics. |
show macsec secy statistics [interface type slot/port] |
Displays MACsec security statistics. |
The following example shows the MACsec MKA statistics for a specific Ethernet interface:
switch# show macsec mka statistics interface ethernet 1/29
MKA Statistics for Session on interface (Ethernet1/29)
=======================================================
CA Statistics
Pairwise CAK Rekeys..... 0
SA Statistics
SAKs Generated.......... 0
SAKs Rekeyed............ 0
SAKs Received........... 0
SAK Responses Received.. 0
MKPDU Statistics
MKPDUs Transmitted...... 41
"Distributed SAK".. 0
MKPDUs Validated & Rx... 41
"Distributed SAK".. 0
MKA IDB Statistics
MKPDUs Tx Success.......... 82
MKPDUs Tx Fail............. 0
MKPDUS Tx Pkt build fail... 0
MKPDUS No Tx on intf down.. 0
MKPDUS No Rx on intf down.. 0
MKPDUs Rx CA Not found..... 0
MKPDUs Rx Error............ 0
MKPDUs Rx Success.......... 82
MKPDU Failures
MKPDU Rx Validation ..................... 0
MKPDU Rx Bad Peer MN..................... 0
MKPDU Rx Non-recent Peerlist MN.......... 0
MKPDU Rx Drop SAKUSE, KN mismatch........ 0
MKPDU Rx Drop SAKUSE, Rx Not Set......... 0
MKPDU Rx Drop SAKUSE, Key MI mismatch.... 0
MKPDU Rx Drop SAKUSE, AN Not in Use...... 0
MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set... 0
MKPDU Rx Drop Packet, Ethertype Mismatch. 0
MKPDU Rx Drop Packet, DestMAC Mismatch... 0
SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0
CA Failures
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0
MACsec Failures
Rx SA Installation............... 0
Tx SA Installation............... 0
switch(config)#
The following example shows the MACsec security statistics for a specific Ethernet interface.
Note |
The following differences exist for uncontrolled and controlled packets in Rx and Tx statistics:
|
switch(config)# show macsec secy statistics interface e1/29
Interface Ethernet1/29 MACSEC SecY Statistics:
--------------------------------------------
Interface Rx Statistics:
Unicast Uncontrolled Pkts: 8067779
Multicast Uncontrolled Pkts: 14
Broadcast Uncontrolled Pkts: 0
Uncontrolled Pkts - Rx Drop: 0
Uncontrolled Pkts - Rx Error: 0
Unicast Controlled Pkts: N/A (N3K-C3636C-R not supported)
Multicast Controlled Pkts: N/A (N3K-C3636C-R not supported)
Broadcast Controlled Pkts: N/A (N3K-C3636C-R not supported)
Controlled Pkts: 8056748
Controlled Pkts - Rx Drop: N/A (N3K-C3636C-R not supported)
Controlled Pkts - Rx Error: N/A (N3K-C3636C-R not supported)
In-Octets Uncontrolled: 37641828280 bytes
In-Octets Controlled: 37324295914 bytes
Input rate for Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Input rate for Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Input rate for Controlled Pkts: N/A (N3K-C3636C-R not supported)
Input rate for Controlled Pkts: N/A (N3K-C3636C-R not supported)
Interface Tx Statistics:
Unicast Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Multicast Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Broadcast Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Uncontrolled Pkts - Rx Drop: N/A (N3K-C3636C-R not supported)
Uncontrolled Pkts - Rx Error: N/A (N3K-C3636C-R not supported)
Unicast Controlled Pkts: N/A (N3K-C3636C-R not supported)
Multicast Controlled Pkts: N/A (N3K-C3636C-R not supported)
Broadcast Controlled Pkts: N/A (N3K-C3636C-R not supported)
Controlled Pkts: 8049279
Controlled Pkts - Rx Drop: N/A (N3K-C3636C-R not supported)
Controlled Pkts - Rx Error: N/A (N3K-C3636C-R not supported)
Out-Octets Uncontrolled: N/A (N3K-C3636C-R not supported)
Out-Octets Controlled: 37262189352 bytes
Out-Octets Common: 37699748491 bytes
Output rate for Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Output rate for Uncontrolled Pkts: N/A (N3K-C3636C-R not supported)
Output rate for Controlled Pkts: N/A (N3K-C3636C-R not supported)
Output rate for Controlled Pkts: N/A (N3K-C3636C-R not supported)
SECY Rx Statistics:
Transform Error Pkts: N/A (N3K-C3636C-R not supported)
Control Pkts: 0
Untagged Pkts: N/A (N3K-C3636C-R not supported)
No Tag Pkts: 0
Bad Tag Pkts: 0
No SCI Pkts: 0
Unknown SCI Pkts: 0
Tagged Control Pkts: N/A (N3K-C3636C-R not supported)
SECY Tx Statistics:
Transform Error Pkts: N/A (N3K-C3636C-R not supported)
Control Pkts: 0
Untagged Pkts: N/A (N3K-C3636C-R not supported)
SAK Rx Statistics for AN [0]:
Unchecked Pkts: 0
Delayed Pkts: 0
Late Pkts: 0
OK Pkts: 8056748
Invalid Pkts: 0
Not Valid Pkts: 0
Not-Using-SA Pkts: 0
Unused-SA Pkts: 0
Decrypted In-Octets: 36952542946 bytes
Validated In-Octets: 0 bytes
SAK Tx Statistics for AN [0]:
Encrypted Protected Pkts: 8049279
Too Long Pkts: N/A (N3K-C3636C-R not supported)
SA-not-in-use Pkts: N/A (N3K-C3636C-R not supported)
Encrypted Protected Out-Octets: 36909704659 bytes
switch(config)#
Configuration Example for MACsec
The following example shows how to configure a user-defined MACsec policy and then apply the policy to interfaces:
switch(config)# macsec policy mpsr1
switch(config-macsec-policy)# cipher-suite GCM-AES-128
switch(config-macsec-policy)# key-server-priority 1
switch(config-macsec-policy)# window-size 1000
switch(config-macsec-policy)# conf-offset CONF-OFFSET-30
switch(config-macsec-policy)# security-policy must-secure
switch(config-macsec-policy)# sak-expiry-time 60
switch(config-macsec-policy)# include-icv-indicator
switch(config-macsec-policy)# interface e1/35-36
switch(config-if-range)# macsec keychain ksr policy mpsr1
switch(config-if-range)# show macsec mka session
Interface Local-TxSCI # Peers Status Key-Server Auth Mode
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
Ethernet1/35 6c8b.d3db.e980/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/36 6c8b.d3db.e984/0001 1 Secured No PRIMARY-PSK
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
switch(config-if-range)# show macsec mka summary
Interface Status Cipher (Operational) Key-Server MACSEC-policy Keychain Fallback-keychain
------------------ -------- ---------------------- ------------ -------------------------------- -------------------------------- --------------------------------
Ethernet1/35 Secured GCM-AES-128 Yes mpsr1 ksr no keychain
Ethernet1/36 Secured GCM-AES-128 No mpsr1 ksr no keychain
switch(config-if-range)# show running-config macsec
!Command: show running-config macsec
!Running configuration last done at: Tue Dec 15 11:41:53 2020
!Time: Tue Dec 15 11:45:06 2020
version 10.1(1) Bios:version 01.14
feature macsec
macsec policy mpsr1
cipher-suite GCM-AES-128
key-server-priority 1
window-size 1000
conf-offset CONF-OFFSET-30
sak-expiry-time 60
include-icv-indicator
interface Ethernet1/35
macsec keychain ksr policy mpsr1
interface Ethernet1/36
macsec keychain ksr policy mpsr1
The following example shows how to configure a MACsec keychain and then add the system default MACsec policy to the interfaces:
switch(config)# key chain ksr macsec
switch(config-macseckeychain)# key 2006
switch(config-macseckeychain-macseckey)# key-octet-string 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef cryptographic-algorithm AES_256_CMAC
switch(config-macseckeychain-macseckey)# interface e1/35-36
switch(config-if-range)# macsec keychain ksr
switch(config-if-range)# show running-config macsec
!Command: show running-config macsec
!Running configuration last done at: Tue Dec 15 11:53:10 2020
!Time: Tue Dec 15 11:54:40 2020
version 10.1(1) Bios:version 01.14
feature macsec
interface Ethernet1/35
macsec keychain ksr policy system-default-macsec-policy
interface Ethernet1/36
macsec keychain ksr policy system-default-macsec-policy
switch(config-if-range)# show macsec mka summary
Interface Status Cipher (Operational) Key-Server MACSEC-policy Keychain Fallback-keychain
------------------ -------- ---------------------- ------------ -------------------------------- -------------------------------- --------------------------------
Ethernet1/35 Secured GCM-AES-XPN-256 Yes system-default-macsec-policy ksr no keychain
Ethernet1/36 Secured GCM-AES-XPN-256 No system-default-macsec-policy ksr no keychain
switch(config-if-range)# show macsec mka session
Interface Local-TxSCI # Peers Status Key-Server Auth Mode
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
Ethernet1/35 6c8b.d3db.e980/0001 1 Secured Yes PRIMARY-PSK
Ethernet1/36 6c8b.d3db.e984/0001 1 Secured No PRIMARY-PSK
------------------ -------------------------------- ------------------ ------------------ ------------------ ------------------
Total Number of Sessions : 2
Secured Sessions : 2
Pending Sessions : 0
switch(config-if-range)#
XML Examples
MACsec supports XML output for the following show commands for scripting purposes using | xml :
-
show key chain name | xml
-
show macsec mka session interface interface slot/port details |xml
-
show macsec mka statistics interface interface slot/port |xml
-
show macsec mka summary |xml
-
show macsec policy name |xml
-
show macsec secy statistics interface interface slot/port |xml
-
show running-config macsec |xml
The following are example outputs for each of the preceding show commands:
Example 1: Displays the keychain configuration
switch(config)# show key chain "ksr" | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<nf:rpc-reply xmlns="http://www.cisco.com/nxos:1.0:rpm" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0">
<nf:data>
<show>
<key>
<chain>
<__XML__OPT_Cmd_rpm_show_keychain_cmd_keychain>
<keychain>ksr</keychain>
<__XML__OPT_Cmd_rpm_show_keychain_cmd___readonly__>
<__readonly__>
<TABLE_keychain>
<ROW_keychain>
<chain_name>ksr</chain_name>
<TABLE_key>
<ROW_key>
<key_id>2006</key_id>
<key_string>075e731f1a5c4f524f4b5b0d06292f212e62677147524054590f095951570a061e470b0b030604020c520b07055b5301155756085f535976141759180714160e0a</key_string>
<crypto_algo>AES_256_CMAC</crypto_algo>
<send_valid>true</send_valid>
</ROW_key>
</TABLE_key>
</ROW_keychain>
</TABLE_keychain>
</__readonly__>
</__XML__OPT_Cmd_rpm_show_keychain_cmd___readonly__>
</__XML__OPT_Cmd_rpm_show_keychain_cmd_keychain>
</chain>
</key>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
switch(config)#
Example 2: Displays information about the MACsec MKA session for a specific interface
switch(config)# show macsec mka session interface e1/35 details | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<nf:rpc-reply xmlns="http://www.cisco.com/nxos:1.0:cts" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0">
<nf:data>
<show>
<macsec>
<mka>
<session>
<__XML__OPT_Cmd_show_macsec_mka_session_interface>
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<__XML__INTF_output>Ethernet1/35</__XML__INTF_output>
</__XML__PARAM_value>
</__XML__INTF_ifname>
</interface>
<__XML__OPT_Cmd_show_macsec_mka_session_details>
<details/>
<__XML__OPT_Cmd_show_macsec_mka_session___readonly__>
<__readonly__>
<TABLE_mka_session_details>
<ROW_mka_session_details>
<ifname>Ethernet1/35</ifname>
<status>SECURED - Secured MKA Session with MACsec</status>
<sci>6c8b.d3db.e980/0001</sci>
<ssci>2</ssci>
<port_id>2</port_id>
<ckn>2006</ckn>
<ca_auth_mode>PRIMARY-PSK</ca_auth_mode>
<mi>5AABE0AB9CC867AB0FF40F7D</mi>
<mn>3550</mn>
<policy>system-default-macsec-policy</policy>
<ks_prio>16</ks_prio>
<keyserver>Yes</keyserver>
<include_icv_indicator>No</include_icv_indicator>
<cipher>GCM-AES-XPN-256</cipher>
<cipher_operational>GCM-AES-XPN-256</cipher_operational>
<window>148809600</window>
<conf_offset>CONF-OFFSET-0</conf_offset>
<conf_offset_operational>CONF-OFFSET-0</conf_offset_operational>
<sak_status>Rx & TX</sak_status>
<sak_an>0</sak_an>
<sak_ki>5AABE0AB9CC867AB0FF40F7D00000001</sak_ki>
<sak_kn>1</sak_kn>
<last_sak_rekey_time>11:53:25 pst Tue Dec 15 2020</last_sak_rekey_time>
<peer_count>1</peer_count>
<mac_addr>0180.c200.0003</mac_addr>
<ether_type>0x888e</ether_type>
<TABLE_mka_peer_status>
<ROW_mka_peer_status>
<peer_mi>27FC36C2BFAFBDBC65419A40</peer_mi>
<rxsci>6c8b.d3db.e984/0001</rxsci>
<icv_status>Match</icv_status>
<last_rx_time>13:51:39 pst Tue Dec 15 2020</last_rx_time>
</ROW_mka_peer_status>
</TABLE_mka_peer_status>
</ROW_mka_session_details>
</TABLE_mka_session_details>
</__readonly__>
</__XML__OPT_Cmd_show_macsec_mka_session___readonly__>
</__XML__OPT_Cmd_show_macsec_mka_session_details>
</__XML__OPT_Cmd_show_macsec_mka_session_interface>
</session>
</mka>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
switch(config)#
Example 3: Displays MACsec MKA statistics
switch(config)# show macsec mka statistics interface e1/29 | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<nf:rpc-reply xmlns="http://www.cisco.com/nxos:1.0:cts" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0">
<nf:data>
<show>
<macsec>
<mka>
<statistics>
<__XML__OPT_Cmd_some_macsec_mka_statistics_interface>
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<__XML__INTF_output>Ethernet1/29</__XML__INTF_output>
</__XML__PARAM_value>
</__XML__INTF_ifname>
</interface>
<__XML__OPT_Cmd_some_macsec_mka_statistics___readonly__>
<__readonly__>
<TABLE_mka_intf_stats>
<ROW_mka_intf_stats>
<ifname2>Ethernet1/29</ifname2>
<TABLE_ca_stats>
<ROW_ca_stats>
<ca_stat_ckn>2002</ca_stat_ckn>
<ca_stat_pairwise_cak_rekey>0</ca_stat_pairwise_cak_rekey>
<sa_stat_sak_generated>0</sa_stat_sak_generated>
<sa_stat_sak_rekey>0</sa_stat_sak_rekey>
<sa_stat_sak_received>2</sa_stat_sak_received>
<sa_stat_sak_response_rx>0</sa_stat_sak_response_rx>
<mkpdu_stat_mkpdu_tx>4335</mkpdu_stat_mkpdu_tx>
<mkpdu_stat_mkpdu_tx_distsak>0</mkpdu_stat_mkpdu_tx_distsak>
<mkpdu_stat_mkpdu_rx>4335</mkpdu_stat_mkpdu_rx>
<mkpdu_stat_mkpdu_rx_distsak>2</mkpdu_stat_mkpdu_rx_distsak>
</ROW_ca_stats>
</TABLE_ca_stats>
<TABLE_idb_stats>
<ROW_idb_stats>
<ca_stat_pairwise_cak_rekey>0</ca_stat_pairwise_cak_rekey>
<sa_stat_sak_generated>0</sa_stat_sak_generated>
<sa_stat_sak_rekey>0</sa_stat_sak_rekey>
<sa_stat_sak_received>2</sa_stat_sak_received>
<sa_stat_sak_response_rx>0</sa_stat_sak_response_rx>
<mkpdu_stat_mkpdu_tx>4335</mkpdu_stat_mkpdu_tx>
<mkpdu_stat_mkpdu_tx_distsak>0</mkpdu_stat_mkpdu_tx_distsak>
<mkpdu_stat_mkpdu_rx>4335</mkpdu_stat_mkpdu_rx>
<mkpdu_stat_mkpdu_rx_distsak>2</mkpdu_stat_mkpdu_rx_distsak>
<idb_stat_mkpdu_tx_success>8666</idb_stat_mkpdu_tx_success>
<idb_stat_mkpdu_tx_fail>0</idb_stat_mkpdu_tx_fail>
<idb_stat_mkpdu_tx_pkt_build_fail>0</idb_stat_mkpdu_tx_pkt_build_fail>
<idb_stat_mkpdu_no_tx_on_intf_down>0</idb_stat_mkpdu_no_tx_on_intf_down>
<idb_stat_mkpdu_no_rx_on_intf_down>0</idb_stat_mkpdu_no_rx_on_intf_down>
<idb_stat_mkpdu_rx_ca_notfound>0</idb_stat_mkpdu_rx_ca_notfound>
<idb_stat_mkpdu_rx_error>0</idb_stat_mkpdu_rx_error>
<idb_stat_mkpdu_rx_success>8666</idb_stat_mkpdu_rx_success>
<idb_stat_mkpdu_failure_rx_integrity_check_error>0</idb_stat_mkpdu_failure_rx_integrity_check_error>
<idb_stat_mkpdu_failure_invalid_peer_mn_error>0</idb_stat_mkpdu_failure_invalid_peer_mn_error>
<idb_stat_mkpdu_failure_nonrecent_peerlist_mn_error>0</idb_stat_mkpdu_failure_nonrecent_peerlist_mn_error>
<idb_stat_mkpdu_failure_sakuse_kn_mismatch_error>0</idb_stat_mkpdu_failure_sakuse_kn_mismatch_error>
<idb_stat_mkpdu_failure_sakuse_rx_not_set_error>0</idb_stat_mkpdu_failure_sakuse_rx_not_set_error>
<idb_stat_mkpdu_failure_sakuse_key_mi_mismatch_error>0</idb_stat_mkpdu_failure_sakuse_key_mi_mismatch_error>
<idb_stat_mkpdu_failure_sakuse_an_not_in_use_error>0</idb_stat_mkpdu_failure_sakuse_an_not_in_use_error>
<idb_stat_mkpdu_failure_sakuse_ks_rx_tx_not_set_error>0</idb_stat_mkpdu_failure_sakuse_ks_rx_tx_not_set_error>
<idb_stat_mkpdu_failure_sakuse_eapol_ethertype_mismatch_error>0</idb_stat_mkpdu_failure_sakuse_eapol_ethertype_mismatch_error>
<idb_stat_mkpdu_failure_sakuse_eapol_destmac_mismatch_error>0</idb_stat_mkpdu_failure_sakuse_eapol_destmac_mismatch_error>
<idb_stat_sak_failure_sak_generate_error>0</idb_stat_sak_failure_sak_generate_error>
<idb_stat_sak_failure_hash_generate_error>0</idb_stat_sak_failure_hash_generate_error>
<idb_stat_sak_failure_sak_encryption_error>0</idb_stat_sak_failure_sak_encryption_error>
<idb_stat_sak_failure_sak_decryption_error>0</idb_stat_sak_failure_sak_decryption_error>
<idb_stat_sak_failure_ick_derivation_error>0</idb_stat_sak_failure_ick_derivation_error>
<idb_stat_sak_failure_kek_derivation_error>0</idb_stat_sak_failure_kek_derivation_error>
<idb_stat_sak_failure_invalid_macsec_capability_error>0</idb_stat_sak_failure_invalid_macsec_capability_error>
<idb_stat_macsec_failure_rx_sa_create_error>0</idb_stat_macsec_failure_rx_sa_create_error>
<idb_stat_macsec_failure_tx_sa_create_error>0</idb_stat_macsec_failure_tx_sa_create_error>
</ROW_idb_stats>
</TABLE_idb_stats>
</ROW_mka_intf_stats>
</TABLE_mka_intf_stats>
</__readonly__>
</__XML__OPT_Cmd_some_macsec_mka_statistics___readonly__>
</__XML__OPT_Cmd_some_macsec_mka_statistics_interface>
</statistics>
</mka>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
switch(config)#
Example 4: Displays the MACsec MKA configuration
switch(config)# show macsec mka summary | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<nf:rpc-reply xmlns="http://www.cisco.com/nxos:1.0:cts" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0">
<nf:data>
<show>
<macsec>
<mka>
<__XML__OPT_Cmd_some_macsec_summary>
<__XML__OPT_Cmd_some_macsec___readonly__>
<__readonly__>
<TABLE_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/29</ifname>
<status>Secured</status>
<cipher>GCM-AES-128</cipher>
<keyserver>No</keyserver>
<policy>mpd1</policy>
<keychain>kd</keychain>
<fallback_keychain>fbkd</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/30</ifname>
<status>Secured</status>
<cipher>GCM-AES-128</cipher>
<keyserver>No</keyserver>
<policy>mpd2</policy>
<keychain>kd</keychain>
<fallback_keychain>fbkd</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/31</ifname>
<status>Secured</status>
<cipher>GCM-AES-128</cipher>
<keyserver>Yes</keyserver>
<policy>mps1</policy>
<keychain>ks</keychain>
<fallback_keychain>fbks</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/32</ifname>
<status>Secured</status>
<cipher>GCM-AES-128</cipher>
<keyserver>Yes</keyserver>
<policy>mps2</policy>
<keychain>ks</keychain>
<fallback_keychain>fbks</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/33</ifname>
<status>Secured</status>
<cipher>GCM-AES-128</cipher>
<keyserver>Yes</keyserver>
<policy>mpsr1</policy>
<keychain>ksr</keychain>
<fallback_keychain>fbksr</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/34</ifname>
<status>Secured</status>
<cipher>GCM-AES-128</cipher>
<keyserver>Yes</keyserver>
<policy>mpsr2</policy>
<keychain>ksr</keychain>
<fallback_keychain>fbksr</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/35</ifname>
<status>Secured</status>
<cipher>GCM-AES-XPN-256</cipher>
<keyserver>Yes</keyserver>
<policy>system-default-macsec-policy</policy>
<keychain>ksr</keychain>
<fallback_keychain>no keychain</fallback_keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet1/36</ifname>
<status>Secured</status>
<cipher>GCM-AES-XPN-256</cipher>
<keyserver>No</keyserver>
<policy>system-default-macsec-policy</policy>
<keychain>ksr</keychain>
<fallback_keychain>no keychain</fallback_keychain>
</ROW_mka_summary>
</TABLE_mka_summary>
</__readonly__>
</__XML__OPT_Cmd_some_macsec___readonly__>
</__XML__OPT_Cmd_some_macsec_summary>
</mka>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
switch(config)#
Example 5: Displays the configuration for a specific MACsec policy
switch(config)# show macsec policy mpsr1 | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<nf:rpc-reply xmlns="http://www.cisco.com/nxos:1.0:cts" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0">
<nf:data>
<show>
<macsec>
<policy>
<__XML__OPT_Cmd_show_macsec_policy_policy_name>
<policy_name>mpsr1</policy_name>
<__XML__OPT_Cmd_show_macsec_policy___readonly__>
<__readonly__>
<TABLE_macsec_policy>
<ROW_macsec_policy>
<name>mpsr1</name>
<cipher_suite>GCM-AES-128</cipher_suite>
<keyserver_priority>1</keyserver_priority>
<window_size>1000</window_size>
<conf_offset>30</conf_offset>
<security_policy>should-secure</security_policy>
<sak-expiry-time>60</sak-expiry-time>
<include_icv_indicator>TRUE</include_icv_indicator>
</ROW_macsec_policy>
</TABLE_macsec_policy>
</__readonly__>
</__XML__OPT_Cmd_show_macsec_policy___readonly__>
</__XML__OPT_Cmd_show_macsec_policy_policy_name>
</policy>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
switch(config)#
Example 6: Displays MACsec Security statistics
switch(config)# show macsec secy statistics interface e1/29 | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<nf:rpc-reply xmlns="http://www.cisco.com/nxos:1.0:cts" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0">
<nf:data>
<show>
<macsec>
<secy>
<statistics>
<__XML__OPT_Cmd_some_macsec_secy_statistics_interface>
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<__XML__INTF_output>Ethernet1/29</__XML__INTF_output>
</__XML__PARAM_value>
</__XML__INTF_ifname>
</interface>
<__XML__OPT_Cmd_some_macsec_secy_statistics___readonly__>
<__readonly__>
<TABLE_statistics>
<ROW_statistics>
<ifname2>Ethernet1/29</ifname2>
<in_pkts_unicast_uncontrolled>6536205587</in_pkts_unicast_uncontrolled>
<in_pkts_multicast_uncontrolled>10775</in_pkts_multicast_uncontrolled>
<in_pkts_broadcast_uncontrolled>0</in_pkts_broadcast_uncontrolled>
<in_rx_drop_pkts_uncontrolled>0</in_rx_drop_pkts_uncontrolled>
<in_rx_err_pkts_uncontrolled>0</in_rx_err_pkts_uncontrolled>
<in_pkts_unicast_controlled>N/A (N3K-C3636C-R not supported)</in_pkts_unicast_controlled>
<in_pkts_multicast_controlled>N/A (N3K-C3636C-R not supported)</in_pkts_multicast_controlled>
<in_pkts_broadcast_controlled>N/A (N3K-C3636C-R not supported)</in_pkts_broadcast_controlled>
<in_pkts_controlled>5173107800</in_pkts_controlled>
<in_rx_drop_pkts_controlled>N/A (N3K-C3636C-R not supported)</in_rx_drop_pkts_controlled>
<in_rx_err_pkts_controlled>N/A (N3K-C3636C-R not supported)</in_rx_err_pkts_controlled>
<in_octets_uncontrolled>30491280431357</in_octets_uncontrolled>
<in_octets_controlled>23935220809548</in_octets_controlled>
<input_rate_uncontrolled_pps>N/A (N3K-C3636C-R not supported)</input_rate_uncontrolled_pps>
<input_rate_uncontrolled_bps>N/A (N3K-C3636C-R not supported)</input_rate_uncontrolled_bps>
<input_rate_controlled_pps>N/A (N3K-C3636C-R not supported)</input_rate_controlled_pps>
<input_rate_controlled_bps>N/A (N3K-C3636C-R not supported)</input_rate_controlled_bps>
<out_pkts_unicast_uncontrolled>N/A (N3K-C3636C-R not supported)</out_pkts_unicast_uncontrolled>
<out_pkts_multicast_uncontrolled>N/A (N3K-C3636C-R not supported)</out_pkts_multicast_uncontrolled>
<out_pkts_broadcast_uncontrolled>N/A (N3K-C3636C-R not supported)</out_pkts_broadcast_uncontrolled>
<out_rx_drop_pkts_uncontrolled>N/A (N3K-C3636C-R not supported)</out_rx_drop_pkts_uncontrolled>
<out_rx_err_pkts_uncontrolled>N/A (N3K-C3636C-R not supported)</out_rx_err_pkts_uncontrolled>
<out_pkts_unicast_controlled>N/A (N3K-C3636C-R not supported)</out_pkts_unicast_controlled>
<out_pkts_multicast_controlled>N/A (N3K-C3636C-R not supported)</out_pkts_multicast_controlled>
<out_pkts_broadcast_controlled>N/A (N3K-C3636C-R not supported)</out_pkts_broadcast_controlled>
<out_pkts_controlled>5173113173</out_pkts_controlled>
<out_rx_drop_pkts_controlled>N/A (N3K-C3636C-R not supported)</out_rx_drop_pkts_controlled>
<out_rx_err_pkts_controlled>N/A (N3K-C3636C-R not supported)</out_rx_err_pkts_controlled>
<out_octets_uncontrolled>N/A (N3K-C3636C-R not supported)</out_octets_uncontrolled>
<out_octets_controlled>23946219872208</out_octets_controlled>
<out_octets_common>30664229104600</out_octets_common>
<output_rate_uncontrolled_pps>N/A (N3K-C3636C-R not supported)</output_rate_uncontrolled_pps>
<output_rate_uncontrolled_bps>N/A (N3K-C3636C-R not supported)</output_rate_uncontrolled_bps>
<output_rate_controlled_pps>N/A (N3K-C3636C-R not supported)</output_rate_controlled_pps>
<output_rate_controlled_bps>N/A (N3K-C3636C-R not supported)</output_rate_controlled_bps>
<in_pkts_transform_error>N/A (N3K-C3636C-R not supported)</in_pkts_transform_error>
<in_pkts_control>0</in_pkts_control>
<in_pkts_untagged>N/A (N3K-C3636C-R not supported)</in_pkts_untagged>
<in_pkts_no_tag>0</in_pkts_no_tag>
<in_pkts_badtag>0</in_pkts_badtag>
<in_pkts_no_sci>0</in_pkts_no_sci>
<in_pkts_unknown_sci>0</in_pkts_unknown_sci>
<in_pkts_tagged_ctrl>N/A (N3K-C3636C-R not supported)</in_pkts_tagged_ctrl>
<out_pkts_transform_error>N/A (N3K-C3636C-R not supported)</out_pkts_transform_error>
<out_pkts_control>0</out_pkts_control>
<out_pkts_untagged>N/A (N3K-C3636C-R not supported)</out_pkts_untagged>
<TABLE_rx_sa_an>
<ROW_rx_sa_an>
<rx_sa_an>2</rx_sa_an>
<in_pkts_unchecked>0</in_pkts_unchecked>
<in_pkts_delayed>0</in_pkts_delayed>
<in_pkts_late>0</in_pkts_late>
<in_pkts_ok>1951781408</in_pkts_ok>
<in_pkts_invalid>0</in_pkts_invalid>
<in_pkts_not_valid>0</in_pkts_not_valid>
<in_pkts_not_using_sa>0</in_pkts_not_using_sa>
<in_pkts_unused_sa>0</in_pkts_unused_sa>
<in_octets_decrypted>8952613134278</in_octets_decrypted>
<in_octets_validated>0</in_octets_validated>
</ROW_rx_sa_an>
</TABLE_rx_sa_an>
<TABLE_tx_sa_an>
<ROW_tx_sa_an>
<tx_sa_an>2</tx_sa_an>
<out_pkts_encrypted_protected>1951773387</out_pkts_encrypted_protected>
<out_pkts_too_long>N/A (N3K-C3636C-R not supported)</out_pkts_too_long>
<out_pkts_sa_not_inuse>N/A (N3K-C3636C-R not supported)</out_pkts_sa_not_inuse>
<out_octets_encrypted_protected>8952606203313</out_octets_encrypted_protected>
</ROW_tx_sa_an>
</TABLE_tx_sa_an>
</ROW_statistics>
</TABLE_statistics>
</__readonly__>
</__XML__OPT_Cmd_some_macsec_secy_statistics___readonly__>
</__XML__OPT_Cmd_some_macsec_secy_statistics_interface>
</statistics>
</secy>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
switch(config)#
Example 7: Displays the running configuration information for MACsec
switch(config)# show running-config macsec | xml
!Command: show running-config macsec
!Running configuration last done at: Tue Dec 15 11:53:10 2020
!Time: Tue Dec 15 13:58:58 2020
version 10.1(1) Bios:version 01.14
******************************************
This may take time. Please be patient.
******************************************
<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cisco.com/nxos:10.1.1.:configure_" xmlns:m="http://www.cisco.com/nxos:10.1.1.:_exec"
xmlns:m1="http://www.cisco.com/nxos:10.1.1.:configure__macsec-policy" xmlns:m2="http://www.cisco.com/nxos:10.1.1.:configure__if-ethernet-all" message-id="1">
<nf:get-config>
<nf:source>
<nf:running/>
</nf:source>
<nf:filter>
<m:configure>
<m:terminal>
<feature>
<macsec/>
</feature>
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>mpd1</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-128</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-30</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>mpd2</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-128</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-30</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
<m1:security-policy>
<m1:__XML__PARAM__policy>
<m1:__XML__value>must-secure</m1:__XML__value>
</m1:__XML__PARAM__policy>
</m1:security-policy>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>mps1</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-128</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:key-server-priority>
<m1:__XML__PARAM__pri>
<m1:__XML__value>1</m1:__XML__value>
</m1:__XML__PARAM__pri>
</m1:key-server-priority>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-30</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
<m1:sak-expiry-time>
<m1:__XML__PARAM__ts>
<m1:__XML__value>60</m1:__XML__value>
</m1:__XML__PARAM__ts>
</m1:sak-expiry-time>
<m1:include-icv-indicator/>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>mps2</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-128</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:key-server-priority>
<m1:__XML__PARAM__pri>
<m1:__XML__value>1</m1:__XML__value>
</m1:__XML__PARAM__pri>
</m1:key-server-priority>
<m1:window-size>
<m1:__XML__PARAM__size>
<m1:__XML__value>1000</m1:__XML__value>
</m1:__XML__PARAM__size>
</m1:window-size>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-30</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
<m1:security-policy>
<m1:__XML__PARAM__policy>
<m1:__XML__value>must-secure</m1:__XML__value>
</m1:__XML__PARAM__policy>
</m1:security-policy>
<m1:sak-expiry-time>
<m1:__XML__PARAM__ts>
<m1:__XML__value>60</m1:__XML__value>
</m1:__XML__PARAM__ts>
</m1:sak-expiry-time>
<m1:include-icv-indicator/>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>mpsr1</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-128</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:key-server-priority>
<m1:__XML__PARAM__pri>
<m1:__XML__value>1</m1:__XML__value>
</m1:__XML__PARAM__pri>
</m1:key-server-priority>
<m1:window-size>
<m1:__XML__PARAM__size>
<m1:__XML__value>1000</m1:__XML__value>
</m1:__XML__PARAM__size>
</m1:window-size>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-30</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
<m1:sak-expiry-time>
<m1:__XML__PARAM__ts>
<m1:__XML__value>60</m1:__XML__value>
</m1:__XML__PARAM__ts>
</m1:sak-expiry-time>
<m1:include-icv-indicator/>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>mpsr2</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-128</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:key-server-priority>
<m1:__XML__PARAM__pri>
<m1:__XML__value>1</m1:__XML__value>
</m1:__XML__PARAM__pri>
</m1:key-server-priority>
<m1:window-size>
<m1:__XML__PARAM__size>
<m1:__XML__value>1000</m1:__XML__value>
</m1:__XML__PARAM__size>
</m1:window-size>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-30</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
<m1:security-policy>
<m1:__XML__PARAM__policy>
<m1:__XML__value>must-secure</m1:__XML__value>
</m1:__XML__PARAM__policy>
</m1:security-policy>
<m1:sak-expiry-time>
<m1:__XML__PARAM__ts>
<m1:__XML__value>60</m1:__XML__value>
</m1:__XML__PARAM__ts>
</m1:sak-expiry-time>
<m1:include-icv-indicator/>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/29</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>kd</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>mpd1</m2:__XML__value>
<m2:fallback-keychain>
<m2:__XML__PARAM__fallback_kc_name>
<m2:__XML__value>fbkd</m2:__XML__value>
</m2:__XML__PARAM__fallback_kc_name>
</m2:fallback-keychain>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/30</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>kd</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>mpd2</m2:__XML__value>
<m2:fallback-keychain>
<m2:__XML__PARAM__fallback_kc_name>
<m2:__XML__value>fbkd</m2:__XML__value>
</m2:__XML__PARAM__fallback_kc_name>
</m2:fallback-keychain>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/31</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>ks</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>mps1</m2:__XML__value>
<m2:fallback-keychain>
<m2:__XML__PARAM__fallback_kc_name>
<m2:__XML__value>fbks</m2:__XML__value>
</m2:__XML__PARAM__fallback_kc_name>
</m2:fallback-keychain>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/32</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>ks</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>mps2</m2:__XML__value>
<m2:fallback-keychain>
<m2:__XML__PARAM__fallback_kc_name>
<m2:__XML__value>fbks</m2:__XML__value>
</m2:__XML__PARAM__fallback_kc_name>
</m2:fallback-keychain>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/33</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>ksr</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>mpsr1</m2:__XML__value>
<m2:fallback-keychain>
<m2:__XML__PARAM__fallback_kc_name>
<m2:__XML__value>fbksr</m2:__XML__value>
</m2:__XML__PARAM__fallback_kc_name>
</m2:fallback-keychain>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/34</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>ksr</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>mpsr2</m2:__XML__value>
<m2:fallback-keychain>
<m2:__XML__PARAM__fallback_kc_name>
<m2:__XML__value>fbksr</m2:__XML__value>
</m2:__XML__PARAM__fallback_kc_name>
</m2:fallback-keychain>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/35</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>ksr</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>system-default-macsec-policy</m2:__XML__value>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet1/36</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>ksr</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>system-default-macsec-policy</m2:__XML__value>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
</m:terminal>
</m:configure>
</nf:filter>
</nf:get-config>
</nf:rpc>
]]>]]>
switch(config)#
MIBs
MACsec supports the following MIBs:
-
IEEE8021-SECY-MIB
-
CISCO-SECY-EXT-MIB