MACsec Commands

This module describes the commands used to configure MACsec.


Note

All commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 540 Series Router that is introduced from Cisco IOS XR Release 6.3.2. References to earlier releases in Command History tables apply to only the Cisco NCS 5500 Series Router.

For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing MACsec encryption chapter in the System Security Configuration Guide for Cisco NCS 5500 Series Routers.

allow (MACsec)

To specify MACsec policy exception to allow packets in clear text, use allow command under MACsec policy configuration mode. To remove this configuration, use the no form of this command.

allow lacp-in-clear

Syntax Description

lacp-in-clear

Allows Link Aggregation Control Plane protocol (LACP) packets in clear text.

Command Default

None

Command Modes

MACsec policy configuration mode

Command History

Release

Modification

Release 7.3.1

This command was introduced.

Usage Guidelines

The policy-exception lacp-in-clear command under MACsec policy configuration mode is deprecated. Hence, it is recommended to use the allow lacp-in-clear command instead, to allow LACP packets in clear-text format.

Task ID

Task ID

Operations

system

read, write

Examples

This example shows how to create a MACsec policy exception to allow LACP packets in clear text:


Router#configure
Router(config)#macsec-policy test-macsec-policy
Router(config-macsec-policy)#allow lacp-in-clear 
Router(config-macsec-policy)#commit

cipher-suite

Configures the cipher suite for encrypting traffic with MACsec in the MAcsec policy configuration mode.

The first portion of the cipher name indicates the encryption method, the second portion indicates the hash or integrity algorithm, and the third portion indicates the length of the cipher (128/256).

To disable this feature, use the no form of this command.

cipher-suite encryption_ suite

Syntax Description

encryption_suite

The GCM encryption method that uses the AES encryption algorithm. The available encryption suites are:

  • GCM-AES-128

  • GCM-AES-256

  • GCM-AES-XPN-128

  • GCM-AES-XPN-256

Command Default

The default cipher suite chosen for encryption is GCM-AES-XPN-256.

Command Modes

MACsec policy configuration.

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the cipher-suite command: 


RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
RP/0/RP0/CPU0:router(config-mac_policy)# cipher-suite GCM-AES-XPN-256
RP/0/RP0/CPU0:router(config-mac_policy)#

conf-offset

Configures the confidentiality offset for MACsec encryption in the MACsec policy configuration mode.

To disable this feature, use the no form of this command.

conf-offset offset_value

Syntax Description

offset_value

Configures the offset value. The options are:

  • CONF-OFFSET-0 : Does not offset the encryption

  • CONF-OFFSET-30: Offsets the encryption by 30 characters

  • CONF-OFFSET-50: Offsets the encryption by 50 characters.

Command Default

Default value is 0.

Command Modes

MACsec policy configuration.

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the conf-offset command: 


RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
RP/0/RP0/CPU0:router(config-mac_policy)# conf-offset CONF-OFFSET-30
RP/0/RP0/CPU0:router(config-mac_policy)#

crypto-sks-kme

To display details of the Quantum Key Distribution (QKD) server, use the crypto-sks-kme command in EXEC mode.

crypto-sks-kme profile-name { entropy | capability }

Syntax Description

profile-name

Specifies the key string in clear-text form.

entropy

Specifies the key in encrypted form.

capability

Specifies the key in Type 6 encrypted form.

Command Default

None

Command Modes

EXEC mode

Command History

Release

Modification

Release 7.9.1

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID

Operations

system

read, write

Examples

The following examples shows how to use the crypto-sks-kme command: 

Router# crypto sks kme remote_qkd_prof1 entropy
Entropy Details:
Key details Dump: 0000 - 406b004c9c7f00000000000000000000280c71794fa6f029d0ee2f6c4cd01b46
Key : 406b004c9c7f00000000000000000000280c71794fa6f029d0ee2f6c4cd01b46
Entropy Length: 32
Router# crypto sks kme QkdIP capability 
Capability Details:
  Entropy supported : False
  Key supported     : False
  Algorithm         : QKD
  Local identifier  : Alice1
  Remote identifier : Alice1, Bob1,

cryptographic-algorithm (MACsec)

Configures the cryptographic algorithm used for authenticating a peer for MACsec encryption in the Keychain-key configuration mode.

To disable this feature, use the no form of this command.

cryptographic-algorithm authentication algorithm

Syntax Description

authentication algorithm

Configures the 128-bit or 256-bit AES encryption algorithm.

Command Default

No default behavior or values.

Command Modes

Keychain-key configuration.

Usage Guidelines

If you do not specify the cryptographic algorithm, MAC computation and API verification would be invalid.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the cryptographic-algorithm command for MACsec Encryption: 



RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 11111111111111111111111111111111 cryptographic-algorithm aes-256-cmac

Examples

The following example shows how to use the AES-128-CMAC authentication algorithm command: 



RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 12345678123456781234567812345678 cryptographic-algorithm aes-128-cmac

Examples

The following example shows how to use the AES-256-CMAC authentication algorithm command: 



RP/0/RP0/CPU0:router#configure
RP/0/RP0/CPU0:router# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec) # key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 1234567812345678123456781234567812345678123456781234567812345678 cryptographic-algorithm aes-256-cmac

enable-legacy-fallback

To enable interoperability with peer devices that do not support MACsec active fallback feature, use the enable-legacy-fallback command in MACsec policy configuration mode. To remove the configuration, use the no form of this command.

enable-legacy-fallback

Syntax Description

This command has no keywords or arguments.

Command Default

Disabled, by default.

Command Modes

MACsec policy configuration mode

Command History

Release Modification
Release 7.1.2

This command was introduced.

Usage Guidelines

For more details on MACsec active fallback feature, see the Fallback PSK section in the Configuring MACsec Encryption chapter in the System Security Configuration Guide for Cisco NCS 5500 Series Routers.

Task ID

Task ID Operation

system

read, write

Examples

This example shows how to enable interoperability with peer devices that do not support MACsec active fallback feature:


Router#configure
Router(config)#macsec-policy P1
Router(config-macsec-policy)#enable-legacy-fallback 
Router(config-macsec-policy)#commit

fallback-psk-keychain

To create or modify a fallback psk keychain key, use the fallback-psk-keychain command in keychain-key configuration mode.

To disable this feature, use the no form of this command.

fallback-psk-keychain key-id

Syntax Description

key-id

64-character hexadecimal string.

Command Default

No default behavior or values.

Command Modes

Key chain configuration

Usage Guidelines

The key must be of even number of characters. Entering an odd number of characters will exit the MACsec configuration mode.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the key command: 



RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router# fallback-psk-keychain fallback_mac_chain 
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678

impose-overhead-on-bundle

To impose the MACsec overhead on the bundle interface, use impose-overhead-on-bundle command under MACsec policy configuration mode.

impose-overhead-on-bundle

Syntax Description

impose-overhead-on-bundle

Applies macsec overhead on the bundle interface.

Command Default

None

Command Modes

MACsec policy configuration mode

Command History

Release

Modification

Release 24.1.1

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID

Operations

system

read, write

Examples

This example shows how to configure MACsec policy exception to apply macsec overhead on the bundle interface:


Router#configure
Router(config)#macsec-policy test-macsec-policy
Router(config-macsec-policy)#impose-overhead-on-bundle 
Router(config-macsec-policy)#commit

key

To create or modify a keychain key, use the key command in keychain-key configuration mode. To disable this feature, use the no form of this command.

key key-id

Syntax Description

key-id

64-character hexadecimal string.

Command Default

No default behavior or values.

Command Modes

Key chain configuration

Usage Guidelines

The key must be of even number of characters. Entering an odd number of characters will exit the MACsec configuration mode.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the key command: 



RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678

key chain

To create or modify a keychain, use the key chain command in the key chain configuration mode.

To disable this feature, use the no form of this command.

key chain key-chain-name

Syntax Description

key-chain-name

Specifies the name of the keychain. The maximum length is 32 (128-bit encryption)/64 (256-bit encryption) character hexadecimal string.

Note

 
If you are configuring MACsec to interoperate with a MACsec server that is running software prior to IOS XR 6.1.3, then ensure that the MACsec key length is of 64 characters. If the key length is lesser than 64 characters, authentication will fail.

Command Modes

Key chain configuration

Command Default

No default behavior or values

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how you can configure a key chain for MACsec encryption: 



RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)#

key-string

To specify the text string for the key, use the key-string command in keychain-key configuration mode.

To disable this feature, use the no form of this command.

key-string [clear | password] key-string-text

Syntax Description

clear

Specifies the key string in clear-text form.

password password

Specifies the key in encrypted form.

key-string-text

Text string for the key, which is encrypted by the parser process before being saved to the configuration. The text string has the following character limitations:

  • Plain-text key strings—Minimum of 1 character and a maximum of 32 (128-bit encryption)/64 (256-bit encryption) characters (hexadecimal string).

  • Encrypted key strings—Minimum of 4 characters and no maximum.

Command Default

The default value is clear.

Command Modes

Key chain configuration

Usage Guidelines

For an encrypted password to be valid, the following statements must be true:

  • String must contain an even number of characters, with a minimum of four.

  • The first two characters in the password string must be decimal numbers and the rest must be hexadecimals.

  • The first two digits must not be a number greater than 53.

Either of the following examples would be valid encrypted passwords:

1234abcd

or

50aefd

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the keystring command: 

! For AES 128-bit encryption

RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 12345678123456781234567812345678 cryptographic-algorithm AES-128-CMAC

! For AES 256-bit encryption

RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 1234567812345678123456781234567812345678123456781234567812345678 cryptographic-algorithm AES-256-CMAC

key-server-priority

Configures the preference for a device to serve as the key server for MACsec encryption in the MACsec policy configuration mode. To disable this feature, use the no form of this command.

key-server-priority value

Syntax Description

value

Indicates the priority for a device to become the key server. Lower the value, higher the preference. The range is 0-255.

Command Default

Default value is 16.

Command Modes

MACsec policy configuration.

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the key-server-priority command: 


RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
RP/0/RP0/CPU0:router(config-mac_policy)# key-server-priority 16
RP/0/RP0/CPU0:router(config-mac_policy)#

lifetime

Configures the validity period for the MACsec key or CKN in the Keychain-key configuration mode. To disable this feature, use the no form of this command.

The lifetime period can be configured with a duration in seconds, as a validity period between two dates (for example, Jan 01 2014 to Dec 31 2014), or with an infinite validity.

The key is valid from the time you configure in HH:MM:SS format. Duration is configured in seconds.

When a key has expired, the MACsec session is torn down and running the show macsec mka session command does not display any information. If you run the show macsec mka interface and show macsec mka interface detail commands, you can see that the session is unsecured.

lifetime start_time start_date

{

end_time end_date |

duration validity | infinite

}

Syntax Description

start-time

Start time in hh:mm:ss from which the key becomes valid. The range is from 0:0:0 to 23:59:59.

end-time

End time in hh:mm:ss at which point the key becomes invalid. The range is from 0:0:0 to 23:59:59.

start_date

The date in DD month YYYY format that the key becomes valid.

end_date

The date in DD month YYYY format that the key becomes invalid.

duration validity

The key chain is valid for the duration you configure. You can configure duration in seconds.

infinite

The key chain is valid indefinitely.

Command Default

No default behavior or values

Command Modes

Keychain-key configuration

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the lifetime command: 

! For AES 128-bit encryption

RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 12345678123456781234567812345678 cryptographic-algorithm AES-128-CMAC
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# lifetime 05:00:00 20 february 2015 12:00:00 30 september 2016

! For AES 256-bit encryption

RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# key-string 1234567812345678123456781234567812345678123456781234567812345678 cryptographic-algorithm AES-256-CMAC
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)# lifetime 05:00:00 20 february 2015 12:00:00 30 september 2016

macsec

Enables MACsec on the router in the keychain configuration mode. To disable this feature, use the no form of this command.

macsec [ key key-id ]

Syntax Description

key-id

The key can be up to 64 bytes in length. The configured key is the CKN that is exchanged between the peers.

Command Default

No default behavior or values.

Command Modes

Keychain configuration

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Release 7.1.2

Release 7.2.1

The key-id values are made case insensitive, and are stored as uppercase letters.

Usage Guidelines

From Cisco IOS XR Software Release 7.1.2 , Release 7.2.1 and later, the MACsec key IDs are considered to be case insensitive. These key IDs are stored as uppercase letters. For example, a key ID of value 'FF' and of value 'ff' are considered to be the same, and both these key IDs are now stored in uppercase as 'FF'. Whereas, prior to Release 7.1.2 and Release 7.2.1, both these values were treated as case sensitive, and hence considered as two separate key IDs. However, the support for this case insensitive IDs is applicable only for the configurations done through CLI, and not for configurations done through Netconf protocol. Hence, it is recommended to have unique strings as key IDs for a MACsec key chain to avoid flapping of MACsec sessions.

For example, the key IDs ('FF' and 'ff') in this example are not unique (although one is in uppercase and other is in lowercase), and hence this might cause a MACsec session flap. 


key chain 1
 macsec
  key FF
   lifetime 02:01:01 may 18 2020 infinite
  !
  key ff
   lifetime 01:01:01 may 18 2020 infinite

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the macsec command: 



RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# key chain mac_chain macsec
RP/0/RP0/CPU0:router(config-mac_chain-MacSec)# key 1234abcd5678
RP/0/RP0/CPU0:router(config-mac_chain-MacSec-1234abcd5678)#

macsec-policy

Creates a MACsec policy for MACsec encryption in XR Config mode. To disable this feature, use the no form of this command.

macsec-policy policy_name

Syntax Description

policy_name

Name of the MACsec policy for encryption.

Command Default

No default behavior or values.

Command Modes

XR Config mode

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the macsec-policy command: 


RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
RP/0/RP0/CPU0:router(config-mac_policy)#

macsec shutdown

To enable MACsec shutdown, use the macsec shutdown command in XR Config mode. To disable MACsec shutdown, use the no form of the command.

macsec shutdown

Syntax Description

This command has no keywords or arguments.

Command Default

The macsec shutdown command is disabled by default.

Command Modes

XR Config mode

Command History

Release Modification
Release 6.3.3

This command was introduced.

Usage Guidelines

Enabling the macsec shutdown command, brings down all macsec sessions on the MACsec-enabled interfaces and resets ports to non-macsec mode. The already existing MACsec configurations remain unaffected by enabling this feature.

Disabling the macsec shutdown command, brings up MACsec sessions for the configured interfaces and enforces MACsec policy on the port.


Warning

Configuring macsec shutdown command disables MACsec on all data ports, system wide. Execute clear command to erase cached configuration or commit command to continue.

Task ID

Task ID Operation
system

read, write

Examples

The following example shows how to enable MACsec shutdown: 

RP/0/RSP0/CPU0:router# configure terminal
RP/0/RSP0/CPU0:router(config)# macsec shutdown

show macsec mka summary

To display the Summary of MACsec Sessions, use the show macsec mka summary command in EXEC mode.

show macsec mka summary

Syntax Description

This command has no keywords or arguments.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka summary command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec mka summary information for a specific interface.


 Router# show macsec mka summary 
Fri Dec 15 06:41:13.299 UTC

NODE: node0_RP0_CPU0
========================================================================================
   Interface-Name     Status     Cipher-Suite       KeyChain       PSK/EAP      CKN
========================================================================================
     TF0/0/0/24       Secured  GCM-AES-XPN-256         kc1         PRIMARY     1111
     TF0/0/0/25       Secured  GCM-AES-XPN-256         kc1         PRIMARY     1111
     TF0/0/0/26       Secured  GCM-AES-XPN-256         kc1         PRIMARY     1111
     TF0/0/0/27       Secured  GCM-AES-XPN-256         kc1         PRIMARY     1111

Total MACSec Sessions  : 4
    Secured Sessions   : 4
    Pending Sessions   : 0
    Suspended Sessions : 0
    Active  Sessions   : 0

show macsec mka session

To display the detailed Information of MACsec Sessions, use the show macsec mka session command in EXEC mode.

show macsec mka session interface interface name location location name detail

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location

Specifies the node location to enable the MACsec details.
location name

Enables MACsec mode for a specific node.
detail

(Optional) Detailed information specific to session.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka session command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec mka session information for a specific interface.


 Router# show macsec mka session 
Fri Dec 15 06:31:38.457 UTC

NODE: node0_RP0_CPU0
===============================================================================================
   Interface-Name        Local-TxSCI       #Peers   Status   Key-Server   PSK/EAP      CKN
===============================================================================================
     TF0/0/0/24      ac3a.67ee.281c/0001     1      Secured      YES      PRIMARY     1111
     TF0/0/0/25      ac3a.67ee.281d/0001     1      Secured      YES      PRIMARY     1111
     TF0/0/0/26      ac3a.67ee.281e/0001     1      Secured      YES      PRIMARY     1111
     TF0/0/0/27      ac3a.67ee.281f/0001     1      Secured      YES      PRIMARY     1111

show macsec mka interface detail

To display detailed information on MACsec interfaces, use the show macsec mka interface detail command in the EXEC mode.

show macsec mka interface interface name detail

Syntax Description

interface name Specifies the name of the interface for which you want to view the MACsec details.

Command Modes

EXEC mode

Command History

Release Modification
Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka interface detail command is available only with the installation of the k9sec rpm.

The show macsec mka interface detail command displays information about all MACsec-enabled interfaces across all nodes. If you need MACsec information for a specific interface, use the show macsec mka interface interface name detail command.

Task ID

Task ID Operation
system

read

Examples

This example shows how to view the MACsec information for a specific interface:


 Router# show macsec mka interface detail 
Fri Dec 15 09:03:02.553 UTC

Number of interfaces on node node0_RP0_CPU0 : 4
----------------------------------------------------

Interface Name : TwentyFiveGigE0/0/0/24
    Interface Namestring     : TwentyFiveGigE0/0/0/24
    Interface short name     : TF0/0/0/24
    Interface handle         : 0x3c000060
    Interface number         : 0x3c000060
    MacSecControlledIfh      : 0x3c0081b0
    MacSecUnControlledIfh    : 0x3c0081b8
    Interface MAC            : ac3a.67ee.281c
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : N/A
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    Principal Actor          : Primary
    MKA PSK Info
      Key Chain Name         : kc1
      MKA Cipher Suite       : AES-128-CMAC
      CKN                    : 11 11
    MKA fallback_PSK Info
      fallback keychain Name : - NA -
    Policy                   : DEFAULT-POLICY
    SKS Profile              : N/A
    Traffic Status           : Protected
    Rx SC 1
      Rx SCI                 : ac4a6730061c0001
      Rx SSCI                : 1
      Peer MAC               : ac:4a:67:30:06:1c
      Is XPN                 : YES
      SC State               : Provisioned
      SAK State[0]           : Provisioned
      Rx SA Program Req[0]   : 2023 Dec 13 09:26:12.110
      Rx SA Program Rsp[0]   : 2023 Dec 13 09:26:12.172
      SAK Data
        SAK[0]               : ***
        SAK Len              : 32
        SAK Version          : 1
        HashKey[0]           : ***
        HashKey Len          : 16
        Conf offset          : 0
        Cipher Suite         : GCM-AES-XPN-256
        CtxSalt[0]           : ea ae af 7a b4 8b 1f 60 dd e9 60 a9
        CtxSalt Len          : 12
        ssci                 : 1

This example shows how to view the MACsec information for a interface:

router#show macsec mka interface
Fri Dec 15 06:45:25.738 UTC
==========================================================================
   Interface-Name      KeyChain-Name   Fallback-KeyChain     Policy Name
==========================================================================
     TF0/0/0/24             kc1              - NA -        DEFAULT-POLICY
     TF0/0/0/25             kc1              - NA -        DEFAULT-POLICY
     TF0/0/0/26             kc1              - NA -        DEFAULT-POLICY
     TF0/0/0/27             kc1              - NA -        DEFAULT-POLICY

show macsec mka statistics

To display MKA interface and session statistics, use the show macsec mka statistics command in EXEC mode.

show macsec mka statistics [ interface interface name | location location name ]

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location location name

(Optional) Location of the node to view global statistics of the MKA instance.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka statistics command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows the output for show macsec mka statistics : 


 Router# show macsec mka statistics location 0/RP0/CPU0 
Fri Dec 15 06:43:21.985 UTC


MKA Global Statistics
=====================
MKA Session Totals
   Secured.................... 10
   Reauthentication Attempts.. 0

   Deleted (Secured).......... 6
   Keepalive Timeouts......... 0

CA Statistics
   Pairwise CAKs Derived...... 0
   Pairwise CAK Rekeys........ 0
   Group CAKs Generated....... 0
   Group CAKs Received........ 0

SA Statistics
   SAKs Generated............. 10
   SAKs Rekeyed............... 0
   SAKs Received.............. 0
   SAK Responses Received..... 10
   PPK Tuple Generated........ 0
   PPK Retrieved.............. 0

MKPDU Statistics
   MKPDUs Validated & Rx...... 480156
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
      "Distributed PPK"..... 0
      "PPK Capable"......... 0
   MKPDUs Transmitted......... 480167
      "Distributed SAK"..... 10
      "Distributed CAK"..... 0
      "Distributed PPK"..... 0
      "PPK Capable"......... 0

show macsec mka client

To display MACsec MKA client traces, use the show macsec mka client command in EXEC mode.

show macsec mka client [trace {all | errors | events | info}]

Syntax Description

all

(Optional) Show all MACsec MKA client traces for the specified node, or the current node if none is specified.
errors

(Optional) Show MACsec MKA client error traces for the specified node, or the current node if none is specified.
events

(Optional) Show MACsec MKA client event traces for the specified node, or the current node if none is specified

info

(Optional) Show MACsec MKA client info traces for the specified node, or the current node if none is specified

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka trace command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows the output for show macsec mka client trace all : 


 Router# show macsec mka client trace all 
Tue Dec  5 10:32:14.266 UTC
1 wrapping entries (10432 possible, 192 allocated, 0 filtered, 1 total)
Dec  4 09:56:25.544 macsec_mka/client/events 0/RP0/CPU0 t5544 TP257:aipc, server:driver, client:default, init from pid:4779

show macsec mka standby

To display MACsec MKA information from hot standby node, use the show macsec mka standby command in EXEC mode.

show macsec mka standby [interface | session | statistics] { interface name detail } [summary]

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
detail

(Optional) detailed information specific to Interface/Session

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka standby command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows the output for show macsec mka standby summary :

 Router# show macsec mka standby summary 
Tue Dec  5 10:38:29.004 UTC

Total MACSec Sessions  : 0
    Secured Sessions   : 0
    Pending Sessions   : 0
    Suspended Sessions : 0
     Active  Sessions : 0

show macsec mka trace

To display MACsec MKA traces, use the show macsec mka trace command in EXEC mode.

show macsec mka trace [all | base | config | errors | events | new-errors | new-events ]

Syntax Description

all

(Optional) Show all MACsec MKA traces for the specified node, or the current node if none is specified.
base

(Optional) Show MACsec MKA base traces for the specified node, or the current node if none is specified.

config

(Optional) Show MACsec MKA config traces for the specified node, or the current node if none is specified.
errors (Optional) Show MACsec MKA error traces for the specified node, or the current node if none is specified.
events

(Optional) Show MACsec MKA event traces for the specified node, or the current node if none is specified.
new-errors

(Optional) Show MACsec MKA new-errors traces for the specified node, or the current node if none is specified.
new-events

(Optional) Show MACsec MKA new-event traces for the specified node, or the current node if none is specified.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec mka trace command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows the output for show macsec mka trace all : 


 Router# show macsec mka trace all 
Fri Dec 15 06:42:04.919 UTC
2385 wrapping entries (8576 possible, 3968 allocated, 0 filtered, 2385 total)
Dec 12 15:12:30.077 macsec_mka/base 0/RP0/CPU0 t10778 TP1002: ********** MacSec MKA(10778) init start ********.
Dec 12 15:12:30.077 macsec_mka/new_events 0/RP0/CPU0 t10778 TP1002: ********** MacSec MKA(10778) init start ********.
Dec 12 15:12:30.077 macsec_mka/events 0/RP0/CPU0 t10778 TP18: MKA_EVENT: Successfully created mka event queue
Dec 12 15:12:30.077 macsec_mka/base 0/RP0/CPU0 t10778 TP10: Timer init Success
Dec 12 15:12:30.077 macsec_mka/base 0/RP0/CPU0 t10778 TP801: process respawn_count:1
Dec 12 15:12:30.080 macsec_mka/base 0/RP0/CPU0 t10778 TP164: platform_capa : macsec:1, macsec-service:0, macsec-subif:0, if_capa:1, ddp:1, secy_intf:1
Dec 12 15:12:30.080 macsec_mka/base 0/RP0/CPU0 t10778 TP164: platform_capa : ea_ha:0, driver_ha:1, ea_retry:1, plt_sci:0, persist:0, max_an:3, no_secure_loc:1
Dec 12 15:12:30.080 macsec_mka/base 0/RP0/CPU0 t10778 TP164: platform_capa : issu:0, ppk_support:1, pl_if_data:0, power_status:0, hot_stdby:0
Dec 12 15:12:30.080 macsec_mka/base 0/RP0/CPU0 t10778 TP1341: HA role: Active

show macsec secy

To display Interface based MACsec dataplane (SecY) statistics, use the show macsec secy command in EXEC mode.

show macsec secy [ stats { interface interface name sc } ]

Syntax Description

interface name

MACsec enabled Interface to be specified..
sc

(Optional) Display Secure Channel Statistics for both Rx-SC,SA and Tx-SC,SA specific to the given interface

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec secy command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows the output for show macsec secy : 


 Router# show macsec mka secy stats interface HundredGigE 0/0/0/29 sc 
Interface Stats
    InPktsUntagged     :  0
    InPktsNoTag        :  0
    InPktsBadTag       :  0
    InPktsUnknownSCI   :  0
    InPktsNoSCI        :  0
    InPktsOverrun      :  0
    InOctetsValidated  :  0
    InOctetsDecrypted  :  3510182
    OutPktsUntagged    :  0
    OutPktsTooLong     :  0
    OutOctetsProtected :  0
    OutOctetsEncrypted :  1827580

show macsec ea

To display MACsec programming details for each interface, use the show macsec ea command in EXEC mode.

show macsec ea [ idb { interface | | interface name | | | location | | location name } | trace {all | errors | events| base}

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location

Specifies the node location to enable the MACsec details.
location name

Enables MACsec mode for a specific node.
all

(Optional) Show all MACsec EA traces for the specified node, or the current node if none is specified.

base

(Optional) Show MACsec EA base traces for the specified node, or the current node if none is specified.

errors

(Optional) Show MACsec EA error traces for the specified node, or the current node if none is specified.

events

(Optional) Show MACsec EA event traces for the specified node, or the current node if none is specified.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec ea command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec information for a specific interface located on location 0/RP0/CPU0.


 Router# show macsec ea idb location 0/RP0/CPU0 
Mon Dec  4 03:59:07.481 UTC

IDB Details:
  if_sname                : TF0/0/0/23
  if_handle               : 0x3c000068
  MacSecControlledIfh     : 0x3c008120
  MacSecUnControlledIfh   : 0x3c008128
  Replay window size      : 64
  Local MAC               : ac:4a:67:30:06:1b
  Rx SC Option(s)         : Validate-Frames Replay-Protect
  Tx SC Option(s)         : Protect-Frames Always-Include-SCI
  Security Policy         : MUST SECURE
  Delay Protection        : FALSE
  Sectag offset           : 0
  db_init Req             : 2023 Dec 03 09:36:22.656
  db_init Rsp             : 2023 Dec 03 09:36:22.662
  if_enable Req           : 2023 Dec 03 09:36:22.663
  if_enable Rsp           : 2023 Dec 03 09:36:23.127
  Rx SC 1
    Rx SCI                : ac3a67ee281b0001
    Peer MAC              : ac:3a:67:ee:28:1b
    Stale                 : NO
    SAK Data
      SAK[2]              : ***
      SAK Len             : 32
      SAK Version         : 1
      HashKey[2]          : ***
      HashKey Len         : 16
      Conf offset         : 0
      Cipher Suite        : GCM-AES-XPN-256
      CtxSalt[2]          : e8 5c ca 8f b3 7a 9d 65 2a 35 ac f8
      ssci                : 2
      Rx SA Program Req[2]: 2023 Dec 03 09:36:27.632
      Rx SA Program Rsp[2]: 2023 Dec 03 09:36:27.712

Examples

This example shows how to view events associated with the MACsec ea command.
Router#show macsec ea trace events

Mon Dec  4 03:57:58.463 UTC
59 wrapping entries (18496 possible, 320 allocated, 0 filtered, 59 total)
Dec  3 09:36:02.903 macsec_ea/events 0/RP0/CPU0 t6945 TP155: ********** MacSec EA(0x1b21) process START ********.
Dec  3 09:36:02.926 macsec_ea/events 0/RP0/CPU0 t6945 TP180: macsec_ea_programming_conn_up_cb received.
Dec  3 09:36:02.966 macsec_ea/events 0/RP0/CPU0 t6945 TP191: macsec_ea_platform_init success
Dec  3 09:36:03.050 macsec_ea/events 0/RP0/CPU0 t6945 TP208: ea_plat_cb_evq: event_async_attach success, pulse_code:0x7c
Dec  3 09:36:03.050 macsec_ea/events 0/RP0/CPU0 t6945 TP211: ea_plat_cb_evq: created successfully
Dec  3 09:36:03.083 macsec_ea/events 0/RP0/CPU0 t6945 TP121: ********** Started MacSec EA(0x1b21) Successfully ********.

show macsec open-config

To display Open-config MACSEC traces, use the show macsec open-config command in EXEC mode.

show macsec opwn-config trace

Syntax Description

This command has no keywords or arguments.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec open-config command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
cisco-support

read

Examples

This example shows the output for show macsec open-config trace : 


 Router#show macsec open-config trace
Fri Dec 15 09:08:37.760 UTC
20 wrapping entries (320 possible, 64 allocated, 0 filtered, 20 total)
Dec 12 12:42:43.823 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_edm_open:313, Successful
Dec 12 12:42:43.823 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_mka_oper_gl_sysdb_bind:173, sysdb_bind successful
Dec 12 12:42:43.823 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_if_sysdb_bind:315, sysdb bind successful
Dec 12 12:42:43.827 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_mka_sysdb_bind:343, sysdb bind: success
Dec 12 12:42:43.827 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_mka_gl_stats_oper_sysdb_bind:372, sysdb_bind success
Dec 12 12:42:43.847 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_reg_cfg_notif:250, Successful
Dec 12 15:12:31.317 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_20: notif macsec_if_config, create/update
Dec 12 15:13:52.560 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_21: notif macsec_if_config, create/update
Dec 12 15:16:41.447 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_22: notif macsec_if_config, create/update
Dec 12 15:18:12.700 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_23: notif macsec_if_config, create/update
Dec 12 15:47:30.887 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TenGigE0_0_0_24: notif macsec_if_config, create/update
Dec 13 08:39:35.878 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TenGigE0_0_0_24: notif macsec_if_config, delete
Dec 13 08:46:15.995 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_20: notif macsec_if_config, delete
Dec 13 08:46:15.995 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_21: notif macsec_if_config, delete
Dec 13 08:46:15.995 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_22: notif macsec_if_config, delete
Dec 13 08:46:15.995 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_23: notif macsec_if_config, delete
Dec 13 09:25:40.478 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_24: notif macsec_if_config, create/update
Dec 13 09:27:59.242 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_25: notif macsec_if_config, create/update
Dec 13 09:29:32.355 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_26: notif macsec_if_config, create/update
Dec 13 09:31:03.658 oc_macsec/all 0/RP0/CPU0 t16252 oc_macsec_notify_if_macsec:74, TwentyFiveGigE0_0_0_27: notif macsec_if_config, create/update

show macsec platform hardware

To display hardware-specific details for MACsec on each interface, use the show macsec platform hardware command in EXEC mode.

show macsec platform hardware [flow | sa | stats] { interface interface name | location location name }

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location

Specifies the node location to enable the MACsec details.
location name

Enables MACsec mode for a specific node.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec platform hardware command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec platform hardware information for a specific interface located on location 0/RP0/CPU0.


 Router# show macsec platform hardware flow location 0/RP0/CPU0 
Wed Dec 20 08:39:18.958 UTC
-------------------------------------------
Interface : TwentyFiveGigE0_0_0_27


-------------------------------------------
Interface : TwentyFiveGigE0_0_0_26


-------------------------------------------
Interface : TwentyFiveGigE0_0_0_25


-------------------------------------------
Interface : TwentyFiveGigE0_0_0_24

show macsec platform idb

To display interface database (IDB) details specific to MACsec, use the show macsec platform idb command in EXEC mode.

show macsec platform idb { interface interface name | location location name }

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location

Specifies the node location to enable the MACsec details.
location name

Enables MACsec mode for a specific node.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec platform idb command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec platform idb information for a specific interface located on location 0/RP0/CPU0.


 Router# show macsec platform idb location 0/RP0/CPU0
Wed Dec 20 08:55:47.745 UTC

----------------------------------------------------------------
        EA IDB Details:
----------------------------------------------------------------
    IF Handle             : 0x3c000048
    IF Name               : TF0/0/0/27

----------------------------------------------------------------
        EA IDB Details:
----------------------------------------------------------------
    IF Handle             : 0x3c000050
    IF Name               : TF0/0/0/26

----------------------------------------------------------------
        EA IDB Details:
----------------------------------------------------------------
    IF Handle             : 0x3c000058
    IF Name               : TF0/0/0/25

----------------------------------------------------------------
        EA IDB Details:
----------------------------------------------------------------
    IF Handle             : 0x3c000060
    IF Name               : TF0/0/0/24

show macsec platform stats

To display MACsec platform statistics, use the show macsec platform stats command in EXEC mode.

show macsec platform stats { interface interface name | location location name }

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location

Specifies the node location to enable the MACsec details.
location name

Enables MACsec mode for a specific node.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec platform stats command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec platform statistics information for a specific interface located on location 0/RP0/CPU0.


 Router# show macsec platform stats location 0/RP0/CPU0
Wed Dec 20 08:56:13.285 UTC

-------------------------------------------
Interface : TwentyFiveGigE0_0_0_27

----------------------------------------------------------------
    Global Statistics: Ingress
----------------------------------------------------------------
    Rx Ctrl Pkts                             : 47300
    Rx Ctrl Octets                           : 6905732
    Rx Data Pkts                             : 13
    Rx Data Octets                           : 894
    Rx OverSized Pkts                        : 0
    Rx Pkts Bad Tag                          : 0
    Rx Pkts No SCI                           : 0
    Rx Pkts No Tag                           : 0
    Rx Pkts Tagged                           : 0
    Rx Pkts Untagged                         : 0
    Rx Pkts Unknown SCI                      : 0
    Rx Pkts Untagged Miss                    : 0
    Rx Transform Error Pkts                  : 0
    Rx Pkts SA Not In Use                    : 0

----------------------------------------------------------------
    Global Statistics: Egress
----------------------------------------------------------------
    Tx Ctrl Pkts                             : 47308
    Tx Ctrl Octets                           : 6906216
    Tx Data Pkts                             : 16
    Tx Data Octets                           : 894
    Tx Pkts SA Not In Use                    : 0
    Tx Untagged Pkts                         : 0
    Tx Transform Error Pkts                  : 0

----------------------------------------------------------------
    SA Statistics:Ingress
----------------------------------------------------------------
    Index                                    : 0
    SCI                                      : ac3a67ee281f0001
    Current AN                               : 0
    Port                                     : 27
    Rx Data Pkts Decrypted                   : 13
    Rx Data Octets Decrypted                 : 894
    Rx Pkts Delayed                          : 0
    Rx Pkts Invalid                          : 0
    Rx Pkts Late                             : 0
    Rx Pkts Not Using SA                     : 0
    Rx Pkts Not Valid                        : 0
    Rx Pkts Unchecked                        : 0
    Rx Pkts Untagged Hit                     : 0
    Rx Pkts Unused SA                        : 0

show macsec platform trace

To display MACsec platform trace logs, use the show macsec platform trace command in EXEC mode.

show macsec platform hardware trace [all | detail | errors | events] { interface interface name | location location name }

Syntax Description

interface

Specifies the interface name to view MACsec details.
interface name

Enables MACsec mode for a specified interface.
location

Specifies the node location to enable the MACsec details.
location name

Enables MACsec mode for a specific node.
all

(Optional) Show all MACsec Platform traces for the specified node, or the current node if none is specified.

detail

(Optional) Show MACsec Platformdetail traces for the specified node, or the current node if none is specified.

errors

Optional) Show MACsec Platform error traces for the specified node, or the current node if none is specified.

events

(Optional) Show MACsec Platform event traces for the specified node, or the current node if none is specified.

Command Default

No default behavior or values.

Command Modes

EXEC mode

Command History

Release Modification

Release 7.0.1

This command was introduced.

Usage Guidelines

The show macsec platform trace command is available only with the installation of the k9sec rpm.

Task ID

Task ID Operation
interface

read

Examples

This example shows how to view MACsec platform trace information for a specific interface located on location 0/RP0/CPU0.


 Router# show macsec platform trace detail location 0/RP0/CPU0 
Wed Dec 20 08:57:03.178 UTC
2023-12-19:06.28.09.556530212:34390:secydrv_client_commu_ipc_common_fvt_init:COMMU_IPC_DET_36:secydrv_client_commu_ipc_common_fvt_init called
2023-12-19:06.28.09.556530980:34390:secydrv_client_commu_ipc_fvt_init:COMMU_IPC_DET_53:secydrv_client_commu_ipc_fvt_init called
2023-12-19:06.28.09.558317574:34390:secydrv_commu_ipc_platform_init:COMMU_IPC_DET_83:secydrv_commu_ipc_platform_init called
2023-12-19:06.28.10.579426302:34390:secydrv_commu_ipc_resync_start:COMMU_IPC_DET_106:secydrv_commu_ipc_resync_start called
2023-12-19:06.28.10.596378984:34390:secydrv_commu_ipc_resync_stop:COMMU_IPC_DET_129:secydrv_commu_ipc_resync_stop called
2023-12-19:06.28.19.598852376:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.28.29.598939886:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.28.39.599043710:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.28.49.599136368:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.28.59.599221556:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.29.09.599315246:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.29.19.599396186:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.29.29.599470492:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.29.39.599542858:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.29.49.599616712:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.29.59.599691262:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.30.09.599768752:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.30.19.599842944:34390:macsec_ea_platform_poll_pn_exceeded:EAPD_DET_3192:PN Threshold Check:No active sessions
2023-12-19:06.30.27.011625732:34390:macsec_ea_platform_idb_init:EAPD_DET_1026:IDB Init: ifh: 0x3c000060, if_name TF0/0/0/24, slot 0
2023-12-19:06.30.27.011632184:34390:secydrv_commu_ipc_if_init:COMMU_IPC_DET_151:secydrv_commu_ipc_if_init called

sak-rekey-interval

To set a timer value to rekey the MACsec secure association key (SAK) at a specified interval, use the sak-rekey-interval command in the macsec-policy configuration mode. To disable this feature, use the no form of this command.

sak-rekey-interval timer-value

Syntax Description

timer-value

Specifies the timer value, in seconds.

Range is 60 to 2592000.

Command Default

The timer is set to OFF, by default

Command Modes

MACsec policy configuration.

Command History

Release

Modification

Release 6.3.3

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

This example shows how to set a timer value to rekey the MACsec SAK: 


Router#configure
Router(config)#macsec-policy test-policy
Router(config-macsec-policy)#sak-rekey-interval 120
Router(config-macsec-policy)#commit

security-policy

Configures the type of data that is allowed to transit out of the interface configured with MACsec in the MACsec policy configuration mode. To disable this feature, use the no form of this command.

security-policy {should-secure | must-secure}

Syntax Description

should-secure

Configures the interface on which the MACsec policy is applied, to permit all data.

must-secure

Configures the interface on which the MACsec policy is applied, to permit only MACsec encrypted data.

Command Default

Default value is must-secure.

Command Modes

MACsec policy configuration.

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the security-policy command: 


RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
RP/0/RP0/CPU0:router(config-mac_policy)# security-policy must-secure
RP/0/RP0/CPU0:router(config-mac_policy)#

show crypto sks profile

To display the details or statistics of the Session Key Service (SKS) profiles in the router, use the show crypto sks profile command in the XR EXEC mode.

show crypto sks profile { profile-name | all } [ stats ]

Syntax Description

profile name

Specifies the name of the SKS profile.
all

Specifies all the SKS profiles in the router.
stats

Displays the statistics of the SKS profiles.

Command Default

None

Command Modes

XR EXEC mode

Command History

Release Modification
Release 7.9.1

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation
system

read

Examples

The following example shows how to view the SKS profile details in a router:

Router(config)# show crypto sks profile all
Profile Name        :ProfileR1toR2
Myidentifier       :Router1
Type               :Remote
Reg Client Count     :1

Server
IP                  :192.0.2.35
Port                :10001
Vrf                 :Notconfigured
Source Interface    :Notconfigured
Status              :Connected
Entropy             :true
Key                 :true
Algorithm           :QKD
Local identifier    :Alice
Remote identifier   :Alice

Peerlist
QKD ID               :Bob
State                :Connected

Peerlist
QKD ID               :Alice
State                :Connected

Examples

The following example shows how to view the SKS profile statistics in a router:

Router# show crypto sks profile all stats
Profile Name            : ProfileR1toR2
My identifier           : Router1
Server
 IP                     : 192.0.2.35
 Port                   : 10001
 Status                 : connected
Counters
 Capability request         : 1
 Key request                : 3
 Key-id request             : 0
 Entropy request            : 0
 Capability response        : 1
 Key response               : 3
 Key-id response            : 0
 Entropy response           : 0
 Total request              : 4
 Request failed             : 0
 Request success            : 4
 Total response             : 4
 Response failed            : 0
 Response success           : 4
 Retry count                : 0
 Response Ignored           : 0
 Cancelled count            : 0
Response time
 Max Time                   : 100 ms
 Avg Time                   : 10  ms
 Min Time                   : 50  ms
Last transaction
 Transaction Id             : 9
 Transaction type           : Get key
 Transaction status         : Response data received, successfully
 Http code                  : 200 OK (200)

window-size

Configures the replay protection window size in MACsec policy configuration mode. To disable this feature, use the no form of this command.

The replay protection window size indicates the number of out-of-sequence frames that can be accepted at the interface configured with MACsec, without being dropped.

window-size value

Syntax Description

value

Number of out-of-sequence frames that can be accepted at the interface without being dropped. The range is 0-1024.

Command Default

Default value is 64.

Command Modes

MACsec policy configuration.

Command History

Release

Modification

Release 5.3.2

This command was introduced.

Task ID

Task ID

Operations

system

read, write

Examples

The following example shows how to use the window-size command: 


RP/0/RP0/CPU0:router# configure t
RP/0/RP0/CPU0:router(config)# macsec-policy mac_policy
RP/0/RP0/CPU0:router(config-mac_policy)# window-size 64