Verify whether the MKA session is secured with MACsec on the respective interface.
Before the introduction of active fallback functionality:
RP/0/RSP0/CPU0:router#show macsec mka session interface Fo0/0/0/1/0 detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI : 001d.e5e9.aa39/0005
Local Tx-SSCI : 1
Interface MAC Address : 001d.e5e9.aa39
MKA Port Identifier : 1
Interface Name : Fo0/0/0/1/0
CAK Name (CKN) : 1020000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : A880BB45B9CE01584535F239
Message Number (MN) : 5382
Authenticator : NO
Key Server : YES
MKA Cipher Suite : AES-128-CMAC
Latest SAK Status : Rx & Tx
Latest SAK AN : 0
Latest SAK KI (KN) : A880BB45B9CE01584535F23900000001 (1)
Old SAK Status : FIRST-SAK
Old SAK AN : 0
Old SAK KI (KN) : FIRST-SAK (0)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
MKA Policy Name : scale-21
Key Server Priority : 20
Replay Window Size : 40
Confidentiality Offset : 50
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000001 (GCM-AES-128)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 1
# of MACsec Capable Live Peers Responded : 1
Live Peer List:
MI MN Rx-SCI (Peer) SSCI KS-Priority
---------------------------------------------------------------------------
4E33A276E7F79C04D80FE346 27114 d46d.5023.3704/0001 2 235
Potential Peer List:
MI MN Rx-SCI (Peer) SSCI KS-Priority
---------------------------------------------------------------------------
! If sub-interfaces are configured, the output would be as follows:
RP/0/RSP0/CPU0:router# show macsec mka session interface Fo0/0/0/1/1.8 detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI : e0ac.f172.4124/001d
Local Tx-SSCI : 1
Interface MAC Address : e0ac.f172.4124
MKA Port Identifier : 29
Interface Name : Fo0/0/0/1/1.8
CAK Name (CKN) : ABC1000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : 1EC4A4D1B0D75D3D5C2F6393
Message Number (MN) : 1915
Authenticator : NO
Key Server : NO
MKA Cipher Suite : AES-128-CMAC
Latest SAK Status : Rx & Tx
Latest SAK AN : 3
Latest SAK KI (KN) : EB1E04894327E4EFA283C66200000003 (3)
Old SAK Status : No Rx, No Tx
Old SAK AN : 0
Old SAK KI (KN) : RETIRED (4)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
MKA Policy Name : test12
Key Server Priority : 0
Replay Window Size : 1024
Confidentiality Offset : 50
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 1
# of MACsec Capable Live Peers Responded : 0
Live Peer List:
MI MN Rx-SCI (Peer) SSCI KS-Priority
---------------------------------------------------------------------------
EB1E04894327E4EFA283C662 1908 001d.e5e9.b1c0/0037 2 0
Potential Peer List:
MI MN Rx-SCI (Peer) SSCI KS-Priority
---------------------------------------------------------------------------
RP/0/RSP0/CPU0:macsec-CE1#sh macsec mka interface Fo0/0/0/1/1.8
=============================================================
Interface-name KeyChain-Name Policy Name
=============================================================
Fo0/0/0/1/1.8 kc3 test12
! In a VPLS network with multipoint interface, the output would be as follows:
RP/0/RSP0/CPU0:router#show macsec mka session interface FortyGigE0/0/0/1/0.1 detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI : e0ac.f172.4123/0001
Local Tx-SSCI : 1
Interface MAC Address : e0ac.f172.4123
MKA Port Identifier : 1
Interface Name : Fo0/0/0/1/0.1
CAK Name (CKN) : ABC1000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : A1DB3E42B4A543FBDBC281A6
Message Number (MN) : 1589
Authenticator : NO
Key Server : NO
MKA Cipher Suite : AES-128-CMAC
Latest SAK Status : Rx & Tx
Latest SAK AN : 1
Latest SAK KI (KN) : AEC899297F5B0BDEF7C9FC6700000002 (2)
Old SAK Status : No Rx, No Tx
Old SAK AN : 0
Old SAK KI (KN) : RETIRED (1)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
MKA Policy Name : mk_xpn1
Key Server Priority : 0
Replay Window Size : 1024
Confidentiality Offset : 50
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 2
# of MACsec Capable Live Peers Responded : 0
Live Peer List:
MI MN Rx-SCI (Peer) SSCI KS-Priority
---------------------------------------------------------------------------
AEC899297F5B0BDEF7C9FC67 225 001d.e5e9.b1bf/0001 3 0
0A4C49EE5B7401F1BECB7E22 147 001d.e5e9.f329/0001 2 0
Potential Peer List:
MI MN Rx-SCI (Peer) SSCI KS-Priority
---------------------------------------------------------------------------
With the introduction of active fallback functionality:
The following show command output verifies that the primary and fallback keys (CAK) are matched on both peer ends; see the Peer CAK : Match line under Peers Status for each session.
RP/0/RSP0/CPU0:router#show macsec mka session interface Hu0/0/0/11 detail
MKA Detailed Status for MKA Session
===================================
Status: Secured - Secured MKA Session with MACsec
Local Tx-SCI : 7061.7bea.1df4/0001
Local Tx-SSCI : 1
Interface MAC Address : 7061.7bea.1df4
MKA Port Identifier : 1
Interface Name : Hu0/0/0/11
CAK Name (CKN) : 2111
CA Authentication Mode : PRIMARY-PSK
Keychain : test1
Member Identifier (MI) : 42A78BD6243539E917B8C6B2
Message Number (MN) : 555
Authenticator : NO
Key Server : NO
MKA Cipher Suite : AES-128-CMAC
Configured MACSec Cipher Suite : GCM-AES-XPN-128
Latest SAK Status : Rx & Tx
Latest SAK AN : 0
Latest SAK KI (KN) : 69B39E87B3CBA673401E989100000001 (1)
Old SAK Status : FIRST-SAK
Old SAK AN : 0
Old SAK KI (KN) : FIRST-SAK (0)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
Time to SAK Rekey : NA
Time to exit suspension : NA
MKA Policy Name : P12
Key Server Priority : 20
Delay Protection : TRUE
Replay Window Size : 100
Include ICV Indicator : TRUE
Confidentiality Offset : 0
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000003 (GCM-AES-XPN-128)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 1
# of MACsec Capable Live Peers Responded : 0
Live Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
69B39E87B3CBA673401E9891 617 008a.96d6.194c/0001 2 20
Potential Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
Peers Status:
Last Tx MKPDU : 2021 May 18 13:27:56.548
Peer Count : 1
RxSCI : 008A96D6194C0001
MI : 69B39E87B3CBA673401E9891
Peer CAK : Match
Latest Rx MKPDU : 2021 May 18 13:27:56.518
MKA Detailed Status for MKA Session
===================================
Status: Active - Marked Peer as Live (Waiting for SAK generation/distribution)
Local Tx-SCI : 7061.7bea.1df4/0001
Local Tx-SSCI : 1
Interface MAC Address : 7061.7bea.1df4
MKA Port Identifier : 1
Interface Name : Hu0/0/0/11
CAK Name (CKN) : 2000
CA Authentication Mode : FALLBACK-PSK
Keychain : test1f
Member Identifier (MI) : 1BB9428C721F6EE3E538C942
Message Number (MN) : 553
Authenticator : NO
Key Server : NO
MKA Cipher Suite : AES-128-CMAC
Configured MACSec Cipher Suite : GCM-AES-XPN-128
Latest SAK Status : Rx & Tx
Latest SAK AN : 0
Latest SAK KI (KN) : 69B39E87B3CBA673401E989100000001 (1)
Old SAK Status : FIRST-SAK
Old SAK AN : 0
Old SAK KI (KN) : FIRST-SAK (0)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
Time to SAK Rekey : NA
Time to exit suspension : NA
MKA Policy Name : P12
Key Server Priority : 20
Delay Protection : TRUE
Replay Window Size : 100
Include ICV Indicator : TRUE
Confidentiality Offset : 0
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000003 (GCM-AES-XPN-128)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 1
# of MACsec Capable Live Peers Responded : 0
Live Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
8F59AD6021FA3E2D5F9E6231 615 008a.96d6.194c/0001 2 20
Potential Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
Peers Status:
Last Tx MKPDU : 2021 May 18 13:27:56.547
Peer Count : 1
RxSCI : 008A96D6194C0001
MI : 8F59AD6021FA3E2D5F9E6231
Peer CAK : Match
Latest Rx MKPDU : 2021 May 18 13:27:56.518
RP/0/RSP0/CPU0:router#
If sub-interfaces are configured, the output would be as follows. In this example, the status of FALLBACK-PSK is Secured.
RP/0/RSP0/CPU0:router# show macsec mka session interface Hu0/0/0/0.6 detail
MKA Detailed Status for MKA Session
===================================
Status: Secured - Secured MKA Session with MACsec
Local Tx-SCI : 7061.7bea.1dc8/0006
Local Tx-SSCI : 1
Interface MAC Address : 7061.7bea.1dc8
MKA Port Identifier : 6
Interface Name : Hu0/0/0/0.6
CAK Name (CKN) : 9999
CA Authentication Mode : FALLBACK-PSK
Keychain : D_tagf
Member Identifier (MI) : 1DE18714A098B80964CC651E
Message Number (MN) : 6203
Authenticator : NO
Key Server : YES
MKA Cipher Suite : AES-128-CMAC
Configured MACSec Cipher Suite : GCM-AES-XPN-256
Latest SAK Status : Rx & Tx
Latest SAK AN : 0
Latest SAK KI (KN) : 1DE18714A098B80964CC651E00000001 (1)
Old SAK Status : FIRST-SAK
Old SAK AN : 0
Old SAK KI (KN) : FIRST-SAK (0)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
Time to SAK Rekey : 23510s
Time to exit suspension : NA
MKA Policy Name : D_tag1
Key Server Priority : 1
Delay Protection : FALSE
Replay Window Size : 1000
Include ICV Indicator : TRUE
Confidentiality Offset : 50
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 1
# of MACsec Capable Live Peers Responded : 1
# of MACSec Suspended Peers : 0
Live Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
5C852D8F920306893D2BFB8F 10978 00c1.645f.2dd4/0006 2 11
Potential Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
Suspended Peer List:
-------------------------------------------------------------------------------
Rx-SCI SSCI
-------------------------------------------------------------------------------
Peers Status:
Last Tx MKPDU : 2021 May 18 13:29:15.687
Peer Count : 1
RxSCI : 00C1645F2DD40006
MI : 5C852D8F920306893D2BFB8F
Peer CAK : Match
Latest Rx MKPDU : 2021 May 18 13:29:15.769
RP/0/RSP0/CPU0:router#
! In a VPLS network with multipoint interface, the output would be as follows:
RP/0/RSP0/CPU0:router#show macsec mka session interface Hu0/0/1/7 detail
Fri May 28 07:19:11.362 UTC
MKA Detailed Status for MKA Session
===================================
Status: Secured - Secured MKA Session with MACsec
Local Tx-SCI : 6c8b.d34f.0635/0001
Local Tx-SSCI : 2
Interface MAC Address : 6c8b.d34f.0635
MKA Port Identifier : 1
Interface Name : Te0/0/0/1
CAK Name (CKN) : 5556
CA Authentication Mode : FALLBACK-PSK
Keychain : test2f
Member Identifier (MI) : 6D14ECCDFB70E7E0463BD509
Message Number (MN) : 20455
Authenticator : NO
Key Server : NO
MKA Cipher Suite : AES-256-CMAC
Configured MACSec Cipher Suite : GCM-AES-XPN-256
Latest SAK Status : Rx & Tx
Latest SAK AN : 2
Latest SAK KI (KN) : 1BBDDC0520C797C26AB7F1BF00000002 (2)
Old SAK Status : No Rx, No Tx
Old SAK AN : 1
Old SAK KI (KN) : RETIRED (1)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
Time to SAK Rekey : NA
Time to exit suspension : NA
MKA Policy Name : *DEFAULT POLICY*
Key Server Priority : 16
Delay Protection : FALSE
Replay Window Size : 64
Include ICV Indicator : FALSE
Confidentiality Offset : 0
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 2
# of MACsec Capable Live Peers Responded : 0
Live Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
1BBDDC0520C797C26AB7F1BF 19997 008a.96d6.194c/0001 3 16
B25B1000CC6FAE92D1F85738 139 dc77.4c3e.59c3/0001 1 16
Potential Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
Peers Status:
Last Tx MKPDU : 2021 May 28 07:19:10.153
Peer Count : 2
RxSCI : 008A96D6194C0001
MI : 1BBDDC0520C797C26AB7F1BF
Peer CAK : Match
Latest Rx MKPDU : 2021 May 28 07:19:09.960
RxSCI : DC774C3E59C30001
MI : B25B1000CC6FAE92D1F85738
Peer CAK : Match
Latest Rx MKPDU : 2021 May 28 07:19:10.180
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router#show macsec mka session interface Hu0/0/1/7.1 detail
MKA Detailed Status for MKA Session
===================================
Status: Secured - Secured MKA Session with MACsec
Local Tx-SCI : 7061.7bff.e5e8/0001
Local Tx-SSCI : 2
Interface MAC Address : 7061.7bff.e5e8
MKA Port Identifier : 1
Interface Name : Hu0/0/1/7.1
CAK Name (CKN) : 5556
CA Authentication Mode : FALLBACK-PSK
Keychain : test22f
Member Identifier (MI) : 8FF3D1BBF09EA4AD6A0FC1B5
Message Number (MN) : 81
Authenticator : NO
Key Server : YES
MKA Cipher Suite : AES-256-CMAC
Configured MACSec Cipher Suite : GCM-AES-XPN-256
Latest SAK Status : Rx & Tx
Latest SAK AN : 3
Latest SAK KI (KN) : 8FF3D1BBF09EA4AD6A0FC1B500000002 (2)
Old SAK Status : No Rx, No Tx
Old SAK AN : 2
Old SAK KI (KN) : RETIRED (1)
SAK Transmit Wait Time : 0s (Not waiting for any peers to respond)
SAK Retire Time : 0s (No Old SAK to retire)
Time to SAK Rekey : 17930s
Time to exit suspension : NA
MKA Policy Name : P123
Key Server Priority : 10
Delay Protection : FALSE
Replay Window Size : 64
Include ICV Indicator : FALSE
Confidentiality Offset : 30
Algorithm Agility : 80C201
SAK Cipher Suite : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired : YES
# of MACsec Capable Live Peers : 2
# of MACsec Capable Live Peers Responded : 2
# of MACSec Suspended Peers : 0
Live Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
6BCF91135F807CB9F57DDAAA 61 dc77.4c3e.5b05/0001 1 24
D81CFE93D07E932DDC33666E 44 00a7.4250.56c2/0001 3 25
Potential Peer List:
-------------------------------------------------------------------------------
MI MN Rx-SCI SSCI KS-Priority
-------------------------------------------------------------------------------
Suspended Peer List:
-------------------------------------------------------------------------------
Rx-SCI SSCI
-------------------------------------------------------------------------------
Peers Status:
Last Tx MKPDU : 2021 May 28 13:16:50.992
Peer Count : 2
RxSCI : DC774C3E5B050001
MI : 6BCF91135F807CB9F57DDAAA
Peer CAK : Match
Latest Rx MKPDU : 2021 May 28 13:16:51.312
RxSCI : 00A7425056C20001
MI : D81CFE93D07E932DDC33666E
Peer CAK : Match
Latest Rx MKPDU : 2021 May 28 13:16:50.945
RP/0/RSP0/CPU0:router#
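The checks described above (session status, CA authentication mode, Peer CAK) can be applied to saved output with a small script. This is an added example, not Cisco code; the function names are hypothetical, and treating a Secured FALLBACK-PSK session as a review item is this example's own policy. The sample input is constructed from fields shown in the outputs above.

```python
MARKER = "MKA Detailed Status for MKA Session"
# Constructed sample: fields abridged from the Hu0/0/0/11 and Hu0/0/0/0.6 outputs above.
SAMPLE = """\
MKA Detailed Status for MKA Session
Status: Secured - Secured MKA Session with MACsec
Interface Name : Hu0/0/0/11
CA Authentication Mode : PRIMARY-PSK
Peer CAK : Match
MKA Detailed Status for MKA Session
Status: Active - Marked Peer as Live (Waiting for SAK generation/distribution)
Interface Name : Hu0/0/0/11
CA Authentication Mode : FALLBACK-PSK
Peer CAK : Match
MKA Detailed Status for MKA Session
Status: Secured - Secured MKA Session with MACsec
Interface Name : Hu0/0/0/0.6
CA Authentication Mode : FALLBACK-PSK
Peer CAK : Match
"""

def parse_sessions(text):
    """Split 'show macsec mka session ... detail' output into one dict per session."""
    sessions = []
    for block in text.split(MARKER)[1:]:
        fields, peer_cak = {}, []
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if sep and key == "Peer CAK":
                peer_cak.append(value)          # one entry per live peer
            elif sep:
                fields.setdefault(key, value)   # keep the first occurrence of a field
        # Output from before active fallback has no mode field; "PSK" is a placeholder.
        sessions.append({"interface": fields.get("Interface Name", "?"),
                         "mode": fields.get("CA Authentication Mode", "PSK"),
                         "state": fields.get("Status", "").split(" - ")[0].upper(),
                         "peer_cak": peer_cak})
    return sessions

def audit(text):
    """Return (interface, mode, finding) tuples that need operator review."""
    findings = []
    for s in parse_sessions(text):
        checks = [
            (s["mode"] != "FALLBACK-PSK" and s["state"] != "SECURED", "session not secured"),
            (s["mode"] == "FALLBACK-PSK" and s["state"] == "SECURED", "secured with fallback key"),
            (any(v != "Match" for v in s["peer_cak"]), "peer CAK does not match"),
        ]
        findings += [(s["interface"], s["mode"], msg) for hit, msg in checks if hit]
    return findings
```

Calling audit(SAMPLE) returns a single finding, for Hu0/0/0/0.6, where the FALLBACK-PSK session is the one in Secured state.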