display macsec
Use display macsec to display MACsec information on ports.
Syntax
display macsec [ interface interface-type interface-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports.
verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.
Examples
# Display brief MACsec information on Ten-GigabitEthernet 4/1/1.
<Sysname> display macsec interface ten-gigabitethernet 4/1/1
Interface Ten-GigabitEthernet4/1/1
  Protect frames : Yes
  Active MKA policy : PL01
  Replay protection : Enabled
  Replay window size : 0 frames
  Confidentiality offset : 0 bytes
  Validation mode : Check
# Display detailed MACsec information on Ten-GigabitEthernet 4/1/1.
<Sysname> display macsec interface ten-gigabitethernet 4/1/1 verbose
Interface Ten-GigabitEthernet4/1/1
  Protect frames : Yes
  Active MKA policy : PL01
  Replay protection : Enabled
  Replay window size : 0 frames
  Confidentiality offset : 0 bytes
  Validation mode : Check
  Included SCI : No
  SCI conflict : No
  Cipher suite : GCM-AES-128
  Transmit secure channel:
    SCI : 000C29F6A4380004
      Elapsed time: 00h:02m:19s
      Current SA : AN 0 PN 1
  Receive secure channels:
    SCI : 000C29258D430124
      Elapsed time: 00h:02m:17s
      Current SA : AN 0 LPN 1
      Previous SA : AN N/A LPN N/A
Table 91: Command output
Field | Description |
---|---|
Protect frames | Status of MACsec desire on the port:
If the port does not have an MKA principal actor, this field displays N/A. |
Active MKA policy | MKA policy applied to the port. This field displays N/A if the port is not enabled with MACsec desire. This field is not available if the port is enabled with MACsec desire but no MKA policy is applied to it. |
Replay protection | Status of replay protection on the port:
If the port is not enabled with MACsec desire, this field displays N/A. |
Replay window size | Replay protection window size in number of frames. This field displays N/A in the following situations:
|
Confidentiality offset | Confidentiality offset in bytes. If the port is not enabled with MACsec desire, this field displays N/A. |
Validation mode | Validation mode:
If the port is not enabled with MACsec desire, this field displays N/A. |
Included SCI | Whether the frame includes the SCI tag:
If the port is not enabled with MACsec desire, this field displays N/A. |
SCI conflict | Whether the SCI in the received MKA packets is the same as the local SCI:
|
Cipher suite | If the port is not enabled with MACsec desire, this field displays N/A. |
Transmit secure channel | Information about the secure channel for outbound traffic. This field is not available if the port is not enabled with MACsec desire. |
Receive secure channel | Information about the secure channel for inbound traffic. This field is not available if the port is not enabled with MACsec desire. |
Elapsed time | Lifetime of the secure channel. |
SCI | A hexadecimal string that contains the MAC address and port ID. |
Current SA | Current SA used by the secure channel. If no current SA is available, each of the AN, PN, and LPN fields for the current SA displays N/A. |
Previous SA | Previous SA used by the secure channel. If no previous SA is available, each of the AN and LPN fields for the previous SA displays N/A. |
PN | Packet number for outbound traffic. |
AN | SA number. |
LPN | The minimum received packet number allowed by SAK. |
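The following added example (not vendor code and not part of the original command reference) parses the verbose output described in the table above and flags ports whose fields differ from the healthy values shown in the example output, or whose secure channels have no current SA. The names `parse_macsec`, `audit`, and `EXPECTED` are hypothetical, and the sample text is an abridged, constructed copy of the output on this page.

```python
import re

# Constructed sample: an abridged copy of the verbose output shown on this page.
SAMPLE = """\
Interface Ten-GigabitEthernet4/1/1
  Protect frames                : Yes
  Replay protection             : Enabled
  Validation mode               : Check
  SCI conflict                  : No
  Cipher suite                  : GCM-AES-128
  Transmit secure channel:
    SCI           : 000C29F6A4380004
      Current SA  : AN 0        PN 1
  Receive secure channels:
    SCI           : 000C29258D430124
      Current SA  : AN 0        LPN 1
      Previous SA : AN N/A      LPN N/A
"""
EXPECTED = {"Protect frames": "Yes", "Replay protection": "Enabled", "SCI conflict": "No"}

def parse_macsec(text):
    """Parse 'display macsec [verbose]' text into {port: {"fields": {}, "channels": []}}."""
    ports, port, chan, direction = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Interface\s+(\S+)$", line):
            port, chan = ports.setdefault(m[1], {"fields": {}, "channels": []}), None
        elif port is None or ":" not in line:
            continue  # prompt line, blank line, or text before the first port
        elif m := re.match(r"(Transmit|Receive) secure channels?:$", line):
            direction = m[1].lower()
        else:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "SCI":  # each SCI line opens a new secure channel
                chan = {"direction": direction, "SCI": value}
                port["channels"].append(chan)
            else:  # lines after an SCI belong to that channel, earlier ones to the port
                (chan if chan is not None else port["fields"])[key] = value
    return ports

def audit(ports):
    """Return (port, finding) pairs; a field absent from brief output is skipped."""
    out = []
    for name, p in ports.items():
        for key, want in EXPECTED.items():
            if (got := p["fields"].get(key, want)) != want:
                out.append((name, f"{key} is {got}, expected {want}"))
        out += [(name, f"{c['direction']} channel {c['SCI']}: no current SA")
                for c in p["channels"] if c.get("Current SA", "AN N/A").startswith("AN N/A")]
    return out
```

Feed it the captured text of `display macsec verbose` for all ports; an empty list from `audit` means every parsed port matched the expected values.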
Related commands
mka apply policy