display macsec

Use display macsec to display MACsec information on ports.

Syntax

display macsec [ interface interface-type interface-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports.

verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.

Examples

# Display brief MACsec information on Ten-GigabitEthernet 4/1/1.

<Sysname> display macsec interface ten-gigabitethernet 4/1/1
Interface Ten-GigabitEthernet4/1/1
  Protect frames         : Yes
  Active MKA policy      : PL01
  Replay protection      : Enabled
  Replay window size     : 0 frames
  Confidentiality offset : 0 bytes
  Validation mode        : Check

# Display detailed MACsec information on Ten-GigabitEthernet 4/1/1.

<Sysname> display macsec interface ten-gigabitethernet 4/1/1 verbose
Interface Ten-GigabitEthernet4/1/1
  Protect frames         : Yes
  Active MKA policy      : PL01
  Replay protection      : Enabled
  Replay window size     : 0 frames
  Confidentiality offset : 0 bytes
  Validation mode        : Check
  Included SCI           : No
  SCI conflict           : No
  Cipher suite           : GCM-AES-128
  Transmit secure channel:
    SCI           : 000C29F6A4380004
      Elapsed time: 00h:02m:19s
      Current SA  : AN 0        PN 1
  Receive secure channels:
    SCI           : 000C29258D430124
      Elapsed time: 00h:02m:17s
      Current SA  : AN 0        LPN 1
      Previous SA : AN N/A      LPN N/A

Table 91: Command output

Field
  Description

Protect frames
  Status of MACsec desire on the port:
    • Yes.
    • No.
  If the port does not have an MKA principal actor, this field displays N/A.

Active MKA policy
  MKA policy applied to the port.
  This field displays N/A if the port is not enabled with MACsec desire.
  This field is not available if the port is enabled with MACsec desire but no MKA policy is applied to it.

Replay protection
  Status of replay protection on the port:
    • Enabled.
    • Disabled.
  If the port is not enabled with MACsec desire, this field displays N/A.

Replay window size
  Replay protection window size in number of frames.
  This field displays N/A in the following situations:
    • The port is not enabled with MACsec desire.
    • The port is not enabled with replay protection.

Confidentiality offset
  Confidentiality offset in bytes.
  If the port is not enabled with MACsec desire, this field displays N/A.

Validation mode
  Validation mode:
    • Check.
    • Strict.
  If the port is not enabled with MACsec desire, this field displays N/A.

Included SCI
  Whether frames include the SCI tag:
    • Yes.
    • No.
  If the port is not enabled with MACsec desire, this field displays N/A.

SCI conflict
  Whether the SCI in the received MKA packets is the same as the local SCI:
    • Yes—The SCI in the received MKA packets is the same as the local SCI.
    • No—No MKA packet is received, or the SCI in the received MKA packets is different from the local SCI.

Cipher suite
  If the port is not enabled with MACsec desire, this field displays N/A.

Transmit secure channel
  Information about the secure channel for outbound traffic.
  This field is not available if the port is not enabled with MACsec desire.

Receive secure channel
  Information about the secure channel for inbound traffic.
  This field is not available if the port is not enabled with MACsec desire.

Elapsed time
  Lifetime of the secure channel.

SCI
  A hexadecimal string that contains the MAC address and port ID.

Current SA
  Current SA used by the secure channel.
  If no current SA is available, each of the AN, PN, and LPN fields for the current SA displays N/A.

Previous SA
  Previous SA used by the secure channel.
  If no previous SA is available, each of the AN and LPN fields for the previous SA displays N/A.

PN
  Packet number for outbound traffic.

AN
  SA number.

LPN
  The minimum received packet number allowed by the SAK.
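The output documented above can be parsed and checked by script. The following Python parser and audit are an added example, not part of the original command reference or any vendor tooling; the names parse_macsec and audit, the BASELINE policy (including its expectation of Strict validation), and the abridged sample text are assumptions made for illustration.

```python
# Constructed sample, abridged from the verbose example on this page.
SAMPLE = """\
Interface Ten-GigabitEthernet4/1/1
  Protect frames         : Yes
  Replay protection      : Enabled
  Validation mode        : Check
  SCI conflict           : No
  Transmit secure channel:
    SCI           : 000C29F6A4380004
      Elapsed time: 00h:02m:19s
      Current SA  : AN 0        PN 1
  Receive secure channels:
    SCI           : 000C29258D430124
      Current SA  : AN 0        LPN 1
      Previous SA : AN N/A      LPN N/A
"""

# Assumed baseline for this example; the page does not prescribe these values.
BASELINE = {"Protect frames": "Yes", "Replay protection": "Enabled",
            "Validation mode": "Strict", "SCI conflict": "No"}

def parse_macsec(text):
    """Parse 'display macsec [verbose]' output into {interface: fields}."""
    ports, port, chans = {}, None, None
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if line.startswith("Interface "):
            port, chans = ports.setdefault(line.split(None, 1)[1].strip(), {"tx": [], "rx": []}), None
        elif port is None or not sep:
            continue  # prompt lines and blank lines carry no field
        elif key.endswith(("secure channel", "secure channels")):
            chans = port["tx" if key.startswith("Transmit") else "rx"]
        elif chans is not None and key == "SCI":
            chans.append({"SCI": val})  # each SCI line opens a new channel
        elif chans:
            tok = val.split()  # "AN 0  PN 1" -> {"AN": "0", "PN": "1"}
            chans[-1][key] = dict(zip(tok[::2], tok[1::2])) if key.endswith("SA") else val
        else:
            port[key] = val
    return ports

def audit(ports, baseline=BASELINE):
    """Return (interface, field, actual, expected) for each deviation."""
    findings = []
    for name, p in ports.items():
        findings += [(name, f, p.get(f, "missing"), want)
                     for f, want in baseline.items() if p.get(f) != want]
        for c in p["tx"] + p["rx"]:  # AN is N/A when a channel has no current SA
            if c.get("Current SA", {}).get("AN", "N/A") == "N/A":
                findings.append((name, "Current SA of SCI " + c["SCI"], "N/A", "an AN"))
    return findings
```

Calling audit(parse_macsec(SAMPLE)) reports the one deviation from the assumed baseline, and the same functions accept the brief output because the channel lists simply stay empty.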

Related commands

mka apply policy