display mka session

Use display mka session to display MKA session information.

Syntax

display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MKA session information on all ports.

local-sci sci-id: Specifies a local SCI, a case-insensitive hexadecimal string of 16 characters.

verbose: Displays detailed MKA session information. If you do not specify this keyword, the command displays brief MKA session information.

Examples

# Display brief MKA session information on Ten-GigabitEthernet 4/1/1.

<Sysname> display mka session interface ten-gigabitethernet 4/1/1
Interface Ten-GigabitEthernet4/1/1
Tx-SCI    : 000C29F6A4380004
Priority  : 0
Capability: 3
  CKN for participant: ABCD
    Key server            : Yes
    MI (MN)               : D7B00EDA353242704CC6B0DB (7)
    Live peers            : 1
    Potential peers       : 0
    Principal actor       : Yes
    MKA session status    : Secured
    Confidentiality offset: 30 bytes

# Display detailed MKA session information on Ten-GigabitEthernet 4/1/1.

<Sysname> display mka session interface ten-gigabitethernet 4/1/1 verbose
Interface Ten-GigabitEthernet4/1/1
Tx-SCI    : 000C29F6A4380004
Priority  : 0
Capability: 3
  CKN for participant: ABCD
    Key server            : Yes
    MI (MN)               : D7B00EDA353242704CC6B0DB (7)
    Live peers            : 1
    Potential peers       : 0
    Principal actor       : Yes
    MKA session status    : Secured
    Confidentiality offset: 30 bytes
    Current SAK status    : Rx & Tx
    Current SAK AN        : 0
    Current SAK KI (KN)   : 4273791304C1C26259C94C3400000001 (1)
    Previous SAK status   : N/A
    Previous SAK AN       : N/A
    Previous SAK KI (KN)  : N/A
    Live peer list:
    MI                        MN         Priority  Capability  Rx-SCI
    EA58DC3F8715953DBC6593F0  840        100       3           00E0020000000106

    Potential peer list:
    MI                        MN         Priority  Capability  Rx-SCI
    DA58DC3Q4573543DBC6699F0  3          200       3           00E0021200000107

Table 93: Command output

Field

Description

Tx-SCI

SCI for outbound traffic, in hexadecimal notation.

Priority

Key server priority, in the range of 0 to 255.

Capability

MACsec capability:

  • 0—The port is MACsec incapable.

  • 1—The port supports integrity check only.

  • 2—The port supports integrity check and packet encryption. The confidentiality offset must be 0.

  • 3—The port supports integrity check and packet encryption. The confidentiality offset can be 0, 30, or 50.

CKN for participant

CAK name of the MKA instance.

Key server

Whether the local end is the key server.

MI

Member identifier in hexadecimal notation.

MN

Message number.

Live peers

Number of peers that have already been learned.

Potential peers

Number of peers that are being negotiated.

Principal actor

Whether the MKA instance is the principal actor.

MKA instance refers to the operation entity of the MKA protocol on a port. A port might have multiple MKA instances. The principal actor is the MKA instance in active state.

MKA session status

MKA session status:

  • Unknown.

  • Pending.

  • Secured—The session will be secured.

If the MKA instance is not the principal actor, this field displays N/A.

Confidentiality offset

Confidentiality offset issued by the key server.

This field displays N/A in the following situations:

  • The packet is transmitted in plain text.

  • The MKA instance is not the principal actor.

Current SAK status

Status of the current SAK:

  • Tx—The SAK is used to send packets.

  • Rx—The SAK is used to receive packets.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

Current SAK AN

SA number of the current SAK in use.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

Current SAK KI

Key identifier of the current SAK in use, a string of hexadecimal digits that contains the key server's 12-byte MI and KN.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

KN

SAK number.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

Previous SAK status

Status of the previous SAK:

  • Tx—The SAK is used to send packets.

  • Rx—The SAK is used to receive packets.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

Previous SAK AN

SA number of the previous SAK.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

Previous SAK KI

Key identifier of the previous SAK, a string of hexadecimal digits that contains the key server's 12-byte MI and KN.

This field displays N/A in the following situations:

  • The MKA instance is not the principal actor.

  • The SAK does not exist.

Live peer list

List of peers that have participated in the MKA session.

This field is not available if no live peer exists.

Potential peer list

List of peers that are being negotiated.

This field is not available if no potential peer exists.

Rx-SCI

SCI for inbound traffic, in hexadecimal notation.
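
The following Python is an added example, not vendor code. It parses one participant block of the verbose output, using the field names from Table 93, and reports conditions that weaken the link. It assumes the KN occupies the last 8 hexadecimal digits of the KI (consistent with the 32-digit sample) and relies on the MACsec meaning of a nonzero confidentiality offset: that many leading payload bytes are integrity-protected but not encrypted.

```python
import re

# Lines taken from this page's verbose example (other fields omitted).
SAMPLE = """\
Interface Ten-GigabitEthernet4/1/1
Capability: 3
    Principal actor       : Yes
    MKA session status    : Secured
    Confidentiality offset: 30 bytes
    Current SAK KI (KN)   : 4273791304C1C26259C94C3400000001 (1)
"""

def parse_fields(text):
    """Return {field name: value} for every 'name : value' line."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():  # skips headings such as 'Live peer list:'
            fields[name.strip()] = value.strip()
    return fields

def split_ki(ki_field):
    """Split 'KI (KN)' into (key server MI, KN inside KI, KN as displayed)."""
    m = re.fullmatch(r"([0-9A-Fa-f]{24})([0-9A-Fa-f]{8}) \((\d+)\)", ki_field)
    return (m.group(1).upper(), int(m.group(2), 16), int(m.group(3))) if m else None

def audit(text):
    """Return a list of findings for one participant block; empty means clean."""
    f = parse_fields(text)
    if f.get("Principal actor") != "Yes":
        return ["not the principal actor: status and SAK fields display N/A"]
    findings = []
    if f.get("MKA session status") != "Secured":
        findings.append(f"session status is {f.get('MKA session status')}")
    cap = int(f.get("Capability", "0"))
    if cap < 2:
        findings.append({0: "port is MACsec incapable", 1: "integrity check only"}[cap])
    offset = f.get("Confidentiality offset", "N/A")
    if offset == "N/A":
        findings.append("no confidentiality offset: packets are sent in plain text")
    elif (n := int(offset.split()[0])) > 0:
        findings.append(f"confidentiality offset {n}: leading payload bytes are not encrypted")
    ki = split_ki(f.get("Current SAK KI (KN)", "N/A"))
    if ki is None:
        findings.append("no current SAK")
    elif ki[1] != ki[2]:
        findings.append("KN inside KI differs from displayed KN")
    return findings

print(audit(SAMPLE))
```
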

Related commands

reset mka session