Displays a summary of all MACsec Key Agreement (MKA) sessions on the device.

show dot1x-mka sessions brief
show dot1x-mka sessions ethernet device/slot/port
brief
Displays a brief status of all MKA sessions.
ethernet device/slot/port
Displays MKA sessions that are active on a specified Ethernet interface. The Ethernet interface is specified by device position in stack, slot on the device, and interface on the slot.

User EXEC mode

The show dot1x-mka sessions command with the brief option displays the following information:

| Output field | Description |
|---|---|
| Port | Designates the interface for which MACsec information is listed (by device, slot, and port). |
| Link-Status | Indicates whether the link is up or down. |
| MKA-Status | Indicates whether a secure channel has been established. |
| Key-Server | Indicates whether the interface is operating as a key-server. |
| Negotiated Capability | Indicates MACsec parameters configured on the designated interface. |

The show dot1x-mka sessions command with the ethernet interface options displays the following information:

| Output field | Description |
|---|---|
| Interface | The information that follows applies to the designated interface. |
| MKA cfg group Name | The designated MKA configuration group has been applied to the designated interface. |
| DOT1X-MKA Enabled (Yes, No) | Indicates whether MACsec is enabled for the designated interface. |
| DOT1X-MKA Active (Yes, No) | Indicates whether MACsec is active on the interface. |
| Key Server (Yes, No) | Indicates whether the MACsec key-server is active over the interface. |
| Configuration Status: | The following fields describe the MKA configuration applied to the interface. |
| Enabled (Yes, No) | Indicates whether MACsec is currently enabled. |
| Capability (Integrity and/or confidentiality) | Indicates whether ICV checks are being performed on MACsec frames and whether encryption is being applied. |
| Desired (Yes, No) | Indicates whether the port is interested in becoming the key-server. |
| Protection (Yes, No) | Indicates whether replay protection is applied to the interface. |
| Frame Validation (Yes, No) | Indicates whether frames received are being checked for valid MACsec headers. |
| Replay Protection (Strict, Out of Order) | Indicates that replay protection is configured and whether frames must be received in exact order or within an allowable window. |
| Replay Protection Size | Indicates the allowable window size within which frames may be received. |
| Cipher Suite (GCM-AES-128) | Specifies the cipher suite used for ICV checking, encryption, and decryption. |
| Key Server Priority (1 to 127) | Specifies the key-server priority configured on the interface. |
| Secure Channel Information | The following fields describe a secure channel established on this interface. |
| Local SCI | Provides the hexadecimal value of the Secure Channel Identifier for this channel. |
| Member Identifier | Provides the MACsec number assigned to the MKA peer. |
| Message Number | Provides the Message Number contained in Hello packets from this MKA peer. Hello packets are exchanged to determine peer status, MACsec capabilities, and SAK Key Identifier. |
| Latest SAK Status (RX and/or TX) | Indicates the Secure Association Key (SAK) state. |
| Latest SAK AN | Provides the Association Number for the most recently active Secure Association Key. |
| Latest SAK KI | Provides the Key Identifier for the most recently active Secure Association Key. |
| Negotiated Capability (Integrity and/or Confidentiality with offset) | Indicates whether ICV checking, encryption, and a confidentiality offset have been applied on the secure channel. (The negotiated capability may differ from parameters configured on the interface when it does not have key-server status.) |
| Peer Information: | The output fields that follow provide information on actual and potential MACsec peer interfaces. |
| State (Live or Potential) | Indicates whether the peer is considered a live peer or a potential peer for MKA protocol. |
| Member Identifier | Designates the peer by its Member Identifier, a hexadecimal value. |
| Message Number | Provides the Message Number that appears in Hello packets from the designated peer interface as a hexadecimal value. |
| SCI | Provides the peer's Secure Channel Identifier. |
| Priority | Provides the key-server priority configured on the peer interface. |

In the following example, all enabled MKA interfaces on the device are listed, along with configured parameters and current status.

device(config-dot1x-mka-1/3/2)# show dot1x-mka sessions brief

Port    Link-Status  MKA-Status  Key-Server  Negotiated Capability                   

1/3/2   Down         Pending     ---         ---                                     
1/3/3   Up           Secured     No          Integrity, Confidentiality with Off. 30 
1/3/4   Up           Secured     No          Integrity, Confidentiality with Off. 30 

The following example lists MKA sessions that are active on Ethernet interface 1/3/3 (device 1, slot 3, port 3), with configuration details for each active interface.

device(config-dot1x-mka-1/3/3)# show dot1x-mka sessions ethernet 1/3/3

Interface                 : 1/3/3

  MACsec Status           : Secured
  DOT1X-MKA Enabled       : Yes
  DOT1X-MKA Active        : Yes
  Key Server              : No

Configuration Status:
  Enabled                 : Yes
  Capability              :  Integrity,  Confidentiality
  Desired                 : Yes
  Protection              : Yes
  Frame Validation        : Disable
  Replay Protection       : Strict
  Replay Protection Size  : 0
  Cipher Suite            : GCM-AES-128
  Key Server Priority     : 20

  Local SCI               : 748ef8344a510082
  Member Identifier       : 802ed0536fcafc43407ba222
  Message Number          : 8612

Secure Channel Information:                                       
  Latest SAK Status       : Rx & Tx
  Latest SAK AN           : 0
  Latest KI               : d08483062aa9457e7c2470e300000001
  Negotiated Capability   : Integrity, Confidentiality with offset 30

Peer Information:
State    	Member Identifier       	Message Number	SCI             	Priority
-----    	-----------------       	--------------	----------------	--------
Live     	d08483062aa9457e7c2470e3	          8527	748ef83443910082	      20
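
The following Python script is an added example, not part of the vendor documentation. It parses the per-interface output shown above and reports settings that, by the field descriptions on this page, leave the link less protected than intended. The function names parse_session and audit_session are this example's own, and the embedded sample is constructed from the output above.

```python
import re

# Constructed sample: trimmed copy of the page's `ethernet 1/3/3` output.
SAMPLE = """\
Interface                 : 1/3/3
  MACsec Status           : Secured
Configuration Status:
  Capability              :  Integrity,  Confidentiality
  Protection              : Yes
  Frame Validation        : Disable
Secure Channel Information:
  Negotiated Capability   : Integrity, Confidentiality with offset 30
Peer Information:
State    Member Identifier         Message Number  SCI               Priority
-----    -----------------         --------------  ----------------  --------
Live     d08483062aa9457e7c2470e3            8527  748ef83443910082        20
"""

def parse_session(text):
    """Return (fields, peers): 'Key : value' pairs and peer-table rows.
    Section headers such as 'Peer Information:' carry no value and are skipped."""
    fields, peers = {}, []
    for line in text.splitlines():
        kv = re.match(r"\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if kv:
            fields[kv.group(1)] = re.sub(r"\s+", " ", kv.group(2))
            continue
        cols = line.split()  # peer rows: State, MI, MN, SCI, Priority
        if len(cols) == 5 and cols[0] in ("Live", "Potential"):
            peers.append(dict(zip(("state", "mi", "mn", "sci", "priority"), cols)))
    return fields, peers

def audit_session(text):
    """List findings, using only the field meanings given on this page."""
    f, peers = parse_session(text)
    findings = []
    if f.get("MACsec Status") != "Secured":
        findings.append("secure channel not established")
    if "Confidentiality" not in f.get("Negotiated Capability", ""):
        findings.append("no confidentiality negotiated")
    if f.get("Protection") != "Yes":
        findings.append("replay protection not applied")
    if f.get("Frame Validation") in ("Disable", "No"):
        findings.append("received frames not checked for valid MACsec headers")
    if not any(p["state"] == "Live" for p in peers):
        findings.append("no live MKA peer")
    return findings

if __name__ == "__main__":
    print(audit_session(SAMPLE))
```

Run against the sample, the only finding is the disabled frame validation; the same function can be applied to output collected from each MACsec-enabled interface.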
 
| Release version | Command history |
|---|---|
| 08.0.20 | This command was introduced. |
| 08.0.30 | Support for this command was added on ICX 7450 devices. |
| 08.0.70 | Support for this command was added on ICX 7650 devices. |
| 08.0.90 | Support for this command was added on ICX 7850 devices. |