show dot1x-mka sessions
Last Updated: Nov 11, 2022
Displays a summary of all MACsec Key Agreement (MKA) sessions on the device.
Parameter | Description |
---|---|
brief | Displays a brief status of all MKA sessions. |
ethernet device/slot/port | Displays MKA sessions that are active on a specified Ethernet interface. The Ethernet interface is specified by device position in the stack, slot on the device, and port on the slot. |
Command mode: User EXEC mode (the examples below run the command from dot1x-mka configuration mode, which is also accepted).
The show dot1x-mka sessions command with the brief option displays the following information:
Output field | Description |
---|---|
Port | Designates the interface for which MACsec information is listed (by device, slot, and port). |
Link-Status | Indicates whether the link is up or down. |
MKA-Status | Indicates whether a secure channel has been established (Secured) or is still being negotiated (Pending). |
Key-Server | Indicates whether the interface has been elected key server for the session. |
Negotiated Capability | Indicates the MACsec capability negotiated with the peer: integrity only, or integrity and confidentiality, with any confidentiality offset in effect. This is what is actually applied to the link and may differ from what is configured on the interface. |
The show dot1x-mka sessions command with the ethernet interface option displays the following information:
Output field | Description |
---|---|
Interface | The information that follows applies to the designated interface. |
MKA cfg group Name | Name of the MKA configuration group applied to the designated interface. |
MACsec Status | Indicates whether a secure channel has been established (Secured) or is still being negotiated (Pending). |
DOT1X-MKA Enabled (Yes, No) | Indicates whether MKA is enabled on the designated interface. |
DOT1X-MKA Active (Yes, No) | Indicates whether MKA is actively running on the interface. |
Key Server (Yes, No) | Indicates whether this interface has been elected key server for the session. The key server generates and distributes the Secure Association Key (SAK), and its settings determine the negotiated capability. |
Configuration Status: | The following fields describe the MKA configuration applied to the interface. |
Enabled (Yes, No) | Indicates whether MACsec is currently enabled. |
Capability (Integrity and or confidentiality) | Indicates whether ICV checks are performed on MACsec frames and whether encryption is applied. |
Desired (Yes, No) | Indicates whether the port wants to become the key server. |
Protection (Yes, No) | Indicates whether replay protection is applied to the interface. |
Frame Validation (Yes, No) | Indicates whether received frames are checked for valid MACsec headers. A value of Disable means they are not. |
Replay Protection (Strict, Out of Order) | Indicates that replay protection is configured and whether frames must be received in exact order or within an allowable window. |
Replay Protection Size | Indicates the allowable window size within which frames may be received. A size of 0 corresponds to strict ordering. |
Cipher Suite (GCM-AES-128) | Specifies the cipher suite used for ICV checking, encryption, and decryption. |
Key Server Priority (1 to 127) | Specifies the key-server priority configured on the interface. The live participant with the lowest priority value is elected key server; a tie is broken in favour of the lower SCI. |
Local SCI | Provides the hexadecimal Secure Channel Identifier of this interface: the system MAC address followed by a 16-bit port identifier. |
Member Identifier | Provides the Member Identifier (MI) of this device's own MKA participant, a 96-bit random value shown in hexadecimal. |
Message Number | Provides the Message Number (MN) of the most recent MKPDU (MKA Hello packet) transmitted by this participant; it increases with every MKPDU sent. MKPDUs are exchanged to determine peer status, MACsec capabilities, and the SAK Key Identifier. |
Secure Channel Information | The following fields describe the secure channel established on this interface. |
Latest SAK Status (RX and or TX) | Indicates the Secure Association Key (SAK) state, that is, whether the latest SAK is in use for receiving, transmitting, or both. |
Latest SAK AN | Provides the Association Number (0 to 3) for the most recently installed SAK. |
Latest SAK KI (shown as Latest KI) | Provides the Key Identifier for the most recently installed SAK. The KI is the key server's Member Identifier followed by a 32-bit key number, so its first 24 hexadecimal digits identify the participant that generated the key. |
Negotiated Capability (Integrity and or Confidentiality with offset) | Indicates whether ICV checking, encryption, and a confidentiality offset have been applied on the secure channel. (The negotiated capability may differ from the parameters configured on the interface when the interface is not the key server, because the key server's settings apply.) |
Peer Information: | The output fields that follow provide information on live and potential MKA peers. |
State (Live or Potential) | Indicates whether the peer is considered a live peer or a potential peer by the MKA protocol. |
Member Identifier | Designates the peer by its Member Identifier, a hexadecimal value. |
Message Number | Provides the Message Number carried in the most recent MKPDU received from the designated peer. |
SCI | Provides the peer's Secure Channel Identifier. |
Priority | Provides the key-server priority configured on the peer interface. |
In the following example, all MKA-enabled interfaces on the device are listed with their link status, MKA status, key-server role, and negotiated capability.
device(config-dot1x-mka-1/3/2)# show dot1x-mka sessions brief
Port   Link-Status   MKA-Status   Key-Server   Negotiated Capability
1/3/2  Down          Pending      ---          ---
1/3/3  Up            Secured      No           Integrity, Confidentiality with Off. 30
1/3/4  Up            Secured      No           Integrity, Confidentiality with Off. 30
The following example lists the MKA session on Ethernet interface 1/3/3 (device 1, slot 3, port 3), with the configuration and secure-channel details for that interface.
device(config-dot1x-mka-1/3/3)# show dot1x-mka sessions ethernet 1/3/3
Interface : 1/3/3
MACsec Status : Secured
DOT1X-MKA Enabled : Yes
DOT1X-MKA Active : Yes
Key Server : No
Configuration Status:
Enabled : Yes
Capability : Integrity, Confidentiality
Desired : Yes
Protection : Yes
Frame Validation : Disable
Replay Protection : Strict
Replay Protection Size : 0
Cipher Suite : GCM-AES-128
Key Server Priority : 20
Local SCI : 748ef8344a510082
Member Identifier : 802ed0536fcafc43407ba222
Message Number : 8612
Secure Channel Information:
Latest SAK Status : Rx & Tx
Latest SAK AN : 0
Latest KI : d08483062aa9457e7c2470e300000001
Negotiated Capability : Integrity, Confidentiality with offset 30
Peer Information:
State Member Identifier Message Number SCI Priority
----- ----------------- -------------- ---------------- --------
Live d08483062aa9457e7c2470e3 8527 748ef83443910082 20
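The output above is worth reading against the field table: the interface is not the key server (Key Server : No), its priority ties with the live peer (20 and 20), and the peer's SCI 748ef83443910082 is numerically lower than the local SCI 748ef8344a510082, so the peer wins the election; consistently, the first 24 hex digits of Latest KI (d08483062aa9457e7c2470e3) are the peer's Member Identifier and the trailing 00000001 is key number 1. The script below is an added example, not part of the original page or of the ICX software: it parses the brief and per-interface output shown above (the sample text is constructed from those examples, not captured from a device), flags sessions that are not secured, not encrypted, not strictly replay-protected, or not validating frames, and checks that the reported key-server role and the KI are consistent with the IEEE 802.1X election rule. Function names and finding strings are the author's own.

```python
"""Audit 'show dot1x-mka sessions' output (added example, not ICX code)."""

# Constructed samples, reproduced from the examples on this page.
BRIEF_OUTPUT = """\
Port   Link-Status   MKA-Status   Key-Server   Negotiated Capability
1/3/2  Down          Pending      ---          ---
1/3/3  Up            Secured      No           Integrity, Confidentiality with Off. 30
1/3/4  Up            Secured      No           Integrity, Confidentiality with Off. 30
"""

DETAIL_OUTPUT = """\
Interface : 1/3/3
MACsec Status : Secured
DOT1X-MKA Enabled : Yes
DOT1X-MKA Active : Yes
Key Server : No
Configuration Status:
Enabled : Yes
Capability : Integrity, Confidentiality
Desired : Yes
Protection : Yes
Frame Validation : Disable
Replay Protection : Strict
Replay Protection Size : 0
Cipher Suite : GCM-AES-128
Key Server Priority : 20
Local SCI : 748ef8344a510082
Member Identifier : 802ed0536fcafc43407ba222
Message Number : 8612
Secure Channel Information:
Latest SAK Status : Rx & Tx
Latest SAK AN : 0
Latest KI : d08483062aa9457e7c2470e300000001
Negotiated Capability : Integrity, Confidentiality with offset 30
Peer Information:
State Member Identifier Message Number SCI Priority
----- ----------------- -------------- ---------------- --------
Live d08483062aa9457e7c2470e3 8527 748ef83443910082 20
"""


def parse_brief(text):
    """Map port -> fields from the 'brief' table; the capability column may hold spaces."""
    sessions = {}
    for line in text.splitlines()[1:]:            # skip the column header
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        sessions[parts[0]] = {
            "link": parts[1], "mka_status": parts[2], "key_server": parts[3],
            "capability": parts[4].strip() if len(parts) == 5 else "",
        }
    return sessions


def parse_detail(text):
    """Split the per-interface output into 'name : value' fields and peer rows."""
    fields, peers, in_peers = {}, [], False
    for line in text.splitlines():
        if line.startswith("Peer Information"):
            in_peers = True
            continue
        if in_peers:
            cols = line.split()
            if len(cols) == 5 and cols[0] in ("Live", "Potential"):
                peers.append({"state": cols[0], "mi": cols[1].lower(), "mn": int(cols[2]),
                              "sci": cols[3].lower(), "priority": int(cols[4])})
            continue
        name, _, value = line.partition(":")
        if value.strip():                         # section headers have no value
            fields[name.strip()] = value.strip()
    return {"fields": fields, "peers": peers}


def split_ki(ki_hex):
    """KI = key server's 96-bit Member Identifier || 32-bit key number (IEEE 802.1X)."""
    ki_hex = ki_hex.lower()
    if len(ki_hex) != 32:
        raise ValueError("KI must be 128 bits (32 hex digits)")
    return ki_hex[:24], int(ki_hex[24:], 16)


def expected_key_server(detail):
    """Election rule: lowest priority value wins, ties broken by the lowest SCI.
    Returns ('local', mi) or ('peer', mi) for the participant that should be key server."""
    f = detail["fields"]
    candidates = [(int(f["Key Server Priority"]), f["Local SCI"].lower(),
                   "local", f["Member Identifier"].lower())]
    for p in detail["peers"]:
        if p["state"] == "Live":
            candidates.append((p["priority"], p["sci"], "peer", p["mi"]))
    _prio, _sci, who, mi = min(candidates)      # equal-length hex strings sort numerically
    return who, mi


def audit_brief(sessions):
    """Ports whose session is not both established and encrypted."""
    findings = []
    for port in sorted(sessions):
        s = sessions[port]
        if s["mka_status"] != "Secured":
            findings.append((port, "MKA status " + s["mka_status"]))
        elif "Confidentiality" not in s["capability"]:
            findings.append((port, "integrity only, no encryption"))
    return findings


def audit_detail(detail):
    """Security findings for one interface, plus consistency checks on the KI and role."""
    f, findings = detail["fields"], []
    if f.get("MACsec Status") != "Secured":
        findings.append("session not secured")
    if "Confidentiality" not in f.get("Negotiated Capability", ""):
        findings.append("integrity only: frames are not encrypted")
    if f.get("Replay Protection") != "Strict":
        findings.append("replay protection is not strict (window %s)" % f.get("Replay Protection Size"))
    if f.get("Frame Validation") == "Disable":
        findings.append("frame validation disabled: received frames are not checked")
    who, ks_mi = expected_key_server(detail)
    reported = "local" if f.get("Key Server") == "Yes" else "peer"
    if who != reported:
        findings.append("reported key-server role disagrees with priority/SCI election")
    ki_mi, _key_number = split_ki(f["Latest KI"])
    if ki_mi != ks_mi:
        findings.append("Latest KI was not generated by the elected key server")
    return findings


if __name__ == "__main__":
    print(audit_brief(parse_brief(BRIEF_OUTPUT)))
    print(audit_detail(parse_detail(DETAIL_OUTPUT)))
```

For the page's sample, the brief audit reports only 1/3/2 (Pending) and the detailed audit reports only the disabled frame validation; the KI and key-server checks pass, which is the quick way to confirm that the SAK in use was really issued by the participant that should have won the election.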
Release version | Command history |
---|---|
08.0.20 | This command was introduced. |
08.0.30 | Support for this command was added on ICX 7450 devices. |
08.0.70 | Support for this command was added on ICX 7650 devices. |
08.0.90 | Support for this command was added on ICX 7850 devices. |