MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

MACsec SecY statistics

Updated: February 28, 2026

Want to summarize with AI?

Overview

Describes MACsec SecY statistics, which track operational metrics for packet processing, encryption, and decryption, helping administrators identify issues in secure network communications.

The MACsec SecY statistics are operational metrics that

monitor the performance of the MAC Security (MACsec) Secure Channel (SecY) component,
provide detailed visibility into packet and octet processing activities, and
help identify encryption or decryption issues in secure network communication.

MACsec SecY statistics track the behavior of encrypted traffic, including packet processing, encryption, decryption, and error conditions. They serve as diagnostic indicators that allow network administrators to confirm proper MACsec operation and troubleshoot encrypted traffic flows.

Key aspects of SecY statistics include:

Interface statistics: Track untagged packets, packets without MACsec tags, packets with invalid tags, unknown Secure Channel Identifiers (SCI), and counts of validated or decrypted octets.
Secure Channel (SC) statistics: Include transmit (TxSC) and receive (RxSC) data, such as packets protected, encrypted, dropped for being too long, and octet encryption or decryption counts.
Secure Association (SA) statistics: Provide detailed per-SA data for both transmit and receive directions, including packets protected, encrypted, and the next packet number (NextPN).

These statistics can be accessed using CLI commands such as show macsec secy stats on supported controllers or interfaces, and through SNMP queries using the IEEE8021-SECY-MIB.

Network administrators rely on these statistics to ensure that MACsec encryption is functioning correctly and to detect anomalies in encrypted traffic.

Administrators can query MACsec SecY statistics using the following methods:

CLI – for real-time interface and controller-level statistics
SNMP MIB – for remote monitoring and integration with network management systems

Query SNMP statistics

Administrators can query SNMP statistics through the CLI to view detailed information about MACsec SecY statistics on a specific interface.

Use the show macsec secy statistics interface command to display detailed MACsec SecY statistics for a specified interface.

Example:

Router# show macsec secy stats interface hundredGigE 0/1/0/10 sc

Interface Stats
    InPktsUntagged     :  0
    InPktsNoTag        :  0
    InPktsBadTag       :  0
    InPktsUnknownSCI   :  0
    InPktsNoSCI        :  0
    InPktsOverrun      :  0
    InOctetsValidated  :  0
    InOctetsDecrypted  :  0
    OutPktsUntagged    :  0
    OutPktsTooLong     :  0
    OutOctetsProtected :  0
    OutOctetsEncrypted :  0

SC Stats
  TxSC Stats
    OutPktsProtected   : 0
    OutPktsEncrypted   : 0
    OutOctetsProtected : 0
    OutOctetsEncrypted : 0
    OutPktsTooLong     : 0
    TxSA Stats
      TxSA 0: 
        OutPktsProtected : 0
        OutPktsEncrypted : 0
        NextPN           : 1
      TxSA 1: 
        OutPktsProtected : 0
        OutPktsEncrypted : 0
        NextPN           : 0
      TxSA 2: 
        OutPktsProtected : 0
        OutPktsEncrypted : 0
        NextPN           : 0
      TxSA 3: 
        OutPktsProtected : 0
        OutPktsEncrypted : 0
        NextPN           : 0

  RxSC Stats
    RxSC 1: 10000742d968a00
      InPktsUnchecked     : 0
      InPktsDelayed       : 0
      InPktsLate          : 0
      InPktsOK            : 0
      InPktsInvalid       : 0
      InPktsNotValid      : 0
      InPktsNotUsingSA    : 0
      InPktsUnusedSA      : 0
      InPktsUntaggedHit   : 0
      InOctetsValidated   : 0
      InOctetsDecrypted   : 0
    RxSA Stats
      RxSA 0: 
        InPktsUnusedSA      : 0
        InPktsNotUsingSA    : 0
        InPktsNotValid      : 0
        InPktsInvalid       : 0
        InPktsOK            : 0
        NextPN              : 1
      RxSA 1: 
        InPktsUnusedSA      : 0
        InPktsNotUsingSA    : 0
        InPktsNotValid      : 0
        InPktsInvalid       : 0
        InPktsOK            : 0
        NextPN              : 0
      RxSA 2: 
        InPktsUnusedSA      : 0
        InPktsNotUsingSA    : 0
        InPktsNotValid      : 0
        InPktsInvalid       : 0
        InPktsOK            : 0
        NextPN              : 0
      RxSA 3: 
        InPktsUnusedSA      : 0
        InPktsNotUsingSA    : 0
        InPktsNotValid      : 0
        InPktsInvalid       : 0
        InPktsOK            : 0
        NextPN              : 0

On Cisco 8712-MOD-M routers, all TxSC (Transmit Secure Channel) counters display a value of zero. This behavior occurs due to a hardware limitation — K100 ASIC-based systems used in these routers do not support the collection of TxSC statistics.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.