Example: Configuring MKA on an Interface or Port Channel
This running configuration example shows how to configure MKA on an interface. Replace the <placeholders> with relevant values for your setup.
configure terminal
interface ethernet <11>/<31>
macsec keychain <k3> policy <p1>
end
This running configuration example shows how to configure MKA on a port channel. Replace the <placeholders> with relevant values for your setup.
configure terminal
interface port-channel <100>
macsec keychain <k3> policy <p1>
end
The following example shows information about all the interfaces in the MKA session:
switch# show macsec mka session
Interface         Local-TxSCI               # Peers            Status       Key-Server
----------------- ------------------------- ------------------ ------------ ----------
Ethernet2/1       0000.0043.0038/0001       1                  Secured      Yes
Ethernet2/7       0000.0043.003e/0001       1                  Secured      Yes
Ethernet2/25      0000.0043.0050/0001       1                  Secured      No
Ethernet2/30      0000.0043.0055/0001       1                  Secured      No
----------------- ------------------------- ------------------ ------------ ----------
Total Number of Sessions : 4
Secured Sessions : 4
Pending Sessions : 0
The following example shows detailed information about all the interfaces in the MKA session:
switch# show macsec mka session details
Detailed Status for MKA Session
-----------------------------------
Interface Name : Ethernet11/25
Session Status : Secured
Local Tx-SCI : 00b0.e135.9c24/0001
Local Tx-SSCI : 3
MKA Port Identifier : 3
CAK Name (CKN) : 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : 17173194E288E086B275A49F
Message Number (MN) : 12465
MKA Policy Name : p1
Key Server Priority : 9
Key Server : No
SAK Cipher Suite : GCM-AES-XPN-128
SAK Cipher Suite (Operational) : GCM-AES-XPN-128
Replay Window Size : 0
Confidentiality Offset : CONF-OFFSET-0
Confidentiality Offset (Operational): CONF-OFFSET-0
Latest SAK Status : Rx & TX
Latest SAK AN : 0
Latest SAK KI : 10314879
Latest SAK KN : 57
Last SAK key time : 06:59:24 UTC Wed Apr 19 2017
Number of Macsec Capable Live Peers: 3
Number of SA consumed in Hardware : 3
Number of Macsec Capable Live Peers Responded: 0
Live Peer List:
MI                        MN     SCI                  SSCI  Key-Server Priority
-------------------------------------------------------------------------------------
7F649D00075CA2B14065F50D  12466  00b0.e135.9c23/0001  4     9
67DF7F5DE06AFC9A2F125914  12464  9c57.adfd.8acb/0001  2     9
57BCB803EB00453525F7382C  12466  9c57.adfd.8acc/0001  1     9
Detailed Status for MKA Session
-----------------------------------
Interface Name : Ethernet4/27
Session Status : Secured
Local Tx-SCI : 5006.ab91.9f4e/0001
Local Tx-SSCI : 2
MKA Port Identifier : 2
CAK Name (CKN) : 1000000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : 4B18586C685B28F2354B1E2B
Message Number (MN) : 49
MKA Policy Name : mustsecureks
Key Server Priority : 9
Key Server : Yes
SAK Cipher Suite : GCM-AES-256
SAK Cipher Suite (Operational) : GCM-AES-256
Replay Window Size : 0
Confidentiality Offset : CONF-OFFSET-0
Confidentiality Offset (Operational): CONF-OFFSET-0
Latest SAK Status : Rx & TX
Latest SAK AN : 2
Latest SAK KI : 1817712715
Latest SAK KN : 1
Last SAK key time : 20:42:51 UTC Thu May 04 2017
Number of Macsec Capable Live Peers: 2
Number of SA consumed in Hardware : 2
Number of Macsec Capable Live Peers Responded: 2
Live Peer List:
MI                        MN     SCI                  SSCI  Key-Server-Priority  Tx/Rx Programmed
------------------------------------------------------------------------------- ------
3634B7ADE028833E219C2304  7624   9c57.adfc.0f34/0001  1     16                   Yes
92D6F93C2BC4058AD25FA0E5  7655   5006.ab91.4584/0001  3     16                   Yes
The following example shows information about a configured port channel in an MKA session:
switch# show macsec mka session interface port-channel 100
Interface         Local-TxSCI                      # Peers         Status   Key-Server
----------------- -------------------------------- --------------- -------- ----------
Ethernet2/7       0000.0043.003e/0001              1               Secured  Yes
Ethernet2/30      0000.0043.0055/0001              1               Secured  No
The following example shows detailed information about a configured port channel in the MKA session:
switch# show macsec mka session interface port-channel 100 details
Detailed Status for MKA Session
-----------------------------------
Interface Name : Ethernet2/7
Session Status : Secured
Local Tx-SCI : 0000.0043.003e/0001
Local Tx-SSCI : 2
MKA Port Identifier : 2
CAK Name (CKN) : 0300000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : 057D3366D35DA9A19D259D7F
Message Number (MN) : 1534
MKA Policy Name : p1
Key Server Priority : 16
Key Server : Yes
SAK Cipher Suite : GCM-AES-XPN-256
SAK Cipher Suite (Operational) : GCM-AES-XPN-256
Replay Window Size : 0
Confidentiality Offset : CONF-OFFSET-0
Confidentiality Offset (Operational): CONF-OFFSET-0
Latest SAK Status : Rx & TX
Latest SAK AN : 0
Latest SAK KI : 1714650373
Latest SAK KN : 49
Last SAK key time : 08:07:29 UTC Fri Jan 06 2017
Number of Macsec Capable Live Peers: 1
Number of SA consumed in Hardware : 1
Number of Macsec Capable Live Peers Responded: 1
Live Peer List:
MI                        MN     SCI                  SSCI  Key-Server-Priority  Tx/Rx Programmed
------------------------------------------------------------------------------------------
E7A5637789614DB8550C8967  1533   0000.0043.0055/0001  1     16                   Yes
Interface Name : Ethernet2/30
Session Status : Secured
Local Tx-SCI : 0000.0043.0055/0001
Local Tx-SSCI : 1
MKA Port Identifier : 1
CAK Name (CKN) : 0300000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI) : E7A5637789614DB8550C8967
Message Number (MN) : 1534
MKA Policy Name : p1
Key Server Priority : 16
Key Server : No
SAK Cipher Suite : GCM-AES-XPN-256
SAK Cipher Suite (Operational) : GCM-AES-XPN-256
Replay Window Size : 0
Confidentiality Offset : CONF-OFFSET-0
Confidentiality Offset (Operational): CONF-OFFSET-0
Latest SAK Status : Rx & TX
Latest SAK AN : 0
Latest SAK KI : 1714650373
Latest SAK KN : 49
Last SAK key time : 08:07:29 UTC Fri Jan 06 2017
Number of Macsec Capable Live Peers: 1
Number of SA consumed in Hardware : 1
Number of Macsec Capable Live Peers Responded: 0
Live Peer List:
MI                        MN     SCI                  SSCI  Key-Server-Priority  Tx/Rx Programmed
-------------------------------------------------------------------------------------------
057D3366D35DA9A19D259D7F  1533   0000.0043.003e/0001  2     16                   Yes
The following example shows the summary of the MKA session for the configured interface:
switch# show macsec mka summary
Interface     Status    Cipher           Key-Server   MACSEC-policy     CKN                                                              Keychain
------------- --------- ---------------- ------------ ----------------- ---------------------------------------------------------------- --------
Ethernet11/25 Secured   GCM-AES-XPN-128  No           p1                0100000000000000000000000000000000000000000000000000000000000000 k1
Ethernet11/31 Secured   GCM-AES-XPN-128  Yes          p1                0300000000000000000000000000000000000000000000000000000000000000 k3
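The detailed session output shown earlier can be checked automatically after a configuration change. The following Python script is an added example, not part of the original documentation: it parses text in the layout of show macsec mka session details and reports sessions that are not Secured, whose operational cipher suite or confidentiality offset differs from the configured value, or that have no live peers. The sample text, the function names and the choice of checks are assumptions made for illustration.

```python
# Constructed sample in the layout of `show macsec mka session details`.
# Ethernet2/30 is deliberately degraded so that the checks below fire.
SAMPLE = """\
Detailed Status for MKA Session
-----------------------------------
Interface Name : Ethernet2/7
Session Status : Secured
SAK Cipher Suite : GCM-AES-XPN-256
SAK Cipher Suite (Operational) : GCM-AES-XPN-256
Last SAK key time : 08:07:29 UTC Fri Jan 06 2017
Number of Macsec Capable Live Peers: 1
Live Peer List:
E7A5637789614DB8550C8967 1533 0000.0043.0055/0001 1 16 Yes
Interface Name : Ethernet2/30
Session Status : Pending
SAK Cipher Suite : GCM-AES-XPN-256
SAK Cipher Suite (Operational) : GCM-AES-XPN-128
Number of Macsec Capable Live Peers: 0
"""

def parse_sessions(text):
    """Return one {field: value} dict per 'Interface Name' block."""
    sessions = []
    for line in text.splitlines():
        # Split on the first colon only, so timestamps keep their colons.
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep or not value:
            continue  # banner, ruler, 'Live Peer List:' and peer-table rows
        if key == "Interface Name":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions

def audit(sessions):
    """Return (interface, finding) pairs; an empty list means every session passed."""
    findings = []
    for s in sessions:
        name = s["Interface Name"]
        if s.get("Session Status") != "Secured":
            findings.append((name, "status " + s.get("Session Status", "missing")))
        for field in ("SAK Cipher Suite", "Confidentiality Offset"):
            if s.get(field) != s.get(field + " (Operational)"):
                findings.append((name, field + " differs from operational value"))
        if int(s.get("Number of Macsec Capable Live Peers", "0")) == 0:
            findings.append((name, "no MACsec-capable live peers"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_sessions(SAMPLE)), sep="\n")
```

An empty result from audit() means every parsed session is Secured, runs with its configured parameters and has at least one live peer.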