MACsec では、スクリプトで利用できるように、次の show コマンドに | xml を付けた XML 出力がサポートされています。
- show key chain name | xml
- show macsec mka session interface interface slot/port details | xml
- show macsec mka statistics interface interface slot/port | xml
- show macsec mka summary | xml
- show macsec policy name | xml
- show macsec secy statistics interface interface slot/port | xml
- show running-config macsec | xml
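次に、上記の各 show コマンドの出力例を示します。出力例の長い行は端末の表示幅で折り返されているため、タグ名や名前空間 URI の途中に改行が入っている箇所があります。また、各出力の末尾にある ]]>]]> は NETCONF のメッセージ終端デリミタであり XML 文書の一部ではないため、スクリプトで解析する場合は取り除いてから XML パーサーに渡してください。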
例 1:キーチェーンの設定を表示します。
switch# show key chain "Kc2" | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Annotation for readers, not device output: sample reply to
     show key chain "Kc2" | xml. The default namespace on the root element ends
     in ":rpm"; the MACsec replies elsewhere on this page use a different one,
     so namespace-aware queries cannot be shared between them unchanged. -->
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://w
ww.cisco.com/nxos:1.0:rpm">
<nf:data>
<show>
<key>
<chain>
<!-- Only the requested key chain name is echoed back in this sample; there is
     no __readonly__ data section, so no key IDs or key strings are shown. -->
<__XML__OPT_Cmd_rpm_show_keychain_cmd_keychain>
<keychain>Kc2</keychain>
</__XML__OPT_Cmd_rpm_show_keychain_cmd_keychain>
</chain>
</key>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
例 2:特定のインターフェイスの MACsec MKA セッションに関する情報を表示します。
switch# show macsec mka session interface ethernet 4/31 details | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Annotation for readers, not device output: sample reply to
     show macsec mka session interface ethernet 4/31 details | xml.
     The per-session fields are inside TABLE_mka_session_details /
     ROW_mka_session_details under __readonly__. -->
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://w
ww.cisco.com/nxos:1.0">
<nf:data>
<show>
<macsec>
<mka>
<session>
<__XML__OPT_Cmd_show_macsec_mka_session_interface>
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<__XML__INTF_output>Ethernet4/31</__XML__INTF_output>
</__XML__PARAM_value>
</__XML__INTF_ifname>
</interface>
<__XML__OPT_Cmd_show_macsec_mka_session_details>
<details/>
<__XML__OPT_Cmd_show_macsec_mka_session___readonly__>
<__readonly__>
<TABLE_mka_session_details>
<ROW_mka_session_details>
<ifname>Ethernet4/31</ifname>
<!-- status, cipher and policy are the fields a monitoring script would compare
     against the intended configuration; this sample shows Secured,
     GCM-AES-XPN-256 and am2. -->
<status>Secured</status>
<sci>0c75.bd03.5360/0001</sci>
<ssci>1</ssci>
<port_id>1</port_id>
<!-- The element name mi occurs twice in this row with different values
     (a 64-digit value and a 24-digit value). A script must not assume a
     single mi child. NOTE(review): the sample does not say what each one
     represents; confirm against a live device. -->
<mi>0200000000000000000000000000000000000000000000000000000000000000
</mi>
<mi>F511280A765CE41C79458753</mi>
<mn>2770</mn>
<policy>am2</policy>
<ks_prio>0</ks_prio>
<keyserver>No</keyserver>
<cipher>GCM-AES-XPN-256</cipher>
<window>512</window>
<conf_offset>CONF-OFFSET-0</conf_offset>
<!-- The sak_status value below contains a bare ampersand. As printed, that makes
     the document not well-formed, so a strict XML parser will reject it.
     NOTE(review): check on your release whether the device emits an escaped
     ampersand, and make scripts handle a parse failure explicitly rather
     than treating it as "no session". -->
<sak_status>Rx & TX</sak_status>
<sak_an>1</sak_an>
<sak_ki>516486241</sak_ki>
<sak_kn>90</sak_kn>
<last_sak_rekey_time>07:12:02 UTC Fri Jan 20 2017</last_sak_rekey_ti
me>
</ROW_mka_session_details>
</TABLE_mka_session_details>
</__readonly__>
</__XML__OPT_Cmd_show_macsec_mka_session___readonly__>
</__XML__OPT_Cmd_show_macsec_mka_session_details>
</__XML__OPT_Cmd_show_macsec_mka_session_interface>
</session>
</mka>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
例 3:MACsec MKA 統計情報を表示します。
switch# show macsec mka statistics interface ethernet 4/31 | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Annotation for readers, not device output: sample reply to
     show macsec mka statistics interface ethernet 4/31 | xml.
     The reply holds two __readonly__ sections for the same interface: the
     first wraps TABLE_ca_stats, the second wraps TABLE_idb_stats. -->
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://w
ww.cisco.com/nxos:1.0">
<nf:data>
<show>
<macsec>
<mka>
<statistics>
<__XML__OPT_Cmd_some_macsec_mka_statistics_interface>
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<!-- The __XML__INTF_output element is printed twice here with the same value.
     NOTE(review): possibly a documentation artefact; do not rely on the
     element count. -->
<__XML__INTF_output>Ethernet4/31</__XML__INTF_output>
<__XML__INTF_output>Ethernet4/31</__XML__INTF_output>
</__XML__PARAM_value>
</__XML__INTF_ifname>
</interface>
<__XML__OPT_Cmd_some_macsec_mka_statistics___readonly__>
<__readonly__>
<TABLE_mka_intf_stats>
<ROW_mka_intf_stats>
<!-- First table: ca_stats. The counter names from ca_stat_pairwise_cak_rekey
     to mkpdu_stat_mkpdu_rx_distsak are repeated in the idb_stats table further
     down, so queries must be scoped to the table they target. -->
<TABLE_ca_stats>
<ROW_ca_stats>
<ca_stat_ckn>0x2</ca_stat_ckn>
<ca_stat_pairwise_cak_rekey>0</ca_stat_pairwise_cak_rekey>
<sa_stat_sak_generated>0</sa_stat_sak_generated>
<sa_stat_sak_rekey>0</sa_stat_sak_rekey>
<sa_stat_sak_received>91</sa_stat_sak_received>
<sa_stat_sak_response_rx>0</sa_stat_sak_response_rx>
<mkpdu_stat_mkpdu_tx>2808</mkpdu_stat_mkpdu_tx>
<mkpdu_stat_mkpdu_tx_distsak>0</mkpdu_stat_mkpdu_tx_distsak>
<mkpdu_stat_mkpdu_rx>2714</mkpdu_stat_mkpdu_rx>
<mkpdu_stat_mkpdu_rx_distsak>91</mkpdu_stat_mkpdu_rx_distsak>
</ROW_ca_stats>
</TABLE_ca_stats>
</ROW_mka_intf_stats>
</TABLE_mka_intf_stats>
</__readonly__>
</__XML__OPT_Cmd_some_macsec_mka_statistics___readonly__>
<!-- Second interface / __readonly__ pair for the same port, carrying
     TABLE_idb_stats. -->
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<__XML__INTF_output>Ethernet4/31</__XML__INTF_output>
</__XML__PARAM_value>
</__XML__INTF_ifname>
</interface>
<__XML__OPT_Cmd_some_macsec_mka_statistics___readonly__>
<__readonly__>
<TABLE_mka_intf_stats>
<ROW_mka_intf_stats>
<TABLE_idb_stats>
<ROW_idb_stats>
<ca_stat_pairwise_cak_rekey>0</ca_stat_pairwise_cak_rekey>
<sa_stat_sak_generated>0</sa_stat_sak_generated>
<sa_stat_sak_rekey>0</sa_stat_sak_rekey>
<sa_stat_sak_received>91</sa_stat_sak_received>
<sa_stat_sak_response_rx>0</sa_stat_sak_response_rx>
<mkpdu_stat_mkpdu_tx>2808</mkpdu_stat_mkpdu_tx>
<mkpdu_stat_mkpdu_tx_distsak>0</mkpdu_stat_mkpdu_tx_distsak>
<mkpdu_stat_mkpdu_rx>2714</mkpdu_stat_mkpdu_rx>
<mkpdu_stat_mkpdu_rx_distsak>91</mkpdu_stat_mkpdu_rx_distsak>
<idb_stat_mkpdu_tx_success>2808</idb_stat_mkpdu_tx_success>
<idb_stat_mkpdu_tx_fail>0</idb_stat_mkpdu_tx_fail>
<idb_stat_mkpdu_tx_pkt_build_fail>0</idb_stat_mkpdu_tx_pkt_build_fail>
<idb_stat_mkpdu_no_tx_on_intf_down>0</idb_stat_mkpdu_no_tx_on_intf_down>
<idb_stat_mkpdu_no_rx_on_intf_down>0</idb_stat_mkpdu_no_rx_on_intf_down>
<idb_stat_mkpdu_rx_ca_notfound>0</idb_stat_mkpdu_rx_ca_notfound>
<idb_stat_mkpdu_rx_error>0</idb_stat_mkpdu_rx_error>
<idb_stat_mkpdu_rx_success>2714</idb_stat_mkpdu_rx_success>
<!-- From here on the rows are the *_failure_* counters. In this sample every
     one is 0 except nonrecent_peerlist_mn_error, which is 1. Judging by their
     names these are the counters to trend for MKPDU validation and SAK
     handling problems. NOTE(review): the page gives no definition for the
     individual counters; confirm meanings before alerting on them. -->
<idb_stat_mkpdu_failure_rx_integrity_check_error>0</idb_stat_mkpdu_
failure_rx_integrity_check_error>
<idb_stat_mkpdu_failure_invalid_peer_mn_error>0</idb_stat_mkpdu_fai
lure_invalid_peer_mn_error>
<idb_stat_mkpdu_failure_nonrecent_peerlist_mn_error>1</idb_stat_mkp
du_failure_nonrecent_peerlist_mn_error>
<idb_stat_mkpdu_failure_sakuse_kn_mismatch_error>0</idb_stat_mkpdu_
failure_sakuse_kn_mismatch_error>
<idb_stat_mkpdu_failure_sakuse_rx_not_set_error>0</idb_stat_mkpdu_f
ailure_sakuse_rx_not_set_error>
<idb_stat_mkpdu_failure_sakuse_key_mi_mismatch_error>0</idb_stat_mk
pdu_failure_sakuse_key_mi_mismatch_error>
<idb_stat_mkpdu_failure_sakuse_an_not_in_use_error>0</idb_stat_mkpd
u_failure_sakuse_an_not_in_use_error>
<idb_stat_mkpdu_failure_sakuse_ks_rx_tx_not_set_error>0</idb_stat_m
kpdu_failure_sakuse_ks_rx_tx_not_set_error>
<idb_stat_mkpdu_failure_sakuse_eapol_ethertype_mismatch_error>0</id
b_stat_mkpdu_failure_sakuse_eapol_ethertype_mismatch_error>
<idb_stat_sak_failure_sak_generate_error>0</idb_stat_sak_failure_sa
k_generate_error>
<idb_stat_sak_failure_hash_generate_error>0</idb_stat_sak_failure_h
ash_generate_error>
<idb_stat_sak_failure_sak_encryption_error>0</idb_stat_sak_failure_
sak_encryption_error>
<idb_stat_sak_failure_sak_decryption_error>0</idb_stat_sak_failure_
sak_decryption_error>
<idb_stat_sak_failure_ick_derivation_error>0</idb_stat_sak_failure_
ick_derivation_error>
<idb_stat_sak_failure_kek_derivation_error>0</idb_stat_sak_failure_
kek_derivation_error>
<idb_stat_sak_failure_invalid_macsec_capability_error>0</idb_stat_s
ak_failure_invalid_macsec_capability_error>
<idb_stat_macsec_failure_rx_sa_create_error>0</idb_stat_macsec_fail
ure_rx_sa_create_error>
<idb_stat_macsec_failure_tx_sa_create_error>0</idb_stat_macsec_fail
ure_tx_sa_create_error>
</ROW_idb_stats>
</TABLE_idb_stats>
</ROW_mka_intf_stats>
</TABLE_mka_intf_stats>
</__readonly__>
</__XML__OPT_Cmd_some_macsec_mka_statistics___readonly__>
</__XML__OPT_Cmd_some_macsec_mka_statistics_interface>
</statistics>
</mka>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
例 4:MACsec MKA 設定を表示します。
switch# show macsec mka summary | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Annotation for readers, not device output: sample reply to
     show macsec mka summary | xml. TABLE_mka_summary holds one
     ROW_mka_summary per interface, each with ifname, policy and keychain. -->
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://w
ww.cisco.com/nxos:1.0">
<nf:data>
<show>
<macsec>
<mka>
<__XML__OPT_Cmd_some_macsec_summary>
<__XML__OPT_Cmd_some_macsec___readonly__>
<__readonly__>
<TABLE_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet2/1</ifname>
<policy>am2</policy>
<!-- The keychain value is the key chain name followed by "/" and a long hex
     string, so a script that needs only the name has to split on "/".
     NOTE(review): the hex part is presumably a key identifier rather than key
     material; confirm before deciding how these outputs may be stored or
     shared. -->
<keychain>kc2/02000000000000000000000000000000000000000000000000000000
00000000</keychain>
</ROW_mka_summary>
<ROW_mka_summary>
<ifname>Ethernet3/1</ifname>
<policy>am2</policy>
<keychain>kc2/02000000000000000000000000000000000000000000000000000000
00000000</keychain>
</ROW_mka_summary>
<!-- The bracketed line below is an editorial marker from the documentation,
     not XML emitted by the switch; rows between Ethernet3/1 and Ethernet3/32
     were left out of the sample. -->
[TRUNCATED FOR READABILITY]
<ROW_mka_summary>
<ifname>Ethernet3/32</ifname>
<policy>am2</policy>
<keychain>kc2/02000000000000000000000000000000000000000000000000000000
00000000</keychain>
</ROW_mka_summary>
</TABLE_mka_summary>
</__readonly__>
</__XML__OPT_Cmd_some_macsec___readonly__>
</__XML__OPT_Cmd_some_macsec_summary>
</mka>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
例 5:特定の MACsec ポリシーの設定を表示します。
switch# show macsec policy am2 | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Annotation for readers, not device output: sample reply to
     show macsec policy am2 | xml. The policy settings are in
     TABLE_macsec_policy / ROW_macsec_policy under __readonly__. -->
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://w
ww.cisco.com/nxos:1.0">
<nf:data>
<show>
<macsec>
<policy>
<__XML__OPT_Cmd_some_macsec_policy_name>
<policy_name>am2</policy_name>
<__XML__OPT_Cmd_some_macsec___readonly__>
<__readonly__>
<TABLE_macsec_policy>
<ROW_macsec_policy>
<name>am2</name>
<cipher_suite>GCM-AES-XPN-256</cipher_suite>
<keyserver_priority>0</keyserver_priority>
<window_size>512</window_size>
<!-- conf_offset is printed as 0 here, while the MKA session details sample on
     this page prints CONF-OFFSET-0 for the same policy (am2); compare the two
     forms accordingly. -->
<conf_offset>0</conf_offset>
<!-- security_policy is the field to check when auditing whether a link may
     carry unencrypted traffic; this sample shows must-secure.
     NOTE(review): verify the set of possible values against the
     configuration guide for your release. -->
<security_policy>must-secure</security_policy>
<!-- This element name uses hyphens, unlike its underscore-named siblings;
     match it exactly in queries. -->
<sak-expiry-time>60</sak-expiry-time>
</ROW_macsec_policy>
</TABLE_macsec_policy>
</__readonly__>
</__XML__OPT_Cmd_some_macsec___readonly__>
</__XML__OPT_Cmd_some_macsec_policy_name>
</policy>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
例 6:MACsec セキュリティ統計情報を表示します。
switch# show macsec secy statistics interface ethernet 4/31 | xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Annotation for readers, not device output: sample reply to
     show macsec secy statistics interface ethernet 4/31 | xml.
     All counters are in a single TABLE_statistics / ROW_statistics. -->
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://w
ww.cisco.com/nxos:1.0">
<nf:data>
<show>
<macsec>
<secy>
<statistics>
<interface>
<__XML__INTF_ifname>
<__XML__PARAM_value>
<__XML__INTF_output>Ethernet4/31</__XML__INTF_output>
</__XML__PARAM_value>
<!-- In this reply the __readonly__ wrapper is nested inside
     __XML__INTF_ifname (closed only after the table), unlike the MKA replies
     on this page where it follows the closed interface element. Paths written
     for one reply will not match the other. -->
<__XML__OPT_Cmd_some_macsec_secy_statistics___readonly__>
<__readonly__>
<TABLE_statistics>
<ROW_statistics>
<in_pkts_unicast_uncontrolled>0</in_pkts_unicast_uncontrolled>
<in_pkts_multicast_uncontrolled>42</in_pkts_multicast_uncontrolled>
<in_pkts_broadcast_uncontrolled>0</in_pkts_broadcast_uncontrolled>
<in_rx_drop_pkts_uncontrolled>0</in_rx_drop_pkts_uncontrolled>
<in_rx_err_pkts_uncontrolled>0</in_rx_err_pkts_uncontrolled>
<in_pkts_unicast_controlled>0</in_pkts_unicast_controlled>
<in_pkts_multicast_controlled>2</in_pkts_multicast_controlled>
<in_pkts_broadcast_controlled>0</in_pkts_broadcast_controlled>
<in_rx_drop_pkts_controlled>0</in_rx_drop_pkts_controlled>
<in_rx_err_pkts_controlled>0</in_rx_err_pkts_controlled>
<in_octets_uncontrolled>7230</in_octets_uncontrolled>
<in_octets_controlled>470</in_octets_controlled>
<input_rate_uncontrolled_pps>0</input_rate_uncontrolled_pps>
<input_rate_uncontrolled_bps>9</input_rate_uncontrolled_bps>
<input_rate_controlled_pps>0</input_rate_controlled_pps>
<input_rate_controlled_bps>23</input_rate_controlled_bps>
<out_pkts_unicast_uncontrolled>0</out_pkts_unicast_uncontrolled>
<out_pkts_multicast_uncontrolled>41</out_pkts_multicast_uncontrolled>
<out_pkts_broadcast_uncontrolled>0</out_pkts_broadcast_uncontrolled>
<out_rx_drop_pkts_uncontrolled>0</out_rx_drop_pkts_uncontrolled>
<out_rx_err_pkts_uncontrolled>0</out_rx_err_pkts_uncontrolled>
<out_pkts_unicast_controlled>0</out_pkts_unicast_controlled>
<out_pkts_multicast_controlled>2</out_pkts_multicast_controlled>
<out_pkts_broadcast_controlled>0</out_pkts_broadcast_controlled>
<out_rx_drop_pkts_controlled>0</out_rx_drop_pkts_controlled>
<out_rx_err_pkts_controlled>0</out_rx_err_pkts_controlled>
<out_octets_uncontrolled>6806</out_octets_uncontrolled>
<out_octets_controlled>470</out_octets_controlled>
<out_octets_common>7340</out_octets_common>
<!-- The two uncontrolled output rates below are about 2.6 billion while the
     packet counters in this sample are in the tens. NOTE(review): this looks
     like a sample artefact; do not derive baselines or alert thresholds from
     these two values. -->
<output_rate_uncontrolled_pps>2598190092</output_rate_uncontrolled_pps>
<output_rate_uncontrolled_bps>2598190076</output_rate_uncontrolled_bps>
<output_rate_controlled_pps>0</output_rate_controlled_pps>
<output_rate_controlled_bps>23</output_rate_controlled_bps>
<!-- Judging by their names, the in_pkts_* counters from here to
     in_pkts_unused_sa record frames that were untagged, badly tagged, carried
     an unknown SCI, arrived late or failed validation; all are 0 in this
     sample except in_pkts_control and in_pkts_ok. NOTE(review): the page
     does not define them; confirm meanings before alerting on increases. -->
<in_pkts_transform_error>0</in_pkts_transform_error>
<in_pkts_control>40</in_pkts_control>
<in_pkts_untagged>0</in_pkts_untagged>
<in_pkts_no_tag>0</in_pkts_no_tag>
<in_pkts_badtag>0</in_pkts_badtag>
<in_pkts_no_sci>0</in_pkts_no_sci>
<in_pkts_unknown_sci>0</in_pkts_unknown_sci>
<in_pkts_tagged_ctrl>0</in_pkts_tagged_ctrl>
<out_pkts_transform_error>0</out_pkts_transform_error>
<out_pkts_control>41</out_pkts_control>
<out_pkts_untagged>0</out_pkts_untagged>
<rx_sa_an>1</rx_sa_an>
<in_pkts_unchecked>0</in_pkts_unchecked>
<in_pkts_delayed>0</in_pkts_delayed>
<in_pkts_late>0</in_pkts_late>
<in_pkts_ok>1</in_pkts_ok>
<in_pkts_invalid>0</in_pkts_invalid>
<in_pkts_not_valid>0</in_pkts_not_valid>
<in_pkts_not_using_sa>0</in_pkts_not_using_sa>
<in_pkts_unused_sa>0</in_pkts_unused_sa>
<in_octets_decrypted>223</in_octets_decrypted>
<in_octets_validated>0</in_octets_validated>
<tx_sa_an>1</tx_sa_an>
<out_pkts_encrypted_protected>1</out_pkts_encrypted_protected>
<out_pkts_too_long>0</out_pkts_too_long>
<out_pkts_sa_not_inuse>0</out_pkts_sa_not_inuse>
<out_octets_encrypted_protected>223</out_octets_encrypted_protected>
</ROW_statistics>
</TABLE_statistics>
</__readonly__>
</__XML__OPT_Cmd_some_macsec_secy_statistics___readonly__>
</__XML__INTF_ifname>
</interface>
</statistics>
</secy>
</macsec>
</show>
</nf:data>
</nf:rpc-reply>
]]>]]>
例 7:MACsec の実行コンフィギュレーション情報を表示します。
switch# show running-config macsec | xml
!Command: show running-config macsec
!Time: Fri Jan 20 07:12:34 2017
version 7.0(3)I4(6)
******************************************
This may take time. Please be patient.
******************************************
<?xml version="1.0"?>
<!-- Annotation for readers, not device output: XML printed by
     show running-config macsec | xml. Unlike the other samples on this page,
     the root element is nf:rpc wrapping nf:get-config with an nf:filter, not
     nf:rpc-reply, and the declaration carries no encoding. In the CLI output
     the declaration is preceded by banner lines (!Command, !Time, version and
     the "Please be patient" box), which a script has to skip before parsing.
     The namespace URIs embed the software version (7.0.3.I4.6), so
     namespace-qualified queries are tied to that release. -->
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="http://www.cis
co.com/nxos:7.0.3.I4.6.:configure_" xmlns:m="http://www.cisco.com/nxos:7.0.3.I4.
6.:_exec" xmlns:m1="http://www.cisco.com/nxos:7.0.3.I4.6.:configure__macsec-poli
cy" xmlns:m2="http://www.cisco.com/nxos:7.0.3.I4.6.:configure__if-eth-non-member
" message-id="1">
<nf:get-config>
<nf:source>
<nf:running/>
</nf:source>
<nf:filter>
<m:configure>
<m:terminal>
<feature>
<macsec/>
</feature>
<!-- Policy am2: each setting is an m1-prefixed element whose value sits in a
     nested __XML__PARAM__* / __XML__value pair. -->
<macsec>
<policy>
<__XML__PARAM__policy_name>
<__XML__value>am2</__XML__value>
<m1:cipher-suite>
<m1:__XML__PARAM__suite>
<m1:__XML__value>GCM-AES-XPN-256</m1:__XML__value>
</m1:__XML__PARAM__suite>
</m1:cipher-suite>
<m1:key-server-priority>
<m1:__XML__PARAM__pri>
<m1:__XML__value>0</m1:__XML__value>
</m1:__XML__PARAM__pri>
</m1:key-server-priority>
<m1:window-size>
<m1:__XML__PARAM__size>
<m1:__XML__value>512</m1:__XML__value>
</m1:__XML__PARAM__size>
</m1:window-size>
<m1:conf-offset>
<m1:__XML__PARAM__offset>
<m1:__XML__value>CONF-OFFSET-0</m1:__XML__value>
</m1:__XML__PARAM__offset>
</m1:conf-offset>
<m1:security-policy>
<m1:__XML__PARAM__policy>
<m1:__XML__value>must-secure</m1:__XML__value>
</m1:__XML__PARAM__policy>
</m1:security-policy>
<m1:sak-expiry-time>
<m1:__XML__PARAM__ts>
<m1:__XML__value>60</m1:__XML__value>
</m1:__XML__PARAM__ts>
</m1:sak-expiry-time>
</__XML__PARAM__policy_name>
</policy>
</macsec>
<!-- Per-interface bindings: each interface references the key chain (kc2) and
     the policy (am2) by name only. No key chain definition or key string
     appears anywhere in this sample. -->
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet2/1</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>kc2</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>am2</m2:__XML__value>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
<!-- The bracketed line below is an editorial marker from the documentation,
     not XML emitted by the switch; interface entries were left out here. -->
[TRUNCATED FOR READABILITY]
<interface>
<__XML__PARAM__interface>
<__XML__value>Ethernet4/31</__XML__value>
<m2:macsec>
<m2:keychain>
<m2:__XML__PARAM__keychain_name>
<m2:__XML__value>kc2</m2:__XML__value>
<m2:policy>
<m2:__XML__PARAM__policy_name>
<m2:__XML__value>am2</m2:__XML__value>
</m2:__XML__PARAM__policy_name>
</m2:policy>
</m2:__XML__PARAM__keychain_name>
</m2:keychain>
</m2:macsec>
</__XML__PARAM__interface>
</interface>
</m:terminal>
</m:configure>
</nf:filter>
</nf:get-config>
</nf:rpc>
]]>]]>