show security mka sessions
Syntax
show security mka sessions <interface interface-name> <summary | brief | detail>
Description
Display MACsec Key Agreement (MKA) session information for all interfaces. The MKA protocol is responsible for maintaining MACsec on the link, and decides which router on the point-to-point link becomes the key server.
Options
- interface interface-name—Display the MKA session information for the specified interface only.
- summary | brief | detail—Display the specified level of output.
- none (same as brief)—Display the MKA session information for all interfaces.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security mka sessions command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description |
|---|---|
| Interface name | Name of the interface. |
| Interface state | Shows whether the interface is secured or not. If it is secured, the CAK type is also displayed. |
| Member identifier | Name of the member identifier. |
| CAK name | Name of the connectivity association key (CAK). The CAK is configured using the |
| CAK type | The CAK type: primary, fallback, or preceding. |
| Transmit interval | The transmit interval. Both ends of the point-to-point link should be configured to the same value. Default value is 2000 seconds. Possible values: 2000 through 6000 milliseconds. |
| Outbound SCI | Name of the outbound secure channel identifier. |
| Message number | Number of the last data message. |
| Key number | Key number. |
| Key server | Key server status. The router is the key server when this output is |
| Key server priority | Displays the priority of the key server. Lower value indicates higher priority. Use the |
| Latest SAK AN | Name of the latest secure association key (SAK) association number. |
| Latest SAK KI | Name of the latest secure association key (SAK) key identifier. |

| Field Name | Field Description |
|---|---|
| Member identifier | Name of the member identifier. |
| Hold time | Hold time, in seconds. |
| Message number | Number of the last data message. |
| SCI | Name of the secure channel identifier. |
| Lowest acceptable PN | Number of the lowest acceptable packet number (PN). |

| Field Name | Field Description |
|---|---|
| CAK name | Name of the connectivity association key (CAK). |
| CAK type | The CAK type: primary, fallback, or preceding. |
| Status | The CAK status: live, active, or in-progress. |
| Member identifier | Name of the member identifier. |
| Message number | Number of the last data message. |
| MKA ICV Indicator | Whether the ICV TLV is included in the MKA hello packet. If this field reads disabled, the user has configured the disable-icv-indicator option and the ICV TLV is not sent as part of the MKA hello packet. |
Sample Output
show security mka sessions
```
user@host> show security mka sessions
Member identifier: ABC09234C234245345
CAK Name: EF00132234324ABCDE2342352345DC
Send period : 2000 (ms)
Key server priority: 16
Message number: 132
Outbound SCI: 01:01:02:02:03:04/1968
Key Server: Yes
Key Server priority: 16
Latest SAK AN : 2
Latest SAK KI: ABC09090EFAA1212
Previous SAK AN: 1
Pervious SAK KI: CEE090A07FAA3223
Peer list
  1. MI: ABC09234C234245345 (Live/Potential)
     MN: 2345
     SCI: 01:02:02:02:04:04/1990
     Hold time: 6 sec
     Lowest Acceptable PN: 243235
  2. MI: ACC0926C334245341 (Potential)
     MN: 2784
     SCI: 04:02:02:02:05:04/1340
     Hold time: 6 sec
     Lowest Acceptable PN: 645236
```
show security mka sessions detail
```
user@host> show security mka sessions detail
Interface name: ge-0/0/1
  Interface state: Unsecured - Init
  Member identifier: A3A1CC9B7D79E89A877875FE
  CAK name: 3333
  CAK type: primary
  Security mode: static
  MKA suspended: 0(s)
  Transmit interval: 2000(ms)
  SAK rekey interval: 60(s)
  Preceding Key: enabled
  Bounded Delay: disabled
  Outbound SCI: F8:C1:16:C3:52:04/1
  Message number: 3
  Key number: 0
  MKA ICV Indicator: disabled
  Key server: yes
  Key server priority: 16
  Latest SAK AN: 0
  Latest SAK KI: 000000000000000000000000/0
  Previous SAK AN: 0
  Previous SAK KI: 000000000000000000000000/0
  MKA Suspend For: disabled
  MKA Suspend On Request: disabled
  CAK list: (1)
  1. CAK name: 3333
     CAK type: primary
     Status: in-progress
     Member identifier: A3A1CC9B7D79E89A877875FE
     Message number: 3
  Peer list: (1)
  1. Member identifier: E46D53B7FBF72D36F71D83F9 (potential)
     Message number: 31633
     Hold time: 5000 (ms)
     SCI: -
     Lowest acceptable PN: 0
```
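For monitoring, the detail output can be parsed and checked for links that are not yet protected. The following is an added example, not Juniper code: the function names `parse_sessions` and `findings` are hypothetical, and it assumes the CLI prints one field per line and that a secured interface's state begins with "Secured".

```python
import re

# Constructed input: fields from the page's "detail" sample, one per line (assumed layout).
SAMPLE = """\
Interface name: ge-0/0/1
  Interface state: Unsecured - Init
  CAK list: (1)
  1. CAK name: 3333
     CAK type: primary
     Status: in-progress
  Peer list: (1)
  1. Member identifier: E46D53B7FBF72D36F71D83F9 (potential)
"""

def parse_sessions(text):
    """Return one dict per interface: top-level fields plus CAK and peer entries."""
    sessions, section = [], None
    for raw in text.splitlines():
        numbered = re.match(r"\s*\d+\.\s*(.*)", raw)
        line = numbered.group(1) if numbered else raw.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Interface name":           # a new interface block starts
            sessions.append({"fields": {}, "CAK list": [], "Peer list": []})
            section = None
        if not sessions:
            continue
        cur = sessions[-1]
        if key in ("CAK list", "Peer list"):  # section header, e.g. "Peer list: (1)"
            section = key
        elif section and numbered:            # "1. ..." opens a new list entry
            cur[section].append({key: value})
        elif section and cur[section]:        # continuation of the current entry
            cur[section][-1][key] = value
        else:
            cur["fields"][key] = value
    return sessions

def findings(session):
    """Flag states in which the link is not (yet) protected by MACsec."""
    f, out = session["fields"], []
    state = f.get("Interface state", "missing")
    if not state.lower().startswith("secured"):  # assumption: secured states start "Secured"
        out.append(f"{f.get('Interface name')}: state is {state}")
    out += [f"CAK {c.get('CAK name')}: in-progress"
            for c in session["CAK list"] if c.get("Status") == "in-progress"]
    peers = (p.get("Member identifier", "") for p in session["Peer list"])
    out += [f"peer {mi}: not live" for mi in peers if "live" not in mi.lower()]
    return out
```

Run against the sample, `findings(parse_sessions(SAMPLE)[0])` reports the unsecured interface, the in-progress CAK, and the peer that is still only potential.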
Release Information
Command introduced in Junos OS Release 13.2X50-D15.