
MACSEC - statistics

piesio.marcin
Level 1

Hi,

 

How do I read the "show macsec secy statistics" output? I mean, I am trying to understand and see what and how much traffic is sent unencrypted between peers.

 

show macsec secy statistics

Interface Ethernet1/48 MACSEC SecY Statistics:
--------------------------------------------
Interface Rx Statistics:
Unicast Uncontrolled Pkts: 1484174331
Multicast Uncontrolled Pkts: 3394935
Broadcast Uncontrolled Pkts: 18798
Uncontrolled Pkts - Rx Drop: 0
Uncontrolled Pkts - Rx Error: 0
Unicast Controlled Pkts: N/A (N9K-C93180YC-FX not supported)
Multicast Controlled Pkts: N/A (N9K-C93180YC-FX not supported)
Broadcast Controlled Pkts: N/A (N9K-C93180YC-FX not supported)
Controlled Pkts - Rx Drop: N/A (N9K-C93180YC-FX not supported)
Controlled Pkts - Rx Error: N/A (N9K-C93180YC-FX not supported)
In-Octets Uncontrolled: 364101445432 bytes
In-Octets Controlled: 261323465678 bytes
Input rate for Uncontrolled Pkts: 418 pps
Input rate for Uncontrolled Pkts: 565804 bps
Input rate for Controlled Pkts: 418 pps
Input rate for Controlled Pkts: 404678 bps

Interface Tx Statistics:
Unicast Uncontrolled Pkts: 3240957577
Multicast Uncontrolled Pkts: 17808518
Broadcast Uncontrolled Pkts: 18380
Uncontrolled Pkts - Rx Drop: 0
Uncontrolled Pkts - Rx Error: 0
Unicast Controlled Pkts: N/A (N9K-C93180YC-FX not supported)
Multicast Controlled Pkts: N/A (N9K-C93180YC-FX not supported)
Broadcast Controlled Pkts: N/A (N9K-C93180YC-FX not supported)
Controlled Pkts - Rx Drop: N/A (N9K-C93180YC-FX not supported)
Controlled Pkts - Rx Error: N/A (N9K-C93180YC-FX not supported)
Out-Octets Uncontrolled: 4163676223872 bytes
Out-Octets Controlled: 3857770722135 bytes
Out-Octets Common: 4163676223872 bytes
Output rate for Uncontrolled Pkts: 285 pps
Output rate for Uncontrolled Pkts: 1847241 bps
Output rate for Controlled Pkts: 285 pps
Output rate for Controlled Pkts: 1737228 bps

SECY Rx Statistics:
Transform Error Pkts: N/A (N9K-C93180YC-FX not supported)
Control Pkts: 2794082
Untagged Pkts: N/A (N9K-C93180YC-FX not supported)
No Tag Pkts: 7
Bad Tag Pkts: 0
No SCI Pkts: 0
Unknown SCI Pkts: 0
Tagged Control Pkts: N/A (N9K-C93180YC-FX not supported)

SECY Tx Statistics:
Transform Error Pkts: N/A (N9K-C93180YC-FX not supported)
Control Pkts: 2794071
Untagged Pkts: N/A (N9K-C93180YC-FX not supported)

SAK Rx Statistics for AN [0]:
Unchecked Pkts: 0
Delayed Pkts: 0
Late Pkts: 0
OK Pkts: 878572513
Invalid Pkts: 0
Not Valid Pkts: 0
Not-Using-SA Pkts: 0
Unused-SA Pkts: 0
Decrypted In-Octets: 196211408223 bytes
Validated In-Octets: 0 bytes

SAK Tx Statistics for AN [0]:
Encrypted Protected Pkts: 2192534561
Too Long Pkts: N/A (N9K-C93180YC-FX not supported)
SA-not-in-use Pkts: N/A (N9K-C93180YC-FX not supported)
Encrypted Protected Out-Octets: 2874951405169 bytes

 

 

My concern is that my policy says "should", not "must", hence my question on how much traffic failed to be encrypted and was sent unencrypted.

 


macsec policy 1
cipher-suite GCM-AES-256
key-server-priority 0
window-size 512
conf-offset CONF-OFFSET-0
security-policy should-secure

 

Thanks

M

1 Reply

piesio.marcin
Level 1

Can anyone help, please?