transport-security

transport-security
+  macsec
   +  interface name string 
      +  admin-state keyword
      +  exclude-mac destination-mac string 
      +  exclude-protocols protocol keyword 
      +  interface-ref
         +  interface reference
      +  mka
         -  ca-key-name string
         -  encryption-offset keyword
         -  hello-interval number
         +  key-chain reference
         -  key-number number
         -  key-server boolean
         -  key-server-priority number
         -  latest-sak-an number
         -  latest-sak-ki binary
         -  latest-sak-lpn number
         -  member-id binary
         -  message-count number
         -  mka-peer member-id binary 
            -  key-server-priority number
            -  lowest-acceptable-pn number
            -  message-number number
            -  mka-peer-mid binary
            -  sci binary
            -  type keyword
         +  mka-policy reference
         -  oper-cipher keyword
         -  oper-state keyword
         -  outbound-sci binary
         -  previous-sak-an number
         -  previous-sak-ki binary
         -  previous-sak-lpn number
         -  statistics
            -  cak-info-missing number
            -  ckn-not-found number
            -  in-cak-mkpdu number
            -  in-mkpdu number
            -  in-mkpdu-errors
               -  bad-peer-errors number
               -  icv-verification-errors number
               -  peer-list-errors number
               -  validation-errors number
            -  in-sak-mkpdu number
            -  invalid-ckn-length number
            -  key-number-invalid number
            -  liveness-check-fail number
            -  max-peers-set-zero number
            -  new-live-peer number
            -  out-cak-mkpdu number
            -  out-mkpdu number
            -  out-mkpdu-errors
               -  pdu-invalid-number number
               -  pdu-not-quad-size number
               -  pdu-too-big number
               -  pdu-too-small number
            -  out-sak-mkpdu number
            -  parameter-not-quad-size number
            -  parameter-size-invalid number
            -  peer-same-mi number
            -  peers-removed number
            -  sak-cipher-mismatch-errors number
            -  sak-decryption-errors number
            -  sak-encryption-errors number
            -  sak-generated number
            -  sak-generation-errors number
            -  sak-hash-errors number
            -  sak-install-fail number
            -  sak-no-key-server number
            -  sak-non-live-peer number
            -  unsupported-algorithm-agility number
      -  oper-state keyword
      +  replay-protection
         +  admin-state keyword
         +  window-size number
      +  rx-must-be-encrypted boolean
      -  scsa-rx sci-rx string 
         -  delayed-packets number
         -  late-packets number
         -  not-using-sa-packets number
         -  sc-invalid number
         -  sc-octets-invalid number
         -  sc-octets-valid number
         -  sc-sak-installed-count number
         -  sc-valid number
         -  sci-rx-identifier string
         -  security-association rx-sa-an number 
            -  discarded-active number
            -  discarded-inactive number
            -  sa-invalid number
            -  sa-sak-installed boolean
            -  sa-valid number
         -  unchecked-packets number
      -  scsa-tx sci-tx string 
         -  sc-auth-only number
         -  sc-encrypted number
         -  sc-octets-auth-only number
         -  sc-octets-encrypted number
         -  sc-sak-installed-count number
         -  sci-tx-identifier string
         -  security-association tx-sa-an number 
            -  sa-auth-only number
            -  sa-encrypted number
            -  sa-sak-installed boolean
      -  statistics
         -  rx-badtag-pkts number
         -  rx-nosci-pkts number
         -  rx-overrun-packets number
         -  rx-unknownsci-pkts number
         -  rx-untagged-pkts number
         -  tx-too-long-packets number
         -  tx-untagged-pkts number
   +  mka
      +  policy name string 
         +  admin-state keyword
         +  clear-tag-mode keyword
         +  confidentiality-offset keyword
         +  eapol-destination-address string
         +  encrypt boolean
         +  hello-interval number
         +  key-server-priority number
         +  macsec-cipher-suite keyword
         +  sak-rekey-on-live-peer-loss boolean
      -  statistics
         -  in-mkpdu-errors
            -  bad-peer-errors number
            -  icv-verification-errors number
            -  peer-list-errors number
            -  validation-errors number
         -  out-mkpdu-errors
            -  pdu-invalid-number number
            -  pdu-not-quad-size number
            -  pdu-too-big number
            -  pdu-too-small number
         -  sak-cipher-mismatch-errors number
         -  sak-decryption-errors number
         -  sak-encryption-errors number
         -  sak-generation-errors number
         -  sak-hash-errors number
         -  sak-install-fail number

transport-security Descriptions

transport-security


	Description	Enclosing container for transport security
	Context	transport-security
	Tree	transport-security
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

macsec


	Description	Enter the macsec context
	Context	transport-security macsec
	Tree	macsec
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

interface name string


	Description	List of interfaces on which MACsec is enabled / available When interface is configured the entire interface is protected via macsec.
	Context	transport-security macsec interface name string
	Tree	interface
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

name string


	Description	Name of the interface being created for the MACSec
	Context	transport-security macsec interface name string
	String Length	1 to 255
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

admin-state keyword


	Description	Enable MACsec on an interface
	Context	transport-security macsec interface name string admin-state keyword
	Tree	admin-state
	Default	disable
	Options	enable disable
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

exclude-mac destination-mac string


	Description	list of destination macs to be excluded from the macsec encryption
	Context	transport-security macsec interface name string exclude-mac destination-mac string
	Tree	exclude-mac
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

destination-mac string


	Description	exclude this destination mac from encryption
	Context	transport-security macsec interface name string exclude-mac destination-mac string
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

exclude-protocols protocol keyword


	Description	protocols to be excluded from macsec
	Context	transport-security macsec interface name string exclude-protocols protocol keyword
	Tree	exclude-protocols
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

protocol keyword


	Description	exclude this protocol
	Context	transport-security macsec interface name string exclude-protocols protocol keyword
	Options	lacp LACP protocol lldp LLDP protocol cdp Cisco discovery protocol eapol-start EAP over LAN start packets efm-oam Ethernet in first mile protocol eth-cfm Connectivity fault management protocol ptp Precision Time Protocol ubfd Micro BFD protocol
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

interface-ref


	Description	Enter the interface-ref context
	Context	transport-security macsec interface name string interface-ref
	Tree	interface-ref
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

interface reference


	Description	Reference to a base interface, for example a port or LAG
	Context	transport-security macsec interface name string interface-ref interface reference
	Tree	interface
	Reference	interface name string
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

mka


	Description	Enclosing container for the MKA interface
	Context	transport-security macsec interface name string mka
	Tree	mka
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

ca-key-name string


	Description	MACsec CKN, a hexadecimal name is only valid
	Context	transport-security macsec interface name string mka ca-key-name string
	Tree	ca-key-name
	String Length	2 to 64
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

encryption-offset keyword


	Description	Indicates the operational encryption offset used for the datapath PDUs when all parties in the CA have the SAK. This value is specified by the key server
	Context	transport-security macsec interface name string mka encryption-offset keyword
	Tree	encryption-offset
	Options	0-bytes No octets are sent unencrypted 30-bytes 30 octects are sent unencrypted 50-bytes 50 octects are sent unencrypted
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

hello-interval number


	Description	MKA hello interval, the intervals are 1000 ms up to 6000 ms
	Context	transport-security macsec interface name string mka hello-interval number
	Tree	hello-interval
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-chain reference


	Description	Enter the key-chain context
	Context	transport-security macsec interface name string mka key-chain reference
	Tree	key-chain
	Reference	system authentication keychain name string
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-number number


	Description	Indicates the number of the currently assigned CAK When a new CAK is generated, this number is incremented.
	Context	transport-security macsec interface name string mka key-number number
	Tree	key-number
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-server boolean


	Description	Indicates whether this server is the highest priority server in the peer group
	Context	transport-security macsec interface name string mka key-server boolean
	Tree	key-server
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-server-priority number


	Description	Indicates the priority of local server
	Context	transport-security macsec interface name string mka key-server-priority number
	Tree	key-server-priority
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

latest-sak-an number


	Description	Indicates the Association Number (AN) of the latest Secure Association Key (SAK) This number is concatenated with an SCI to identify a Secure Association (SA).
	Context	transport-security macsec interface name string mka latest-sak-an number
	Tree	latest-sak-an
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

latest-sak-ki binary


	Description	Indicates the Key Identifier (KI) of the latest SAK This number is derived from the MI of the key server and the key number.
	Context	transport-security macsec interface name string mka latest-sak-ki binary
	Tree	latest-sak-ki
	String Length	16
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

latest-sak-lpn number


	Description	Indicates Lowest Acceptable Packet Number of the latest Security Association Key (SAK)
	Context	transport-security macsec interface name string mka latest-sak-lpn number
	Tree	latest-sak-lpn
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

member-id binary


	Description	Indicates the Member Identifier (MI) for the MKA instance
	Context	transport-security macsec interface name string mka member-id binary
	Tree	member-id
	String Length	12
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

message-count number


	Description	Indicates the current count of MKA messages that is attached to MKA PDUs
	Context	transport-security macsec interface name string mka message-count number
	Tree	message-count
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

mka-peer member-id binary


	Description	List of MKA peers.
	Context	transport-security macsec interface name string mka mka-peer member-id binary
	Tree	mka-peer
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

member-id binary


	Description	Specifies the MI of the peer entry
	Context	transport-security macsec interface name string mka mka-peer member-id binary
	String Length	12
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-server-priority number


	Description	Indicates the priority of this MKA peer
	Context	transport-security macsec interface name string mka mka-peer member-id binary key-server-priority number
	Tree	key-server-priority
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

lowest-acceptable-pn number


	Description	Indicates the lowest acceptable packet number of this MKA peer
	Context	transport-security macsec interface name string mka mka-peer member-id binary lowest-acceptable-pn number
	Tree	lowest-acceptable-pn
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

message-number number


	Description	Indicates the latest message Number of the peer entry
	Context	transport-security macsec interface name string mka mka-peer member-id binary message-number number
	Tree	message-number
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

mka-peer-mid binary


	Description	Specifies the MI of the peer entry
	Context	transport-security macsec interface name string mka mka-peer member-id binary mka-peer-mid binary
	Tree	mka-peer-mid
	String Length	12
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sci binary


	Description	Indicates the SCI information of this peer list entry
	Context	transport-security macsec interface name string mka mka-peer member-id binary sci binary
	Tree	sci
	String Length	8
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

type keyword


	Description	Indicates the type of the peer entry
	Context	transport-security macsec interface name string mka mka-peer member-id binary type keyword
	Tree	type
	Options	live-peer-list These peer entry is in the Live Peer List potential-peer-list These peer entry is in the Potential Peer List
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

mka-policy reference


	Description	Apply MKA policy on the interface
	Context	transport-security macsec interface name string mka mka-policy reference
	Tree	mka-policy
	Reference	transport-security macsec mka policy name string
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

oper-cipher keyword


	Description	Indicates the operational encryption algorithm used for datapath PDUs when all parties in the CA have the SAK. This value is specified by the key server
	Context	transport-security macsec interface name string mka oper-cipher keyword
	Tree	oper-cipher
	Options	gcm-aes-128 gcm-aes-128 Cipher Suite gcm-aes-256 gcm-aes-256 Cipher Suite gcm-aes-xpn-128 gcm-aes-xpn-128 Cipher Suite gcm-aes-xpn-256 gcm-aes-xpn-256 Cipher Suite
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

oper-state keyword


	Description	The operational state of the mka instance
	Context	transport-security macsec interface name string mka oper-state keyword
	Tree	oper-state
	Options	up Component or process is operational down Component or process is not operational empty Component slot is empty downloading Component is downloading image into memory booting Component is booting downloaded image starting Component image operational, application processes starting failed Component or process has failed synchronizing Component is currently being synchronized upgrading Component is currently being upgraded low-power Component is offline due to insufficient system power degraded Component or process is in a degraded state warm-reboot Component or process is currently warm rebooting This state is set during a warm reboot immediately following initiation of the reboot, continuing after startup until the system has completed audit. In this state the system will not accept configuration changes. waiting Component or process is currently waiting This state can be set by event handler when the reinvoke-with-delay action is used, and indicates that the event handler is waiting for the provided delay before reinvoking the instance.
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

outbound-sci binary


	Description	Indicates the Secure Channel Identifier (SCI) information for transmitting MACsec frames
	Context	transport-security macsec interface name string mka outbound-sci binary
	Tree	outbound-sci
	String Length	8
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

previous-sak-an number


	Description	Indicates the Association Number (AN) of the previous Security Association key (SAK) This number is concatenated with an SCI to identify an Secure Association SA.
	Context	transport-security macsec interface name string mka previous-sak-an number
	Tree	previous-sak-an
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

previous-sak-ki binary


	Description	Indicates the Key Identifier (KI) of the previous SAK This number is derived from the Member Identifier (MI) of the key server and the key number.
	Context	transport-security macsec interface name string mka previous-sak-ki binary
	Tree	previous-sak-ki
	String Length	16
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

previous-sak-lpn number


	Description	Indicates Lowest Acceptable Packet Number of the previous Security Association Key (SAK)
	Context	transport-security macsec interface name string mka previous-sak-lpn number
	Tree	previous-sak-lpn
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

statistics


	Description	MKA interface counters
	Context	transport-security macsec interface name string mka statistics
	Tree	statistics
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

cak-info-missing number


	Description	Indicates the number of times internal CAK data is not available for the generation of the SAK.
	Context	transport-security macsec interface name string mka statistics cak-info-missing number
	Tree	cak-info-missing
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

ckn-not-found number


	Description	Indicates the number of MKPDUs received with a CKN that does not match the CA configured for the port.
	Context	transport-security macsec interface name string mka statistics ckn-not-found number
	Tree	ckn-not-found
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

in-cak-mkpdu number


	Description	Validated MKPDU received CAK count
	Context	transport-security macsec interface name string mka statistics in-cak-mkpdu number
	Tree	in-cak-mkpdu
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

in-mkpdu number


	Description	Validated MKPDU received count
	Context	transport-security macsec interface name string mka statistics in-mkpdu number
	Tree	in-mkpdu
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

in-mkpdu-errors


	Description	Enter the in-mkpdu-errors context
	Context	transport-security macsec interface name string mka statistics in-mkpdu-errors
	Tree	in-mkpdu-errors
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

bad-peer-errors number


	Description	MKPDU RX bad peer message number error count
	Context	transport-security macsec interface name string mka statistics in-mkpdu-errors bad-peer-errors number
	Tree	bad-peer-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

icv-verification-errors number


	Description	MKPDU RX ICV verification error count
	Context	transport-security macsec interface name string mka statistics in-mkpdu-errors icv-verification-errors number
	Tree	icv-verification-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

peer-list-errors number


	Description	MKPDU RX non-recent peer list Message Number error count
	Context	transport-security macsec interface name string mka statistics in-mkpdu-errors peer-list-errors number
	Tree	peer-list-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

validation-errors number


	Description	MKPDU RX validation error count
	Context	transport-security macsec interface name string mka statistics in-mkpdu-errors validation-errors number
	Tree	validation-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

in-sak-mkpdu number


	Description	Validated and installed MKPDU received SAK count
	Context	transport-security macsec interface name string mka statistics in-sak-mkpdu number
	Tree	in-sak-mkpdu
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

invalid-ckn-length number


	Description	Indicates the number of MKPDUs received which contain a CAK name that exceeds the maximum CAK name length.
	Context	transport-security macsec interface name string mka statistics invalid-ckn-length number
	Tree	invalid-ckn-length
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-number-invalid number


	Description	Indicates the number of SAKs received with an invalid Key Number
	Context	transport-security macsec interface name string mka statistics key-number-invalid number
	Tree	key-number-invalid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

liveness-check-fail number


	Description	Indicates the number of MKPDUs received which contain an MN that is not acceptably recent.
	Context	transport-security macsec interface name string mka statistics liveness-check-fail number
	Tree	liveness-check-fail
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

max-peers-set-zero number


	Description	Indicates the number of SecY SAK installations that have failed Failed due to the max peer entry being set to 0.
	Context	transport-security macsec interface name string mka statistics max-peers-set-zero number
	Tree	max-peers-set-zero
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

new-live-peer number


	Description	Indicates the number of validated peers that have been added to the live peer list.
	Context	transport-security macsec interface name string mka statistics new-live-peer number
	Tree	new-live-peer
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

out-cak-mkpdu number


	Description	MKPDU CAK sent count
	Context	transport-security macsec interface name string mka statistics out-cak-mkpdu number
	Tree	out-cak-mkpdu
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

out-mkpdu number


	Description	MKPDU sent count
	Context	transport-security macsec interface name string mka statistics out-mkpdu number
	Tree	out-mkpdu
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

out-mkpdu-errors


	Description	Enter the out-mkpdu-errors context
	Context	transport-security macsec interface name string mka statistics out-mkpdu-errors
	Tree	out-mkpdu-errors
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-invalid-number number


	Description	MKPDU TX error count
	Context	transport-security macsec interface name string mka statistics out-mkpdu-errors pdu-invalid-number number
	Tree	pdu-invalid-number
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-not-quad-size number


	Description	MKPDU TX error count
	Context	transport-security macsec interface name string mka statistics out-mkpdu-errors pdu-not-quad-size number
	Tree	pdu-not-quad-size
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-too-big number


	Description	MKPDU TX error count
	Context	transport-security macsec interface name string mka statistics out-mkpdu-errors pdu-too-big number
	Tree	pdu-too-big
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-too-small number


	Description	MKPDU TX error count
	Context	transport-security macsec interface name string mka statistics out-mkpdu-errors pdu-too-small number
	Tree	pdu-too-small
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

out-sak-mkpdu number


	Description	Validated and installed MKPDU transmit SAK count
	Context	transport-security macsec interface name string mka statistics out-sak-mkpdu number
	Tree	out-sak-mkpdu
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

parameter-not-quad-size number


	Description	Indicates the number of MKPDUs received which contain a parameter set that is not a multiple of 4 octets.
	Context	transport-security macsec interface name string mka statistics parameter-not-quad-size number
	Tree	parameter-not-quad-size
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

parameter-size-invalid number


	Description	Indicates the number of MKPDUs received which contain a parameter set body length that exceeds the remaining length of the MKPDU.
	Context	transport-security macsec interface name string mka statistics parameter-size-invalid number
	Tree	parameter-size-invalid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

peer-same-mi number


	Description	Indicates the number of MKPDUs received which contain a peerlist with an MI entry which conflicts with the local MI.
	Context	transport-security macsec interface name string mka statistics peer-same-mi number
	Tree	peer-same-mi
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

peers-removed number


	Description	Indicates the number of peers removed from the live/potential peer Peer removed due to not receiving an MKPDU within the MKA Live Time (6.0 sec).
	Context	transport-security macsec interface name string mka statistics peers-removed number
	Tree	peers-removed
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-cipher-mismatch-errors number


	Description	MKA error SAK cipher mismatch count
	Context	transport-security macsec interface name string mka statistics sak-cipher-mismatch-errors number
	Tree	sak-cipher-mismatch-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-decryption-errors number


	Description	MKA error SAK decryption/unwrap count
	Context	transport-security macsec interface name string mka statistics sak-decryption-errors number
	Tree	sak-decryption-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-encryption-errors number


	Description	MKA error SAK encryption/wrap count
	Context	transport-security macsec interface name string mka statistics sak-encryption-errors number
	Tree	sak-encryption-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-generated number


	Description	Indicates the number of SAKs generated by this MKA instance
	Context	transport-security macsec interface name string mka statistics sak-generated number
	Tree	sak-generated
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-generation-errors number


	Description	MKA error SAK generation count
	Context	transport-security macsec interface name string mka statistics sak-generation-errors number
	Tree	sak-generation-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-hash-errors number


	Description	MKA error Hash Key generation count
	Context	transport-security macsec interface name string mka statistics sak-hash-errors number
	Tree	sak-hash-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-install-fail number


	Description	MKA error SAK cipher mismatch count
	Context	transport-security macsec interface name string mka statistics sak-install-fail number
	Tree	sak-install-fail
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-no-key-server number


	Description	Indicates the number of SAKs received from a none key server MKA participant
	Context	transport-security macsec interface name string mka statistics sak-no-key-server number
	Tree	sak-no-key-server
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-non-live-peer number


	Description	Indicates the number of SAKs received from a peer that is not a member of the Live Peers List.
	Context	transport-security macsec interface name string mka statistics sak-non-live-peer number
	Tree	sak-non-live-peer
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

unsupported-algorithm-agility number


	Description	Indicates the number of MKPDUs received which contain an unsupported Algorithm Agility value.
	Context	transport-security macsec interface name string mka statistics unsupported-algorithm-agility number
	Tree	unsupported-algorithm-agility
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

oper-state keyword


	Description	Indicates the operational state of macsec on this subinterface
	Context	transport-security macsec interface name string oper-state keyword
	Tree	oper-state
	Options	up Component or process is operational down Component or process is not operational empty Component slot is empty downloading Component is downloading image into memory booting Component is booting downloaded image starting Component image operational, application processes starting failed Component or process has failed synchronizing Component is currently being synchronized upgrading Component is currently being upgraded low-power Component is offline due to insufficient system power degraded Component or process is in a degraded state warm-reboot Component or process is currently warm rebooting This state is set during a warm reboot immediately following initiation of the reboot, continuing after startup until the system has completed audit. In this state the system will not accept configuration changes. waiting Component or process is currently waiting This state can be set by event handler when the reinvoke-with-delay action is used, and indicates that the event handler is waiting for the provided delay before reinvoking the instance.
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

replay-protection


	Description	Enter the replay-protection context
	Context	transport-security macsec interface name string replay-protection
	Tree	replay-protection
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

admin-state keyword


	Description	Enable MACsec on an interface
	Context	transport-security macsec interface name string replay-protection admin-state keyword
	Tree	admin-state
	Default	disable
	Options	enable disable
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

window-size number


	Description	MACsec window size, as defined by the number of out-of-order frames that are accepted. A value of 0 means that frames are accepted only in the correct order.
	Context	transport-security macsec interface name string replay-protection window-size number
	Tree	window-size
	Default	0
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-must-be-encrypted boolean


	Description	when true; only accept encrypted packets, If false accept a mix of encrypted and clear text packets
	Context	transport-security macsec interface name string rx-must-be-encrypted boolean
	Tree	rx-must-be-encrypted
	Default	true
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

scsa-rx sci-rx string


	Description	RX Secure Channel and Secure Association Statistics
	Context	transport-security macsec interface name string scsa-rx sci-rx string
	Tree	scsa-rx
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sci-rx string


	Description	RX Secure Channel and Secure Association Statistics
	Context	transport-security macsec interface name string scsa-rx sci-rx string
	String Length	16
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

delayed-packets number


	Description	Indicates the number of received packets with the condition that the PN of the packets is lower than the lower bound of the replay protection PN
	Context	transport-security macsec interface name string scsa-rx sci-rx string delayed-packets number
	Tree	delayed-packets
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

late-packets number


	Description	Indicates the number of received packets that have been discarded due to replay window protection on this SC
	Context	transport-security macsec interface name string scsa-rx sci-rx string late-packets number
	Tree	late-packets
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

not-using-sa-packets number


	Description	Indicates the summation of counter /macsec/rx-sa/not-using-sa-packets Information for all the SAs which belong to this SC.
	Context	transport-security macsec interface name string scsa-rx sci-rx string not-using-sa-packets number
	Tree	not-using-sa-packets
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-invalid number


	Description	Invalid Secure Channel RX Packets counter This counter reflects the number of invalid received packets in a secure channel. Indicates the summation of counter /macsec/rx-sa/not-valid-packets information for all the SAs which belong to this SC.
	Context	transport-security macsec interface name string scsa-rx sci-rx string sc-invalid number
	Tree	sc-invalid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-octets-invalid number


	Description	Invalid Secure Channel RX Packets counter This counter reflects the number of invalid received packets in a secure channel.
	Context	transport-security macsec interface name string scsa-rx sci-rx string sc-octets-invalid number
	Tree	sc-octets-invalid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-octets-valid number


	Description	Valid Secure Channel RX Packets counter This counter reflects the number of valid received packets in a secure channel. Indicates the number of octets of plain text recovered from received packets that were integrity protected and encrypted.
	Context	transport-security macsec interface name string scsa-rx sci-rx string sc-octets-valid number
	Tree	sc-octets-valid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-sak-installed-count number


	Description	Secure Channel installed RX SAKs count This counter reflects the number of SAKs that are installed in RX security channel.
	Context	transport-security macsec interface name string scsa-rx sci-rx string sc-sak-installed-count number
	Tree	sc-sak-installed-count
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-valid number


	Description	Valid Secure Channel RX Packets counter This counter reflects the number of valid received packets in a secure channel. Indicates the summation of counter /macsec/rx-sa/ok-packets information for all the SAs which belong to this SC.
	Context	transport-security macsec interface name string scsa-rx sci-rx string sc-valid number
	Tree	sc-valid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sci-rx-identifier string


	Description	Secure Channel Identifier Every Receive Channel is uniquely identified using this field.
	Context	transport-security macsec interface name string scsa-rx sci-rx string sci-rx-identifier string
	Tree	sci-rx-identifier
	String Length	16
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

security-association rx-sa-an number


	Description	Enter the receiving-sa list instance
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number
	Tree	security-association
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-sa-an number


	Description	Indicates the AN for identifying the receiving SA
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

discarded-active number


	Description	Indicates the number of not valid packets that have been discarded on this active SA.
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number discarded-active number
	Tree	discarded-active
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

discarded-inactive number


	Description	Indicates the number of received packets that have been discarded on this SA which is not currently in use.
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number discarded-inactive number
	Tree	discarded-inactive
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sa-invalid number


	Description	Invalid Secure Association RX Packets counter This counter reflects the number of integrity check fails for received packets in a secure association.
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number sa-invalid number
	Tree	sa-invalid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sa-sak-installed boolean


	Description	Secure Association (SA) RX sak installed This counter reflects if the RX SAK is installed for this SA.
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number sa-sak-installed boolean
	Tree	sa-sak-installed
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sa-valid number


	Description	Secure Association Valid RX Packets counter This counter reflects the number of packets in a secure association that passed integrity check.
	Context	transport-security macsec interface name string scsa-rx sci-rx string security-association rx-sa-an number sa-valid number
	Tree	sa-valid
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

unchecked-packets number


	Description	Indicates the number of packets that have failed the integrity check on this SC
	Context	transport-security macsec interface name string scsa-rx sci-rx string unchecked-packets number
	Tree	unchecked-packets
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

scsa-tx sci-tx string


	Description	TX Secure Channel and Secure Association Statistics
	Context	transport-security macsec interface name string scsa-tx sci-tx string
	Tree	scsa-tx
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sci-tx string


	Description	TX Secure Channel and Secure Association Statistics
	Context	transport-security macsec interface name string scsa-tx sci-tx string
	String Length	16
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-auth-only number


	Description	Secure Channel Authenticated only TX Packets counter This counter reflects the number of authenticated only transmitted packets in a secure channel.
	Context	transport-security macsec interface name string scsa-tx sci-tx string sc-auth-only number
	Tree	sc-auth-only
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-encrypted number


	Description	Secure Channel Encrypted TX Packets counter This counter reflects the number of encrypted and authenticated transmitted packets in a secure channel.
	Context	transport-security macsec interface name string scsa-tx sci-tx string sc-encrypted number
	Tree	sc-encrypted
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-octets-auth-only number


	Description	Secure Channel Authenticated only TX octets counter This counter reflects the number of authenticated only transmitted octets in a secure channel.
	Context	transport-security macsec interface name string scsa-tx sci-tx string sc-octets-auth-only number
	Tree	sc-octets-auth-only
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-octets-encrypted number


	Description	Secure Channel Encrypted TX octets counter This counter reflects the number of encrypted and authenticated transmitted octets in a secure channel.
	Context	transport-security macsec interface name string scsa-tx sci-tx string sc-octets-encrypted number
	Tree	sc-octets-encrypted
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sc-sak-installed-count number


	Description	Secure Channel installed TX SAKs count This counter reflects the number of SAKs that are installed in TX security channel.
	Context	transport-security macsec interface name string scsa-tx sci-tx string sc-sak-installed-count number
	Tree	sc-sak-installed-count
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sci-tx-identifier string


	Description	Secure Channel Identifier Every Transmit Channel is uniquely identified using this field.
	Context	transport-security macsec interface name string scsa-tx sci-tx string sci-tx-identifier string
	Tree	sci-tx-identifier
	String Length	16
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

security-association tx-sa-an number


	Description	Enter the transmitting-sa list instance
	Context	transport-security macsec interface name string scsa-tx sci-tx string security-association tx-sa-an number
	Tree	security-association
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

tx-sa-an number


	Description	Indicates the AN for identifying the transmitting SA
	Context	transport-security macsec interface name string scsa-tx sci-tx string security-association tx-sa-an number
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sa-auth-only number


	Description	Secure Association Authenticated only TX Packets counter This counter reflects the number of authenticated only, transmitted packets in a secure association.
	Context	transport-security macsec interface name string scsa-tx sci-tx string security-association tx-sa-an number sa-auth-only number
	Tree	sa-auth-only
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sa-encrypted number


	Description	Secure Association (SA) encrypted Packets counter This counter reflects the number of encrypted and authenticated transmitted packets in a secure association.
	Context	transport-security macsec interface name string scsa-tx sci-tx string security-association tx-sa-an number sa-encrypted number
	Tree	sa-encrypted
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sa-sak-installed boolean


	Description	Secure Association (SA) TX sak installed This counter reflects if the TX SAK is installed for this SA.
	Context	transport-security macsec interface name string scsa-tx sci-tx string security-association tx-sa-an number sa-sak-installed boolean
	Tree	sa-sak-installed
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

statistics


	Description	MACsec interface counters
	Context	transport-security macsec interface name string statistics
	Tree	statistics
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-badtag-pkts number


	Description	MACsec interface level Receive Bad Tag Packets counter This counter will increment if MACsec is enabled on interface and incoming packet has incorrect MACsec tag.
	Context	transport-security macsec interface name string statistics rx-badtag-pkts number
	Tree	rx-badtag-pkts
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-nosci-pkts number


	Description	MACsec interface level Receive No SCI Packets counter This counter will increment if MACsec is enabled on interface and incoming packet does not have SCI field in MACsec tag.
	Context	transport-security macsec interface name string statistics rx-nosci-pkts number
	Tree	rx-nosci-pkts
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-overrun-packets number


	Description	Indicates the number of packets discarded because the number of received packets exceeded the cryptographic performance capabilities
	Context	transport-security macsec interface name string statistics rx-overrun-packets number
	Tree	rx-overrun-packets
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-unknownsci-pkts number


	Description	MACsec interface level Receive Unknown SCI Packets counter This counter will increment if MACsec is enabled on the interface and SCI present in the MACsec tag of the incoming packet does not match any SCI present in ingress SCI table.
	Context	transport-security macsec interface name string statistics rx-unknownsci-pkts number
	Tree	rx-unknownsci-pkts
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

rx-untagged-pkts number


	Description	MACsec interface level Receive untagged Packets counter This counter will increment if MACsec is enabled on interface and the incoming packet does not have MACsec tag.
	Context	transport-security macsec interface name string statistics rx-untagged-pkts number
	Tree	rx-untagged-pkts
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

tx-too-long-packets number


	Description	Indicates the number of transmitted packets discarded because of long lenght The packet length is greater than the Maximum Transmission Unit (MTU) of the Ethernet physical interface.
	Context	transport-security macsec interface name string statistics tx-too-long-packets number
	Tree	tx-too-long-packets
	Default	0
	Units	packets
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

tx-untagged-pkts number


	Description	MACsec interface level Transmit untagged Packets counter This counter will increment if MACsec is enabled on interface and the outgoing packet is not tagged with MACsec header.
	Context	transport-security macsec interface name string statistics tx-untagged-pkts number
	Tree	tx-untagged-pkts
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

mka


	Description	The MKA
	Context	transport-security macsec mka
	Tree	mka
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

policy name string


	Description	List of MKA policies
	Context	transport-security macsec mka policy name string
	Tree	policy
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

name string


	Description	Name of the MKA policy
	Context	transport-security macsec mka policy name string
	String Length	1 to 255
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

admin-state keyword


	Description	Enable mka policy While MKA policy is enabled no policy parameters can be configured or modified.
	Context	transport-security macsec mka policy name string admin-state keyword
	Tree	admin-state
	Default	disable
	Options	enable disable
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

clear-tag-mode keyword


	Description	Specifies the number of tags that will be in clear infront of the sectag
	Context	transport-security macsec mka policy name string clear-tag-mode keyword
	Tree	clear-tag-mode
	Default	no-tag
	Options	no-tag Do not put any tags into clear single-tag Put 4 bytes after the MAC header into clear double-tag Put 8 bytes after the MAC header into clear
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

confidentiality-offset keyword


	Description	The confidentiality offset specifies a number of octets in an Ethernet frame that are sent in unencrypted and in plain-text
	Context	transport-security macsec mka policy name string confidentiality-offset keyword
	Tree	confidentiality-offset
	Default	0-bytes
	Options	0-bytes No octets are sent unencrypted 30-bytes 30 octects are sent unencrypted 50-bytes 50 octects are sent unencrypted
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

eapol-destination-address string


	Description	This command can be used to set eap over lan destination mac to a unicast mac for L2 multiple hop networks
	Context	transport-security macsec mka policy name string eapol-destination-address string
	Tree	eapol-destination-address
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

encrypt boolean


	Description	Enable or disable PDU encryption, if enabled the PDUs are encrypted and authenticated if disabled the PDU is only authenticated and not encrypted
	Context	transport-security macsec mka policy name string encrypt boolean
	Tree	encrypt
	Default	true
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

hello-interval number


	Description	MKA hello interval, the intervals are 1000 ms up to 6000 ms
	Context	transport-security macsec mka policy name string hello-interval number
	Tree	hello-interval
	Range	1000 \| 2000 \| 3000 \| 4000 \| 5000 \| 6000
	Default	2000
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

key-server-priority number


	Description	Specifies the key server priority used by the macsec Macsec Key Agreement (MKA) advertises and selects a key server. The node with the lower priority-number is selected as the key server. If the priority-number is identical on both sides of a point-to-point link, the MKA protocol selects the device with the lower MAC address as the key server
	Context	transport-security macsec mka policy name string key-server-priority number
	Tree	key-server-priority
	Default	16
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

macsec-cipher-suite keyword


	Description	Set cipher suite(s) for security association key (SAK) derivation
	Context	transport-security macsec mka policy name string macsec-cipher-suite keyword
	Tree	macsec-cipher-suite
	Options	gcm-aes-128 gcm-aes-128 Cipher Suite gcm-aes-256 gcm-aes-256 Cipher Suite gcm-aes-xpn-128 gcm-aes-xpn-128 Cipher Suite gcm-aes-xpn-256 gcm-aes-xpn-256 Cipher Suite
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-rekey-on-live-peer-loss boolean


	Description	Security association key, re-key on peer loss
	Context	transport-security macsec mka policy name string sak-rekey-on-live-peer-loss boolean
	Tree	sak-rekey-on-live-peer-loss
	Default	false
	Configurable	True
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

statistics


	Description	Operational state data for MKA
	Context	transport-security macsec mka statistics
	Tree	statistics
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

in-mkpdu-errors


	Description	Enter the in-mkpdu-errors context
	Context	transport-security macsec mka statistics in-mkpdu-errors
	Tree	in-mkpdu-errors
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

bad-peer-errors number


	Description	MKPDU RX bad peer message number error count
	Context	transport-security macsec mka statistics in-mkpdu-errors bad-peer-errors number
	Tree	bad-peer-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

icv-verification-errors number


	Description	MKPDU RX ICV verification error count
	Context	transport-security macsec mka statistics in-mkpdu-errors icv-verification-errors number
	Tree	icv-verification-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

peer-list-errors number


	Description	MKPDU RX non-recent peer list Message Number error count
	Context	transport-security macsec mka statistics in-mkpdu-errors peer-list-errors number
	Tree	peer-list-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

validation-errors number


	Description	MKPDU RX validation error count
	Context	transport-security macsec mka statistics in-mkpdu-errors validation-errors number
	Tree	validation-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

out-mkpdu-errors


	Description	Enter the out-mkpdu-errors context
	Context	transport-security macsec mka statistics out-mkpdu-errors
	Tree	out-mkpdu-errors
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-invalid-number number


	Description	MKPDU TX error count
	Context	transport-security macsec mka statistics out-mkpdu-errors pdu-invalid-number number
	Tree	pdu-invalid-number
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-not-quad-size number


	Description	MKPDU TX error count
	Context	transport-security macsec mka statistics out-mkpdu-errors pdu-not-quad-size number
	Tree	pdu-not-quad-size
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-too-big number


	Description	MKPDU TX error count
	Context	transport-security macsec mka statistics out-mkpdu-errors pdu-too-big number
	Tree	pdu-too-big
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

pdu-too-small number


	Description	MKPDU TX error count
	Context	transport-security macsec mka statistics out-mkpdu-errors pdu-too-small number
	Tree	pdu-too-small
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-cipher-mismatch-errors number


	Description	MKA error SAK cipher mismatch count
	Context	transport-security macsec mka statistics sak-cipher-mismatch-errors number
	Tree	sak-cipher-mismatch-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-decryption-errors number


	Description	MKA error SAK decryption/unwrap count
	Context	transport-security macsec mka statistics sak-decryption-errors number
	Tree	sak-decryption-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-encryption-errors number


	Description	MKA error SAK encryption/wrap count
	Context	transport-security macsec mka statistics sak-encryption-errors number
	Tree	sak-encryption-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-generation-errors number


	Description	MKA error SAK generation count
	Context	transport-security macsec mka statistics sak-generation-errors number
	Tree	sak-generation-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-hash-errors number


	Description	MKA error Hash Key generation count
	Context	transport-security macsec mka statistics sak-hash-errors number
	Tree	sak-hash-errors
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b

sak-install-fail number


	Description	MKA error SAK cipher mismatch count
	Context	transport-security macsec mka statistics sak-install-fail number
	Tree	sak-install-fail
	Default	0
	Configurable	False
	Platforms	7250 IXR-10e, 7250 IXR-6e, 7250 IXR-X1b, 7250 IXR-X3b