This page describes how to view the status of your MACsec for Cloud Interconnect circuits.
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the Cloud Interconnect connection that you want to view.
The Link circuit info section displays the following information:
Google circuit ID: the name of the link circuit.
Link state: the link's physical state, one of the following:
Active to indicate that the LACP member link is up.
LACP Detatched to indicate that the LACP member link is down.
MACsec key name: the link's MACsec status and the MACsec key used to secure the connection. The status displays one of the following:
: MACsec is operationally up and the link is encrypted.
: MACsec is operationally down and the link is unencrypted.
Receiving optical power: a status indicator and the optical light level that the physical interface detects from the remote transmitter in dBm.
Transmitting optical power: a status indicator and the optical light level that the physical interface is transmitting to the remote receiver in dBm.
Google demarc ID: the Google-assigned unique ID for the link circuit.
Click the MACsec tab. The MACsec configuration displays one of the following for your MACsec configuration:
Enabled, fail open: MACsec encryption is enabled on the link. If MACsec encryption isn't established between both ends, then the link operates without encryption.
Enabled, fail closed: MACsec encryption is enabled on the link. If MACsec encryption isn't established between both ends, then the link fails.
Disabled: MACsec encryption is disabled on the link.
gcloud
To view the status of your circuits, use the following command:
gcloud compute interconnects get-diagnostics INTERCONNECT_CONNECTION_NAME
Replace INTERCONNECT_CONNECTION_NAME
with the name of your
Cloud Interconnect connection.
The output is similar to the following; look for the bundleOperationalStatus
set to BUNDLE_OPERATIONAL_STATUS_UP
, the circuitId
lacpStatus
state
set to ACTIVE
, and the operationalStatus
set to
LINK_OPERATIONAL_STATUS_UP
:
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_STATIC
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links:
- circuitId: LOOP-0
googleDemarc: fake-local-demarc-0
lacpStatus:
googleSystemId: '00:11:22:33:44:55'
neighborSystemId: '55:44:33:22:11:00'
state: ACTIVE
macsec:
ckn: 0101010189abcdef...0123456789abcdef
operational: true
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
macAddress: 00:11:22:33:44:55
In this example, MACsec is enabled and operational on the circuit.
The following items indicate a circuit's status:
bundleOperationalStatus
: the circuit bundle's status, which is one of the following:BUNDLE_OPERATIONAL_STATUS_UP
: the circuit bundle is up.BUNDLE_OPERATIONAL_STATUS_DOWN
: the circuit bundle is down.
links.lacpStatus.state
: the circuit's link aggregation control protocol (LACP) state, which is one of the following:ACTIVE
: LACP is active.DETACHED
: LACP is inactive.
links.macsec.CKN
: the connectivity association key name (CKN) that MACsec for Cloud Interconnect is actively using for this connection.You can use
gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME
to display all the keys configured for your Cloud Interconnect connection. For more information, see Get MACsec keys.If you have more than one key configured, then the key with the latest start time is selected as the active key. Google's edge routers reject any new MACsec sessions that attempt to use the older keys.
links.macsec.operational
: the MACsec status of the circuits, which is one of the following:true
: MACsec is operational on this circuit.false
: MACsec is not operational on this circuit.
links.operationalStatus
: the MACsec status of the link, which is one of the following:LINK_OPERATIONAL_STATUS_UP
: the Cloud Interconnect connection is operationally up.LINK_OPERATIONAL_STATUS_DOWN
: the Cloud Interconnect connection is operationally down.
The following sections demonstrate examples of MACsec for Cloud Interconnect states and how they look in the output for the Google Cloud CLI and the Google Cloud console.
MACsec enabled and operational
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the Cloud Interconnect connection that you want to view. The following items indicate that MACsec is enabled and operational. The links are passing traffic:
Link state: displays
Active for all links.MACsec key name: displays
for all links. The MACsec key name is listed after each connection.
Click the MACsec tab. The following items indicate that MACsec is configured and operational:
MACsec configuration: displays one of Enabled, fail opened or Enabled, fail closed.
Pre-shared keys: displays Active, in use for at least one key's Key status.
gcloud
The output is similar to the following; look for the
bundleOperationalStatus
set to BUNDLE_OPERATIONAL_STATUS_UP
, the
circuitId
lacpStatus
state
set to ACTIVE
, and the
operationalStatus
set to LINK_OPERATIONAL_STATUS_UP
:
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_STATIC
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links:
- circuitId: LOOP-0
googleDemarc: fake-local-demarc-0
lacpStatus:
googleSystemId: '00:11:22:33:44:55'
neighborSystemId: '55:44:33:22:11:00'
state: ACTIVE
macsec:
ckn: 0101010189abcdef...0123456789abcdef
operational: true
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
macAddress: 00:11:22:33:44:55
In the example, the following items indicate that MACsec is enabled and operational. The link is passing traffic:
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links.lacpStatus.state: ACTIVE
links.macsec.ckn: 0101010189abcdef...0123456789abcdef
links.macsec.operational: true
links.operationalStatus: LINK_OPERATIONAL_STATUS_UP
MACsec enabled, not operational, and fail-open off
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the Cloud Interconnect connection that you want to view. The following items indicate that MACsec is disabled and non-operational. The links are not passing traffic:
Link state: displays
LACP Detached for all links.MACsec key name: displays
for all links. The MACsec key name is listed after each connection.
Click the MACsec tab. The following items indicate that MACsec is configured and not operational:
MACsec configuration: displays Down.
Pre-shared keys: displays Active, in use for at least one key's Key status.
gcloud
The output is similar to the following; look for the bundleOperationalStatus
set to BUNDLE_OPERATIONAL_STATUS_DOWN
, the circuitId
lacpStatus
state
set to DETACHED
, and the operationalStatus
set to
LINK_OPERATIONAL_STATUS_UP
::
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_LACP
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_DOWN
links:
- circuitId: LOOP-0
googleDemarc: fake-local-demarc-0
lacpStatus:
googleSystemId: '00:11:22:33:44:55'
neighborSystemId: '55:44:33:22:11:00'
state: DETACHED
macsec:
ckn: 0101010189abcdef...0123456789abcdef
operational: false
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
macAddress: 00:11:22:33:44:55
In the example, links.macsec indicates that MACsec is enabled. The following items indicate that MACsec is not operational and that the link is not passing traffic:
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_DOWN
links.lacpStatus.state: DETACHED
links.macsec.ckn: 0101010189abcdef...0123456789abcdef
links.macsec.operational: false
links.operationalStatus: LINK_OPERATIONAL_STATUS_UP
In this case, Google can't establish a MACsec session. Therefore
links.macsec.operational
is false
. Because MACsec is a lower-level Layer 2
security protocol, all packets for higher-level protocols are dropped,
including LACP. This results in bundleOperationalStatus
being set to
BUNDLE_OPERATIONAL_STATUS_DOWN
and links.lacpStatus.state
being set to
DETACHED
.
However, MACsec doesn't affect the status of the physical link; therefore,
links.operationalStatus
remains LINK_OPERATIONAL_STATUS_UP
when MACsec is
down as long as the physical layer is operational.
MACsec enabled, not all links operational, and fail-open off
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the Cloud Interconnect connection that you want to view. The following items indicate that MACsec is enabled, not all links are operational, and that some links are passing traffic:
Link state: displays
LACP Detached for one or more links, and Active for at least one link.MACsec key name: displays
MACsec on this link is down for one or more links, and MACsec on this link is up for at least one link. The MACsec key name is listed after each connection.
Click the MACsec tab. The following items indicate that MACsec is configured and not operational:
MACsec configuration: displays Enabled, fail closed.
Pre-shared keys: displays Active, in use for at least one key's Key status.
gcloud
The output is similar to the following; look for bundleOperationalStatus
set to BUNDLE_OPERATIONAL_STATUS_UP
, circuitId lacpStatus state
set to ACTIVE
, operationalStatus
set to LINK_OPERATIONAL_STATUS_UP
,
circuitId lacpStatus state
set to DETACHED
, and
operationalStatus
set to LINK_OPERATIONAL_STATUS_UP
:
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_LACP
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links:
- circuitId: LOOP-0
googleDemarc: fake-local-demarc-0
lacpStatus:
googleSystemId: '00:11:22:33:44:55'
neighborSystemId: '55:44:33:22:11:00'
state: ACTIVE
macsec:
ckn: 0101010189abcdef...0123456789abcdef
operational: true
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
- circuitId: LOOP-1
googleDemarc: fake-local-demarc-1
lacpStatus:
googleSystemId: '00:11:22:33:44:66'
neighborSystemId: '66:44:33:22:11:00'
state: DETACHED
macsec:
ckn: 0101010189abcdef...0123456789abcdef
operational: false
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
macAddress: 00:11:22:33:44:55
In the example, the following items indicate that MACsec is enabled and operational. The circuit is passing traffic, but only on one of the two links displayed:
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links.circuitId: LOOP-0:
links.lacpStatus.state: ACTIVE
links.macsec.ckn: 0101010189abcdef...0123456789abcdef
links.macsec.operational: true
links.operationalStatus: LINK_OPERATIONAL_STATUS_UP
links.circuitId: LOOP-1:
links.lacpStatus.state: DETACHED
links.macsec.ckn: 0101010189abcdef...0123456789abcdef
links.macsec.operational: false
links.operationalStatus: LINK_OPERATIONAL_STATUS_UP
In this case, bundleOperationalStatus
is BUNDLE_OPERATIONAL_STATUS_UP
.
Notice that links.circuitId: LOOP-0
displays that links.lacpStatus.state
is ACTIVE
and links.macsec.operational
is true
. The first link is
functioning as expected and is passing traffic.
However, notice that links.circuitId: LOOP-1
displays that
links.lacpStatus.state
is DETACHED
and links.macsec.operational
is
false
. The second link is not functioning as expected and is not passing
traffic.
However, MACsec doesn't affect the status of either physical link; therefore,
both links display links.operationalStatus
as LINK_OPERATIONAL_STATUS_UP
.
This state remains even when MACsec is down for one of the links, as long as
the physical layer is operational.
MACsec enabled, not operational, and fail-open on
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the Cloud Interconnect connection that you want to view. The following items indicate that MACsec is enabled and non-operational. The links are passing traffic:
Link state: displays
Active for all links.MACsec key name: displays a
Warning for all links. The MACsec key name is listed after each connection.
Click the MACsec tab. The following items indicate that MACsec is configured and not operational:
MACsec configuration: displays Enabled, fail opened.
Pre-shared keys: displays Active for at least one key's Key status.
gcloud
The output is similar to the following:
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_LACP
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links:
- circuitId: LOOP-0
googleDemarc: fake-local-demarc-0
lacpStatus:
googleSystemId: '00:11:22:33:44:55'
neighborSystemId: '55:44:33:22:11:00'
state: ACTIVE
macsec:
ckn: 0101010189abcdef...0123456789abcdef
operational: false
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
macAddress: 00:11:22:33:44:55
In this example:
links.macsec
values indicate that MACsec is enabled.bundleOperationalStatus
displaysBUNDLE_OPERATIONAL_STATUS_UP
, which indicates that the Cloud Interconnect connection is operational.macsec.operational
displaysfalse
, which indicates that MACsec isn't operational.
To verify that the Cloud Interconnect connection is set to fail-open, run the following command:
gcloud compute interconnects describe INTERCONNECT_CONNECTION_NAME
The output is similar to the following for a link set to fail-open; look for
the macsec
section where macsecEnabled
is set to true
:
adminEnabled: true
availableFeatures:
- IF_MACSEC
circuitInfos:
- customerDemarcId: fake-peer-demarc-0
googleCircuitId: LOOP-0
googleDemarcId: fake-local-demarc-0
creationTimestamp: '2021-10-05T03:39:33.888-07:00'
customerName: Fake Company
description: something important
googleReferenceId: '123456789'
id: '12345678987654321'
interconnectAttachments:
- https://www.googleapis.com/compute/v1/projects/my-project1/regions/us-central1/interconnectAttachments/interconnect-123456-987654321-0
interconnectType: IT_PRIVATE
kind: compute#interconnect
labelFingerprint: 12H17262736_
linkType: LINK_TYPE_ETHERNET_10G_LR
location: https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnectLocations/cbf-zone2-65012
macsec:
failOpen: true
preSharedKeys:
- name: key1
startTime: 2023-07-01T21:00:01.000Z
macsecEnabled: true
name: INTERCONNECT_CONNECTION_NAME
operationalStatus: OS_ACTIVE
provisionedLinkCount: 1
requestedFeatures:
- IF_MACSEC
requestedLinkCount: 1
selfLink: https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnects/INTERCONNECT_CONNECTION_NAME
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnects/12345678987654321
state: ACTIVE
MACsec disabled
Select one of the following options:
Console
- In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the Cloud Interconnect connection that you want to view. The following items indicate that MACsec is disabled. The links aren't passing traffic:
Link state: displays
Active for all links.MACsec key name: displays a empty text and no status for all links.
Click the MACsec tab. The following items indicate that MACsec is configured and not operational:
MACsec configuration: displays Disabled.
Pre-shared keys: displays Active for at least one key's Key status.
gcloud
The output is similar to the following; look for the bundleOperationalStatus
set to BUNDLE_OPERATIONAL_STATUS_UP
, the circuitId
lacpStatus
state
set to ACTIVE
, and the operationalStatus
set to
LINK_OPERATIONAL_STATUS_UP
:
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_STATIC
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links:
- circuitId: LOOP-0
googleDemarc: fake-local-demarc-0
lacpStatus:
googleSystemId: '00:11:22:33:44:55'
neighborSystemId: '55:44:33:22:11:00'
state: ACTIVE
operationalStatus: LINK_OPERATIONAL_STATUS_UP
receivingOpticalPower:
state: OK
value: -2.49
transmittingOpticalPower:
state: OK
value: -0.88
macAddress: 00:11:22:33:44:55
In the example, the fact that links.macsec
is missing from the output
indicates that MACsec is disabled and not operational. The link is
passing unencrypted traffic.
Because MACsec is disabled, both links.macsec.ckn
and
links.macsec.operational
don't display a value.