Console

1. In the Google Cloud console, go to the Cloud InterconnectPhysicalconnections tab.

   Go to Physical connections

2. Select the Cloud Interconnect connection that you want to view.

3. TheLink circuit info section displays the following information:

   1. Google circuit ID: the name of the link circuit.

   2. Link state: the link's physical state, one of the following:

      • check_circleActiveto indicate that the LACP member link is up.

      • errorLACPDetatched to indicate that the LACP member link is down.

   3. MACsec key name: the link's MACsec status and the MACsec key usedto secure the connection. The status displays one of the following:

      • check_circle: MACsec isoperationally up and the link is encrypted.

      • warning:MACsec is operationally down and the link is unencrypted.

   4. Receiving optical power: a status indicator and the opticallight level that the physical interface detects from the remotetransmitter indBm.

   5. Transmitting optical power: a status indicator and theoptical light level that the physical interface is transmitting to theremote receiver in dBm.

   6. Google demarc ID: the Google-assigned unique ID for the linkcircuit.

4. Click theMACsec tab. TheMACsec configuration displays oneof the following for your MACsec configuration:

   1. Enabled, fail open: MACsec encryption is enabled on thelink. If MACsec encryption isn't established between both ends, thenthe link operates without encryption.

   2. Enabled, fail closed: MACsec encryption is enabled on thelink. If MACsec encryption isn't established between both ends, thenthe link fails.

   3. Disabled: MACsec encryption is disabled on the link.

gcloud

To view the status of your circuits, use the following command:

gcloud compute interconnects get-diagnosticsINTERCONNECT_CONNECTION_NAME

ReplaceINTERCONNECT_CONNECTION_NAME with the name of yourCloud Interconnect connection.

The output is similar to the following; look for thebundleOperationalStatusset toBUNDLE_OPERATIONAL_STATUS_UP, thecircuitIdlacpStatusstateset toACTIVE, and theoperationalStatus set toLINK_OPERATIONAL_STATUS_UP:

bundleAggregationType:BUNDLE_AGGREGATION_TYPE_STATICbundleOperationalStatus:BUNDLE_OPERATIONAL_STATUS_UPlinks:-circuitId:LOOP-0googleDemarc:fake-local-demarc-0lacpStatus:googleSystemId:'00:11:22:33:44:55'neighborSystemId:'55:44:33:22:11:00'state:ACTIVEmacsec:ckn:0101010189abcdef...0123456789abcdefoperational:trueoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88macAddress:00:11:22:33:44:55

In this example, MACsec is enabled and operational on the circuit.

The following items indicate a circuit's status:

• bundleOperationalStatus: the circuit bundle's status, which is one ofthe following:

  • BUNDLE_OPERATIONAL_STATUS_UP: the circuit bundle is up.

  • BUNDLE_OPERATIONAL_STATUS_DOWN: the circuit bundle is down.

• links.lacpStatus.state: the circuit's link aggregation controlprotocol (LACP) state, which is one of the following:

  • ACTIVE: LACP is active.

  • DETACHED: LACP is inactive.

• links.macsec.CKN: the connectivity association key name (CKN) thatMACsec for Cloud Interconnect is actively using for this connection.

  You can usegcloud compute interconnects macsec get-configINTERCONNECT_CONNECTION_NAME to display all the keysconfigured for your Cloud Interconnect connection. For moreinformation, seeGet MACseckeys.

  If you have more than one key configured, then the key with thelatest start time is selected as the active key. Google's edge routersreject any new MACsec sessions that attempt to use the older keys.

• links.macsec.operational: the MACsec status of the circuits, which isone of the following:

  • true: MACsec is operational on this circuit.

  • false: MACsec is not operational on this circuit.

• links.operationalStatus: the MACsec status of the link, which is one ofthe following:

  • LINK_OPERATIONAL_STATUS_UP: the Cloud Interconnectconnection is operationally up.

  • LINK_OPERATIONAL_STATUS_DOWN: the Cloud Interconnectconnection is operationally down.

Console

1. In the Google Cloud console, go to the Cloud InterconnectPhysicalconnections tab.

   Go to Physical connections

2. Select the Cloud Interconnect connection that you want to view.The following items indicate that MACsec is enabled and operational. Thelinks are passing traffic:

   • Link state: displayscheck_circleActivefor all links.

   • MACsec key name: displayscheck_circlefor all links. The MACsec key name is listed after each connection.

3. Click theMACsec tab. The following items indicate that MACsec isconfigured and operational:

   • MACsec configuration: displays one ofEnabled, fail opened orEnabled, fail closed.

   • Pre-shared keys: displaysActive, in use for at least onekey'sKey status.

gcloud

The output is similar to the following; look for thebundleOperationalStatus set toBUNDLE_OPERATIONAL_STATUS_UP, thecircuitIdlacpStatusstate set toACTIVE, and theoperationalStatus set toLINK_OPERATIONAL_STATUS_UP:

bundleAggregationType:BUNDLE_AGGREGATION_TYPE_STATICbundleOperationalStatus:BUNDLE_OPERATIONAL_STATUS_UPlinks:-circuitId:LOOP-0googleDemarc:fake-local-demarc-0lacpStatus:googleSystemId:'00:11:22:33:44:55'neighborSystemId:'55:44:33:22:11:00'state:ACTIVEmacsec:ckn:0101010189abcdef...0123456789abcdefoperational:trueoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88macAddress:00:11:22:33:44:55

In the example, the following items indicate that MACsec is enabled andoperational. The link is passing traffic:

• bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
• links.lacpStatus.state: ACTIVE
• links.macsec.ckn: 0101010189abcdef...0123456789abcdef
• links.macsec.operational: true
• links.operationalStatus: LINK_OPERATIONAL_STATUS_UP

Console

1. In the Google Cloud console, go to the Cloud InterconnectPhysicalconnections tab.

   Go to Physical connections

2. Select the Cloud Interconnect connection that you want to view.The following items indicate that MACsec is disabled and non-operational.The links are not passing traffic:

   • Link state: displayserrorLACP Detached for all links.

   • MACsec key name: displayswarningfor all links. The MACsec key name is listed after each connection.

3. Click theMACsec tab. The following items indicate that MACsec isconfigured and not operational:

   • MACsec configuration: displaysDown.

   • Pre-shared keys: displaysActive, in use for at least onekey'sKey status.

gcloud

The output is similar to the following; look for thebundleOperationalStatusset toBUNDLE_OPERATIONAL_STATUS_DOWN, thecircuitIdlacpStatusstateset toDETACHED, and theoperationalStatus set toLINK_OPERATIONAL_STATUS_UP::

bundleAggregationType:BUNDLE_AGGREGATION_TYPE_LACPbundleOperationalStatus:BUNDLE_OPERATIONAL_STATUS_DOWNlinks:-circuitId:LOOP-0googleDemarc:fake-local-demarc-0lacpStatus:googleSystemId:'00:11:22:33:44:55'neighborSystemId:'55:44:33:22:11:00'state:DETACHEDmacsec:ckn:0101010189abcdef...0123456789abcdefoperational:falseoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88macAddress:00:11:22:33:44:55

In the example,links.macsec indicates that MACsec is enabled. Thefollowing items indicate that MACsec is not operational and that the link is notpassing traffic:

• bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_DOWN
• links.lacpStatus.state: DETACHED
• links.macsec.ckn: 0101010189abcdef...0123456789abcdef
• links.macsec.operational: false
• links.operationalStatus: LINK_OPERATIONAL_STATUS_UP

In this case, Google can't establish a MACsec session. Thereforelinks.macsec.operational isfalse. Because MACsec is a lower-level Layer 2security protocol, all packets for higher-level protocols are dropped,including LACP. This results inbundleOperationalStatus being set toBUNDLE_OPERATIONAL_STATUS_DOWN andlinks.lacpStatus.state being set toDETACHED.

However, MACsec doesn't affect the status of the physical link; therefore,links.operationalStatus remainsLINK_OPERATIONAL_STATUS_UP when MACsec isdown as long as the physical layer is operational.

Console

1. In the Google Cloud console, go to the Cloud InterconnectPhysicalconnections tab.

   Go to Physical connections

2. Select the Cloud Interconnect connection that you want to view.The following items indicate that MACsec is enabled, not all links areoperational, and that some links are passing traffic:

   • Link state: displayserrorLACP Detached for one or morelinks, andcheck_circleActive for at least onelink.

   • MACsec key name: displayswarningMACsec on this link is down forone or more links, andcheck_circleMACsec on this link is upfor at least one link. The MACsec key name is listed after eachconnection.

3. Click theMACsec tab. The following items indicate that MACsec isconfigured and not operational:

   • MACsec configuration: displaysEnabled, fail closed.

   • Pre-shared keys: displaysActive, in use for at least onekey'sKey status.

gcloud

The output is similar to the following; look forbundleOperationalStatusset toBUNDLE_OPERATIONAL_STATUS_UP,circuitId lacpStatus stateset toACTIVE,operationalStatus set toLINK_OPERATIONAL_STATUS_UP,circuitId lacpStatus state set toDETACHED, andoperationalStatus set toLINK_OPERATIONAL_STATUS_UP:

bundleAggregationType:BUNDLE_AGGREGATION_TYPE_LACPbundleOperationalStatus:BUNDLE_OPERATIONAL_STATUS_UPlinks:-circuitId:LOOP-0googleDemarc:fake-local-demarc-0lacpStatus:googleSystemId:'00:11:22:33:44:55'neighborSystemId:'55:44:33:22:11:00'state:ACTIVEmacsec:ckn:0101010189abcdef...0123456789abcdefoperational:trueoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88-circuitId:LOOP-1googleDemarc:fake-local-demarc-1lacpStatus:googleSystemId:'00:11:22:33:44:66'neighborSystemId:'66:44:33:22:11:00'state:DETACHEDmacsec:ckn:0101010189abcdef...0123456789abcdefoperational:falseoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88macAddress:00:11:22:33:44:55

In the example, the following items indicate that MACsec is enabled andoperational. The circuit is passing traffic, but only on one of the two linksdisplayed:

• bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
• links.circuitId: LOOP-0:
  • links.lacpStatus.state: ACTIVE
  • links.macsec.ckn: 0101010189abcdef...0123456789abcdef
  • links.macsec.operational: true
  • links.operationalStatus: LINK_OPERATIONAL_STATUS_UP
• links.circuitId: LOOP-1:
  • links.lacpStatus.state: DETACHED
  • links.macsec.ckn: 0101010189abcdef...0123456789abcdef
  • links.macsec.operational: false
  • links.operationalStatus: LINK_OPERATIONAL_STATUS_UP

In this case,bundleOperationalStatus isBUNDLE_OPERATIONAL_STATUS_UP.Notice thatlinks.circuitId: LOOP-0 displays thatlinks.lacpStatus.stateisACTIVE andlinks.macsec.operational istrue. The first link isfunctioning as expected and is passing traffic.

However, notice thatlinks.circuitId: LOOP-1 displays thatlinks.lacpStatus.state isDETACHED andlinks.macsec.operational isfalse. The second link is not functioning as expected and is not passingtraffic.

However, MACsec doesn't affect the status of either physical link; therefore,both links displaylinks.operationalStatus asLINK_OPERATIONAL_STATUS_UP.This state remains even when MACsec is down for one of the links, as long asthe physical layer is operational.

Console

1. In the Google Cloud console, go to the Cloud InterconnectPhysicalconnections tab.

   Go to Physical connections

2. Select the Cloud Interconnect connection that you want to view.The following items indicate that MACsec is enabled and non-operational.The links are passing traffic:

   • Link state: displayscheck_circleActive for all links.

   • MACsec key name: displays awarningWarning for all links. TheMACsec key name is listed after each connection.

3. Click theMACsec tab. The following items indicate that MACsec isconfigured and not operational:

   • MACsec configuration: displaysEnabled, fail opened.

   • Pre-shared keys: displaysActive for at least one key'sKey status.

gcloud

The output is similar to the following:

bundleAggregationType:BUNDLE_AGGREGATION_TYPE_LACPbundleOperationalStatus:BUNDLE_OPERATIONAL_STATUS_UPlinks:-circuitId:LOOP-0googleDemarc:fake-local-demarc-0lacpStatus:googleSystemId:'00:11:22:33:44:55'neighborSystemId:'55:44:33:22:11:00'state:ACTIVEmacsec:ckn:0101010189abcdef...0123456789abcdefoperational:falseoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88macAddress:00:11:22:33:44:55

In this example:

• links.macsec values indicate that MACsec is enabled.
• bundleOperationalStatus displaysBUNDLE_OPERATIONAL_STATUS_UP, whichindicates that the Cloud Interconnect connection is operational.
• macsec.operational displaysfalse, which indicates that MACsec isn'toperational.

To verify that the Cloud Interconnect connection is set to fail-open,run the following command:

gcloud compute interconnects describeINTERCONNECT_CONNECTION_NAME

The output is similar to the following for a link set to fail-open; look forthemacsec section wheremacsecEnabled is set totrue:

adminEnabled:trueavailableFeatures:-IF_MACSECcircuitInfos:-customerDemarcId:fake-peer-demarc-0googleCircuitId:LOOP-0googleDemarcId:fake-local-demarc-0creationTimestamp:'2021-10-05T03:39:33.888-07:00'customerName:Fake Companydescription:something importantgoogleReferenceId:'123456789'id:'12345678987654321'interconnectAttachments:-https://www.googleapis.com/compute/v1/projects/my-project1/regions/us-central1/interconnectAttachments/interconnect-123456-987654321-0interconnectType:IT_PRIVATEkind:compute#interconnectlabelFingerprint:12H17262736_linkType:LINK_TYPE_ETHERNET_10G_LRlocation:https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnectLocations/cbf-zone2-65012macsec:failOpen:truepreSharedKeys:-name:key1startTime:2023-07-01T21:00:01.000ZmacsecEnabled:truename:INTERCONNECT_CONNECTION_NAMEoperationalStatus:OS_ACTIVEprovisionedLinkCount:1requestedFeatures:-IF_MACSECrequestedLinkCount:1selfLink:https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnects/INTERCONNECT_CONNECTION_NAMEselfLinkWithId:https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnects/12345678987654321state:ACTIVE

Console

1. In the Google Cloud console, go to the Cloud InterconnectPhysical connections tab.

Go to Physical connections

1. Select the Cloud Interconnect connection that you want to view.The following items indicate that MACsec is disabled. The links aren'tpassing traffic:

   • Link state: displayscheck_circleActive for all links.

   • MACsec key name: displays a empty text and no status for alllinks.

2. Click theMACsec tab. The following items indicate that MACsec isconfigured and not operational:

   • MACsec configuration: displaysDisabled.

   • Pre-shared keys: displaysActive for at least one key'sKeystatus.

gcloud

The output is similar to the following; look for thebundleOperationalStatusset toBUNDLE_OPERATIONAL_STATUS_UP, thecircuitIdlacpStatusstateset toACTIVE, and theoperationalStatus set toLINK_OPERATIONAL_STATUS_UP:

bundleAggregationType:BUNDLE_AGGREGATION_TYPE_STATICbundleOperationalStatus:BUNDLE_OPERATIONAL_STATUS_UPlinks:-circuitId:LOOP-0googleDemarc:fake-local-demarc-0lacpStatus:googleSystemId:'00:11:22:33:44:55'neighborSystemId:'55:44:33:22:11:00'state:ACTIVEoperationalStatus:LINK_OPERATIONAL_STATUS_UPreceivingOpticalPower:state:OKvalue:-2.49transmittingOpticalPower:state:OKvalue:-0.88macAddress:00:11:22:33:44:55

In the example, the fact thatlinks.macsec is missing from the outputindicates that MACsec is disabled and not operational. The link ispassing unencrypted traffic.

Because MACsec is disabled, bothlinks.macsec.ckn andlinks.macsec.operational don't display a value.