Viewing IPSec Statistics

The following section explains the commands used to obtain IPSec statistics which can be helpful for debugging purposes.

Security Association Entries

The ACLI show security ipsec sad command displays the security association database entries that are programmed into the security processor. In the case of manual keying, the entries should match those of the running configuration. Network-interface is entered as a network interface configuration element name. Each selector is entered as the selector term, a space, and a search term for that selector; you can enter multiple selectors in one command. The command's syntax follows:

show security ipsec sad [network-interface] <brief | detail> [selectors]

Entering no selectors returns all entries for that network interface. Valid values for the selectors argument are as follows:

  • direction—Direction (IN | OUT | BOTH), Default: BOTH
  • dst-addr-prefix—Destination address prefix, Default: match any
  • dst-port—Destination port, Default: match any
  • ipsec-protocol—IPSec protocol (AH | ESP | ALL), Default: ALL
  • spi—security-policy-index, Default: match any
  • src-addr-prefix—Source address prefix, Default: match any
  • src-port—Source port, Default: match any
  • trans-proto—Transport protocol (UDP | TCP | ICMP | ALL), Default: ALL

Security Policy Entries

The show security ipsec spd command shows the security policy database entries which are programmed into the security processor. Network-interface is entered as a network interface configuration element name. The command's syntax follows:

show security ipsec spd [network-interface]

IPSec Statistics

The ACLI show commands for IPSec statistics are used to display statistical values as reported directly from the IPSec hardware. There are two versions of this command:

  • The show security ipsec statistics sad command queries a selected IPSec processor for statistics about the SAs configured on it, as located in the security association database (SAD).
  • The show security ipsec statistics gmac command queries the GMAC side of the security processor for Ethernet statistics.

Viewing Statistics for a Specific SA

The show security ipsec statistics sad command shows statistical values for a particular SA entry on the IPSec security processor. You enter a network interface configuration element name, followed by selectors; each selector is entered as the selector term, a space, and a search term for that selector. You can enter multiple selectors in one command. The command's syntax follows:

show security ipsec statistics [network-interface] sad <selectors>

Entering no selectors returns all entries for that network interface. Valid values for the selectors argument are as follows:

  • direction—Direction (IN | OUT | BOTH), Default: BOTH
  • dst-addr-prefix—Destination address prefix, Default: match any
  • dst-port—Destination port, Default: match any
  • ipsec-protocol—IPSec protocol (AH | ESP | ALL), Default: ALL
  • spi—security-policy-index, Default: match any
  • src-addr-prefix—Source address prefix, Default: match any
  • src-port—Source port, Default: match any
  • trans-proto—Transport protocol (UDP | TCP | ICMP | ALL), Default: ALL
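The following is an added example, not part of the Oracle documentation: a small Python helper that composes the show security ipsec sad and show security ipsec statistics sad command lines described in the two sections above, checking selector names and the enumerated values listed before the string is sent to the device (the interface name M00 in the usage is constructed; the SPI is assumed to be given as a decimal integer).

```python
import ipaddress

# Selector terms and the fixed value sets the documentation lists for each.
ENUM_SELECTORS = {
    "direction": ("IN", "OUT", "BOTH"),
    "ipsec-protocol": ("AH", "ESP", "ALL"),
    "trans-proto": ("UDP", "TCP", "ICMP", "ALL"),
}
PREFIX_SELECTORS = ("src-addr-prefix", "dst-addr-prefix")
PORT_SELECTORS = ("src-port", "dst-port")
ALL_SELECTORS = set(ENUM_SELECTORS) | set(PREFIX_SELECTORS) | set(PORT_SELECTORS) | {"spi"}


def _check_value(term, value):
    """Return the normalised search term for one selector, or raise ValueError."""
    if term in ENUM_SELECTORS:
        upper = str(value).upper()
        if upper not in ENUM_SELECTORS[term]:
            raise ValueError(f"{term}: expected one of {ENUM_SELECTORS[term]}, got {value!r}")
        return upper
    if term in PREFIX_SELECTORS:
        # strict=False accepts a host address as well as a prefix such as 10.0.0.0/24
        return str(ipaddress.ip_network(value, strict=False))
    if term in PORT_SELECTORS:
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"{term}: port {port} out of range")
        return str(port)
    if term == "spi":
        spi = int(value)  # assumption: SPI entered as a non-negative decimal integer
        if spi < 0:
            raise ValueError("spi must be non-negative")
        return str(spi)
    raise ValueError(f"unknown selector {term!r}; valid: {sorted(ALL_SELECTORS)}")


def format_selectors(selectors):
    """Render {term: value} as 'term value term value ...'; omitted terms keep their defaults."""
    return " ".join(f"{term} {_check_value(term, value)}" for term, value in selectors.items())


def sad_command(network_interface, detail=False, selectors=None):
    """show security ipsec sad <network-interface> <brief | detail> [selectors]"""
    parts = ["show security ipsec sad", network_interface, "detail" if detail else "brief"]
    if selectors:
        parts.append(format_selectors(selectors))
    return " ".join(parts)


def sad_statistics_command(network_interface, selectors=None):
    """show security ipsec statistics <network-interface> sad [selectors]"""
    parts = ["show security ipsec statistics", network_interface, "sad"]
    if selectors:
        parts.append(format_selectors(selectors))
    return " ".join(parts)
```

For example, sad_command("M00", detail=True, selectors={"direction": "in", "src-addr-prefix": "10.0.0.0/24"}) yields the line to type at the ACLI, and a misspelled value such as direction "UP" is rejected before it reaches the device.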

Viewing Statistics for Traffic Between the GMAC Interface and the Security Processor

The show security ipsec statistics gmac command displays statistics on traffic that moves between the GMAC interface and the security processor on a specified network interface. Network-interface is entered as a network interface configuration element name. You can display errors (error), transmit statistics (tx), receive statistics (rx), or, by pressing Enter with no keyword, all statistics for the hardware accelerator/GMAC interface. The command's syntax follows:

show security ipsec statistics [network-interface] gmac <enter | error | rx | tx>

Viewing IPSec Interface Status

The show security ipsec status command displays whether a particular interface on the Oracle Communications Session Border Controller is IPSec enabled, and the hardware status of the security processor. Network-interface is entered as a network interface configuration element name. The show security ipsec status command usage is as follows:

show security ipsec status [network-interface]