Configuring MACsec

You can configure MACsec to secure point-to-point Ethernet links between MX10003 routers fitted with MACsec-capable MICs, or Ethernet links connecting an EX9253 switch to a host device such as a PC, phone, or server. Each point-to-point Ethernet link that you want to secure with MACsec must be configured independently. You can enable MACsec on device-to-device links using static connectivity association key (CAK) security mode.

You must download a MACsec feature license to use the MACsec feature on EX9253 switches. To purchase a feature license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. To add a new license, see Managing Licenses for EX Series Switches (CLI Procedure).

In this section, an MX10003 with a JNP-MIC1-MACSEC MIC or an EX9253 with an EX9253-6Q12C-M line card is used for the Media Access Control Security (MACsec) configurations. The line card includes 12 built-in QSFP ports, which operate at 40 Gbps or 100 Gbps. You can configure 10 Gbps interfaces in port mode or PIC mode.

Customizing Time

To customize the time, disable NTP and then set the date.

  1. Disable NTP.
  2. Set the date and time. The date and time format is YYYYMMDDHHMM.ss.

Configuring MACsec on a Device Running Junos OS

To configure MACsec on a device running Junos OS:

  1. Configure the MACsec security mode as static-cak for the connectivity association.
  2. Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
  3. Set the MACsec Key Agreement (MKA) secure channel details.
  4. Enable MKA secure mode.
  5. Assign the configured connectivity association with a specified MACsec interface.

Configuring Static MACsec with ICMP Traffic

To configure Static MACsec using ICMP traffic between device R0 and device R1:

In R0:

  1. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
  2. Set the trace option values.
  3. Assign the trace to an interface.
  4. Configure the MACsec security mode as static-cak for the connectivity association.
  5. Set the MKA key server priority.
  6. Set the MKA transmit interval.
  7. Enable MKA secure mode.
  8. Assign the connectivity association to an interface.

In R1:

  1. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
  2. Set the trace option values.
  3. Assign the trace to an interface.
  4. Configure the MACsec security mode as static-cak for the connectivity association.
  5. Set the MKA transmit interval.
  6. Enable MKA secure mode.
  7. Assign the connectivity association to an interface.
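The generic procedure and the R0/R1 static-CAK steps above, written out as Junos set commands. This is an added example, not configuration from the original page: the connectivity-association name ca-r0-r1, the interface et-0/0/0, the CKN value and the transmit interval are assumed; the CAK is this page's sample value and must be replaced by a freshly generated 64-hex-digit key before use; the trace-option steps are omitted.

```junos
# R0: pre-shared key (CKN/CAK) with static-cak security mode.
# CKN is a constructed 32-hex-digit value; CAK is the sample value from this page.
set security macsec connectivity-association ca-r0-r1 security-mode static-cak
set security macsec connectivity-association ca-r0-r1 pre-shared-key ckn 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca-r0-r1 pre-shared-key cak 2345678922334455667788992223334123456789223344556677889922233341
# Lower value wins the MKA key-server election, so R0 becomes key server.
set security macsec connectivity-association ca-r0-r1 mka key-server-priority 0
# MKPDU transmit interval in milliseconds (assumed value).
set security macsec connectivity-association ca-r0-r1 mka transmit-interval 3000
# Secure the link as soon as MKA has negotiated keys.
set security macsec connectivity-association ca-r0-r1 mka should-secure
# Bind the connectivity association to the physical interface facing R1.
set security macsec interfaces et-0/0/0 connectivity-association ca-r0-r1

# R1: identical CKN/CAK; no explicit key-server priority, so R1 keeps the
# default and R0 wins the election (matching the R1 step list on this page).
set security macsec connectivity-association ca-r0-r1 security-mode static-cak
set security macsec connectivity-association ca-r0-r1 pre-shared-key ckn 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca-r0-r1 pre-shared-key cak 2345678922334455667788992223334123456789223344556677889922233341
set security macsec connectivity-association ca-r0-r1 mka transmit-interval 3000
set security macsec connectivity-association ca-r0-r1 mka should-secure
set security macsec interfaces et-0/0/0 connectivity-association ca-r0-r1
```

After committing on both sides, verify the secure channel with `show security macsec connections` and the MKA session state with `show security mka sessions` before sending the ICMP test traffic; a mismatched CKN or CAK shows up there as a session that never reaches the secured state.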

Configuring MACsec with a Keychain Using ICMP Traffic

To configure MACsec with a keychain using ICMP traffic between device R0 and device R1:

In R0:

  1. Assign a tolerance value to the authentication key chain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
    Note: The cipher suite can also be set to gcm-aes-128 (cipher-suite gcm-aes-128).

  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable MKA secure mode.
  10. Assign the connectivity association to an interface.

In R1:

  1. Assign a tolerance value to the authentication key chain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable MKA secure mode.
  10. Assign the connectivity association to an interface.

Configuring Static MACsec for Layer 2 Traffic

To configure static MACsec for Layer 2 traffic between device R0 and device R1:

In R0:

  1. Set the MKA key server priority.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable MKA secure mode.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure bridge domain.

In R1:

  1. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  2. Associate the preshared keychain name with the connectivity association.
  3. Set the trace option values.
  4. Assign the trace to an interface.
  5. Configure the MACsec security mode as static-cak for the connectivity association.
  6. Set the MKA key server priority.
  7. Set the MKA transmit interval.
  8. Enable MKA secure mode.
  9. Assign the connectivity association to an interface.
  10. Configure VLAN tagging.
  11. Configure bridge domain.

Configuring MACsec with a Keychain for Layer 2 Traffic

To configure MACsec with a keychain for Layer 2 traffic between device R0 and device R1:

In R0:

  1. Assign a tolerance value to the authentication key chain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable MKA secure mode.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure bridge domain.

In R1:

  1. Assign a tolerance value to the authentication key chain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable MKA secure mode.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure bridge domain.
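The keychain-based procedures above (both the ICMP and the Layer 2 variants) as Junos set commands, with a second key scheduled so the CAK can roll over without tearing the link down. This is an added example, not configuration from the original page: the key-chain name macsec-kc, the connectivity-association name ca-l2, the interface et-0/0/0, VLAN 100, the bridge-domain name, the CKN values, the start times and the second CAK are all constructed; the first CAK is this page's sample value and must be replaced before use; the trace-option steps are omitted. The same key chain and bridge-domain lines are committed on both R0 and R1; only the key-server priority differs.

```junos
# Key chain: each key's secret is the CAK and its key-name is the CKN
# (hex, up to 64 characters). Tolerance is the overlap window in seconds.
set security authentication-key-chains key-chain macsec-kc tolerance 20
# Key 1: CAK is this page's sample value (replace it), CKN is constructed.
set security authentication-key-chains key-chain macsec-kc key 1 secret "2345678922334455667788992223334123456789223344556677889922233341"
set security authentication-key-chains key-chain macsec-kc key 1 key-name "0123456789abcdef0123456789abcdef"
set security authentication-key-chains key-chain macsec-kc key 1 start-time "2019-05-10.00:00:00"
# Key 2: constructed CAK/CKN that take over at their start-time on both devices.
set security authentication-key-chains key-chain macsec-kc key 2 secret "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"
set security authentication-key-chains key-chain macsec-kc key 2 key-name "fedcba9876543210fedcba9876543210"
set security authentication-key-chains key-chain macsec-kc key 2 start-time "2019-06-10.00:00:00"

# Connectivity association that takes its CAK/CKN from the key chain.
set security macsec connectivity-association ca-l2 security-mode static-cak
set security macsec connectivity-association ca-l2 pre-shared-key-chain macsec-kc
# Per the note on this page, gcm-aes-128 may be used here instead.
set security macsec connectivity-association ca-l2 cipher-suite gcm-aes-256
set security macsec connectivity-association ca-l2 mka transmit-interval 3000
set security macsec connectivity-association ca-l2 mka should-secure
# R0 only: priority 0 wins the key-server election; R1 uses 1 (lower wins).
set security macsec connectivity-association ca-l2 mka key-server-priority 0
set security macsec interfaces et-0/0/0 connectivity-association ca-l2

# Layer 2 traffic: VLAN-tagged logical unit bridged in a bridge domain
# (the VLAN tagging and bridge domain steps above; same on both devices).
set interfaces et-0/0/0 vlan-tagging
set interfaces et-0/0/0 unit 100 encapsulation vlan-bridge
set interfaces et-0/0/0 unit 100 vlan-id 100
set bridge-domains bd100 domain-type bridge
set bridge-domains bd100 vlan-id 100
set bridge-domains bd100 interface et-0/0/0.100
```

The rollover to key 2 happens when each device's clock reaches the key's start-time, so R0 and R1 must agree on the current time within the tolerance window; that is why this page includes the step that sets the date before the keychain is configured.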