Media Access Control Security Overview
Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication on Ethernet links. MACsec enables you to secure Ethernet links between two MACsec-capable devices.You can enable MACsec on point-to-point Ethernet links using static secure association key (SAK) security mode or static connectivity association key (CAK) security mode.
When you enable MACsec using the static CAK security mode, a connectivity association key and a randomly generated secure association key are exchanged between the devices on each point-to-point Ethernet link. After the matching pre-shared keys are successfully exchanged, MACsec enables MKA protocol on the devices. The MKA protocol maintains MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.
A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). You can configure the CKN and CAK in the connectivity association and these values must match on both ends.
When you enable MACsec using static SAK security mode, you must configure the secure channels between the point-to-point Ethernet link. The secure channels are responsible for transmitting and receiving data on the MACsec-enabled link, and also responsible for transmitting SAKs across the link to enable and maintain MACsec. A typical connectivity association when MACsec is enabled using SAK security mode contains two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic. You must configure the SAK settings manually, there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.
MACsec is widely used in campus deployments to secure network traffic between endpoints and access switches. You can enable MACsec on extended ports in a Junos Fusion Enterprise topology to provide secure communication between the satellite device and connected hosts. Network Director supports MACsec configuration for a Junos Fusion Enterprise setup. You can create a profile for the MACsec configuration and assign the profiles to the extended ports of the satellite devices in a Junos Fusion Enterprise setup.
For more information about MACsec, see Understanding Media Access Control Security (MACsec).