Configuring and Managing MACsec Profiles
From the MACsc Profile page of the Network Director UI you can create and manage MACsec profiles that specify MACsec settings for the extended ports in the aggregation device in a Junos Fusion Enterprise device. From the Manage MACsec Profile page, you can:
Create a new MACsec profile by clicking Add.
Modify an existing MACsec profile by selecting the profile and clicking Edit.
Associate a profile to the extended ports by selecting the profile and clicking Assign.
Change current assignments for a profile by selecting the profile and clicking Edit Assignment.
Delete a MACsec profile by selecting the profile and clicking Delete.
Clone an existing MACsec profile by selecting the profile and clicking Clone.
View information about a profile by selecting the profile and clicking Details.
Table 1 describes the information provided about wired MACsec profiles on the Manage MACsec Profiles page. This page lists all the MACsec profiles defined for the Junos Fusion Enterprise device, regardless of the scope you selected in the network view.
Table 1: Managing MACsec Profile Fields
Name of the profile.
Connection Association Name
Name of the MACsec connectivity association.
Description of the profile.
Static secure association key (static-SAK) security mode or static connectivity association key (static-CAK) using which you enabled MACsec on the device.
Profile assignment state. One of the following:
The username of the user who created or modified the profile.
This topic describes:
Creating a MACsec Profile
To create a MACsec profile:
- Under Views, select one of these options: Logical
View, Location View, Device View, or Custom Group View.
Do not select Dashboard View, Datacenter View, or Topology View.
- Click in the Network Director banner.
- In the Tasks pane, expand Wired, expand Profiles, and then select MACsec.
The Manage MACsec Profile page appears, displaying the list of currently configured MACsec profiles.
- Click Add to add a new profile.
The Create MACsec Profile page appears.
- Enter the MACsec settings described in Specifying Settings for a MACSsec Profile.
- Click Done.
Specifying Settings for a MACSsec Profile
Table 2 describes the MACsec Profile settings. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 2: MACsec Profile Settings
Type the name of the profile.
Type a description of the profile.
Connection Association Name
Type the name for the MACsec connectivity association.
Select the mode using which you can enable MACsec on the device. The available modes are static secure association key (static-SAK) security mode or static connectivity association key (static-CAK) security mode.
If you want to enable MACsec by using the CAK mode, configure the CAK settings specified in Table 3.
If you want to enable MACsec by using the SAK mode, configure the SAK settings specified in Table 4 for the inbound and outbound secure channels.
Table 3: CAK Settings
Connectivity Association Key Name
Type a name for the connectivity association key that you want to use for enabling MACsec.
Connectivity Association Key
Specify the key to exchange with the other end of the link on the secure channel. You must use a hexadecimal string of 32 digits.
Confirm Connectivity Association Key
Specify the connectivity association key again. If there is a mismatch (between the connectivity association keys), an error message is shown.
Enable Include Secure Channel Identifier
Enable Include Secure Channel Identifier tagging on a device that is enabling MACsec on an Ethernet link connecting to an Junos Fusion Enterprise device.
Key Server Priority
Specify the MACsec Key Agreement (MKA) server election priority number. You can specify a value between 0 and 255. The lower the number, the higher the priority.
Transmit Interval (milli sec)
Specify the transmit interval for MACsec Key Agreement (MKA) protocol data units (PDUs). The MKA transmit interval setting sets the frequency for how often the MKA PDU is sent to the directly connected device to maintain MACsec on a point-to-point Ethernet link. A lower interval increases bandwidth overhead on the link; a higher interval optimizes the MKA protocol data unit exchange process.
The default transmit interval is 2000 milliseconds
Select this option if you want to disable the MACsec encryption for a connectivity association that has MACsec already enabled on it.
Specify the offset 0, 30, or 50 for all the packets traversing the link. The default offset is 0. All traffic in the connectivity association is encrypted when encryption is enabled and an offset is not set.
When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.
When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.
You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.
Replay Window Size
Specify the size of the replay protection window.
Note: When this variable is set to 0, all packets that arrive out-of-order are dropped.
Specify the name of the protocol that should not be MACsec-secured. Options include:
Table 4: SAK Settings
Secure Channel name
Type a name for the secure channel.
Specify a MAC address on which you want to enable MACsec using static secure association key (SAK) security mode. The mac-address variables must match on the sending and receiving ends of a link to enable MACsec using static SAK security mode.
Specify the port ID number in a secure channel when enabling MACsec using static secure association key (SAK) security mode. The port IDs must match on a sending and receiving secure channel on each side of a link to enable MACsec.
After the port numbers match, MACsec is enabled for all traffic on the connection.
Select this option if you want to Enable MACsec encryption within an outbound secure channel.
Note: You can enable MACsec without enabling encryption. If a connectivity association with an outbound secure channel that has not enabled MACsec encryption is associated with an interface, traffic is forwarded across the Ethernet link in clear text. You are, therefore, able to view this unencrypted traffic when you are monitoring the link.
Specify the number of octets in an Ethernet frame that you want to send in unencrypted plain-text when encryption is enabled for MACsec.
Setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the remaining traffic. Setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the remaining traffic.
Specify the secure association keys corresponding to the secure association number. The key string is a 32-digit hexadecimal number.
Re-enter the secure association key for every secure association number. If there is a mismatch between the connectivity association key and their respective confirmation keys, an error message is shown.
What to Do Next
After you create the MACsec profile, you must assign the profile to the Junos Fusion Enterprise satellite device by using the Manage MacSec Profile page and then deploy the Device profile by using the Deploy mode.
You can assign the MACsec profile to the extended ports on Junos Fusion Enterprise Aggregation Device.
In the CAK mode, if you change the connection association key name of a deployed MACsec profile, you must re-configure the connectivity association key and the confirmation key for that profile. Similarly, in the SAK mode, if you change the inbound or outbound channel names of the deployed MACSec profiles, you must re-configure the key and the confirmation key for that profile.