Statement introduced in Junos OS Release 16.2R1.
Specify the set of ciphers used to encrypt traffic on an Ethernet link that is secured with Media Access Control Security (MACsec). The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable. The configured cipher suites should be the same between MACsec peers.
MACsec utilizes the Galois/Counter Mode Advanced Encryption Standard (GCM-AES). The default cipher suite used for MACsec is GCM-AES-128, with a maximum key length of 128 bits. MACsec also supports GCM-AES-256, with a maximum key length of 256 bits.
GCM-AES-128 and GCM-AES-256 use a 32-bit packet number as part of the initial value, which has to be unique for every packet sent with a given secure association key (SAK). When the permutations of the 32-bit packet number are exhausted, the SAK must be refreshed. The frequency of SAK refreshes can be reduced by using a cipher suite with Extended Packet Numbering (XPN), which increases the size of the packet number to 64 bits. Both GCM-AES-128 and GCM-AES-256 are available with XPN.
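The following added example (not Juniper code) shows how the packet number enters the GCM initial value and how quickly each packet-number size is used up at a given line rate. The IV layouts are taken from IEEE 802.1AE and 802.1AEbw rather than from this page; the worst-case traffic model (minimum-size frames, SecTAG carrying an explicit SCI) and the SCI, SSCI and salt values are assumptions made for illustration.

```python
# Added example: MACsec GCM IV construction and packet-number (PN) lifetime.
WIRE_OVERHEAD = 20    # bytes: preamble + SFD (8) and inter-frame gap (12)
MACSEC_OVERHEAD = 32  # bytes: SecTAG with explicit SCI (16) + ICV (16), assumed
MIN_FRAME = 64        # bytes: minimum Ethernet frame including FCS


def iv_classic(sci: bytes, pn: int) -> bytes:
    """GCM-AES-128/256: IV = 64-bit SCI || 32-bit PN."""
    if len(sci) != 8:
        raise ValueError("SCI must be 8 bytes")
    if not 0 < pn < 2**32:
        # Reusing a PN under the same SAK would repeat a GCM IV.
        raise OverflowError("32-bit PN exhausted: a new SAK is required")
    return sci + pn.to_bytes(4, "big")


def iv_xpn(salt: bytes, ssci: bytes, pn: int) -> bytes:
    """GCM-AES-XPN-128/256: IV = 96-bit salt XOR (32-bit SSCI || 64-bit PN)."""
    if len(salt) != 12 or len(ssci) != 4:
        raise ValueError("salt must be 12 bytes and SSCI 4 bytes")
    if not 0 < pn < 2**64:
        raise OverflowError("64-bit PN exhausted: a new SAK is required")
    block = ssci + pn.to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(salt, block))


def seconds_to_exhaust(pn_bits: int, gbps: float, frame: int = MIN_FRAME) -> float:
    """Worst-case time until every PN value has been used under one SAK."""
    bits_on_wire = (frame + MACSEC_OVERHEAD + WIRE_OVERHEAD) * 8
    packets_per_second = gbps * 1e9 / bits_on_wire
    return 2**pn_bits / packets_per_second


if __name__ == "__main__":
    sci = bytes.fromhex("0011223344550001")  # constructed SCI (MAC + port id)
    print("classic IV:", iv_classic(sci, 1).hex())
    print("XPN IV:    ", iv_xpn(bytes(12), b"\x00\x00\x00\x01", 2**32).hex())
    for rate in (1, 10, 40, 100):
        short = seconds_to_exhaust(32, rate)
        years = seconds_to_exhaust(64, rate) / (365 * 24 * 3600)
        print(f"{rate:>3} Gbps: 32-bit PN lasts {short:8.1f} s, "
              f"64-bit PN lasts {years:,.0f} years")
```

Under these assumptions a 100 Gbps link sending minimum-size frames uses up a 32-bit packet number in about 40 seconds, while a 64-bit packet number lasts thousands of years.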
When enabling MACsec on et interfaces, use either the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite.
On EX4300-48MP switches, the XPN cipher suites are not supported on multi-rate ports.
If the cipher-suite statement is not configured, the default cipher suite used for encryption is GCM-AES-128.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.