Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

cipher-suite (MACsec)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 16.2R1 for MX240, MX480, MX960, MX2020, and MX2010 routers.

Statement introduced in Junos OS Release 17.2R1 for QFX Series switches.

Statement introduced in Junos OS Release 17.3R1 for JNP-MIC1-MACSEC MIC on MX10003 routers.

Statement introduced in Junos OS Release 18.2R1 for EX Series switches.

Description

Specify the set of ciphers used to encrypt traffic on an Ethernet link that is secured with Media Access Control Security (MACsec). The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable. The configured cipher suites should be the same between MACsec peers.

MACsec utilizes the Galois/Counter Mode Advanced Encryption Standard (GCM-AES). The default cipher suite used for MACsec is GCM-AES-128, with a maximum key length of 128 bits. MACsec also supports GCM-AES-256, with a maximum key length of 256 bits.

GCM– AES– 128 and GCM– AES– 256 use a 32-bit packet number as part of the initial value that has to be unique for every packet sent with a given secure association key (SAK). When the permutations of the 32-bit packet number are exhausted, the SAK much be refreshed. The frequency of SAK refreshes can be reduced by using a cipher suite with Extended Packet Numbering (XPN), which increases the size of the packet number to 64-bits. Both GCM-AES-128 and GCM-AES-256 are available with XPN.

Note

When enabling MACsec on et interfaces, use either the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite.

Note

On EX4300-48MP switches, the XPN cipher suites are not supported on multi-rate ports.

Default

If the cipher-suite statement is not configured, the default cipher suite used for encryption is GCM-AES-128.

Options

gcm-aes-128GCM-AES-128 has a maximum key size of 128 bits.
gcm-aes-xpn-128GCM-AES-XPN-128 has a maximum key size of 128 bits and extended packet number.
gcm-aes-256GCM-AES-256 has a maximum key size of 256 bits.
gcm-aes-xpn-256GCM-AES-XPN-256 has a maximum key size of 256 bits and extended packet number.

Required Privilege Level

admin— To view this statement in the configuration.

admin-control— To add this statement to the configuration.