must-secure (MX Series)
Statement introduced in Junos OS Release 15.1.
Specifies that all traffic travelling on the MACsec-secured link must be MACsec-secured to be forwarded onward.
When the must-secure option is enabled, all traffic received on the interface that is not MACsec-secured is dropped.
When the must-secure option is disabled, all traffic from devices that support MACsec is MACsec-secured, while traffic received from devices that do not support MACsec is forwarded through the network.
The must-secure option is particularly useful in scenarios where multiple devices, such as a phone and a PC, are accessing the network through the same Ethernet interface. If one of the devices supports MACsec while the other device does not support MACsec, the device that doesn’t support MACsec can continue to send and receive traffic over the network—provided the must-secure option is disabled—while traffic to and from the device that supports MACsec is MACsec-secured. In this scenario, traffic to the device that is not MACsec-secured must be VLAN-tagged.
By default, the must-secure option is disabled.
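With must-secure disabled, a MACsec interface still forwards traffic that is not MACsec-secured, so it is worth checking which interfaces are in that state. The following is an added example, not Juniper's code: it audits "display set" output for interfaces whose connectivity association lacks an active must-secure statement. The statement paths (security macsec connectivity-association NAME mka must-secure, security macsec interfaces INTERFACE connectivity-association NAME) and every name in the sample are assumptions, because this page does not show the hierarchy.

```python
import re

# Constructed sample of "show configuration | display set" output (not from the page).
# The statement paths are assumptions; confirm them against your Junos release.
SAMPLE_CONFIG = """\
set security macsec connectivity-association ca-uplink security-mode static-cak
set security macsec connectivity-association ca-uplink mka must-secure
set security macsec connectivity-association ca-access security-mode static-cak
set security macsec connectivity-association ca-lab mka must-secure
deactivate security macsec connectivity-association ca-lab mka must-secure
set security macsec interfaces xe-0/0/1 connectivity-association ca-uplink
set security macsec interfaces ge-0/0/5 connectivity-association ca-access
set security macsec interfaces ge-0/0/7 connectivity-association ca-lab
"""

STMT_RE = re.compile(
    r"^(set|deactivate) security macsec connectivity-association (\S+) mka must-secure$")
BIND_RE = re.compile(
    r"^set security macsec interfaces (\S+) connectivity-association (\S+)$")

def audit_must_secure(config_text):
    """Map each MACsec interface to (connectivity association, must-secure active?)."""
    enabled, deactivated, bindings = set(), set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STMT_RE.match(line)
        if m:
            # A deactivated statement is present in the config but has no effect.
            (enabled if m.group(1) == "set" else deactivated).add(m.group(2))
            continue
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    active = enabled - deactivated
    # An association without the statement falls back to the default (disabled).
    return {ifname: (ca, ca in active) for ifname, ca in bindings.items()}

def fail_open_interfaces(config_text):
    """Interfaces that still forward traffic that is not MACsec-secured."""
    return sorted(i for i, (_, on) in audit_must_secure(config_text).items() if not on)

if __name__ == "__main__":
    for ifname in fail_open_interfaces(SAMPLE_CONFIG):
        print(f"{ifname}: must-secure not active, unsecured traffic is forwarded")
```

An interface reported here may be intentional, as in the phone-and-PC scenario described above; the report is a list to review, not a list of faults.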
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.