Understanding Media Access Control Security (MACsec)

Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be seen on the IEEE organization website at IEEE 802.1: BRIDGING & MANAGEMENT.

Starting in Junos OS Release 18.2R1, MACsec is supported on ACX6360 routers.

How MACsec Works

MACsec provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link. Which key is matched depends on the security mode: a user-configured pre-shared key when you enable MACsec using static connectivity association key (CAK) security mode, a user-configured static secure association key when you enable MACsec using static secure association key (SAK) security mode, or a dynamic key included as part of the AAA handshake with the RADIUS server when you enable MACsec using dynamic security mode. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec. See Configuring Media Access Control Security (MACsec).

Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

MACsec can also be used to encrypt all traffic on the Ethernet link. The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable; you can enable MACsec so that the data integrity checks are performed while the data itself is still sent unencrypted (“in the clear”) over the MACsec-secured link, if desired.

MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each point-to-point Ethernet link.
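The frame layout described above (an 8-byte SecTAG header, 16 bytes when it carries the Secure Channel Identifier, and a 16-byte Integrity Check Value as the tail) can be made concrete with a small parser. The following Python is an added example written for this page; it is not Juniper code and not part of any Junos component. It splits a MACsec-protected frame into its fields, reports whether the frame is integrity-only or encrypted from the TCI E and C bits, computes the per-frame overhead (24 or 32 bytes), and applies the length sanity checks a receiver performs before the ICV is verified. The ICV itself is not computed: `build_macsec_frame` is a constructed test-frame builder that takes placeholder ICV bytes, and the MAC addresses, SCI and payload in the demo are constructed sample values. Function and class names (`SecTag`, `parse_macsec_frame`, `build_macsec_frame`) are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5  # EtherType that opens the SecTAG
ICV_LEN = 16               # 16-byte Integrity Check Value appended as the tail


@dataclass
class SecTag:
    version: int
    end_station: bool            # TCI ES bit
    sci_present: bool            # TCI SC bit: an explicit 8-byte SCI follows the PN
    single_copy_broadcast: bool  # TCI SCB bit
    encrypted: bool              # TCI E bit
    changed_text: bool           # TCI C bit
    association_number: int      # AN: which of the channel's four SAKs is in use
    short_length: int            # SL: secure-data length when under 48 bytes, else 0
    packet_number: int           # PN: 32-bit here; XPN cipher suites use 64-bit PNs
    sci: Optional[bytes]

    @property
    def header_len(self) -> int:
        # 2 (EtherType) + 1 (TCI/AN) + 1 (SL) + 4 (PN), plus 8 when the SCI is carried
        return 16 if self.sci_present else 8

    @property
    def overhead(self) -> int:
        # Bytes added to each frame: 24 without the SCI, 32 with it
        return self.header_len + ICV_LEN

    def protection_mode(self) -> str:
        if self.encrypted and self.changed_text:
            return "encrypted"
        if not self.encrypted and not self.changed_text:
            return "integrity-only"  # payload in the clear, ICV still checked
        return "invalid"             # GCM-AES sets E and C together or not at all


def parse_macsec_frame(frame: bytes) -> Tuple[bytes, bytes, SecTag, bytes, bytes]:
    """Split a MACsec-protected frame into (dst, src, tag, secure_data, icv)."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype, tci_an, sl = struct.unpack("!HBB", frame[12:16])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    if tci_an >> 7:
        raise ValueError("unsupported SecTAG version")
    if sl & 0xC0:
        raise ValueError("reserved SL bits set")
    (pn,) = struct.unpack("!I", frame[16:20])
    if pn == 0:
        raise ValueError("packet number 0 is never valid")
    sci_present = bool(tci_an & 0x20)
    offset = 28 if sci_present else 20
    if len(frame) < offset + ICV_LEN:
        raise ValueError("frame too short for the SCI it claims to carry")
    tag = SecTag(
        version=0,
        end_station=bool(tci_an & 0x40),
        sci_present=sci_present,
        single_copy_broadcast=bool(tci_an & 0x10),
        encrypted=bool(tci_an & 0x08),
        changed_text=bool(tci_an & 0x04),
        association_number=tci_an & 0x03,
        short_length=sl & 0x3F,
        packet_number=pn,
        sci=frame[20:28] if sci_present else None,
    )
    secure_data = frame[offset:len(frame) - ICV_LEN]
    icv = frame[len(frame) - ICV_LEN:]
    # A receiver cross-checks SL against the real secure-data length before the
    # frame is handed to GCM-AES for ICV verification (not performed here).
    if tag.short_length and tag.short_length != len(secure_data):
        raise ValueError("short length disagrees with secure data length")
    if not tag.short_length and len(secure_data) < 48:
        raise ValueError("short length must be set for secure data under 48 bytes")
    return dst, src, tag, secure_data, icv


def build_macsec_frame(dst, src, an, pn, payload, icv, sci=None, encrypted=True) -> bytes:
    """Constructed test frame; icv is caller-supplied placeholder bytes, not a real GCM tag."""
    tci = (0x20 if sci is not None else 0) | (0x0C if encrypted else 0) | (an & 0x03)
    sl = len(payload) if len(payload) < 48 else 0
    header = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn) + (sci or b"")
    return dst + src + header + payload + icv


if __name__ == "__main__":
    # Constructed sample addresses and payload
    dst, src = bytes.fromhex("00005e005301"), bytes.fromhex("00005e005302")
    frame = build_macsec_frame(dst, src, an=1, pn=42, payload=b"\xaa" * 64,
                               icv=b"\x00" * ICV_LEN, sci=src + b"\x00\x01")
    _, _, tag, data, _ = parse_macsec_frame(frame)
    print(tag.protection_mode(), tag.overhead, len(data))  # encrypted 32 64
```

The overhead figure is the one to carry into MTU planning: a link that always includes the SCI tag adds 32 bytes to every frame, so an interface MTU sized for the unprotected payload will fragment or drop at the MACsec boundary.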

Understanding Connectivity Associations and Secure Channels

MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.

When you are configuring MACsec using static secure association key (SAK) security mode, you must configure secure channels within a connectivity association. The secure channels are responsible for transmitting and receiving data on the MACsec-enabled link, and also responsible for transmitting SAKs across the link to enable and maintain MACsec. A single secure channel is unidirectional—it can be used to apply MACsec only to either inbound or outbound traffic. A typical connectivity association when MACsec is enabled using SAK security mode contains two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic.

When you enable MACsec using static CAK or dynamic security mode, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically-created secure channels do not have any user-configurable parameters; all configuration is done in the connectivity association outside of the secure channels.

Understanding Static Connectivity Association Key Security Mode (Security Mode for Router-to-Router Links)

When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link.

You initially establish a MACsec-secured link using a preshared key when you are using static CAK security mode to enable MACsec. A preshared key includes a connectivity association name (CKN) and a connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

The preshared keys must be configured on the endpoints of the link, and the keys must be in agreement with each other. The MACsec Key Agreement (MKA) protocol is responsible for maintaining MACsec on the link, and decides which router on the point-to-point link becomes the key server. The key server then creates an SAK that is shared only with the router at the other end of the point-to-point link, and that SAK is used to secure all data traffic traversing the link. The key server continues to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

See Configuring Media Access Control Security (MACsec) on MX Series Routers for step-by-step instructions on enabling MACsec by using static CAK security mode.

Understanding MACsec Hardware Requirements for MX Series Routers

You can configure Media Access Control Security (MACsec) on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E). Starting with Junos OS Release 16.1, you can configure MACsec on MX Series routers with the 40-port 10-Gigabit Ethernet MPC (MPC7E-10G).

Starting with Junos OS Release 17.3R2, you can configure MACsec on MX 10003 routers with the modular MIC (JNP-MIC1-MACSEC).

MACsec can also be configured on supported MX Series router interfaces when those routers are configured in a Virtual Chassis configuration. Encryption and decryption are implemented in the hardware in line-rate mode. MACsec adds a per-frame overhead of 24 through 32 bytes, the larger figure applying when the Secure Channel Identifier (SCI) tag is included. On 20-port Gigabit Ethernet MICs, the SCI tag is always included.

For more information regarding MACsec, refer to the following IEEE specifications:

  • IEEE 802.1AE-2006. Media Access Control (MAC) Security

  • IEEE 802.1X-2010. Port-Based Network Access Control. Defines the MACsec Key Agreement (MKA) protocol

Understanding MACsec Software Requirements for MX Series Routers

Following are some of the key software requirements for MACsec on MX Series Routers:

Note

A feature license is not required to configure MACsec on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E).

MACsec is supported on MX Series routers with MACsec-capable interfaces. The SCI tag is always included on MX Series routers.

MACsec supports 128-bit and 256-bit cipher suites, with and without extended packet numbering (XPN).

MACsec supports MACsec Key Agreement (MKA) protocol with Static-CAK mode using preshared keys.

MACsec supports a single connectivity-association (CA) per physical port or physical interface.

Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also regular interfaces that are not part of an interface bundle.

Starting with Junos OS Release 17.3R2, MACsec supports the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256 on MX10003 routers with the modular MIC (model number JNP-MIC1-MACSEC).

Starting in Junos OS Release 18.3R1, the MIC-MACSEC-20GE MIC provides the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256. The MIC-MACSEC-20GE MIC supports MACsec on both its twenty 1-Gigabit Ethernet SFP ports and its two 10-Gigabit Ethernet SFP+ ports in the following hardware configurations:

  • Installed directly on the MX80 and MX104 routers

  • Installed on MPC1, MPC2, MPC3, MPC2E, MPC3E, MPC2E-NG, and MPC3E-NG line cards on the MX240, MX480, and MX960 routers

Refer to Understanding Interface Naming Conventions for MIC-MACSEC-20GE and Understanding Rate Selectability for more information.

Understanding MACsec Security Modes

Understanding Static Connectivity Association Key Security Mode (Recommended Security Mode for Switch-to-Switch Links)

When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

Note

If the MACsec session is terminated due to a link failure, when the link is restored, the MKA key server elects a key server and generates a new SAK.

You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters that cannot already be configured in the connectivity association.

We recommend enabling MACsec on switch-to-switch links using static CAK security mode. Static CAK security mode ensures security by frequently refreshing to a new random security key and by sharing only the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are available only when you enable MACsec using static CAK security mode.
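Replay protection, listed above as a static-CAK-only option, is the receive-side defence against the playback attacks named at the top of this topic: each received frame's packet number (PN) is compared with the packet numbers already seen on that secure association. The following Python is an added model written for this page, not Junos code; it follows the IEEE 802.1AE receive-SA rule in which a frame is discarded when its PN is below the lowest acceptable PN (the next expected PN minus the configured replay window), and treats the Junos replay-window-size value as that window, which is an assumption about the implementation. The class and function names (`ReceiveSA`, `replay_trace`) and the packet-number sequences in the test are this example's own.

```python
class ReceiveSA:
    """Receive-side replay check for one secure association."""

    def __init__(self, replay_window: int = 0, xpn: bool = False):
        self.replay_window = replay_window
        # 32-bit PN for GCM-AES-128/256, 64-bit PN for the XPN cipher suites
        self.max_pn = (1 << 64) - 1 if xpn else (1 << 32) - 1
        self.next_pn = 1  # next expected packet number; PN 0 is never valid
        self.accepted = 0
        self.dropped = 0

    @property
    def lowest_acceptable_pn(self) -> int:
        # A window of 0 enforces strict in-order delivery; a larger window
        # tolerates reordering of that many frames on the link.
        return max(self.next_pn - self.replay_window, 1)

    def check(self, pn: int) -> bool:
        """Return True if the frame with this PN may be passed on, False if dropped."""
        if pn < 1 or pn > self.max_pn:
            self.dropped += 1
            return False
        if pn < self.lowest_acceptable_pn:
            self.dropped += 1  # replayed, or reordered beyond the window
            return False
        # MACsec keeps only the high-water mark, not a bitmap of seen PNs, so a
        # duplicate that still falls inside a non-zero window is accepted.
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        self.accepted += 1
        return True


def replay_trace(pns, replay_window: int = 0, xpn: bool = False):
    """Run a sequence of received PNs through one SA and return the accept/drop verdicts."""
    sa = ReceiveSA(replay_window, xpn)
    return [sa.check(pn) for pn in pns]


if __name__ == "__main__":
    # Constructed sequences: a duplicate PN 2 is dropped with window 0 and accepted with window 5
    print(replay_trace([1, 2, 3, 2, 4], replay_window=0))
    print(replay_trace([1, 2, 3, 2, 4], replay_window=5))
```

The design choice worth noting for detection work is in the comment: because the standard's replay check tracks only the next expected PN, a non-zero window lets a frame inside that window be delivered more than once. Counting drops per SA (the `dropped` field here) is the signal a monitoring pipeline would export; a sustained non-zero rate on a point-to-point link is either reordering the window is too small for or traffic being replayed onto the link.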

Note

The switches on each end of a MACsec-secured switch-to-switch link must either both be using Junos OS Release 14.1X53-D10 or later, or must both be using an earlier version of Junos, in order to establish a MACsec-secured connection when using static CAK security mode.

See Configuring Media Access Control Security (MACsec) for step-by-step instructions on enabling MACsec using static CAK security mode.

Understanding Dynamic Secure Association Key Security Mode (Switch-to-Host Links)

Dynamic secure association key (SAK) security mode is used to enable MACsec on a switch-to-host link.

To enable MACsec on a link connecting an endpoint device—such as a server, phone, or personal computer—to a switch, the endpoint device must support MACsec and must be running software that allows it to enable a MACsec-secured connection. When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

A secure association using dynamic secure association security mode must be configured on the switch's Ethernet interface that connects to the host in order for the switch to create a MACsec-secured connection after receiving the MKA keys from the RADIUS server.

The RADIUS server must be using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in order to support MACsec. RADIUS servers that support only other widely-used authentication frameworks, such as password-only or MD5, cannot be used to support MACsec. In order to enable MACsec on a switch to secure a connection to a host, you must be using 802.1X authentication on the RADIUS server, and MACsec must be configured in dynamic mode. MACsec is still enabled using connectivity associations when enabled on a switch-to-host link, as it is on a switch-to-switch link.

Understanding Static Secure Association Key Security Mode (Supported for Switch-to-Switch Links)

When you enable MACsec using static secure association key (SAK) security mode, one of up to two manually configured SAKs is used to secure data traffic on the point-to-point Ethernet link. All SAK names and values are configured by the user; there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

You configure SAKs within secure channels when you enable MACsec using static SAK security mode. You configure secure channels within connectivity associations. A typical connectivity association for MACsec using static SAK security mode contains two secure channels—one for inbound traffic and one for outbound traffic—that have each been configured with two manually-configured SAKs. You must attach the connectivity association with the secure channel configurations to an interface to enable MACsec using static SAK security mode.

We recommend enabling MACsec using static CAK security mode. Use static SAK security mode only if you have a compelling reason to use it instead of static CAK security mode.

See Configuring Media Access Control Security (MACsec) for step-by-step instructions on enabling MACsec using SAKs.

Understanding the Requirements to Enable MACsec on a Switch-to-Host Link

When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

The following requirements must be met in order to enable MACsec on a link connecting a host device to a switch.

The host device:

  • must support MACsec and must be running software that allows it to enable a MACsec-secured connection with the switch.

The switch:

  • must support MACsec (see Table 1).

  • must be configured into dynamic secure association key security mode.

  • must be using 802.1X authentication to communicate with the RADIUS server.

The RADIUS server:

  • must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.

    Note

    RADIUS servers that support only other widely-used authentication frameworks, such as password-only or MD5, cannot be used to support MACsec.

  • must be using 802.1X authentication.

  • can be multiple hops from the switch and the host device.

MACsec Software Image Requirements for EX Series and QFX Series Switches

Junos OS Release 16.1 and Later

For Junos OS Release 16.1 and later, you must download the standard Junos image to enable MACsec. MACsec is not supported in the limited image. See the MACsec Hardware and Software Support Summary to determine the correct release for your device.

The standard version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of this Junos OS software is strictly controlled under United States export laws. The export, import, and use of this Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring this version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

Junos OS Releases Prior to 16.1

For releases prior to Junos OS Release 16.1, you must download the controlled version of your Junos OS software to enable MACsec. MACsec support is not available in the domestic version of Junos OS software in releases prior to Junos OS Release 16.1. See the MACsec Hardware and Software Support Summary to determine the correct release for your device.

The controlled version of Junos OS software includes all features and functionality available in the domestic version of Junos OS, while also supporting MACsec. The domestic version of Junos OS software is shipped on all switches that support MACsec, so you must download and install a controlled version of Junos OS software for your switch before you can enable MACsec.

The controlled version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

MACsec Hardware and Software Support Summary

Table 1 summarizes MACsec hardware and software support for EX Series and QFX Series switches.

See Feature Explorer for a full listing of Junos OS releases and platforms that support MACsec.

Table 1: MACsec Hardware and Software Support Summary for EX Series and QFX Series Switches

Columns: Switch; MACsec-capable Interfaces; Switch-to-Switch Support Introduction; Switch-to-Host Support Introduction; Encryption.

EX3400
  MACsec-capable interfaces: 10GbE fiber interfaces and 1GbE copper interfaces.
  Switch-to-switch support introduction: 15.1X53-D50
  Switch-to-host support introduction: 15.1X53-D50
  Encryption: AES-128
  Note: MACsec is not available on the limited Junos OS image package.

EX4200
  MACsec-capable interfaces: All uplink port connections on the SFP+ MACsec uplink module.
  Switch-to-switch support introduction: 13.2X50-D15
  Switch-to-host support introduction: 14.1X53-D10
  Encryption: AES-128

EX4300
  MACsec-capable interfaces: All access and uplink ports.
  Switch-to-switch support introduction: 13.2X50-D15
  Switch-to-host support introduction: 14.1X53-D10
  Encryption: AES-128

EX4550
  MACsec-capable interfaces: All EX4550 optical interfaces that use the LC connection type. See Pluggable Transceivers Supported on EX4550 Switches.
  Switch-to-switch support introduction: 13.2X50-D15
  Switch-to-host support introduction: 14.1X53-D10
  Encryption: AES-128

EX4600
  MACsec-capable interfaces: All twenty-four fixed 1GbE SFP/10GbE SFP+ interfaces and all interfaces that support the copper Gigabit Interface Converter (GBIC). All eight SFP+ interfaces on the EX4600-EM-8F expansion module.
  Switch-to-switch support introduction: 14.1X53-D15
  Note: MACsec is not supported on EX4600 in Junos OS Release 15.1.
  Switch-to-host support introduction: Not supported
  Encryption: AES-128

EX9200
  MACsec-capable interfaces: All forty SFP interfaces on the EX9200-40F-M line card. All twenty SFP interfaces on the EX9200-20F-MIC installed in an EX9200-MPC line card. All forty SFP+ interfaces on the EX9200-40XS.
  Note: You can install up to two EX9200-20F-MIC MICs in an EX9200-MPC line card for a maximum of forty MACsec-capable interfaces.
  Switch-to-switch support introduction: 15.1R1
  Switch-to-host support introduction: 15.1R1
  Encryption: AES-128
  Note: Starting in Junos OS Release 18.2R1, AES-256 is supported on the EX9200-40XS line card.

QFX5100
  MACsec-capable interfaces: All eight SFP+ interfaces on the EX4600-EM-8F expansion module installed in a QFX5100-24Q switch.
  Switch-to-switch support introduction: 14.1X53-D15
  Note: MACsec is not supported on QFX5100-24Q switches in Junos OS Release 15.1.
  Switch-to-host support introduction: Not supported
  Encryption: AES-128

QFX10008 and QFX10016 (QFX10000-6C-DWDM line card)
  MACsec-capable interfaces: All six interfaces on the QFX10000-6C-DWDM line card.
  Switch-to-switch support introduction: 17.2R1
  Note: Static CAK mode only.
  Switch-to-host support introduction: Not supported
  Encryption: AES-128 and AES-256
  Note: When enabling MACsec on the QFX10000-6C-DWDM line card, we recommend using a cipher suite with extended packet numbering (XPN). Supported XPN cipher suites are GCM-AES-XPN-128 and GCM-AES-XPN-256.

QFX10008 and QFX10016 (QFX10000-30C-M line card)
  MACsec-capable interfaces: All 30 interfaces on the QFX10000-30C-M line card.
  Switch-to-switch support introduction: 17.4R1
  Note: Static CAK mode only.
  Switch-to-host support introduction: Not supported
  Encryption: AES-128 and AES-256
  Note: When enabling MACsec on the QFX10000-30C-M line card, we recommend using a cipher suite with extended packet numbering (XPN). Supported XPN cipher suites are GCM-AES-XPN-128 and GCM-AES-XPN-256.

Understanding MACsec in a Virtual Chassis

MACsec can be configured on supported switch interfaces when those switches are configured in a Virtual Chassis or Virtual Chassis Fabric (VCF), including when MACsec-supported interfaces are on member switches in a mixed Virtual Chassis or VCF that includes switch interfaces that do not support MACsec. MACsec, however, cannot be enabled on Virtual Chassis ports (VCPs) to secure traffic travelling between member switches in a Virtual Chassis or VCF.

Understanding the MACsec Feature License Requirement

A feature license is required to configure MACsec on EX Series and QFX Series switches, with the exception of the QFX10000-6C-DWDM and QFX10000-30C-M line cards. If the MACsec license is not installed, MACsec functionality cannot be activated.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.

The MACsec feature license is an independent feature license; the feature licenses that must be purchased to enable other groups of features on your switches cannot be purchased to enable MACsec.

MACsec Limitations

  • Spanning Tree Protocol frames of any type cannot currently be encrypted using MACsec.

  • MACsec traffic drops are expected during GRES switchover.

Configuring Media Access Control Security (MACsec)

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly-connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

You can configure MACsec to secure point-to-point Ethernet links connecting EX Series or QFX Series switches, or on Ethernet links connecting a switch to a host device such as a PC, phone, or server. Each point-to-point Ethernet link that you want to secure using MACsec must be configured independently. You can enable MACsec on switch-to-switch links using static secure association key (SAK) security mode or static connectivity association key (CAK) security mode. Both processes are provided in this document.

Best Practice

We recommend enabling MACsec using static CAK security mode on switch-to-switch links. Static CAK security mode ensures security by frequently refreshing to a new random secure association key (SAK) and by only sharing the SAK between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are only available for MACsec-secured switch-to-switch connections that are enabled using static CAK security mode.

The configuration steps for both processes are provided in this document.

Best Practice

When enabling MACsec, we recommend that you examine your interface MTU and adjust it for the MACsec overhead, which is 32 bytes.

Note

This topic pertains to switches that support MACsec. Any specifics about a particular switch are identified as such.

Acquiring and Downloading the Junos OS Software

For Junos OS Release 16.1 and later, you must download the standard Junos image to enable MACsec. MACsec is not supported in the limited image.

For releases prior to Junos OS Release 16.1, you must download the controlled version of your Junos OS software to enable MACsec. MACsec support is not available in the domestic version of Junos OS software in releases prior to Junos OS Release 15.1.

You can identify whether a software package is the standard or controlled version of Junos OS by viewing the package name. A software package for a controlled version of Junos OS is named using the following format:

A software package for a standard version of Junos OS is named using the following format:

If you are unsure which version of Junos OS is running on your switch, enter the show version command. If the JUNOS Crypto Software Suite description appears in the output, you are running the controlled version of Junos OS. If you are running a controlled version of Junos OS, enter the show system software command to display the version. The output also shows the version of all loaded software packages.

The controlled version of Junos OS software for EX Series or QFX Series switches contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

The standard version of Junos OS software for EX Series and QFX Series switches contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of this Junos OS software is strictly controlled under United States export laws. The export, import, and use of this Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring this version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

The process for installing the controlled or standard version of Junos OS software onto your switch is identical to installing any other version of Junos OS software. You must enter the request system software add statement to download the Junos OS image, and the request system reboot statement to reboot the switch to complete the upgrade procedure.

See Understanding Media Access Control Security (MACsec) for additional information on the versions of Junos OS software that are required for MACsec.

Acquiring and Downloading the MACsec Feature License

A feature license is required to configure MACsec on an EX Series or a QFX Series switch, with the exception of the QFX10000-6C-DWDM and QFX10000-30C-M line cards. If the MACsec license is not installed, MACsec functionality cannot be activated.

The MACsec feature license is an independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that must be purchased to enable some features on EX Series or QFX Series switches cannot be purchased to enable MACsec.

To purchase a software license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.

For a Virtual Chassis deployment, two MACsec license keys are recommended for redundancy—one for the device in the master role and the other for the device in the backup role.

To add one or more new MACsec license keys on the switch, follow this procedure:

  1. Add the license key or keys:
    • To add one or more license keys from a file or URL, specify the filename of the file or the URL where the key is located:

      user@switch> request system license add (filename | url)
    • To add a license key from the terminal:

      user@switch> request system license add terminal
  2. When prompted, enter the license key, separating multiple license keys with a blank line.

    If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+d to exit the license entry mode.

A MACsec feature license is installed and maintained like any other switch license. See Managing Licenses for the EX Series Switch (CLI Procedure) or Adding New Licenses (CLI Procedure) for more detailed information on configuring and managing your MACsec software license.

Configuring the PIC Mode of the MACsec-capable Interfaces (EX4200 switches only)

To configure MACsec on an EX4200 switch, you must install the SFP+ MACsec uplink module. The interfaces on the SFP+ MACsec uplink module are the only MACsec-capable interfaces available for EX4200 switches. All four ports on the uplink module are MACsec-capable.

The SFP+ MACsec uplink module provides two ports for 10-gigabit small form-factor pluggable (SFP+) transceivers when configured to operate in 10-gigabit mode or four ports for 1-gigabit small form-factor pluggable (SFP) transceivers when configured to operate in 1-gigabit mode.

The PIC mode is set to 10g, by default. You only need to perform this procedure if you want to operate your uplink in 1-gigabit mode, or if you previously set the uplink module to 1-gigabit mode and would like to return it to 10-gigabit mode.

To configure the PIC mode:

[edit chassis]

user@switch# set fpc fpc-slot-number pic 1 sfpplus pic-mode (1g | 10g)

where fpc-slot-number is the FPC slot number, pic 1 is the PIC slot number, and the (1g | 10g) option configures the MACsec capability of the four SFP+ ports on the MACsec uplink module.

The fpc-slot-number is always 0 on standalone EX4200 switches, and is the member ID of the member switch in an EX4200 Virtual Chassis.

The PIC slot number is always 1 for the uplink module port slot on an EX4200 switch, so pic 1 is always the specified PIC slot number.

The PIC mode is set to 10g by default. When the PIC mode is set to 10g, uplink ports 0 and 2 on the MACsec uplink module support MACsec at 10-Gbps speeds. Ports 1 and 3 cannot be used to send any traffic.

When the PIC mode is set to 1g, all four SFP+ ports on the MACsec uplink module support MACsec at 1-Gbps speeds.

You can enable MACsec using static connectivity association key (CAK) security mode or static secure association key (SAK) security mode on a point-to-point Ethernet link connecting switches. This procedure shows you how to configure MACsec using static CAK security mode.

Best Practice

We recommend enabling MACsec using static CAK security mode on switch-to-switch links. Static CAK security mode ensures security by frequently refreshing to a new random secure association key (SAK) and by only sharing the SAK between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are only available for MACsec-secured switch-to-switch connections that are enabled using static CAK security mode.

When you enable MACsec using static CAK security mode, a pre-shared key is exchanged between the switches on each end of the point-to-point Ethernet link. The pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

After the pre-shared keys are exchanged and verified, the MACsec Key Agreement (MKA) protocol, which enables and maintains MACsec on the link, is enabled. MKA is responsible for selecting one of the two switches on the point-to-point link as the key server. The key server then creates a randomized security key (the SAK) that is shared only with the other device over the MACsec-secured link. The randomized security key enables and maintains MACsec on the point-to-point link. The key server continues to periodically create and share a randomly created security key over the point-to-point link for as long as MACsec is enabled.

Note

If the MACsec session is terminated due to a link failure, MKA elects a key server again when the link is restored, and the key server generates a new SAK.

You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters that cannot already be configured in the connectivity association.

To configure MACsec using static CAK security mode to secure a switch-to-switch Ethernet link:

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name

    For instance, to create a connectivity association named ca1, enter:

    [edit security macsec]

    user@switch# set connectivity-association ca1
  2. Configure the MACsec security mode as static-cak for the connectivity association:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name security-mode static-cak

    For instance, to configure the MACsec security mode to static-cak on connectivity association ca1:

    [edit security macsec]

    user@switch# set connectivity-association ca1 security-mode static-cak
  3. Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK):
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name pre-shared-key ckn hexadecimal-number

    user@switch# set connectivity-association connectivity-association-name pre-shared-key cak hexadecimal-number

    A pre-shared key is exchanged between the directly connected devices to establish a MACsec-secured link. The pre-shared key includes the CKN and the CAK. The CKN is a 64-digit hexadecimal number and the CAK is a 32-digit hexadecimal number. The CKN and the CAK must match on both ends of a link to create a MACsec-secured link.

    Note

    To maximize security, we recommend configuring all 64 digits of a CKN and all 32 digits of a CAK.

    If you do not configure all 64 digits of a CKN or all 32 digits of a CAK, the remaining digits are automatically set to 0, and you receive a warning message when you commit the configuration.

    After the pre-shared keys are successfully exchanged and verified by both ends of the link, the MACsec Key Agreement (MKA) protocol is enabled and manages the secure link. The MKA protocol then elects one of the two directly connected switches as the key server. The key server then shares a random security key with the other device over the MACsec-secured point-to-point link. The key server continues to periodically create and share a random security key with the other device over the MACsec-secured point-to-point link as long as MACsec is enabled.

    To configure a CKN of 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311 and CAK of 228ef255aa23ff6729ee664acb66e91f on connectivity association ca1:

    [edit security macsec]

    user@switch# set connectivity-association ca1 pre-shared-key ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311

    user@switch# set connectivity-association ca1 pre-shared-key cak 228ef255aa23ff6729ee664acb66e91f
    Note

    MACsec is not enabled until a connectivity association is attached to an interface. See the final step of this procedure to attach a connectivity association to an interface.

  4. (Required on non-EX4300 switches when connecting to EX4300 switches only) Enable SCI tagging:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set include-sci

    You must enable SCI tagging on a switch that is enabling MACsec on an Ethernet link connecting to an EX4300 switch.

    SCI tags are automatically appended to packets leaving a MACsec-enabled interface on an EX4300 switch. This option is, therefore, not available on EX4300 switches.

    You should only use this option when enabling MACsec on a link to an EX4300 switch. SCI tags are eight octets long, so appending an SCI tag to all traffic on the link adds a significant amount of unneeded overhead.

  5. (Optional) Set the MKA key server priority:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set mka key-server-priority priority-number

    Specifies the key server priority used by the MKA protocol to select the key server. The switch with the lower priority-number is selected as the key server.

    The default priority-number is 16.

    If the key-server-priority is identical on both sides of the point-to-point link, the MKA protocol selects the interface with the lower MAC address as the key server. Therefore, if this statement is not configured in the connectivity associations at each end of a MACsec-secured point-to-point link, the interface with the lower MAC address becomes the key server.

    To change the key server priority to 0 to increase the likelihood that the current device is selected as the key server when MACsec is enabled on the interface using connectivity association ca1:

    [edit security macsec connectivity-association ca1]

    user@switch# set mka key-server-priority 0

    To change the key server priority to 255 to decrease the likelihood that the current device is selected as the key server in connectivity association ca1:

    [edit security macsec connectivity-association ca1]

    user@switch# set mka key-server-priority 255
  6. (Optional) Set the MKA transmit interval:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set mka transmit-interval interval

    The MKA transmit interval setting sets the frequency for how often the MKA protocol data unit (PDU) is sent to the directly connected device to maintain MACsec connectivity on the link. A lower interval increases bandwidth overhead on the link; a higher interval optimizes MKA protocol communication.

    The default interval is 2000 ms. We recommend increasing the interval to 6000 ms in high-traffic load environments. The transmit interval settings must be identical on both ends of the link when MACsec using static CAK security mode is enabled.

    For instance, if you wanted to increase the MKA transmit interval to 6000 milliseconds when connectivity association ca1 is attached to an interface:

    [edit security macsec connectivity-association ca1]

    user@switch# set mka transmit-interval 6000
  7. (Optional) Disable MACsec encryption:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set no-encryption

    Encryption is enabled for all traffic entering or leaving the interface when MACsec is enabled using static CAK security mode, by default.

    When encryption is disabled, traffic is forwarded across the Ethernet link in clear text. You are able to view unencrypted data in the Ethernet frame traversing the link when you are monitoring it. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure the traffic sent or received on the link has not been tampered with and does not represent a security threat.

  8. (Optional) Set an offset for all packets traversing the link:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set offset (0 | 30 | 50)

    For instance, if you wanted to set the offset to 30 in the connectivity association named ca1:

    [edit security macsec connectivity-association ca1]

    user@switch# set offset 30

    The default offset is 0. All traffic in the connectivity association is encrypted when encryption is enabled and an offset is not set.

    When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic. When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.

    You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

  9. (Optional) Enable replay protection.
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set replay-protect replay-window-size number-of-packets

    When MACsec is enabled on a link, an ID number is assigned to each packet on the MACsec-secured link.

    When replay protection is enabled, the receiving interface checks the ID number of all packets that have traversed the MACsec-secured link. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the packet is dropped by the receiving interface. For instance, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet that is assigned the ID of 1006 is dropped because it falls outside the parameters of the replay protection window.

    Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.

    Replay protection should not be enabled in cases where packets are expected to arrive out of order.

    You can require that all packets arrive in order by setting the replay window size to 0.

    To enable replay protection with a window size of five on connectivity association ca1:

    [edit security macsec connectivity-association ca1]

    user@switch# set replay-protect replay-window-size 5
  10. (Optional) Exclude a protocol from MACsec:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set exclude-protocol protocol-name

    For instance, if you did not want Link Layer Discovery Protocol (LLDP) to be secured using MACsec on connectivity association ca1:

    [edit security macsec connectivity-association ca1]

    user@switch# set exclude-protocol lldp

    When this option is enabled, MACsec is disabled for all packets of the specified protocol—in this case, LLDP—that are sent or received on the link.

  11. Assign the connectivity association to an interface:
    [edit security macsec]

    user@switch# set interfaces interface-names connectivity-association connectivity-association-name

    Assigning the connectivity association to an interface is the final configuration step to enabling MACsec on an interface.

    For instance, to assign connectivity association ca1 to interface xe-0/1/0:

    [edit security macsec]

    user@switch# set interfaces xe-0/1/0 connectivity-association ca1
    Note

    On an EX4300 uplink module, the first transceiver plugged into the uplink module determines the PIC mode, as the PIC recognizes the SFP type and programs all of the ports to be either ge- or xe-. Make sure the MACsec configuration on the interface matches the link speed for the uplink module ports.

MACsec using static CAK security mode is not enabled until a connectivity association on the opposite end of the link is also configured, and contains pre-shared keys that match on both ends of the link.
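The pre-shared key rules and the key server election described in this procedure, as an added example (this is not Junos code or output): a small pre-commit check that pads a short CKN or CAK with zeros and warns, as the commit does, verifies that the CKN, CAK and MKA transmit interval match on both ends, and predicts which end MKA elects as key server. The MAC addresses, the trailing-zero padding and all function names are assumptions; the CKN and CAK are the values used in step 3.

```python
"""Pre-commit checks for a static-CAK MACsec connectivity association.

Added example, not Junos code. Encodes the rules from the procedure above:
a CKN is 64 hex digits and a CAK 32 hex digits, shorter values are padded with 0
and produce a warning, CKN and CAK must match on both ends, the MKA transmit
interval must match, and the key server is the end with the lower
key-server-priority (default 16), the lower MAC address winning a tie.
"""
from dataclasses import dataclass, field
import re

CKN_DIGITS = 64
CAK_DIGITS = 32
DEFAULT_KEY_SERVER_PRIORITY = 16
DEFAULT_TRANSMIT_INTERVAL_MS = 2000
_HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class CaEnd:
    """One end of the link: the connectivity association and the interface it is attached to."""
    name: str
    ckn: str
    cak: str
    mac: str                     # MAC address of the interface carrying the CA
    key_server_priority: int = DEFAULT_KEY_SERVER_PRIORITY
    transmit_interval: int = DEFAULT_TRANSMIT_INTERVAL_MS
    warnings: list = field(default_factory=list)


def normalize_hex_key(value, digits, label, warnings):
    """Validate a CKN or CAK and apply the padding the procedure describes.

    Assumption: the missing digits are appended as trailing zeros.
    """
    if not _HEX.match(value):
        raise ValueError(f"{label} must be hexadecimal, got {value!r}")
    if len(value) > digits:
        raise ValueError(f"{label} is {len(value)} digits; the maximum is {digits}")
    if len(value) < digits:
        warnings.append(f"{label}: only {len(value)} of {digits} digits configured, "
                        "remaining digits set to 0")
        value = value.ljust(digits, "0")
    return value.lower()


def psk_matches(a, b):
    """MKA only starts when the CKN and CAK match on both ends of the link."""
    a_ckn = normalize_hex_key(a.ckn, CKN_DIGITS, "CKN", a.warnings)
    a_cak = normalize_hex_key(a.cak, CAK_DIGITS, "CAK", a.warnings)
    b_ckn = normalize_hex_key(b.ckn, CKN_DIGITS, "CKN", b.warnings)
    b_cak = normalize_hex_key(b.cak, CAK_DIGITS, "CAK", b.warnings)
    return a_ckn == b_ckn and a_cak == b_cak


def elect_key_server(a, b):
    """Lower key-server-priority wins; on a tie the lower MAC address wins."""
    def rank(end):
        return (end.key_server_priority, int(end.mac.replace(":", ""), 16))
    return min((a, b), key=rank)


def check_link(a, b):
    """Return the reasons MACsec would not come up (an empty list means the link should form)."""
    problems = []
    if not psk_matches(a, b):
        problems.append("pre-shared key (CKN/CAK) differs between the two ends")
    if a.transmit_interval != b.transmit_interval:
        problems.append("mka transmit-interval differs between the two ends")
    return problems


# Constructed example: the CKN and CAK are the values used in the procedure above,
# the MAC addresses are made up.
CKN = "37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311"
CAK = "228ef255aa23ff6729ee664acb66e91f"
SWITCH_A = CaEnd("ca1", CKN, CAK, "00:10:db:ff:10:01")
SWITCH_B = CaEnd("ca1", CKN, CAK, "00:10:db:ff:10:02")

if __name__ == "__main__":
    print("problems:", check_link(SWITCH_A, SWITCH_B))
    print("key server:", elect_key_server(SWITCH_A, SWITCH_B).mac)
```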

Configuring MACsec on the Switch Using Dynamic Secure Association Key Security Mode to Secure a Switch-to-Host Link

Before you begin to enable MACsec on a switch-to-host link:

  • Confirm that MACsec on switch-to-host links is supported on your switch. See Understanding Media Access Control Security (MACsec).

  • Configure a RADIUS server. The RADIUS server:

    • must be configured as the user database for 802.1X authentication.

    • Starting in Junos OS Release 15.1, the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework is required for MACsec on a switch-to-host link.

    • must have connectivity to the switch and to the host. The RADIUS server can be multiple hops from the switch or the host.

    See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.

  • Enable MACsec on the host device.

    The procedure for enabling MACsec on the host device varies by host device and is beyond the scope of this document.

To configure MACsec using dynamic security mode to secure a switch-to-host Ethernet link:

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name

    For instance, to create a connectivity association named ca-dynamic1, enter:

    [edit security macsec]

    user@switch# set connectivity-association ca-dynamic1
  2. Configure the MACsec security mode as dynamic for the connectivity association:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name security-mode dynamic

    For instance, to configure the MACsec security mode to dynamic on connectivity association ca-dynamic1:

    [edit security macsec]

    user@switch# set connectivity-association ca-dynamic1 security-mode dynamic
  3. (Optional) Configure the must-secure option:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name mka must-secure

    When the must-secure option is enabled, all traffic that is not MACsec-secured that is received on the interface is dropped.

    When the must-secure option is disabled, all traffic from devices that support MACsec is MACsec-secured, while traffic received from devices that do not support MACsec is forwarded through the network.

    The must-secure option is particularly useful in scenarios where multiple devices, such as a phone and a PC, are accessing the network through the same Ethernet interface. If one of the devices supports MACsec while the other device does not support MACsec, the device that doesn’t support MACsec can continue to send and receive traffic over the network—provided the must-secure option is disabled—while traffic to and from the device that supports MACsec is MACsec-secured. In this scenario, traffic to the device that is not MACsec-secured must be VLAN-tagged.

    The must-secure option is disabled, by default.

  4. (Required only if the host device requires SCI tagging) Enable SCI tagging:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set include-sci

    You should only use this option when connecting a switch to a host that requires SCI tags. SCI tags are eight octets long, so appending an SCI tag to all traffic on the link adds a significant amount of unneeded overhead.

  5. (Optional) Set the MKA key server priority:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set mka key-server-priority priority-number

    Specifies the key server priority used by the MKA protocol to select the key server. The switch with the lower priority-number is selected as the key server.

    The default priority-number is 16. If the key-server-priority is identical on both sides of the point-to-point link, the MKA protocol selects the interface with the lower MAC address as the key server. Therefore, if this statement is not configured in the connectivity associations at each end of a MACsec-secured point-to-point link, the interface with the lower MAC address becomes the key server.

    To change the key server priority to 0 to increase the likelihood that the current device is selected as the key server when MACsec is enabled on the interface using connectivity association ca-dynamic1:

    [edit security macsec connectivity-association ca-dynamic1]

    user@switch# set mka key-server-priority 0

    To change the key server priority to 255 to decrease the likelihood that the current device is selected as the key server in connectivity association ca-dynamic1:

    [edit security macsec connectivity-association ca-dynamic1]

    user@switch# set mka key-server-priority 255
  6. (Optional) Set the MKA transmit interval:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set mka transmit-interval interval

    The MKA transmit interval setting sets the frequency for how often the MKA protocol data unit (PDU) is sent to the directly connected device to maintain MACsec connectivity on the link. A lower interval increases bandwidth overhead on the link; a higher interval optimizes MKA protocol communication.

    The default interval is 2000 ms. We recommend increasing the interval to 6000 ms in high-traffic load environments. The transmit interval settings must be identical on both ends of the link.

    For instance, if you wanted to increase the MKA transmit interval to 6000 milliseconds when connectivity association ca-dynamic1 is attached to an interface:

    [edit security macsec connectivity-association ca-dynamic1]

    user@switch# set mka transmit-interval 6000
  7. (Optional) Disable MACsec encryption:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set no-encryption

    Encryption is enabled for all traffic entering or leaving the interface when MACsec is enabled using dynamic security mode, by default. When encryption is disabled, traffic is forwarded across the Ethernet link in clear text. You are able to view unencrypted data in the Ethernet frame traversing the link when you are monitoring it. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure the traffic sent or received on the link has not been tampered with and does not represent a security threat.

  8. (Optional) Set an offset for all packets traversing the link:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set offset (0 | 30 | 50)

    For instance, if you wanted to set the offset to 30 in the connectivity association named ca-dynamic1:

    [edit security macsec connectivity-association ca-dynamic1]

    user@switch# set offset 30

    The default offset is 0. All traffic in the connectivity association is encrypted when encryption is enabled and an offset is not set.

    When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic. When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.

    You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

  9. (Optional) Enable replay protection.
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set replay-protect replay-window-size number-of-packets

    When MACsec is enabled on a link, an ID number is assigned to each packet on the MACsec-secured link. When replay protection is enabled, the receiving interface checks the ID number of all packets that have traversed the MACsec-secured link. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the packet is dropped by the receiving interface. For instance, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet that is assigned the ID of 1006 is dropped because it falls outside the parameters of the replay protection window.

    Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.

    Replay protection should not be enabled in cases where packets are expected to arrive out of order.

    You can require that all packets arrive in order by setting the replay window size to 0.

    To enable replay protection with a window size of five on connectivity association ca-dynamic1:

    [edit security macsec connectivity-association ca-dynamic1]

    user@switch# set replay-protect replay-window-size 5
  10. (Optional) Exclude a protocol from MACsec:
    [edit security macsec connectivity-association connectivity-association-name]

    user@switch# set exclude-protocol protocol-name

    For instance, if you did not want Link Layer Discovery Protocol (LLDP) to be secured using MACsec on connectivity association ca-dynamic1:

    [edit security macsec connectivity-association ca-dynamic1]

    user@switch# set exclude-protocol lldp

    When this option is enabled, MACsec is disabled for all packets of the specified protocol—in this case, LLDP—that are sent or received on the link.

    Best Practice

    We recommend that any protocol other than MACsec that is used on the MACsec connection, such as LLDP, LACP, STP, or Layer 3 routing protocols, be excluded and moved outside of the MACsec tunnel.

  11. Assign the connectivity association to an interface:
    [edit security macsec]

    user@switch# set interfaces interface-names connectivity-association connectivity-association-name

    Assigning the connectivity association to an interface is the final configuration step to enabling MACsec on an interface. For instance, to assign connectivity association ca-dynamic1 to interface xe-0/1/0:

    [edit security macsec]

    user@switch# set interfaces xe-0/1/0 connectivity-association ca-dynamic1
    Note

    On an EX4300 uplink module, the first transceiver plugged into the uplink module determines the PIC mode, as the PIC recognizes the SFP type and programs all of the ports to be either ge- or xe-. Make sure the MACsec configuration on the interface matches the link speed for the uplink module ports.

Configuring MACsec Using Static Secure Association Key Security Mode to Secure a Switch-to-Switch Link

When you enable MACsec using static secure association key (SAK) security mode, one of up to two manually configured security keys is used to secure the point-to-point Ethernet link between the switches. All security key names and values are configured by the user; there is no key server or other tool that creates security keys. Security is maintained on the point-to-point Ethernet link by periodically rotating the security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

You configure static SAKs within secure channels when you are enabling MACsec using static SAK security mode. You configure secure channels within connectivity associations. A typical connectivity association for MACsec using static SAK security mode contains two secure channels—one for inbound traffic and one for outbound traffic—that have each been configured with two static SAKs. You must attach the connectivity association with the secure channel configurations to an interface to enable MACsec using static SAK security mode.

To configure MACsec on a switch-to-switch Ethernet link using static SAK security mode:

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name

    For instance, to create a connectivity association named ca1, enter:

    [edit security macsec]

    user@switch# set connectivity-association ca1
  2. Configure the MACsec security mode as static-sak for the connectivity association:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name security-mode static-sak

    For instance, to configure the MACsec security mode to static-sak on connectivity association ca1:

    [edit security macsec]

    user@switch# set connectivity-association ca1 security-mode static-sak
  3. Create a secure channel within the connectivity association. You can skip this step if you are configuring an existing secure channel.
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name

    For instance, to create secure channel sc1 in connectivity association ca1, enter:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1
  4. Define the security associations and the static SAKs for the secure channel:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name security-association number key key-string

    where the security-association number is a number between 0 and 3, and the key-string is a 32-digit key defined statically by the network administrator.

    The key string is a 32-digit hexadecimal number. The key string and the security association must match on both sides of an Ethernet connection to secure traffic using MACsec.

    A secure channel must have at least two security associations with unique key strings. MACsec uses a security association to establish a secure communications link, and periodically rotates to a new security association to keep the link secure. MACsec, therefore, must have at least one backup security association and key at all times.

    To create one secure channel with two security associations and keys, for example:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1 security-association 0 key d183c4002fa6fe3d2d9a852c20ab8412

    user@switch# set connectivity-association ca1 secure-channel sc1 security-association 1 key b976c7494ab6fe2f2d4c432a90fd90a8

  5. Specify whether the secure channel should be applied to traffic entering or leaving the switch:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name direction [inbound | outbound]

    where inbound applies the secure channel to traffic entering the switch, and outbound applies the secure channel to traffic leaving the switch.

    Note

    A secure channel can only be applied to traffic entering (inbound) or leaving (outbound) an interface on the switch.

    If you need to configure MACsec using SAKs on inbound and outbound traffic on the same interface, you must configure a connectivity association with one secure channel for inbound traffic and a second secure channel for outbound traffic. The connectivity association is assigned to an interface later in this process.

    For instance, to configure secure channel sc1 to apply MACsec to incoming traffic:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1 direction inbound

    To configure secure channel sc2 to apply MACsec to outgoing traffic:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc2 direction outbound
  6. Specify a MAC address:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name id mac-address mac-address

    If you are configuring a MAC address on a secure channel in the outbound direction, you should specify the MAC address of the interface as the mac-address.

    If you are configuring a MAC address on a secure channel in the inbound direction, you should specify the MAC address of the interface at the other end of the link as the mac-address.

    The mac-address variables must match on the sending and receiving secure channel on each side of a link to enable MACsec using static SAK security mode.

    Note

    You can see the MAC address of an interface in the show interfaces output.

    To configure MACsec to accept frames from MAC address 12:34:56:ab:cd:ef on secure channel sc1:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1 id mac-address 12:34:56:ab:cd:ef
  7. Specify a port:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name id port-id port-id-number

    The port-id-number variables must match on a sending and receiving secure channel on each side of a link to enable MACsec.

    Note

    The only requirement for port numbers in this implementation of MACsec is that they match on the sending and receiving ends of an Ethernet link. When the port numbers match, MACsec is enabled for all traffic on the connection.

    To specify port ID 4 on secure channel sc1:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1 id port-id 4
  8. (Optional) Enable encryption:
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name encryption

    You can enable MACsec without enabling encryption. If a secure channel is configured on an interface without encryption, traffic is forwarded across the Ethernet link in clear text, and you will be able to view unencrypted data in the Ethernet frame traversing the link when you are monitoring it. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure the traffic on the link does not represent a security threat.

    Encryption is disabled by default when you are enabling MACsec using static SAK security mode. To ensure all traffic traversing secure-channel sc1 is encrypted:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1 encryption
  9. (Optional) Set an offset so that the first 30 or 50 octets are sent as unencrypted plain text when encryption is enabled.
    [edit security macsec]

    user@switch# set connectivity-association connectivity-association-name secure-channel secure-channel-name offset [0 | 30 | 50]

    When the offset is set to 30, the IPv4 header and the TCP/UDP header are sent unencrypted and the rest of the frame is encrypted. When the offset is set to 50, the IPv6 header and the TCP/UDP header are sent unencrypted and the rest of the frame is encrypted.

    You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needs to see the data in those octets to perform its function but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to load balance traffic properly.

    The default offset is 0, so all traffic on the link is encrypted when the encryption option is enabled and an offset is not set.

    To change the offset to 30 for secure channel sc1:

    [edit security macsec]

    user@switch# set connectivity-association ca1 secure-channel sc1 offset 30
  10. Assign the connectivity association to an interface:
    [edit security macsec]

    user@switch# set interfaces interface-names connectivity-association connectivity-association-name

    Assigning the connectivity association to an interface is the final configuration step to enabling MACsec on an interface.

    For instance, to assign connectivity association ca1 to interface xe-0/0/1:

    [edit security macsec]

    user@switch# set interfaces xe-0/0/1 connectivity-association ca1

    Note

    On an EX4300 uplink module, the first transceiver plugged into the uplink module determines the PIC mode, as the PIC recognizes the SFP type and programs all of the ports to be either ge- or xe-. Make sure the MACsec configuration on the interface matches the link speed for the uplink module ports.

MACsec using static SAK security mode is not enabled until a connectivity association on the opposite end of the link is also configured and the configurations match on both ends of the link.
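As an added illustration of the confidentiality offset from step 9 (example code written for this page, not Junos code or part of the original document), the following Go program builds and validates a GCM-AES-128 MACsec frame: with an offset of 30 or 50, those first octets of user data stay readable on the wire but, like the MAC addresses and SecTAG, remain covered by the ICV, so any change to them fails validation at the receiving end. The key, SCI, MAC addresses and user data are constructed values; short-length (SL) frames under 48 octets and the XPN cipher suites are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// aead returns GCM-AES-128 for key and the 96-bit IV that 802.1AE forms as SCI || PN.
func aead(key, sci, pn []byte) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, append(append([]byte{}, sci...), pn...), err
}

// Protect emits DA||SA||SecTAG||user[:offset]||ciphertext||ICV: DA, SA, the SecTAG and the first
// offset octets are associated data (integrity-protected, sent in clear); the rest is encrypted.
func Protect(key, sci, da, sa, user []byte, an byte, pn uint32, offset int) ([]byte, error) {
	if (offset != 0 && offset != 30 && offset != 50) || len(user) < 48 { // SL=0 assumes >= 48
		return nil, errors.New("offset must be 0, 30 or 50 and user data at least 48 octets")
	}
	// SecTAG: EtherType 0x88E5, TCI/AN with SC (SCI present), E and C set, SL=0, PN, SCI.
	tag := append(binary.BigEndian.AppendUint32([]byte{0x88, 0xE5, 0x2C | an&0x03, 0}, pn), sci...)
	gcm, iv, err := aead(key, sci, tag[4:8])
	if err != nil {
		return nil, err
	}
	aad := append(append(append(append([]byte{}, da...), sa...), tag...), user[:offset]...)
	return gcm.Seal(append([]byte(nil), aad...), iv, user[offset:], aad), nil
}

// Validate checks the ICV over the whole frame, cleartext prefix included, and returns the user
// data; Open yields nil and an error if anything, even an unencrypted offset octet, was altered.
func Validate(key, frame []byte, offset int) ([]byte, error) {
	aadLen := 12 + 16 + offset
	if len(frame) < aadLen+16 {
		return nil, errors.New("frame too short for SecTAG with SCI, offset and ICV")
	}
	gcm, iv, err := aead(key, frame[20:28], frame[16:20])
	if err != nil {
		return nil, err
	}
	return gcm.Open(frame[28:aadLen:aadLen], iv, frame[aadLen:], frame[:aadLen]) // cap==len: fresh copy
}
```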

Release History Table

Release   Description
18.3R1    Starting in Junos OS Release 18.3R1, the MIC-MACSEC-20GE MIC provides 256-bit cipher-suite GCM-AES-256 and GCM-AES-XPN-256.
18.2R1    Starting in Junos OS Release 18.2R1, MACsec is supported on ACX6360 routers.
18.2R1    Starting in Junos OS Release 18.2R1, AES-256 is supported on the EX9200-40XS line card.
17.3R2    Starting with Junos OS Release 17.3R2, you can configure MACsec on MX 10003 routers with the modular MIC (JNP-MIC1-MACSEC).
16.1      Starting with Junos OS Release 16.1, you can configure MACsec on MX Series routers with the 40-port 10-Gigabit Ethernet MPC (MPC7E-10G).
15.1      Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also on regular interfaces that are not part of an interface bundle.
15.1      Starting in Junos OS Release 15.1, the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework is required for MACsec on a switch-to-host link.