Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

cipher-suite (MACsec)

Syntax

Hierarchy Level

Description

Specify the set of ciphers used to encrypt traffic on an Ethernet link that is secured with Media Access Control Security (MACsec). The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable. The configured cipher suites should be the same between MACsec peers.

MACsec utilizes the Galois/Counter Mode Advanced Encryption Standard (GCM-AES). The default cipher suite used for MACsec is GCM-AES-128, with a maximum key length of 128 bits. MACsec also supports GCM-AES-256, with a maximum key length of 256 bits.

GCM– AES– 128 and GCM– AES– 256 use a 32-bit packet number as part of the initial value that has to be unique for every packet sent with a given secure association key (SAK). When the permutations of the 32-bit packet number are exhausted, the SAK much be refreshed. The frequency of SAK refreshes can be reduced by using a cipher suite with Extended Packet Numbering (XPN), which increases the size of the packet number to 64-bits. Both GCM-AES-128 and GCM-AES-256 are available with XPN.

Note:

When enabling MACsec on et interfaces, use either the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite.

Note:

EX4300-48MP switches support GCM-AES-256 and GCM-AES-XPN-256 cipher suites on the 2-port QSFP+/1-port QSFP28 uplink module.

Default

If the cipher-suite statement is not configured, the default cipher suite used for encryption is GCM-AES-128.

Options

gcm-aes-128

GCM-AES-128 has a maximum key size of 128 bits.

gcm-aes-xpn-128

GCM-AES-XPN-128 has a maximum key size of 128 bits and extended packet number.

gcm-aes-256

GCM-AES-256 has a maximum key size of 256 bits.

gcm-aes-xpn-256

GCM-AES-XPN-256 has a maximum key size of 256 bits and extended packet number.

Required Privilege Level

admin— To view this statement in the configuration.

admin-control— To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 16.2R1.