Configure MACsec
You can configure MACsec to secure point-to-point Ethernet links that connect your device to MACsec-capable MICs. Each point-to-point Ethernet link that you want to secure with MACsec must be configured independently. You can enable MACsec on device-to-device links using static connectivity association key (CAK) security mode.
MACsec is supported only on the forty-four 10-Gigabit or 1-Gigabit Ethernet ports. In this section, these ports are used for configuring MACsec.
Customizing Time
To customize time, disable NTP and set the date.
Configuring MACsec on a Device Running Junos OS
To configure MACsec on a device running Junos OS:
Configuring Static MACsec with Layer 3 Traffic
To configure Static MACsec using ICMP traffic between device R0 and device R1:
In R0:
In R1:
-
Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
[edit]
security-administrator@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
security-administrator@hostname:fips# prompt security macsec connectivity-association CA1 pre-shared-key cak
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# set security macsec connectivity-association CA1 offset 30
-
Set the trace option values.
[edit]
security-administrator@hostname:fips# set security macsec traceoptions file MACsec.log
security-administrator@hostname:fips# set security macsec traceoptions file size 4000000000
security-administrator@hostname:fips# set security macsec traceoptions flag all
-
Assign the trace to an interface.
[edit]
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
-
Configure the MACsec security mode as static-cak for the connectivity association.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
-
Set the MKA transmit interval.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
-
Include the secure channel identifier (SCI) in the MACsec frames.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 include-sci
-
Assign the connectivity association to an interface.
[edit]
security-administrator@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
security-administrator@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
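MKA only brings the session up when R0 and R1 agree on the CKN and on the connectivity-association settings (security mode, offset, include-sci, cipher suite, transmit interval), and a mismatch typically shows up as a link that never leaves the MKA negotiation. The following Python script is an added example, not part of this page or of Junos OS: it parses `set security macsec connectivity-association ...` lines in the syntax shown above from both devices and lists every setting that differs. The CAK is typed at the `prompt` and never appears in a set command, so it cannot be compared this way. The R1 lines are constructed with deliberate drift, `interface-name` is kept as the page's own placeholder, and treating the MKA key-server priority (used in the key-chain procedures later on this page) as a legitimately per-device setting is an assumption.

```python
"""Peer-consistency check for a static-CAK connectivity association.

Added example, not Juniper code. Parses the page's `set security macsec
connectivity-association` syntax for R0 and R1 and reports settings that
differ, which is what stops MKA from establishing the MACsec session.
"""
import re

_CA_LINE = re.compile(r"^set security macsec connectivity-association (\S+) (.+)$")
# Assumption: settings that may differ between the two peers without breaking MKA.
_PER_DEVICE = {"mka key-server-priority"}


def parse_ca(lines):
    """Return {ca_name: {setting: value}} from set-style lines.
    A leading 'user@host# ' prompt is stripped; a bare flag such as
    include-sci is stored with the value 'true'."""
    cas = {}
    for raw in lines:
        line = raw.split("# ", 1)[-1].strip()
        m = _CA_LINE.match(line)
        if not m:
            continue  # [edit], prompt lines, interface config and so on
        name, rest = m.groups()
        tokens = rest.split()
        if len(tokens) == 1:
            setting, value = tokens[0], "true"
        else:  # e.g. "pre-shared-key ckn <hex>", "mka transmit-interval 3000"
            setting, value = " ".join(tokens[:-1]), tokens[-1]
        cas.setdefault(name, {})[setting] = value
    return cas


def peer_mismatches(r0_lines, r1_lines, ca_name):
    """Settings of ca_name that differ between R0 and R1, one string each,
    in sorted order; an empty list means the peers agree."""
    a = parse_ca(r0_lines).get(ca_name, {})
    b = parse_ca(r1_lines).get(ca_name, {})
    return [f"{s}: R0={a.get(s)} R1={b.get(s)}"
            for s in sorted(set(a) | set(b))
            if s not in _PER_DEVICE and a.get(s) != b.get(s)]


# R0: the page's static-CAK steps. R1: a constructed copy with a wrong
# offset and include-sci forgotten, the kind of drift that stalls MKA.
R0_CONFIG = [
    "security-administrator@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555",
    "security-administrator@hostname:fips# prompt security macsec connectivity-association CA1 pre-shared-key cak",
    "security-administrator@hostname:fips# set security macsec connectivity-association CA1 offset 30",
    "security-administrator@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak",
    "security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000",
    "security-administrator@hostname:fips# set security macsec connectivity-association CA1 include-sci",
    "security-administrator@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1",
]
R1_CONFIG = [
    "set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555",
    "set security macsec connectivity-association CA1 offset 50",
    "set security macsec connectivity-association CA1 security-mode static-cak",
    "set security macsec connectivity-association CA1 mka transmit-interval 3000",
    "set security macsec connectivity-association CA1 mka key-server-priority 1",
]

if __name__ == "__main__":
    for problem in peer_mismatches(R0_CONFIG, R1_CONFIG, "CA1") or ["peers agree"]:
        print(problem)
```

Run it against the two lists and it reports `include-sci: R0=true R1=None` and `offset: R0=30 R1=50`; paste the `show configuration security macsec | display set` output of each device into the two lists to check a real pair before committing.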
Configuring MACsec with keychain using Layer 3 Traffic
Synchronize both MACsec endpoint devices to NTP, because the key start-time triggers require the clocks of both devices to agree. To configure MACsec with a keychain using ICMP traffic between device R0 and device R1:
In R0:
In R1:
-
Assign a tolerance value to the authentication key chain.
[edit] security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
-
Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
You can configure up to 64 keys. For example, the following configures keys 0 through 4:
[edit]
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341. You can configure up to 64 secret keys. For example, enter the secrets for keys 0 through 4:
[edit]
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
-
Associate the preshared keychain name with the connectivity association.
[edit]
security-administrator@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
security-administrator@hostname:fips# set security macsec connectivity-association CA1 offset 50
security-administrator@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
Note:
- You can use the non-XPN ciphers AES-GCM-128 and AES-GCM-256 for MACsec configuration on 10G/xe interfaces only.
- You can use the XPN ciphers AES-GCM-XPN-128 and AES-GCM-XPN-256 for MACsec configuration at 40G and 100G rates. You can also use the XPN ciphers AES-GCM-XPN-128 and AES-GCM-XPN-256 for MACsec configuration on 10G/xe interfaces, if the interface supports them.
-
Set the trace option values.
[edit]
security-administrator@hostname:fips# set security macsec traceoptions file MACsec.log
security-administrator@hostname:fips# set security macsec traceoptions file size 4000000000
security-administrator@hostname:fips# set security macsec traceoptions flag all
-
Assign the trace to an interface.
[edit]
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
-
Configure the MACsec security mode as static-cak for the connectivity association.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
-
Set the MKA key server priority.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
-
Set the MKA transmit interval.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
-
Include the secure channel identifier (SCI) in the MACsec frames.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 include-sci
-
Assign the connectivity association to an interface.
[edit]
security-administrator@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
security-administrator@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
Configuring Static MACsec for Layer 2 Traffic
To configure static MACsec for Layer 2 traffic between device R0 and device R1:
In R0:
In R1:
-
Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
[edit]
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
-
Associate the preshared keychain name with the connectivity association.
[edit]
security-administrator@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
security-administrator@hostname:fips# set security macsec connectivity-association CA1 offset 50
security-administrator@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
-
Set the trace option values.
[edit]
security-administrator@hostname:fips# set security macsec traceoptions file MACsec.log
security-administrator@hostname:fips# set security macsec traceoptions file size 4000000000
security-administrator@hostname:fips# set security macsec traceoptions flag all
-
Assign the trace to an interface.
[edit]
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
-
Configure the MACsec security mode as static-cak for the connectivity association.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
-
Set the MKA key server priority.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
-
Set the MKA transmit interval.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
-
Include the secure channel identifier (SCI) in the MACsec frames.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 include-sci
-
Assign the connectivity association to an interface.
[edit] security-administrator@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
-
Configure VLAN tagging.
[edit]
security-administrator@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
security-administrator@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
security-administrator@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
security-administrator@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
security-administrator@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
security-administrator@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
security-administrator@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
security-administrator@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
Configuring MACsec with keychain for Layer 2 Traffic
Synchronize both MACsec endpoint devices to NTP, because the key start-time triggers require the clocks of both devices to agree. To configure MACsec with a keychain for ICMP traffic between device R0 and device R1:
In R0:
In R1:
-
Assign a tolerance value to the authentication key chain.
[edit] security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
-
Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
You can configure up to 64 keys. For example, the following configures keys 0 through 4:
[edit]
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
security-administrator@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341. You can configure up to 64 secret keys. For example, enter the secrets for keys 0 through 4:
[edit]
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
security-administrator@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
-
Associate the preshared keychain name with the connectivity association.
[edit]
security-administrator@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
security-administrator@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
-
Set the trace option values.
[edit]
security-administrator@hostname:fips# set security macsec traceoptions file MACsec.log
security-administrator@hostname:fips# set security macsec traceoptions file size 4000000000
security-administrator@hostname:fips# set security macsec traceoptions flag all
-
Assign the trace to an interface.
[edit]
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
security-administrator@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
-
Configure the MACsec security mode as static-cak for the connectivity association.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
-
Set the MKA key server priority.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
-
Set the MKA transmit interval.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
-
Include the secure channel identifier (SCI) in the MACsec frames.
[edit] security-administrator@hostname:fips# set security macsec connectivity-association CA1 include-sci
-
Assign the connectivity association to an interface.
[edit] security-administrator@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
-
Configure VLAN tagging.
[edit]
security-administrator@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
security-administrator@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
security-administrator@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
security-administrator@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
security-administrator@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
security-administrator@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
security-administrator@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
security-administrator@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
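The key-chain procedures above, for Layer 3 and for Layer 2 traffic, both rely on R0 and R1 holding the same list of keys with the same start-times and the same tolerance, which is why NTP synchronization is required. The following Python script is an added example, not part of this page or of Junos OS: it models a chain of keys (hexadecimal key-name as the CKN, hexadecimal secret as the CAK, a start-time in the page's `YYYY-MM-DD.HH:MM` format, and a chain-wide tolerance), validates it the way both peers must agree on it, renders the page's `set` and `prompt` commands from that single definition so the two devices cannot drift apart, and works out which key is in use at a given moment. The sample keys are constructed to mirror the page's example (keys 0 through 4, two minutes apart on 2018-03-20). Two points are assumptions rather than page facts: the CAK length per cipher suite (32 hex digits for the 128-bit suites, 64 for the 256-bit suites) and the reading of tolerance as a clock-skew window during which the previous key is still accepted after a rollover.

```python
"""Key-chain helper for the MACsec pre-shared-key-chain procedures.

Added example, not Juniper code. Models the page's authentication key
chain, validates it, renders the page's commands and computes rollover.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

_HEX = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: CAK length per cipher suite (16 bytes for the 128-bit suites,
# 32 bytes for the 256-bit suites). The page pairs 64 hex digits with gcm-aes-256.
CAK_HEX_LEN = {"gcm-aes-128": 32, "gcm-aes-xpn-128": 32,
               "gcm-aes-256": 64, "gcm-aes-xpn-256": 64}


def hex_problem(value: str, max_len: int = 64) -> str | None:
    """Why value is not a hex string of at most max_len digits, or None.
    Spaces are permitted, as the page allows them inside quotation marks."""
    digits = value.replace(" ", "")
    if not digits or not _HEX.match(digits):
        return f"not hexadecimal: {value!r}"
    if len(digits) > max_len:
        return f"{len(digits)} hex digits exceeds {max_len}"
    return None


@dataclass(frozen=True)
class ChainKey:
    index: int
    key_name: str        # CKN, hex digits
    secret: str          # CAK, hex digits; entered with `prompt`, never in a set command
    start_time: datetime


def parse_start_time(text: str) -> datetime:
    """Parse the page's start-time format, e.g. 2018-03-20.20:35."""
    return datetime.strptime(text, "%Y-%m-%d.%H:%M")


def validate_chain(keys: list[ChainKey], cipher: str) -> list[str]:
    """Every reason the peers could fail to agree on this chain: key count,
    malformed CKN/CAK, CAK length vs cipher, duplicate CKNs, start-times
    that do not strictly increase. Empty list means the chain is sound."""
    problems = []
    if not 1 <= len(keys) <= 64:
        problems.append(f"{len(keys)} keys; a chain holds 1 to 64")
    want = CAK_HEX_LEN[cipher]
    seen: set[str] = set()
    for prev, key in zip([None] + keys[:-1], keys):
        for label, value in (("key-name", key.key_name), ("secret", key.secret)):
            if (err := hex_problem(value)):
                problems.append(f"key {key.index} {label}: {err}")
        if len(key.secret.replace(" ", "")) != want:
            problems.append(f"key {key.index}: CAK must be {want} hex digits for {cipher}")
        if key.key_name in seen:
            problems.append(f"key {key.index}: duplicate CKN")
        seen.add(key.key_name)
        if prev is not None and key.start_time <= prev.start_time:
            problems.append(f"key {key.index}: start-time must be after key {prev.index}")
    return problems


def active_key(keys: list[ChainKey], now: datetime) -> ChainKey | None:
    """The key a sender uses at `now`: the latest key whose start-time has
    passed. None before the first start-time, when MKA has no CAK yet."""
    started = [k for k in keys if k.start_time <= now]
    return max(started, key=lambda k: k.start_time) if started else None


def accepted_keys(keys: list[ChainKey], now: datetime, tolerance_s: int) -> list[ChainKey]:
    """Keys a receiver should still honour at `now`. Assumption: tolerance is
    a clock-skew window, so for tolerance_s seconds after a rollover the
    replaced key is accepted alongside the new one."""
    current = active_key(keys, now)
    if current is None:
        return []
    accepted = [current]
    earlier = [k for k in keys if k.start_time < current.start_time]
    if earlier and now < current.start_time + timedelta(seconds=tolerance_s):
        accepted.append(max(earlier, key=lambda k: k.start_time))
    return accepted


def render_commands(chain: str, keys: list[ChainKey], tolerance_s: int) -> list[str]:
    """The page's configuration for one device, from the chain definition.
    The CAK never goes on the command line: the `prompt` form is emitted and
    the secret is typed at the 'New cak (secret):' prompt."""
    base = f"security authentication-key-chains key-chain {chain}"
    cmds = [f"set {base} tolerance {tolerance_s}"]
    for k in keys:
        cmds.append(f"set {base} key {k.index} key-name {k.key_name}")
        cmds.append(f"set {base} key {k.index} start-time {k.start_time:%Y-%m-%d.%H:%M}")
        cmds.append(f"prompt {base} key {k.index} secret")
    return cmds


# Constructed sample mirroring the page: keys 0-4, start-times two minutes apart.
_CKN_BASE = "234567892233445566778899222333444555666777888999222233334444555"  # 63 digits
_CAK_BASE = "234567892233445566778899222333412345678922334455667788992223334"  # 63 digits
SAMPLE_KEYS = [ChainKey(i, _CKN_BASE + str(i + 1), _CAK_BASE + str(i + 1),
                        parse_start_time(f"2018-03-20.20:{35 + 2 * i}")) for i in range(5)]

if __name__ == "__main__":
    print("problems:", validate_chain(SAMPLE_KEYS, "gcm-aes-256"))
    print("\n".join(render_commands("macsec-kc1", SAMPLE_KEYS, 20)))
    at = parse_start_time("2018-03-20.20:37").replace(second=10)
    print("accepted at 20:37:10:", [k.index for k in accepted_keys(SAMPLE_KEYS, at, 20)])
```

Feed the same `render_commands` output to both R0 and R1 (typing each secret at its prompt), and use `accepted_keys` with the configured tolerance to reason about how much clock skew the link survives: with the page's tolerance of 20 seconds and keys two minutes apart, a receiver whose clock lags by more than 20 seconds will reject the new key until its own clock catches up.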
Disable and Restart MACsec Sessions
To disable and restart MACsec sessions, use the following commands:
-
To disable the MACsec session:
user@host# deactivate security macsec
-
To restart the MACsec session:
user@host# run restart dot1x-protocol
or
user@host# activate security macsec