Configuring MACsec

You can configure MACsec to secure point-to-point Ethernet links that connect your device with MACsec-capable MICs. Each point-to-point Ethernet link that you want to secure with MACsec must be configured independently. You can enable MACsec on device-to-device links using static connectivity association key (CAK) security mode.

MACsec is supported only on the forty-four 10-Gigabit or 1-Gigabit Ethernet ports. In this section, these ports are used for configuring MACsec.

Customizing Time

To customize the time, disable NTP and set the date and time manually.

  1. Disable NTP.
  2. Set the date and time. The date and time format is YYYYMMDDHHMM.ss.

Configuring MACsec on a Device Running Junos OS

To configure MACsec on a device running Junos OS:

  1. Configure the MACsec security mode as for the connectivity association.
    Note:

    Based on your requirement, you can configure the offset offset-number value at the set security macsec connectivity-association connectivity-association-name hierarchy level to 0, 30, or 50.

  2. Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
    Note:

    Based on your requirement, you can configure the number-of-packets value at the set security macsec connectivity-association connectivity-association-name replay-protect replay-window-size hierarchy level from 0 through 65535.

    Note:

    The ICK is derived automatically from the CAK using AES-CMAC; it requires no separate configuration.

  3. Set the MACsec Key Agreement (MKA) secure channel details.
  4. Set the MKA to security mode.
    Note:

    CA1 is an example of a configured connectivity-association-name.

  5. Assign the configured connectivity association to the specified MACsec interface.

Configuring Static MACsec with Layer 3 Traffic

To configure Static MACsec using Layer 3 traffic between device R0 and device R1:

In R0:

  1. Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
  2. Set the trace option values.
  3. Assign the trace to an interface.
  4. Configure the MACsec security mode as static-cak for the connectivity association.
  5. Set the MKA key server priority.
  6. Set the MKA transmit interval.
  7. Enable Secure Channel Identifier.
  8. Assign the connectivity association to an interface.

In R1:

  1. Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).

  2. Set the trace option values.

  3. Assign the trace to an interface.

  4. Configure the MACsec security mode as static-cak for the connectivity association.

  5. Set the MKA transmit interval.

  6. Enable Secure Channel Identifier.

  7. Assign the connectivity association to an interface.
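The two procedures above (Configuring MACsec on a Device Running Junos OS and Configuring Static MACsec with Layer 3 Traffic) collected into one set-style listing, as an added example; it is not a configuration listing from the original page. The statement names follow the Junos MACsec configuration hierarchy, but verify the syntax against your release before committing. CA1 is the connectivity association name from the note above; the interface xe-0/0/0, the 192.0.2.0/30 addresses, and the CKN and CAK hex strings are constructed placeholders. Trace options are omitted.

```junos
# R0: key server. The lower key-server-priority value wins the election (0 is highest).
set security macsec connectivity-association CA1 security-mode static-cak
set security macsec connectivity-association CA1 pre-shared-key ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security macsec connectivity-association CA1 pre-shared-key cak 00112233445566778899aabbccddeeff
set security macsec connectivity-association CA1 cipher-suite gcm-aes-128
set security macsec connectivity-association CA1 mka key-server-priority 0
set security macsec connectivity-association CA1 mka transmit-interval 2000
set security macsec connectivity-association CA1 include-sci
# replay-window-size 0 accepts only in-order frames; offset 0 encrypts the whole payload
set security macsec connectivity-association CA1 replay-protect replay-window-size 0
set security macsec connectivity-association CA1 offset 0
set security macsec interfaces xe-0/0/0 connectivity-association CA1
set interfaces xe-0/0/0 unit 0 family inet address 192.0.2.1/30

# R1: same CKN, CAK and cipher suite; key-server-priority left at its default so R0 is elected
set security macsec connectivity-association CA1 security-mode static-cak
set security macsec connectivity-association CA1 pre-shared-key ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security macsec connectivity-association CA1 pre-shared-key cak 00112233445566778899aabbccddeeff
set security macsec connectivity-association CA1 cipher-suite gcm-aes-128
set security macsec connectivity-association CA1 mka transmit-interval 2000
set security macsec connectivity-association CA1 include-sci
set security macsec connectivity-association CA1 replay-protect replay-window-size 0
set security macsec connectivity-association CA1 offset 0
set security macsec interfaces xe-0/0/0 connectivity-association CA1
set interfaces xe-0/0/0 unit 0 family inet address 192.0.2.2/30

# Verification (operational mode, either device) after both sides commit
show security mka sessions
show security macsec connections
show security macsec statistics interface xe-0/0/0
```

The CKN and CAK must match on both ends; the CAK is the root secret of the connectivity association, since the KEK and ICK are derived from it, so treat it like any other long-lived symmetric key and distribute it out of band. A non-zero offset (30 or 50) leaves that many bytes of each frame's payload in cleartext for header visibility, and a replay window larger than 0 tolerates reordering at the cost of accepting older frames; the listing uses the strictest settings for both. After the commit, show security mka sessions should report a live MKA session and show security macsec connections should show the secure channels in both directions.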

Configuring MACsec with keychain using Layer 3 Traffic

Synchronize the clocks of both MACsec endpoint devices, because both devices must reach a key's start time at the same moment. To configure MACsec with a keychain using Layer 3 traffic between device R0 and device R1:

In R0:

  1. Assign a tolerance value to the authentication key chain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as the Connectivity Association Key (CAK).

    You can configure up to 64 keys within a keychain. In addition to specifying the key material, you can configure a start-time, relative to the TOE's current time, to control each key's lifetime precisely.

    The keys can be configured with a start-time in YYYY-MM-DD.HH:MM format to define when the corresponding key becomes active.

    When multiple keys are configured with sequential start times, each new key becomes active when its start time is reached, which effectively configures the lifetime of each key.

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

    You can configure up to 64 secret keys. For example, you can refer to the following secret keys:

  3. To delete an existing key from a keychain, use the following command:
  4. Associate the preshared keychain name with the connectivity association.
    Note:

    The cipher value can also be set as cipher-suite gcm-aes-128.

  5. Set the trace option values.
  6. Assign the trace to an interface.
  7. Configure the MACsec security mode as static-cak for the connectivity association.
  8. Set the MKA key server priority.
  9. Set the MKA transmit interval.
  10. Enable Secure Channel Identifier.
  11. Assign the connectivity association to an interface.

To configure MACsec with keychain for Layer 3 traffic:

In R1:

  1. Assign a tolerance value to the authentication key chain.

  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    You can configure up to 64 keys. For example, you can refer to the following keys:

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

    You can configure up to 64 secret keys. For example, you can refer to the following secret keys:

  3. Associate the preshared keychain name with the connectivity association.

    Note:

    You can use the non-XPN ciphers AES-GCM-128 and AES-GCM-256 for MACsec configuration on 10G (xe) interfaces only.

  4. Set the trace option values.

  5. Assign the trace to an interface.

  6. Configure the MACsec security mode as static-cak for the connectivity association.

  7. Set the MKA key server priority.

  8. Set the MKA transmit interval.

  9. Enable Secure Channel Identifier.

  10. Assign the connectivity association to an interface.
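The keychain procedure above for R0 and R1, collected into one set-style listing as an added example; it is not a configuration listing from the original page. The statement names follow the Junos authentication-key-chains and MACsec hierarchies, but verify the syntax against your release. CA1 is the connectivity association name used on this page and the 64-digit secret is the example value given in the procedure; the key chain name MACSEC-KC, the key-name (CKN) hex strings, the start times, the tolerance value, and the interface xe-0/0/0 are constructed placeholders.

```junos
# R0. Clocks on R0 and R1 must agree before the first start-time is reached.
# tolerance: seconds of clock skew allowed between the two ends at a key rollover
set security authentication-key-chains key-chain MACSEC-KC tolerance 30
# key 1: key-name is the CKN; start-time uses the YYYY-MM-DD.HH:MM format given above
set security authentication-key-chains key-chain MACSEC-KC key 1 key-name 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security authentication-key-chains key-chain MACSEC-KC key 1 start-time "2024-06-01.10:00"
# prompt reads the secret interactively so the CAK does not land in the command history
prompt security authentication-key-chains key-chain MACSEC-KC key 1 secret
# (at the prompt, enter 2345678922334455667788992223334123456789223344556677889922233341)
# key 2 takes over automatically when its start-time is reached, ending key 1's lifetime
set security authentication-key-chains key-chain MACSEC-KC key 2 key-name fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
set security authentication-key-chains key-chain MACSEC-KC key 2 start-time "2024-07-01.10:00"
prompt security authentication-key-chains key-chain MACSEC-KC key 2 secret
# connectivity association bound to the key chain instead of a single pre-shared key
set security macsec connectivity-association CA1 security-mode static-cak
set security macsec connectivity-association CA1 pre-shared-key-chain MACSEC-KC
set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
set security macsec connectivity-association CA1 mka key-server-priority 0
set security macsec connectivity-association CA1 mka transmit-interval 2000
set security macsec connectivity-association CA1 include-sci
set security macsec interfaces xe-0/0/0 connectivity-association CA1

# R1: identical key chain (same key-names, secrets and start-times), higher priority number
set security authentication-key-chains key-chain MACSEC-KC tolerance 30
set security authentication-key-chains key-chain MACSEC-KC key 1 key-name 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security authentication-key-chains key-chain MACSEC-KC key 1 start-time "2024-06-01.10:00"
prompt security authentication-key-chains key-chain MACSEC-KC key 1 secret
set security authentication-key-chains key-chain MACSEC-KC key 2 key-name fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
set security authentication-key-chains key-chain MACSEC-KC key 2 start-time "2024-07-01.10:00"
prompt security authentication-key-chains key-chain MACSEC-KC key 2 secret
set security macsec connectivity-association CA1 security-mode static-cak
set security macsec connectivity-association CA1 pre-shared-key-chain MACSEC-KC
set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
set security macsec connectivity-association CA1 mka key-server-priority 1
set security macsec connectivity-association CA1 mka transmit-interval 2000
set security macsec connectivity-association CA1 include-sci
set security macsec interfaces xe-0/0/0 connectivity-association CA1

# Retiring a key (run on both devices)
delete security authentication-key-chains key-chain MACSEC-KC key 2
```

Each key in the chain is a CAK with its own CKN, so a rollover changes the root of the key hierarchy rather than just the SAK; because MKA on both ends must switch to the new key within the configured tolerance, compare the clocks with show system uptime on both devices before the first start-time, and keep key-names, secrets and start-times identical on R0 and R1. A 64-hexadecimal-digit secret is a 256-bit CAK, which pairs with the gcm-aes-256 cipher suite; as the note above states, the cipher suite can also be set to gcm-aes-128.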

Configuring Static MACsec for Layer 2 Traffic

To configure static MACsec for Layer 2 traffic between device R0 and device R1:

In R0:

  1. Set the MKA key server priority.
    Note:

    The configurable range for the key server priority is 0 through 255, where 0 is the highest priority. To make the TOE act as the key server, configure it with the lowest priority number.

  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable Secure Channel Identifier.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure bridge domain.
    Note:

    The interface-name1 and interface-name2 options at the set bridge-domains BD-110 interface hierarchy level are user-defined interfaces that are part of the bridge domain.

In R1:

  1. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  2. Associate the preshared keychain name with the connectivity association.

  3. Set the trace option values.

  4. Assign the trace to an interface.

  5. Configure the MACsec security mode as static-cak for the connectivity association.

  6. Set the MKA key server priority.

  7. Set the MKA transmit interval.

  8. Enable Secure Channel Identifier.

  9. Assign the connectivity association to an interface.

  10. Configure VLAN tagging.

  11. Configure bridge domain.

Configuring MACsec with keychain for Layer 2 Traffic

Synchronize the clocks of both MACsec endpoint devices, because both devices must reach a key's start time at the same moment. To configure MACsec with a keychain for Layer 2 traffic between device R0 and device R1:

In R0:

  1. Assign a tolerance value to the authentication key chain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    You can configure up to 64 keys. For example, you can refer to the following keys:

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

    You can configure up to 64 secret keys. For example, you can refer to the following secret keys:

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable Secure Channel Identifier.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure bridge domain.

In R1:

  1. Assign a tolerance value to the authentication key chain.

  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

    You can configure up to 64 secret keys. For example, you can refer to the following secret keys:

  3. Associate the preshared keychain name with the connectivity association.

  4. Set the trace option values.

  5. Assign the trace to an interface.

  6. Configure the MACsec security mode as static-cak for the connectivity association.

  7. Set the MKA key server priority.

  8. Set the MKA transmit interval.

  9. Enable Secure Channel Identifier.

  10. Assign the connectivity association to an interface.

  11. Configure VLAN tagging.

  12. Configure bridge domain.
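The Layer 2 variants above (Configuring Static MACsec for Layer 2 Traffic and Configuring MACsec with keychain for Layer 2 Traffic) differ from the Layer 3 procedures only in steps 11 and 12, VLAN tagging and the bridge domain. The R0 side as one set-style listing, added here as an example; it is not a configuration listing from the original page, and the statement names follow the Junos MX interface, bridge-domains and MACsec hierarchies as far as I know them, so verify them against your release. BD-110 and CA1 are the names used on this page and the 64-digit secret is the example value from the procedure; the key chain name MACSEC-KC, the CKN hex string, the start time, the tolerance value, the VLAN ID 110, and the interfaces xe-0/0/0 (the MACsec-secured link to R1) and xe-0/0/1 (a downstream port bridged into the same domain) are constructed placeholders.

```junos
# R0: one-key key chain and connectivity association (extend with further keys as needed)
set security authentication-key-chains key-chain MACSEC-KC tolerance 30
set security authentication-key-chains key-chain MACSEC-KC key 1 key-name 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security authentication-key-chains key-chain MACSEC-KC key 1 start-time "2024-06-01.10:00"
prompt security authentication-key-chains key-chain MACSEC-KC key 1 secret
# (at the prompt, enter 2345678922334455667788992223334123456789223344556677889922233341)
set security macsec connectivity-association CA1 security-mode static-cak
set security macsec connectivity-association CA1 pre-shared-key-chain MACSEC-KC
set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
set security macsec connectivity-association CA1 mka key-server-priority 0
set security macsec connectivity-association CA1 mka transmit-interval 2000
set security macsec connectivity-association CA1 include-sci
# MACsec is bound to the physical port, so every VLAN carried on xe-0/0/0 is protected
set security macsec interfaces xe-0/0/0 connectivity-association CA1

# Step 11: VLAN tagging on the secured link and on the downstream port
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 encapsulation flexible-ethernet-services
set interfaces xe-0/0/0 unit 110 encapsulation vlan-bridge
set interfaces xe-0/0/0 unit 110 vlan-id 110
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
set interfaces xe-0/0/1 unit 110 encapsulation vlan-bridge
set interfaces xe-0/0/1 unit 110 vlan-id 110

# Step 12: bridge domain joining the two logical interfaces
# (xe-0/0/0.110 and xe-0/0/1.110 play the role of interface-name1 and interface-name2 in the note above)
set bridge-domains BD-110 domain-type bridge
set bridge-domains BD-110 vlan-id 110
set bridge-domains BD-110 interface xe-0/0/0.110
set bridge-domains BD-110 interface xe-0/0/1.110
```

R1 mirrors the key chain and CA1 exactly (same key-name, secret and start-time, with key-server-priority omitted or set higher than R0's), plus the same VLAN tagging and bridge domain on its own ports. Only the link between R0 and R1 is encrypted: frames on the downstream port xe-0/0/1 are in cleartext, so the MACsec boundary ends at the bridge domain, not at the hosts behind it. After the commit, show security mka sessions and show security macsec connections should report the session and secure channels on xe-0/0/0, and a host behind xe-0/0/1 on R0 should reach a host behind the corresponding port on R1 within VLAN 110.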

Disable and Restart MACsec Sessions

To disable and restart the MACsec sessions, use the following configurations:

  • To disable the MACsec session:

  • To restart the MACsec session:

    or