Media Access Control Security (MACsec) on Chassis Cluster
This topic explains how Media Access Control Security (MACsec), an industry‑standard security technology, that provides secure communication for all traffic on Ethernet links.
Use Feature Explorer to confirm platform and release support for specific features.
Review the Platform-Specific MACsec Behavior section for notes related to your platform.
Understand Media Access Control Security (MACsec)
Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec delivers point-to-point security between directly connected nodes and helps protect against a wide range of threats, including denial-of-service attacks, intrusions, man-in-the-middle attacks, masquerading, passive eavesdropping, and replay attacks.
MACsec secures nearly all Ethernet traffic, including frames generated by protocols such as Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are typically unsecured by traditional Ethernet security mechanisms. MACsec can also be used alongside other security technologies, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide comprehensive end-to-end network security.
- How MACsec Works
- Connectivity Associations and Secure Channels
- Static Connectivity Association Key Security Mode
- MACsec Considerations
How MACsec Works
MACsec provides industry-standard security by establishing secure point-to-point Ethernet links. These links are secured after the participating interfaces successfully authenticate using matching security keys. When MACsec is enabled in static connectivity association key (CAK) mode, user-configured pre-shared keys are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link.
Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is protected using data integrity checks and, if configured, encryption.
MACsec ensures data integrity by appending an 8-byte header and a 16-byte trailer to each Ethernet frame transmitted over the secured link.The receiving interface validates this header and trailer to verify that the data was not altered in transit. If any integrity violation is detected, the affected traffic is dropped.
MACsec can also encrypt all traffic on the Ethernet link, preventing unauthorized parties from viewing frame contents. When MACsec is enabled using static Connectivity Association Key (CAK) mode, encryption is enabled by default for all ingress and egress traffic on the interface.
MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. To secure multiple Ethernet links, you must configure MACsec individually on each point-to-point link.
Connectivity Associations and Secure Channels
MACsec is configured using connectivity associations (CAs). MACsec is enabled on an interface when a connectivity association is assigned to that interface.
When MACsec is enabled using either static CAK or dynamic security mode, you must create and configure a connectivity association. Upon assignment, two secure channels are automatically created: one for inbound traffic and one for outbound traffic. These secure channels do not have user-configurable parameters; all configuration is performed within the connectivity association rather than on the secure channels themselves.
Static Connectivity Association Key Security Mode
When MACsec is enabled using static connectivity association key (CAK) security mode, two keys are used to secure the point-to-point Ethernet link:a Connectivity Association Key (CAK), which protects control‑plane traffic, and a Secure Association Key (SAK), which is randomly generated and protects data‑plane traffic. Both keys are periodically exchanged between the devices at each end of the link to maintain link security.
In static CAK mode, a MACsec-secured link is initially established using a user-configured pre-shared key. The pre-shared key consists of a Connectivity Association Name (CKN) and its associated CAK. Both the CKN and CAK must be configured in the connectivity association and must match on both ends of the Ethernet link for MACsec to be successfully enabled.
Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is activated. MKA is responsible for maintaining MACsec operation on the link and determining which device on the point-to-point Ethernet link becomes the key server.
The key server generates a Secure Association Key (SAK) and securely distributes it only to the peer device at the other end of the link., This SAK is then used to protect all data traffic traversing the link. As long as MACsec remains enabled, the key server periodically generates and shares new, randomly created SAKs to maintain ongoing link security.
You enable MACsec in static CAK security mode by configuring a connectivity association on both ends of the point‑to‑point Ethernet link. All MACsec configuration is performed within the connectivity association and not on the secure channels themselves. When static CAK mode is used, two secure channels—one for inbound traffic and one for outbound traffic—are automatically created. These secure channels have no user-configurable parameters beyond those defined in the connectivity association.
We recommend enabling MACsec using static CAK security mode. Static CAK mode enhances security by periodically refreshing randomly generated security keys and by restricting key sharing exclusively to the two devices on the MACsec-secured point-to-point link. In addition, certain optional MACsec features—such as replay protection, Secure Channel Identifier (SCI) tagging, and the ability to exclude specific traffic from MACsec protection—are available only when MACsec is enabled in static CAK mode.
Firewalls support MACsec on HA control and fabric links. However, if the restart 802.1x-protocol-daemon command is executed on the primary node, the chassis cluster control and fabric links will flap, potentially causing the cluster nodes to enter a split-brain condition.
MACsec Considerations
All types of Spanning Tree Protocol (STP) frames are not currently supported for encryption using MACsec.
A connectivity association can be defined globally, at the node level, or within any configuration group, provided it is visible to the MACsec interface configuration.
For MACsecto operate correctly, identical configurations must be present on both ends of the link. Each node must have the same MACsec configuration.If MACsec is not configured, or is configured incorrectly, on the peer node, the interface is disabled and traffic forwarding stops.
Configure Media Access Control Security (MACsec)
This topic shows how to configure MACsec on control and fabric ports of supported Firewalls operating in a chassis cluster to secure point-to-point Ethernet links between peer devices. Each point-to-point Ethernet link that requires MACsec protection must be configured independently. MACsec encryption on device-to-device links is enabled using static connectivity association key (CAK) security mode.
This document provides the configuration steps for both processes.
- Configuration Considerations When Configuring MACsec on Chassis Cluster Setup
- Configure MACsec Using Static Connectivity Association Key Security Mode
- Configure Static CAK on the Chassis Cluster Control Port
- Configure Static CAK on the Chassis Cluster Fabric Port
- Configure Static CAK on the Control Port
- Configure Static CAK on the Control Port on SRX4600
- Verify MACSEC Configuration
Configuration Considerations When Configuring MACsec on Chassis Cluster Setup
Before you begin, follow these steps to configure MACsec on control ports:
Control port states are critical to the stability and integrity of a chassis cluster. Consider the following when configuring MACsec on control ports:
Any new MACsec configuration for chassis cluster ports, or any modification to an existing MACsec configuration, requires the chassis cluster to be disabled. When you attempt such a change, a warning message
Modifying cluster control port CA will break chassis clusteris displayed indicating that modifying the control port connectivity association (CA) will disrupt the chassis cluster. After disabling the cluster, you can apply the required MACsec configuration and then reenable the chassis cluster.By default, a chassis cluster synchronizes all configurations between nodes. You must ensure that configuration synchronization does not result in the loss of any MACsec settings. For node-specific or nonsymmetric MACsec configurations, identical MACsec configurations must exist on both nodes. If the configurations differ, the chassis clsuter can break.
Any change to MACsec configuration on control ports requires repeating the previously described steps.
When configuring MACsec on fabric ports, consider the following:
Configuring MACsec can cause link state changes that affect traffic forwarding. When configuring fabric ports, always account for the effective link state.
An incorrect MACsec configuration on either end of a fabric link can cause the link to transition to an ineligible state.
Both ends of the fabric links must be configured simultaneously when the chassis cluster is formed.
Incorrect configuration can lead to fabric link failures and errors in fabric recovery logic.
Due to the potential for link failure scenarios, it is recommend to configure fabric links during the initial formation of the chassis cluster.
Configure MACsec Using Static Connectivity Association Key Security Mode
You can enable MACsec encryption on a point-to-point Ethernet link by using static connectivity association key (CAK) security mode. This procedure explains how to configure MACsec using static CAK mode.
In a chassis cluster with dual control links, MACsec is configured on control port 0 [em0] and control port 1 [em1]. MACsec configured on revenue interfaces is used to establish fabric links, which are configured on fabric ports mge-0/0/1 and mge-7/0/1.
To configure MACsec by using static CAK security mode to secure a device-to-device Ethernet link:
MACsec using static CAK security mode is not enabled until a connectivity association on the opposite end of the link is also configured, and contains preshared keys that match on both ends of the link.
Configure Static CAK on the Chassis Cluster Control Port
To establish a CA over a chassis cluster control link on two SRX345 devices.
Configure Static CAK on the Chassis Cluster Fabric Port
To establish a connectivity association over a chassis cluster fabric link on two SRX345 devices:
Configure Static CAK on the Control Port
Configure a connectivity association over a chassis cluster control link. Use two SRX1600 Firewalls, two SRX2300 Firewalls, two SRX4120 Firewalls or two SRX4300 Firewalls.
To view the status of the active MACsec connections, run the show security macsec connections command.
user@host> show security macsec connections
Interface name: em0
CA name: ca1
Cipher suite: GCM-AES-128 Encryption: on
Key server offset: 0 Include SCI: no
Replay protect: off Replay window: 0
Outbound secure channels
SC Id: 02:00:00:01:01:04/1
Outgoing packet number: 1914287
Secure associations
AN: 0 Status: inuse Create time: 07:33:26
Inbound secure channels
SC Id: 02:00:00:02:01:04/1
Secure associations
AN: 0 Status: inuse Create time: 07:33:26
Interface name: em1
CA name: ca1
Cipher suite: GCM-AES-128 Encryption: on
Key server offset: 0 Include SCI: no
Replay protect: off Replay window: 0
Outbound secure channels
SC Id: 02:00:01:01:01:04/1
Outgoing packet number: 108885
Secure associations
AN: 0 Status: inuse Create time: 07:33:26
Inbound secure channels
SC Id: 02:00:01:02:01:04/1
Secure associations
AN: 0 Status: inuse Create time: 07:33:26To view the MACsec key agreement session information, run the show security mka sessions command.
user@host> show security mka sessions
Interface name: em0
Interface State: Secured - Primary
Member identifier: 7A3FC14B77F5296124A8D22A
CAK name: 12345678
CAK type: primary
Security mode: static
MKA suspended: 0(s)
Transmit interval: 10000(ms)
SAK rekey interval: 0(s)
Preceding Key: enabled
Bounded Delay: disabled
Outbound SCI: 02:00:00:01:01:04/1
Message number: 2713 Key number: 1
MKA ICV Indicator: enabled
Key server: yes Key server priority: 16
Latest SAK AN: 0 Latest SAK KI: 7A3FC14B77F5296124A8D22A/1
MKA Suspend For: disabled MKA Suspend On Request: disabled
Previous SAK AN: 0 Previous SAK KI: 000000000000000000000000/0
Peer list
1. Member identifier: 6A9B3CC75376160D74AAA1E7 (live)
Message number: 2711 Hold time: 57000 (ms)
SCI: 02:00:00:02:01:04/1 Uptime: 07:31:39
Lowest acceptable PN: 1674733
Interface name: em1
Interface State: Secured - Primary
Member identifier: 989CB809BF3759C9EAC10F5A
CAK name: 12345678
CAK type: primary
Security mode: static
MKA suspended: 0(s)
Transmit interval: 10000(ms)
SAK rekey interval: 0(s)
Preceding Key: enabled
Bounded Delay: disabled
Outbound SCI: 02:00:01:01:01:04/1
Message number: 2713 Key number: 1
MKA ICV Indicator: enabled
Key server: yes Key server priority: 16
Latest SAK AN: 0 Latest SAK KI: 989CB809BF3759C9EAC10F5A/1
MKA Suspend For: disabled MKA Suspend On Request: disabled
Previous SAK AN: 0 Previous SAK KI: 000000000000000000000000/0
Peer list
1. Member identifier: 16015BCD3844F12DFA89AB7F (live)
Message number: 2711 Hold time: 57000 (ms)
SCI: 02:00:01:02:01:04/1 Uptime: 07:31:39
Lowest acceptable PN: 111017To view the security status of control and fabric ports. MACsec is enabled for both control port 0 and control port 1, run the show chassis cluster interfaces command.
user@host> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA Security
0 em0 Up Disabled Enabled
1 em1 Up Disabled Enabled
Fabric link status: Up
Fabric interfaces:
Name Child-interface Status Security
(Physical/Monitored)
fab0 et-0/3/0 Up / Up Disabled
fab0 et-0/3/1 Up / Up Disabled
fab1 et-7/3/0 Up / Up Disabled
fab1 et-7/3/1 Up / Up Disabled
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0Configure Static CAK on the Control Port on SRX4600
To configure a CA over a chassis cluster control link on two SRX4600 Firewalls.
Verify MACSEC Configuration
To confirm that the configuration provided in Configure Static CAK on the Control Port on SRX4600 is working properly, perform these tasks:
- Display the Status of Active MACsec Connections on the Device
- Display MACsec Key Agreement (MKA) Session Information
- Verify the MACsec-Secured Traffic Is Traversing Through the Interface
- Verify Chassis Cluster Ports Are Secured with MACsec Configuration
Display the Status of Active MACsec Connections on the Device
Purpose
Verify that MACsec is operational on the chassis cluster setup.
Action
From the operational mode, enter the show security macsec connections interface interface-name command on one or both of the nodes of chassis cluster setup.
{primary:node0}[edit]user@host# show security macsec connectionsInterface name: em0 CA name: ca1 Cipher suite: GCM-AES-128 Encryption: on Key server offset: 0 Include SCI: no Replay protect: off Replay window: 0 Outbound secure channels SC Id: 02:00:00:01:01:04/1 Outgoing packet number: 1 Secure associations AN: 3 Status: inuse Create time: 00:01:43 Inbound secure channels SC Id: 02:00:00:02:01:04/1 Secure associations AN: 3 Status: inuse Create time: 00:01:43
Meaning
The Interface name and CA name outputs show that the MACsec connectivity association is operational on the interface em0. The output does not appear when the connectivity association is not operational on the interface.
Display MACsec Key Agreement (MKA) Session Information
Purpose
Display MACsec Key Agreement (MKA) session information for all interfaces.
Action
From the operational mode, enter the show security mka sessions command.
user@host> show security mka sessions
Interface name: em0
Member identifier: B51CXXXX2678A7F5F6C12345
CAK name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Transmit interval: 10000(ms)
Outbound SCI: 02:00:00:01:01:04/1
Message number: 270 Key number: 8
Key server: yes Key server priority: 16
Latest SAK AN: 3 Latest SAK KI: B51C8XXX2678A7A5B6C54321/8
Previous SAK AN: 0 Previous SAK KI: 000000000000000000000000/0
Peer list
1. Member identifier: 0413427B38817XXXXF054321 (live)
Message number: 8 Hold time: 59000 (ms)
SCI: 02:00:00:02:01:04/1
Lowest acceptable PN: 0
Meaning
The outputs show the status of MKA sessions.
Verify the MACsec-Secured Traffic Is Traversing Through the Interface
Purpose
Verify that traffic traversing through the interface is MACsec-secured.
Action
From the operational mode, enter the show security macsec statistics command.
user@host> show security macsec statistics interface em0 detail
Interface name: em0
Secure Channel transmitted
Encrypted packets: 2397305
Encrypted bytes: 129922480
Protected packets: 0
Protected bytes: 0
Secure Association transmitted
Encrypted packets: 2397305
Protected packets: 0
Secure Channel received
Accepted packets: 2395850
Validated bytes: 0
Decrypted bytes: 131715088
Secure Association received
Accepted packets: 2395850
Validated bytes: 0
Decrypted bytes: 0
Meaning
The Encrypted packets line under the Secure Channel transmitted field are the values incremented each time a packet is sent from the interface that is secured and encrypted by MACsec.
The Accepted packets line under the Secure Association received field are the values incremented each time a packet that has passed the MACsec integrity check is received on the interface. The Decrypted bytes line under the Secure Association received output is incremented each time an encrypted packet is received and decrypted.
Verify Chassis Cluster Ports Are Secured with MACsec Configuration
Purpose
Verify that MACsec is configured on chassis cluster ports.
Action
From operational mode, enter the show chassis cluster interfaces command.
user@host> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA Security
0 em0 Up Disabled Enabled
Fabric link status: Up
Fabric interfaces:
Name Child-interface Status Security
(Physical/Monitored)
fab0 xe-1/1/6 Up / Up Enabled
fab0
fab1 xe-8/1/6 Up / Up Enabled
fab1
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 2
reth2 Down Not configured
reth3 Down Not configured
reth4 Down Not configured
reth5 Down Not configured
reth6 Down Not configured
reth7 Down Not configured
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
Meaning
The Security line under the Control interfaces output for em0 interface shown as Secured means that the traffic sent from the em0 interface is secured and encrypted by MACsec.
You can also use the show chassis cluster status command to display the current status of the chassis cluster.
Platform-Specific MACsec Behavior
Use Feature Explorer to confirm platform and release support for specific features.
Use the following table to review platform-specific behaviors for your platform.
|
Platform |
Difference |
|---|---|
|
SRX Series |
|
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.