macsec
Syntax
macsec {
    connectivity-association connectivity-association-name {
        exclude-protocol protocol-name;
        include-sci;
        mka {
            must-secure;
            key-server-priority priority-number;
            transmit-interval interval;
        }
        no-encryption;
        offset (0|30|50);
        pre-shared-key {
            cak hexadecimal-number;
            ckn hexadecimal-number;
        }
        replay-protect {
            replay-window-size number-of-packets;
        }
        secure-channel secure-channel-name {
            direction (inbound | outbound);
            encryption (MACsec);
            id {
                mac-address mac-address;
                port-id port-id-number;
            }
            offset (0|30|50);
            security-association security-association-number {
                key key-string;
            }
        }
        security-mode security-mode;
    }
    interfaces interface-name {
        connectivity-association connectivity-association-name;
    }
}
Syntax (MX Series)
macsec {
    connectivity-association connectivity-association-name {
        cipher-suite encryption-algorithm-name;
        exclude-protocol protocol-name;
        pre-shared-key-chain macsec-pre-shared-key-chain-name;
        include-sci;
        mka {
            key-server-priority priority-number;
            must-secure;
            should-secure;
            transmit-interval interval;
        }
        no-encryption;
        offset (0|30|50);
        pre-shared-key {
            cak hexadecimal-number;
            ckn hexadecimal-number;
        }
        replay-protect {
            replay-window-size number-of-packets;
        }
        secure-channel secure-channel-name {
            direction (inbound | outbound);
            encryption ;
            id {
                mac-address mac-address;
                port-id port-id-number;
            }
            offset (0|30|50);
            security-association security-association-number {
                key key-string;
            }
        }
        security-mode security-mode;
    }
    enable-auto-mtu-update;
    interfaces interface-name {
        connectivity-association connectivity-association-name;
    }
}
Syntax (SRX Series Firewalls)
macsec {
    cluster-control-port <idx> {
        connectivity-association connectivity-association-name;
    }
    cluster-data-port interface-name {
        connectivity-association connectivity-association-name;
    }
    connectivity-association connectivity-association-name {
        exclude-protocol protocol-name;
        include-sci;
        mka {
            key-server-priority priority-number;
            must-secure;
            transmit-interval milliseconds;
        }
        no-encryption;
        offset (0|30|50);
        pre-shared-key {
            cak hexadecimal-number;
            ckn hexadecimal-number;
        }
        replay-protect {
            replay-window-size number-of-packets;
        }
        security-mode security-mode;
    }
    traceoptions (Chassis Cluster) {
        file {
            filename;
            files number;
            match regular-expression;
            (world-readable | no-world-readable);
            size maximum-file-size;
        }
        flag flag;
    }
}
Hierarchy Level
[edit security]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Configure Media Access Control Security (MACsec). MACsec is supported on control and fabric ports of SRX340, SRX345, and SRX4600 devices in chassis cluster mode to secure point-to-point Ethernet links between the peer devices in a cluster. Each point-to-point Ethernet link that is to be secured with MACsec must be configured independently. You can enable MACsec encryption on device-to-device links using static connectivity association key (CAK) security mode.
Options
| cluster-control-port <idx> | Specify chassis cluster control interface on which MACsec is enabled. |
| cluster-data-port interface-name | Specify chassis cluster fabric interface on which MACsec is enabled. |
| connectivity-association | Create or configure a MACsec connectivity association. |
| enable-auto-mtu-update | Enable the device to automatically adjust the MTU on protocols under logical interfaces to include the MACsec header. |
| traceoptions | Define MACsec configuration tracing operations. |
The remaining statements are explained separately. See CLI Explorer.
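An added example, not part of Juniper's documentation: a small Python check that walks a macsec stanza laid out as in the SRX syntax above and reports connectivity associations that set no-encryption or lack must-secure or replay-protect, plus tracing that is still enabled. The sample configuration, the names ca-ctl, ca-fab, ge-0/0/2 and macsec-trace, and the policy of what counts as a finding are assumptions of this example; the input is assumed to start at the macsec stanza.

```python
import re

# Constructed sample of the SRX hierarchy above; names are made up, keys omitted.
SAMPLE = """
macsec {
    cluster-control-port 0 { connectivity-association ca-ctl; }
    cluster-data-port ge-0/0/2 { connectivity-association ca-fab; }
    connectivity-association ca-ctl {
        security-mode static-cak;
        mka { must-secure; }
        replay-protect { replay-window-size 0; }
    }
    connectivity-association ca-fab { security-mode static-cak; no-encryption; }
    traceoptions {
        file { macsec-trace; world-readable; }
        flag all;
    }
}
"""

def statements(text):
    """Return (path, statement) pairs; a block opener is listed under its parent."""
    path, out = [], []
    for body, delim in re.findall(r"([^{};]*)([{};])", text):
        body = " ".join(body.split())
        if delim != "}" and body:
            out.append((tuple(path), body))
        if delim == "{":
            path.append(body)
        elif delim == "}" and path:
            path.pop()
    return out

def audit(text):
    """Flag settings this example treats as weak (an assumed policy, not Juniper's)."""
    stmts, findings = statements(text), []
    top = [s for p, s in stmts if p == ("macsec",)]
    for ca in (s for s in top if s.startswith("connectivity-association ")):
        inside = {s for p, s in stmts if p[1:2] == (ca,)}
        if "no-encryption" in inside:
            findings.append((ca.split()[1], "no-encryption set"))
        for want in ("must-secure", "replay-protect"):
            if want not in inside:
                findings.append((ca.split()[1], want + " missing"))
    if "traceoptions" in top:
        findings.append(("traceoptions", "tracing still enabled"))
    if any(p[1:2] == ("traceoptions",) and s == "world-readable" for p, s in stmts):
        findings.append(("traceoptions", "trace file is world-readable"))
    return findings
```

Calling audit(SAMPLE) returns a list of (location, finding) pairs; an empty list means none of the checked conditions were found.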
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X50-D15.
Statement introduced in SRX Series Firewalls in Junos OS Release 15.1X49-D60.
enable-auto-mtu-update option introduced in Junos OS Release 25.2R1.