mka
Syntax (Junos OS)
mka {
disable-icv-indicator;
key-server-priority priority-number;
must-secure;
transmit-interval interval;
}
Syntax (MX Series)
mka {
bounded-delay;
disable-icv-indicator;
key-server-priority priority-number;
must-secure;
should-secure;
transmit-interval interval;
eapol-address (pae | provider-bridge | lldp-multicast | destination unicast-address);
}
Syntax (SRX Series Firewalls)
mka {
bounded-delay;
disable-icv-indicator;
eapol-address (lldp-multicast | pae | provider-bridge | unicast-address);
key-server-priority key-server-priority;
sak-rekey-interval seconds;
should-secure;
suspend-for;
suspend-on-request;
transmit-interval milliseconds;
}
Syntax (Junos OS Evolved)
mka {
disable-icv-indicator;
eapol-ethertype-profile eapol-profile-name;
key-server-priority priority-number;
must-secure;
transmit-interval interval;
}
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name]
Description
Specify parameters for the MACsec Key Agreement (MKA) protocol. When you enable MACsec using static connectivity association key (CAK) security mode, two devices initially establish a MACsec-secured link using a pre-shared key. Once matching pre-shared keys are successfully exchanged, the MKA protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and it decides which switch on the point-to-point link becomes the key server. The key server then creates a secure association key (SAK) that is shared only with the switch at the other end of the point-to-point link, and that SAK is used to secure all data traffic traversing the link.
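The key-server election described above, shown as an added configuration example that is not part of the original page: both ends share the same pre-shared key and MKA transmit interval, and the device with the lower key-server-priority number becomes the key server. The connectivity association name ca-core, the interface xe-0/0/1, the interval and priority values, and the CKN/CAK placeholders are assumptions.

```junos
/* Constructed example: ca-core, xe-0/0/1 and the CKN/CAK placeholders are assumptions. */
/* Device A: lower key-server-priority number, so it is elected key server. */
security {
    macsec {
        connectivity-association ca-core {
            security-mode static-cak;
            pre-shared-key {
                ckn <CKN-HEX-PLACEHOLDER>;
                cak <CAK-HEX-PLACEHOLDER>;
            }
            mka {
                key-server-priority 0;
                transmit-interval 6000;
                must-secure;
            }
        }
        interfaces {
            xe-0/0/1 {
                connectivity-association ca-core;
            }
        }
    }
}

/* Device B: identical CKN/CAK and transmit-interval, higher priority number. */
security {
    macsec {
        connectivity-association ca-core {
            security-mode static-cak;
            pre-shared-key {
                ckn <CKN-HEX-PLACEHOLDER>;
                cak <CAK-HEX-PLACEHOLDER>;
            }
            mka {
                key-server-priority 32;
                transmit-interval 6000;
                must-secure;
            }
        }
        interfaces {
            xe-0/0/1 {
                connectivity-association ca-core;
            }
        }
    }
}
```

With must-secure set, the interface drops traffic whenever no MKA session is secured, so confirm that the CKN and CAK match on both ends before committing on a link that carries management traffic.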
Options
| eapol-ethertype-profile eapol-profile-name | Apply the profile that sets a custom EtherType for Extensible Authentication Protocol over LAN (EAPoL) to MACsec packets. |
| disable-icv-indicator | Disable the integrity check value (ICV) indicator type, length, and value (TLV) on the MKA protocol. By default, the ICV indicator is enabled. In most networks, devices ignore the ICV TLV when MACsec is configured and establish a MACsec session instead. In networks that do not establish a MACsec session when the ICV TLV is enabled, use this option to disable it and allow the network to establish the MACsec session. |
The remaining statements are explained separately. Click the linked statements in the Syntax section or search CLI Explorer.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X50-D15.
Statement introduced for MX Series routers in Junos OS Release 15.1.
Statement introduced for SRX Series Firewalls in Junos OS Release 15.1X49-D60.
Option eapol-address introduced in Junos OS Release 18.3R1.
Option bounded-delay introduced in Junos OS Release 21.1R1.
Option disable-icv-indicator introduced in Junos OS and Junos OS Evolved Release 23.4R1.
Option eapol-ethertype-profile introduced in Junos OS Evolved Release 25.4R1.