



Hierarchy Level


Configure a timer-based refresh of the secure association key (SAK) on a MACsec-secured link. This ensures that the SAK is frequently updated, making it less vulnerable to attack.

In static CAK mode, the SAK is generated by the key server and is periodically refreshed. By default, the refresh interval is based on packet counter movement. Depending on the amount of traffic and the speed of the interface, it might take a long time for a new SAK to be generated, which can leave enough time for a successful attack on the key. You can enhance the security of the SAK by configuring a shorter timer-based refresh interval.

When the MACsec session is live with a primary, preceding, or fallback PSK, or with a key from a key-chain, the SAK is refreshed at the configured interval regardless of key type. The rollover is hitless: no traffic is dropped at the time of the SAK rollover. The PSK is refreshed periodically after every configured SAK refresh interval.

When an XPN cipher suite is configured, the refresh interval configured in the key server takes precedence over the refresh interval configured in the non-key server, even if the interval configured in the non-key server is lower.


The SAK refresh interval is not enabled by default.



The length of the SAK refresh interval in seconds.

  • Range: 60 through 86,400 seconds

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.3R1.