Understanding Media Access Control Security on a Junos Fusion Enterprise

Media Access Control Security (MACsec) is widely used in campus deployments to secure network traffic between endpoints and access switches. You can enable MACsec on extended ports in a Junos Fusion Enterprise topology to provide secure communication between the satellite device and connected hosts.

MACsec Overview

MACsec is an IEEE 802.1AE industry-standard security technology that provides secure communication on Ethernet links between directly connected nodes. MACsec is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec provides point-to-point integrity and can be used in combination with other security solutions, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.

See Understanding Media Access Control Security (MACsec) for a detailed overview of MACsec.

Enabling MACsec in a Junos Fusion Enterprise

To enable MACsec on a link connecting an endpoint device—such as a server, phone, or personal computer—to an extended port in a Junos Fusion Enterprise, the endpoint device must support MACsec and must be running client software that allows it to enable a MACsec-secured connection. A secure association using dynamic secure association security mode (dynamic SAK) must be configured on the extended port that connects to the host. The secure association keys are retrieved from the RADIUS server as part of the 802.1X authentication process. The keys are exchanged between the MACsec peers to create a secure connection.

MACsec configuration in a Junos Fusion is done on the aggregation device and is identical to the configuration for a standalone EX Series switch. See Configuring MACsec on EX, QFX and SRX Devices.
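
The following set-format sketch is an added illustration, not taken from the original page. It shows the pieces described above as they would be entered on the aggregation device: an 802.1X authenticator backed by RADIUS, and a MACsec connectivity association in dynamic security mode bound to the extended port. The interface name `ge-100/0/1`, the names `CA-DYNAMIC` and `DOT1X-RADIUS`, the server address `192.0.2.10`, and the secret placeholder are assumptions.

```junos
# Constructed example: every name, address and interface below is a placeholder.

# RADIUS server and access profile used by 802.1X authentication
set access radius-server 192.0.2.10 secret "<radius-shared-secret>"
set access profile DOT1X-RADIUS authentication-order radius
set access profile DOT1X-RADIUS radius authentication-server 192.0.2.10

# 802.1X authenticator on the extended port that faces the MACsec-capable host
set protocols dot1x authenticator authentication-profile-name DOT1X-RADIUS
set protocols dot1x authenticator interface ge-100/0/1 supplicant single

# MACsec in dynamic security mode: keys come from the 802.1X exchange,
# so no pre-shared CAK is configured on the switch side
set security macsec connectivity-association CA-DYNAMIC security-mode dynamic
set security macsec interfaces ge-100/0/1 connectivity-association CA-DYNAMIC
```

After the commit, `show dot1x interface`, `show security mka sessions`, and `show security macsec connections` on the aggregation device indicate whether authentication, key agreement, and the secure channel came up on the extended port.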


When MACsec is enabled in a Junos Fusion with dual aggregation devices, the exchange of EAPoL packets that takes place during the 802.1X authentication session is limited to one aggregation device (AD). The MKA protocol is triggered only on that AD, and the keys generated by MKA are not synced across the ADs. If the AD on which the keys are generated fails, then the MACsec sessions must be re-authenticated using the other AD.