MACsec

Support for a custom EAPoL EtherType to improve network tunneling of MACsec packets for Layer 2 and Layer 3 traffic (PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, and PTX10016)—MACsec uses Extensible Authentication Protocol over LAN (EAPoL) as a transport protocol to establish sessions. Some networks filter packets based on their EtherType value. By default, the EtherType for all EAPoL packets is 0x888e. To ensure the network tunnels the MACsec packets properly, you can set a custom EtherType for EAPoL packets.

To configure an EAPoL profile with a custom EtherType, use the ether-type ether-type-value statement at the [edit forwarding-options custom-eapol-ether-type-profiles (EAPOL_ETHERTYPE1 | EAPOL_ETHERTYPE2)] hierarchy level. By default, the EtherType value for the EAPOL_ETHERTYPE1 profile is 0x876f and the EtherType value for the EAPOL_ETHERTYPE2 profile is 0xb860. If you configure a different value, you must use an EtherType that isn't already reserved for another use. To apply the EtherType to MACsec packets, configure the eapol-ethertype-profile eapol-profile-name statement at the [edit security macsec connectivity-association ca-name mka] hierarchy level.

To view the new EtherType profile, use the show security mka sessions detail command.

[See Media Access Control Security (MACsec) over WAN.]