MACsec

  • Automatic adjustment of MTU for MACsec overhead (ACX7100-32C, ACX7100-48L, ACX7332, ACX7348, ACX7509, ACX7024, ACX7024X, PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, and PTX10016)—Use this feature to automatically adjust the maximum transmission unit (MTU) for the Media Access Control Security (MACsec) overhead. Without this feature, you must adjust the interface MTU and the protocol MTU manually.

    Use this feature to ensure the interface or protocol MTU is adjusted properly to account for the MACsec overhead. This feature is disabled by default. To enable this feature, first enable MACsec. Then configure the enable-auto-mtu-update statement at the [edit security macsec] hierarchy level. This feature applies to physical interfaces, logical interfaces, and physical interfaces that are members of aggregated Ethernet interfaces.

    [See Media MTU and Protocol MTU.]

  • MACsec support during GRES and NSR (PTX10004, PTX10008, and PTX10016)—Graceful Routing Engine switchover (GRES) enables a switch or router with redundant Routing Engines to continue forwarding packets, even if one Routing Engine fails. Nonstop active routing (NSR) is an enhancement to GRES that does not rely on helper routers (or switches) to assist the routing platform in restoring routing protocol information. You can configure MACsec to provide uninterrupted MACsec service and secure your traffic during a Routing Engine switchover.

    [See Configuring Advanced MACsec Features.]

  • Support for a custom EAPoL EtherType to improve network tunneling of MACsec packets for Layer 2 traffic (PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, and PTX10016)—MACsec uses Extensible Authentication Protocol over LAN (EAPoL) as a transport protocol to establish sessions. Some networks filter packets based on their EtherType value. By default, the EtherType for all EAPoL packets is 0x888e. To ensure the network tunnels the MACsec packets properly, you can set a custom EtherType for EAPoL packets.

    To configure an EAPoL profile with a custom EtherType, use the ether-type ether-type-value statement at the [edit forwarding-options custom-eapol-ether-type-profiles (EAPOL_ETHERTYPE1 | EAPOL_ETHERTYPE2)] hierarchy level. By default, the EtherType value for the EAPOL_ETHERTYPE1 profile is 0x876f and the EtherType value for the EAPOL_ETHERTYPE2 profile is 0xb860. If you configure a different value, you must use an EtherType that isn't already reserved for another use. To apply the EtherType to MACsec packets, configure the eapol-ethertype-profile eapol-profile-name statement at the [edit security macsec connectivity-association ca-name mka] hierarchy level.

    [See Media Access Control Security (MACsec) over WAN, custom-eapol-ethertype-profiles, and mka.]
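
As an added illustration of the EtherType filtering concern above (not Juniper code), this Python sketch classifies Ethernet frames by EtherType and reports which MACsec-related frame classes a path that permits only certain EtherTypes would drop. The 0x88e5 MACsec and VLAN tag values are standard IEEE values not stated on this page; the helper names, the sample frames, and the assumption that the path filters on the EtherType after any VLAN tags are constructed for the example.

```python
import struct

# EtherType values stated on the page
EAPOL_DEFAULT = 0x888E
PROFILE_DEFAULTS = {"EAPOL_ETHERTYPE1": 0x876F, "EAPOL_ETHERTYPE2": 0xB860}
# Standard IEEE values (not from the page): 802.1AE MACsec, 802.1Q/802.1ad VLAN tags
MACSEC = 0x88E5
VLAN_TPIDS = {0x8100, 0x88A8}


def ethertype(frame: bytes) -> int:
    """Return the EtherType after skipping any VLAN tags."""
    offset = 12  # destination MAC (6) + source MAC (6)
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype
        offset += 4  # skip TPID (2) + TCI (2)


def classify(frame: bytes, profiles=PROFILE_DEFAULTS) -> str:
    """Label a frame as default EAPoL, custom-profile EAPoL, MACsec data, or other."""
    etype = ethertype(frame)
    if etype == EAPOL_DEFAULT:
        return "eapol-default"
    for name, value in profiles.items():
        if etype == value:
            return f"eapol-custom:{name}"
    return "macsec-data" if etype == MACSEC else "other"


def dropped_by(frames, allowed_ethertypes):
    """Frame classes that a path permitting only allowed_ethertypes would drop (assumed filter model)."""
    return sorted({classify(f) for f in frames if ethertype(f) not in allowed_ethertypes})


def build(etype: int, vlan=None) -> bytes:
    """Constructed sample frame: fixed MACs, optional 802.1Q tag, dummy payload."""
    hdr = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + b"\x00" * 46
```

Running `dropped_by` over a capture from each side of the tunnel shows whether session establishment frames with the configured EtherType survive the path.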