
MACsec

  • Support for MACsec features over WAN (SRX1600, SRX4120, and SRX2300)—Configure Media Access Control Security (MACsec) on logical interfaces to extend the benefits of hop-to-hop MACsec security to point-to-point security. Use MACsec features on logical interfaces to establish more secure VLAN-level MACsec connections in enterprise WAN and service provider networks. When these devices are in routing mode, they support:

    • Custom EAPoL destination MAC address for unicast MAC multicast, PAE, provider bridge, and LLDP multicast

    • MACsec on logical interfaces for Layer 2 or Layer 3 with VLAN tagging

    • Single-tagged VLAN IDs in clear text to support VLAN-level MACsec

    • GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, GCM-AES-XPN-256 cipher suites

    • Unencrypted MACsec

    • Static CAK security mode

    • MACsec using pre-shared key (PSK) hitless rollover keychain

    • Boundary delay

    • 802.1X authentication (dot1x protocol) for improved security

    • Fail-open mode (should-secure) and must-secure mode (default). The must-secure and should-secure configurations are mutually exclusive: configure only one of them on a given physical interface for its MACsec logical interface sessions. You can, however, configure different options on different physical interfaces.

    Before configuring these features, ensure there is Layer 2 adjacency between the customer edge devices. Then, enable MACsec on a logical interface using the unit unit-number option at the [edit security macsec interface interface-name] hierarchy level.

    [See Configuring MACsec, Media Access Control Security (MACsec) over WAN, and Configuring Advanced MACsec Features.]