encryption (MACsec for MX Series)
Syntax
encryption;
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name]
Description
Enable MACsec encryption within a secure channel.
You can enable MACsec without enabling encryption. If a connectivity association whose secure channel does not have MACsec encryption enabled is associated with an interface, traffic is forwarded across the Ethernet link in clear text, so you can view this unencrypted traffic when you monitor the link. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure that the traffic has not been tampered with and does not represent a security threat.
Traffic traverses a MACsec-enabled point-to-point Ethernet link at the same speed regardless of whether encryption is enabled or disabled. You cannot increase the speed of traffic traversing a MACsec-enabled Ethernet link by disabling encryption.
This command is used to enable encryption only when MACsec is configured using secure association key (SAK) security mode. When MACsec is configured using static connectivity association key (CAK) security mode, the encryption setting is configured outside of the secure channel using the no-encryption configuration statement.
Default
By default, MACsec encryption is disabled when MACsec is configured using static SAK security mode.
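Because encryption is off by default in static SAK mode, a secure channel that omits the statement forwards clear text with no error. The following audit script is an added example, not Juniper code: it scans configuration in set-command form and reports interfaces bound to such a connectivity association. The names ca-sak, ca-cak, sc-in, sc-out and the interface names are constructed, and the script assumes that no-encryption sits directly under the connectivity association.

```python
import re
from collections import defaultdict

# Constructed sample in Junos set-command form; all names are made up.
SAMPLE_CONFIG = """\
set security macsec connectivity-association ca-sak security-mode static-sak
set security macsec connectivity-association ca-sak secure-channel sc-in direction inbound
set security macsec connectivity-association ca-sak secure-channel sc-in encryption
set security macsec connectivity-association ca-sak secure-channel sc-out direction outbound
set security macsec connectivity-association ca-cak security-mode static-cak
set security macsec connectivity-association ca-cak no-encryption
set security macsec interfaces xe-0/1/0 connectivity-association ca-sak
set security macsec interfaces xe-0/1/1 connectivity-association ca-cak
"""

CA_RE = re.compile(r"^set security macsec connectivity-association (\S+) (.+)$")
IF_RE = re.compile(r"^set security macsec interfaces (\S+) connectivity-association (\S+)$")

def audit_macsec(config_text):
    """Return sorted (interface, ca, finding) tuples for links that carry clear text."""
    mode = {}                      # ca -> security-mode value
    channels = defaultdict(dict)   # ca -> {secure-channel name: encryption enabled?}
    no_encryption = set()          # CAs with no-encryption set (static CAK case)
    bindings = []                  # (interface, ca) pairs
    for line in config_text.splitlines():
        line = line.strip()
        if m := IF_RE.match(line):
            bindings.append(m.groups())
        elif m := CA_RE.match(line):
            ca, rest = m.group(1), m.group(2).split()
            if rest[0] == "security-mode" and len(rest) > 1:
                mode[ca] = rest[1]
            elif rest[0] == "no-encryption":
                no_encryption.add(ca)
            elif rest[0] == "secure-channel" and len(rest) > 1:
                sc = rest[1]  # remember the channel; mark it once "encryption" is seen
                channels[ca][sc] = channels[ca].get(sc, False) or rest[2:] == ["encryption"]
    findings = []
    for ifname, ca in bindings:
        if mode.get(ca) == "static-sak":
            for sc, encrypted in channels[ca].items():
                if not encrypted:
                    findings.append((ifname, ca, f"secure-channel {sc}: encryption not set"))
        elif ca in no_encryption:  # encryption controlled outside the secure channel
            findings.append((ifname, ca, "no-encryption set"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_macsec(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```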
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1.