suspend-for

Syntax

Hierarchy Level

Description

Configure the suspend-for statement to maintain non-stop MACsec service during graceful routing engine switchover (GRES).

The MACsec Key Agreement (MKA) protocol maintains the MACsec session between two nodes on a point-to-point MACsec link. The MKA protocol works at the control plane level between the two nodes. With GRES for MACsec is enabled, when one node initiates an RE switchover, it sends an MKA hello packet with a suspension request to the peer node. The peer node suspends the MACsec session at the control plane. The length of the suspension is 120 seconds.

At the data plane, traffic continues to traverse the point-to-point link during suspension. The secure association key (SAK) that was programmed prior to suspension remains in use until the switchover is complete. After the switchover, the key server generates a new SAK to secure the link. The key server will continue to periodically create and share a SAK over the link for as long as MACsec is enabled.

On a point-to-point MACsec link between two nodes, you must configure the suspend-for statement on the node that initiates GRES. For example, on a link between Node A and Node B, if Node A initiates GRES, the suspend-for statement must be configured on Node A.

In addition to configuring the suspend-for statement, you must also configure GRES and non-stop routing on the node that initiates GRES. Use the following commands:

• set chassis redundancy graceful-switchover

• set routing-options nonstop-routing

Default

You must configure the suspend-for statement to enable this feature. It is not enabled by default. If this statement is not configured, when one node on a MACsec link begins GRES, it terminates the MACsec sessions on both nodes, resulting in traffic loss during the switchover.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 21.2R1.