Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

suspend-for

Syntax

Hierarchy Level

Description

Configure the suspend-for statement to maintain non-stop MACsec service during graceful routing engine switchover (GRES).

The MACsec Key Agreement (MKA) protocol maintains the MACsec session between two nodes on a point-to-point MACsec link. The MKA protocol works at the control plane level between the two nodes. When you configure the suspend-for statement on the local node, in the event of an RE switchover, it sends a request to the remote peer node to suspend the MACsec session at the control plane. The suspension lasts for 120 seconds.

At the data plane, traffic continues to traverse the point-to-point link during suspension. The secure association key (SAK) that was programmed prior to suspension remains in use until the switchover is complete. After the switchover, the key server generates a new SAK to secure the link. The key server will continue to periodically create and share a SAK over the link for as long as MACsec is enabled.

Default

You must configure the suspend-for statement to enable this feature. It is not enabled by default. If this statement is not configured, in the event of an RE switchover, the MACsec session is terminated, resulting in traffic loss during the switchover.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 21.2R1.

Related Documentation