Configuring and Managing MACsec Profiles

From the Manage MACsec Profile page of the Network Director UI, you can create and manage MACsec profiles that specify MACsec settings for the extended ports of the aggregation device in a Junos Fusion Enterprise device. From the Manage MACsec Profile page, you can:

  • Create a new MACsec profile by clicking Add.

  • Modify an existing MACsec profile by selecting the profile and clicking Edit.

  • Assign a profile to extended ports by selecting the profile and clicking Assign.

  • Change current assignments for a profile by selecting the profile and clicking Edit Assignment.

  • Delete a MACsec profile by selecting the profile and clicking Delete.

  • Clone an existing MACsec profile by selecting the profile and clicking Clone.

  • View information about a profile by selecting the profile and clicking Details.

Table 1 describes the information provided about wired MACsec profiles on the Manage MACsec Profiles page. This page lists all the MACsec profiles defined for the Junos Fusion Enterprise device, regardless of the scope you selected in the network view.

Table 1: Managing MACsec Profile Fields

Field

Description

Profile Name

Name of the profile.

Connection Association Name

Name of the MACsec connectivity association.

Description

Description of the profile.

MACsec Mode

The security mode in which MACsec is enabled on the device: static secure association key (static-SAK) mode or static connectivity association key (static-CAK) mode.

Assignment State

Profile assignment state. One of the following:

  • Deployed—The profile has been assigned and the configuration has been deployed on the devices.

  • Pending Deployment—The profile has been assigned or its previous assignments have been changed, but the new or modified configuration has not yet been deployed on the devices.

  • Unassigned—The profile has not yet been assigned.

User Name

The username of the user who created or modified the profile.


Creating a MACsec Profile

To create a MACsec profile:

  1. Under Views, select one of these options: Logical View, Location View, Device View, or Custom Group View.
    Tip:

    Do not select Dashboard View or Topology View.

  2. Click in the Network Director banner.
  3. In the Tasks pane, expand Wired, expand Profiles, and then select MACsec.

    The Manage MACsec Profile page appears, displaying the list of currently configured MACsec profiles.

  4. Click Add to add a new profile.

    The Create MACsec Profile page appears.

  5. Enter the MACsec settings described in Specifying Settings for a MACsec Profile.
  6. Click Done.

Specifying Settings for a MACsec Profile

Table 2 describes the MACsec Profile settings. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

Table 2: MACsec Profile Settings

Field

Action

Profile Name

Type the name of the profile.

Description

Type a description of the profile.

Family type

The device family on which the profile was created: Campus Switching ELS or Data Center Switching ELS.

Connection Association Name

Type the name for the MACsec connectivity association.

MACsec Mode

Select the security mode in which MACsec is enabled on the device: static secure association key (static-SAK) mode or static connectivity association key (static-CAK) mode.

CAK Settings

If you want to enable MACsec by using the CAK mode, configure the CAK settings specified in Table 3.

SAK Settings

If you want to enable MACsec by using the SAK mode, configure the SAK settings specified in Table 4 for the inbound and outbound secure channels.

Table 3: CAK Settings

Field

Description

Connectivity Association Key Name

Type a name for the connectivity association key that you want to use for enabling MACsec.

Connectivity Association Key

Specify the key to exchange with the other end of the link on the secure channel. You must use a hexadecimal string of 32 digits.

Confirm Connectivity Association Key

Specify the connectivity association key again. If the two connectivity association keys do not match, an error message is shown.

Enable Include Secure Channel Identifier

Enable Secure Channel Identifier (SCI) tagging on a device that is enabling MACsec on an Ethernet link connected to a Junos Fusion Enterprise device.

Key Server Priority

Specify the MACsec Key Agreement (MKA) server election priority number. You can specify a value between 0 and 255. The lower the number, the higher the priority.

Transmit Interval (milli sec)

Specify the transmit interval for MACsec Key Agreement (MKA) protocol data units (PDUs). The MKA transmit interval sets how often an MKA PDU is sent to the directly connected device to maintain MACsec on a point-to-point Ethernet link. A lower interval increases bandwidth overhead on the link; a higher interval reduces the overhead of the MKA PDU exchange.

The default transmit interval is 2000 milliseconds.

Disable Encryption

Select this option if you want to disable the MACsec encryption for a connectivity association that has MACsec already enabled on it.

Offset

Specify the offset, 0, 30, or 50, applied to all packets traversing the link. The default offset is 0. When encryption is enabled and no offset is set, all traffic in the connectivity association is encrypted.

When the offset is set to 30, the IPv4 header and the TCP/UDP header are sent unencrypted and the rest of the frame is encrypted.

When the offset is set to 50, the IPv6 header and the TCP/UDP header are sent unencrypted and the rest of the frame is encrypted.

You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

Replay Window Size

Specify the size of the replay protection window.

Note:

When this variable is set to 0, all packets that arrive out-of-order are dropped.

Exclude Protocols

Specify the name of the protocol that should not be MACsec-secured. Options include:

  • cdp—Cisco Discovery Protocol.

  • lacp—Link Aggregation Control Protocol.

  • lldp—Link Layer Discovery Protocol.

Cipher Suite

Specify the cipher suite for creating the MACsec profile.

Table 4: SAK Settings

Field

Description

Secure Channel name

Type a name for the secure channel.

MAC address

Specify a MAC address on which you want to enable MACsec using static secure association key (SAK) security mode. The mac-address variables must match on the sending and receiving ends of a link to enable MACsec using static SAK security mode.

Port

Specify the port ID number in a secure channel when enabling MACsec using static secure association key (SAK) security mode. The port IDs must match on a sending and receiving secure channel on each side of a link to enable MACsec.

After the port numbers match, MACsec is enabled for all traffic on the connection.

Enable Encryption

Select this option if you want to enable MACsec encryption within an outbound secure channel.

Note:

You can enable MACsec without enabling encryption. If a connectivity association with an outbound secure channel that has not enabled MACsec encryption is associated with an interface, traffic is forwarded across the Ethernet link in clear text. You are, therefore, able to view this unencrypted traffic when you are monitoring the link.

Offset

Specify the number of octets in an Ethernet frame that you want to send in unencrypted plain-text when encryption is enabled for MACsec.

Setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the remaining traffic. Setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the remaining traffic.

Secure Association

Specify the secure association keys corresponding to the secure association number. The key string is a 32-digit hexadecimal number.

Re-enter the secure association key for every secure association number. If a secure association key does not match its confirmation key, an error message is shown.
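As an added illustration (not part of the Network Director documentation or its code), the following Python checks a profile description against the constraints Tables 3 and 4 state: 32-digit hexadecimal keys with a matching confirmation, key server priority between 0 and 255, an offset of 0, 30, or 50, and recognized exclude protocols. It also flags the settings that leave frame contents or ordering unprotected (a non-zero offset, disabled encryption, a replay window of 0). The dictionary keys and the sample key values are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed example; the dictionary keys are assumptions for this
# illustration, not Network Director's own API.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")   # CAK and SAK keys: 32 hex digits
VALID_OFFSETS = {0, 30, 50}                # 0 = encrypt the whole frame
EXCLUDABLE = {"cdp", "lacp", "lldp"}       # protocols allowed to bypass MACsec

def _check_key(label: str, key: str, confirm: str, errs: List[str]) -> None:
    """Both CAK and SAK keys must be 32 hex digits and match their confirmation."""
    if not HEX32.match(key or ""):
        errs.append(f"{label}: key must be a 32-digit hexadecimal string")
    elif key != confirm:
        errs.append(f"{label}: key and its confirmation do not match")

def validate(p: Dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); an empty error list means the profile is consistent."""
    errs, warns = [], []
    offset = p.get("offset", 0)
    if offset not in VALID_OFFSETS:
        errs.append(f"offset must be 0, 30 or 50, got {offset}")
    elif offset:
        warns.append(f"offset {offset}: IP and TCP/UDP headers cross the link in clear text")
    if p.get("replay_window") == 0:
        warns.append("replay window 0: every out-of-order frame is dropped")
    if p.get("disable_encryption"):
        warns.append("encryption disabled: frames are integrity-protected only and readable on the link")
    mode = p.get("mode")
    if mode == "static-cak":
        _check_key("CAK", p.get("cak"), p.get("cak_confirm"), errs)
        prio = p.get("key_server_priority", 16)
        if not 0 <= prio <= 255:
            errs.append("key server priority must be 0-255 (lower value wins the election)")
        errs += [f"unknown exclude protocol {x}" for x in p.get("exclude_protocols", []) if x not in EXCLUDABLE]
    elif mode == "static-sak":
        for ch in p.get("channels", []):            # inbound and outbound secure channels
            for san, key in ch.get("keys", {}).items():
                _check_key(f"{ch['name']} SA {san}", key, ch.get("confirm_keys", {}).get(san), errs)
    else:
        errs.append(f"unknown MACsec mode {mode!r}")
    return errs, warns

# Constructed sample profile (the key is a placeholder, not a real secret)
SAMPLE_CAK_PROFILE = {
    "mode": "static-cak", "cak": "0123456789abcdef0123456789abcdef",
    "cak_confirm": "0123456789abcdef0123456789abcdef", "key_server_priority": 1,
    "offset": 30, "replay_window": 0, "exclude_protocols": ["lldp"],
}
```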

What to Do Next

After you create the MACsec profile, you must assign the profile to the Junos Fusion Enterprise satellite device by using the Manage MACsec Profile page and then deploy the device profile by using the Deploy mode.

To assign a MACsec Settings profile to a device, see Assigning the MACsec Profiles. For information about deploying the configurations, see Deploying Configuration to Devices.

Note:

You can assign the MACsec profile to the extended ports on the Junos Fusion Enterprise aggregation device.

In the CAK mode, if you change the connectivity association key name of a deployed MACsec profile, you must reconfigure the connectivity association key and the confirmation key for that profile. Similarly, in the SAK mode, if you change the inbound or outbound channel names of a deployed MACsec profile, you must reconfigure the key and the confirmation key for that profile.