Media Access Control Security (MACsec) on Chassis Cluster

17-Jan-24

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. For more information, see the following topics:

Understanding Media Access Control Security (MACsec)

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

Starting in Junos OS Release 15.1X49-D60, Media Access Control Security (MACsec) is supported on the control and fabric ports of SRX340 and SRX345 devices in chassis cluster mode.

Starting in Junos OS Release 20.1R1, MACsec is supported on control ports, fabric ports and revenue ports of SRX380 devices in chassis cluster mode to secure the traffic. MACsec is supported on 16X1Gigabit Ethernet ports (ge-0/0/0 to ge-0/0/15) and 4X10Gigabit Ethernet ports (xe-0/0/16 to xe-0/0/19).

Starting in Junos OS Release 17.4R1, MACsec is supported on HA control and fabric ports of SRX4600 devices in chassis cluster mode.

For SRX1600, SRX2300, and SRX4300 devices, MACsec is supported on dual control ports in chassis cluster mode.

This topic contains the following sections:

How MACsec Works

To determine if a feature is supported by a specific platform or Junos OS release, see Feature Explorer.

MACsec provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys. When you enable MACsec using static connectivity association key (CAK) security mode, user-configured pre-shared keys are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link.

Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

MACsec can also be used to encrypt all traffic on the Ethernet link. The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link.

Encryption is enabled for all traffic entering or leaving the interface when MACsec is enabled using static CAK security mode, by default.

MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each point-to-point Ethernet link.
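To make the 8-byte header and 16-byte tail concrete, the following Python parser builds and decodes a MACsec frame using the IEEE 802.1AE SecTAG layout (EtherType 0x88E5, TCI/AN byte, Short Length byte, 4-byte packet number, optional 8-byte SCI, protected payload, 16-byte ICV). It is an added example, not Juniper code; the MAC addresses and payload are constructed, and the ICV is a zeroed placeholder rather than a real GCM-AES tag, since only the frame layout is being shown. A receiving interface drops any frame the parser would reject.

```python
"""Build and parse the MACsec security tag (SecTAG) and ICV of an Ethernet frame.

Added example, not Juniper code. Layout per IEEE 802.1AE; the ICV written by
build_macsec_frame is a placeholder of zero bytes, not a computed GCM-AES tag.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16          # the 16-byte tail
BASE_SECTAG_LEN = 8   # EtherType + TCI/AN + SL + PN, without SCI

# Bit positions inside the TCI/AN byte; the low two bits carry the AN.
TCI_VERSION, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04

DST = bytes.fromhex("020000020104")   # constructed sample MAC addresses
SRC = bytes.fromhex("020000010104")
SAMPLE_PAYLOAD = bytes(range(46))     # 46 octets of constructed user data


def build_macsec_frame(dst, src, pn, payload, an=0, encrypted=True, sci=None):
    """Prepend a SecTAG to 'payload' and append a zeroed ICV placeholder."""
    tci_an = (an & 0x03) | ((TCI_E | TCI_C) if encrypted else 0)
    if sci is not None:
        tci_an |= TCI_SC                      # SCI explicitly carried in the header
    short_len = len(payload) if len(payload) < 48 else 0   # SL only for short user data
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, short_len, pn)
    if sci is not None:
        sectag += sci
    return dst + src + sectag + payload + bytes(ICV_LEN)


def parse_macsec_frame(frame):
    """Return the SecTAG fields, protected payload and ICV of a MACsec frame.

    Raises ValueError for frames that are not well-formed MACsec frames."""
    if len(frame) < 12 + BASE_SECTAG_LEN + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci_an & TCI_VERSION:
        raise ValueError("unknown MACsec version")
    if sl & 0xC0:
        raise ValueError("reserved SL bits set")
    has_sci = bool(tci_an & TCI_SC)
    header_len = BASE_SECTAG_LEN + (8 if has_sci else 0)
    sci = frame[20:28] if has_sci else None
    body = frame[12 + header_len:]
    if len(body) < ICV_LEN:
        raise ValueError("frame too short for the ICV")
    payload, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    short_len = sl & 0x3F
    if short_len and len(payload) != short_len:
        raise ValueError("payload length does not match SL")
    return {
        "dst": frame[:6], "src": frame[6:12],
        "header_len": header_len, "an": tci_an & 0x03, "pn": pn,
        "encrypted": bool(tci_an & TCI_E), "changed_text": bool(tci_an & TCI_C),
        "sci": sci, "payload": payload, "icv": icv,
    }


if __name__ == "__main__":
    frame = build_macsec_frame(DST, SRC, pn=1000, payload=SAMPLE_PAYLOAD)
    info = parse_macsec_frame(frame)
    print(f"SecTAG {info['header_len']} bytes, PN {info['pn']}, AN {info['an']}, "
          f"encrypted={info['encrypted']}, ICV {len(info['icv'])} bytes")
```

With encryption disabled (the no-encryption option later in this document) the E and C bits are clear and the payload travels in clear text, but the SecTAG and ICV are still present and still checked by the receiver.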

Understanding Connectivity Associations and Secure Channels

MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.

When you enable MACsec using static CAK or dynamic security mode, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically-created secure channels do not have any user-configurable parameters; all configuration is done in the connectivity association outside of the secure channels.

Understanding Static Connectivity Association Key Security Mode

When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association key name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters that cannot already be configured in the connectivity association.

We recommend enabling MACsec using static CAK security mode. Static CAK security mode ensures security by frequently refreshing to a new random security key and by only sharing the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are only available when you enable MACsec using static CAK security mode.

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, for SRX Series Firewalls supporting MACsec on HA control and fabric links, if the command restart 802.1x-protocol-daemon is run on the primary node, the chassis cluster control and fabric links will flap, causing the cluster nodes to enter split-brain mode.

MACsec Considerations

Spanning Tree Protocol frames of any type cannot currently be encrypted using MACsec.

The connectivity association can be defined anywhere, either global or node specific or any other configuration group as long as it is visible to the MACsec interface configuration.

For MACsec configurations, identical configurations must exist on both ends of the link. That is, each node must contain the same configuration as the other node. If the node on the other side is not configured, or is configured incorrectly, for MACsec, the port is disabled and stops forwarding traffic.

SRX340, SRX345, and SRX380 devices support MACsec for host-to-host or switch-to-host connections.

SRX4600 devices currently do not support MACsec for host-to-host connections. MACsec is supported only on the dedicated fabric ports and is not supported if any other traffic port is used as a fabric port.

On SRX340, SRX345, and SRX380 devices, fabric interfaces must be configured such that the Media Access Control Security (MACsec) configurations are local to the nodes. Otherwise, the fabric link will not be reachable.

Configure Media Access Control Security (MACsec)

This topic shows how to configure MACsec on control and fabric ports of supported SRX Series Firewall in chassis cluster to secure point-to-point Ethernet links between the peer devices in a cluster. Each point-to-point Ethernet link that you want to secure using MACsec must be configured independently. You can enable MACsec encryption on device-to-device links using static connectivity association key (CAK) security mode.

The configuration steps for both the control ports and the fabric ports are provided in this topic.

Configuration Considerations When Configuring MACsec on Chassis Cluster Setup

Before you begin, follow these steps to configure MACsec on control ports:

  1. If the chassis cluster is already up, disable it by using the set chassis cluster disable command and reboot both nodes.
  2. Configure MACsec on the control port with its attributes as described in the section Configure Static CAK on the Chassis Cluster Control Port below. Both nodes must be configured independently with identical configurations.
  3. Enable the chassis cluster by using set chassis cluster cluster-id id on both of the nodes. Reboot both nodes.

Control port states affect the integrity of a chassis cluster. Consider the following when configuring MACsec on control ports:

  • Any new MACsec chassis cluster port configuration, or modification to an existing MACsec chassis cluster port configuration, requires the chassis cluster to be disabled and displays the warning message Modifying cluster control port CA will break chassis cluster. Once the cluster is disabled, you can apply the configuration and then re-enable the chassis cluster.

  • By default, chassis clusters synchronize all configurations. You must therefore ensure that synchronization does not cause any MACsec configuration to be lost; otherwise, the chassis cluster will break. For example, with nonsymmetric, node-specific MACsec configurations, identical configurations must still exist on both ends. That is, each node must contain the same configuration as the other node.

The ineligible timer is 300 seconds when MACsec on the chassis cluster control port is enabled on SRX340, SRX345, and SRX380 devices.

If both control links fail, Junos OS changes the operating state of the secondary node to ineligible for 180 seconds. When MACsec is enabled on the control port, the ineligibility duration is 200 seconds for SRX4600 devices.

The initial hold timer is extended from 30 seconds to 120 seconds in chassis clusters on SRX340, SRX345, and SRX380 devices.

For any change in the MACsec configurations of control ports, the steps mentioned above must be repeated.

Consider the following when configuring MACsec on fabric ports:

Configuring MACsec leads to link state changes that can affect traffic capability of the link. When you configure fabric ports, keep the effective link state in mind. Incorrect MACsec configuration on both ends of the fabric links can move the link to an ineligible state. Note the following key points about configuring fabric links:

  • Both ends of the links must be configured simultaneously when the chassis cluster is formed.

  • Incorrect configuration can lead to fabric failures and errors in fabric recovery logic.

    Because of potential link failure scenarios, we recommend that fabric links be configured during formation of the chassis cluster.

Configure MACsec Using Static Connectivity Association Key Security Mode

You can enable MACsec encryption by using static connectivity association key (CAK) security mode on a point-to-point Ethernet link connecting devices. This procedure shows you how to configure MACsec using static CAK security mode.

For SRX340 and SRX345 devices, ge-0/0/0 is a fabric port and ge-0/0/1 is a control port for the chassis cluster and assigned as cluster-control-port 0.

To configure MACsec on cluster-control-port and cluster-data-port on SRX380 devices, the node must be in standalone mode. The MACsec configuration is applied on both nodes, and the nodes are then rebooted into chassis cluster mode.

For SRX380 devices, ge-0/0/0 is a fabric port and ge-0/0/15 is a control port for the chassis cluster.

For SRX4600 devices, dedicated control and fabric ports are available. MACsec on the control link can be configured on the dedicated control ports (control port 0 [em0] and port 1 [em1]). MACsec on the fabric links can be configured only on the dedicated fabric ports, port 2 and port 3 of fpc0 pic0 (for example, xe-0/0/2 and xe-0/0/3), and similarly on port 2 and port 3 of fpc7 pic0.

For SRX1600 devices, dedicated dual control ports em0/em1 and dual fabric ports are available.

For SRX2300 devices, dual control ports em0/em1 and dual fabric ports are available.

SRX1600, SRX2300, and SRX4300 devices all support dual control ports with MACsec configuration.

MACsec on dual control link is configured on control port 0 [em0] and control port 1 [em1]. MACsec configured on revenue interfaces is used for forming fabric links. Fabric links are configured on fabric ports (mge-0/0/1 and mge-7/0/1).

To configure MACsec by using static CAK security mode to secure a device-to-device Ethernet link:

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.
    [edit security macsec]
    user@host# set connectivity-association connectivity-association-name
    

    For instance, to create a connectivity association named ca1, enter:

    [edit security macsec]
    user@host# set connectivity-association ca1
    
  2. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit security macsec]
    user@host# set connectivity-association connectivity-association-name security-mode static-cak
    

    For instance, to configure the MACsec security mode to static-cak on connectivity association ca1:

    [edit security macsec]
    user@host# set connectivity-association ca1 security-mode static-cak
    
  3. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
    [edit security macsec]
    user@host# set connectivity-association connectivity-association-name pre-shared-key ckn hexadecimal-number
    user@host# set connectivity-association connectivity-association-name pre-shared-key cak hexadecimal-number
    
    

    A preshared key is exchanged between the directly connected devices to establish a MACsec-secured link. The preshared key includes the CKN and the CAK. The CKN is a 64-digit hexadecimal number and the CAK is a 64-digit hexadecimal number. The CKN and the CAK must match on both ends of a link to create a MACsec-secured link.

    To maximize security, we recommend configuring all 64 digits of a CKN and all 64 digits of a CAK.

    After the preshared keys are successfully exchanged and verified by both ends of the link, the MACsec Key Agreement (MKA) protocol is enabled and manages the secure link. The MKA protocol then elects one of the two directly connected devices as the key server. The key server then shares a random security key with the other device over the MACsec-secured point-to-point link. The key server will continue to periodically create and share a random security key with the other device over the MACsec-secured point-to-point link as long as MACsec is enabled.

    To configure a CKN of 11c1c1c11xxx012xx5xx8ef284aa23ff6729xx2e4xxx66e91fe34ba2cd9fe311 and CAK of 228xx255aa23xx6729xx664xxx66e91f on connectivity association ca1:

    [edit security macsec]
    user@host# set connectivity-association ca1 pre-shared-key ckn 11c1c1c11xxx012xx5xx8ef284aa23ff6729xx2e4xxx66e91fe34ba2cd9fe311
    user@host# set connectivity-association ca1 pre-shared-key cak 228xx255aa23xx6729xx664xxx66e91f
    

    MACsec is not enabled until a connectivity association is attached to an interface. See the final step of this procedure to attach a connectivity association to an interface.

  4. (Optional) Set the MKA key server priority.
    [edit security macsec connectivity-association connectivity-association-name]
    user@host# set mka key-server-priority priority-number
    

    Specifies the key server priority used by the MKA protocol to select the key server. The device with the lower priority-number is selected as the key server.

    The default priority-number is 16.

    If the key-server-priority is identical on both sides of the point-to-point link, the MKA protocol selects the interface with the lower MAC address as the key server. Therefore, if this statement is not configured in the connectivity associations at each end of a MACsec-secured point-to-point link, the interface with the lower MAC address becomes the key server.

    To change the key server priority to 0 to increase the likelihood that the current device is selected as the key server when MACsec is enabled on the interface using connectivity association ca1:

    [edit security macsec connectivity-association ca1]
    user@host# set mka key-server-priority 0
    

    To change the key server priority to 255 to decrease the likelihood that the current device is selected as the key server in connectivity association ca1:

    [edit security macsec connectivity-association ca1]
    user@host# set mka key-server-priority 255
    
  5. (Optional) Set the MKA transmit interval.
    [edit security macsec connectivity-association connectivity-association-name]
    user@host# set mka transmit-interval interval
    

    The MKA transmit interval sets how often the MKA protocol data unit (PDU) is sent to the directly connected device to maintain MACsec connectivity on the link. A lower interval increases bandwidth overhead on the link; a higher interval reduces the overhead of MKA protocol communication.

    The default interval is 2000 milliseconds. We recommend increasing the interval to 6000 ms in high-traffic load environments. The transmit interval settings must be identical on both ends of the link when MACsec using static CAK security mode is enabled.

    For SRX340, SRX345, and SRX4600 devices, the default MKA transmit interval is 10000 ms on HA links.

    For instance, if you wanted to increase the MKA transmit interval to 6000 milliseconds when connectivity association ca1 is attached to an interface:

    [edit security macsec connectivity-association ca1]
    user@host# set mka transmit-interval 6000
    
  6. (Optional) Disable MACsec encryption.
    [edit security macsec connectivity-association connectivity-association-name]
    user@host# set no-encryption
    

    Encryption is enabled for all traffic entering or leaving the interface when MACsec is enabled using static CAK security mode, by default.

    When encryption is disabled, traffic is forwarded across the Ethernet link in clear text. You are able to view unencrypted data in the Ethernet frame traversing the link when you are monitoring it. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure the traffic sent or received on the link has not been tampered with and does not represent a security threat.

  7. (Optional) Set an offset for all packets traversing the link.
    [edit security macsec connectivity-association connectivity-association-name]
    user@host# set offset (0 | 30 | 50)
    

    For instance, if you wanted to set the offset to 30 in the connectivity association named ca1:

    [edit security macsec connectivity-association ca1]
    user@host# set offset 30
    

    The default offset is 0. All traffic in the connectivity association is encrypted when encryption is enabled and an offset is not set.

    When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic. When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.

    You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

  8. (Optional) Enable replay protection.
    [edit security macsec connectivity-association connectivity-association-name]
    user@host# set replay-protect replay-window-size number-of-packets
    

    When MACsec is enabled on a link, an ID number is assigned to each packet on the MACsec-secured link.

    When replay protection is enabled, the receiving interface checks the ID number of all packets that have traversed the MACsec-secured link. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the packet is dropped by the receiving interface. For instance, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet that is assigned the ID of 1006 is dropped because it falls outside the parameters of the replay protection window.

    Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.

    Replay protection should not be enabled in cases where packets are expected to arrive out of order.

    You can require that all packets arrive in order by setting the replay window size to 0.

    To enable replay protection with a window size of five on connectivity association ca1:

    [edit security macsec connectivity-association ca1]
    user@host# set replay-protect replay-window-size 5
    
  9. (Optional) Exclude a protocol from MACsec.
    [edit security macsec connectivity-association connectivity-association-name]
    user@host# set exclude-protocol protocol-name
    

    For instance, if you did not want Link Level Discovery Protocol (LLDP) to be secured using MACsec:

    [edit security macsec connectivity-association ca1]
    user@host# set exclude-protocol lldp
    

    When this option is enabled, MACsec is disabled for all packets of the specified protocol—in this case, LLDP—that are sent or received on the link.

  10. Assign the connectivity association to a chassis cluster control interface.
    [edit security macsec]
    user@host# set cluster-control-port port-no connectivity-association connectivity-association-name
    

    Assigning the connectivity association to an interface is the final configuration step for enabling MACsec on an interface.

    For instance, to assign connectivity association ca1 to the control port interface (ge-0/0/1 on SRX340 and SRX345 devices, ge-0/0/0 on SRX380 devices):

    [edit security macsec]
    user@host# set cluster-control-port interfaces ge-0/0/1 connectivity-association ca1
    
  11. Assign a connectivity association for enabling MACsec on a chassis cluster fabric interface.
    [edit security macsec]
    user@host# set cluster-data-port port-number connectivity-association connectivity-association-name

    For instance, to assign connectivity association ca1 to fabric interface ge-5/0/2:

    [edit security macsec]
    user@host# set cluster-data-port interfaces ge-5/0/2 connectivity-association ca1

MACsec using static CAK security mode is not enabled until a connectivity association on the opposite end of the link is also configured, and contains preshared keys that match on both ends of the link.
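Because the link does not come up unless both ends carry matching keys, and a mismatch on a control port costs a cluster reboot cycle, it pays to check both nodes' configuration before the cluster is re-enabled. The following Python script is an added example, not Juniper code: it reads set commands in the form used above, applies the CKN and CAK rules and recommendations from this procedure, reports attributes that differ between the nodes (the key server priority is skipped, since step 4 sets it differently on each side on purpose), and shows which side MKA would elect as key server from the key-server-priority and the interface MAC address. The node configurations, MAC addresses and key values are constructed.

```python
"""Pre-check the static-CAK MACsec configuration of both chassis cluster nodes.

Added example, not Juniper code. Rules applied (from the procedure above):
CKN is an even-length string of up to 64 hex digits; CAK is hex and all 64
digits are recommended; security-mode must be static-cak; keys and transmit
interval must match on both ends; the lower key-server-priority becomes the
MKA key server, with ties decided by the lower MAC address.
"""
import re

SET_RE = re.compile(r"^set security macsec connectivity-association (\S+) (.+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_KEY_SERVER_PRIORITY = 16

CKN = "0123456789abcdef" * 4          # 64 hex digits, constructed sample
CAK = "fedcba9876543210" * 4          # 64 hex digits, constructed sample


def node_config(cak, transmit_interval, key_server_priority):
    """Render the set commands for one node (constructed sample)."""
    return f"""
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn {CKN}
set security macsec connectivity-association ca1 pre-shared-key cak {cak}
set security macsec connectivity-association ca1 mka transmit-interval {transmit_interval}
set security macsec connectivity-association ca1 mka key-server-priority {key_server_priority}
set security macsec cluster-control-port 0 connectivity-association ca1
"""

NODE0_CONFIG = node_config(CAK, 10000, 0)
# node1 carries a one-digit CAK typo and a different transmit interval
NODE1_CONFIG = node_config(CAK[:-1] + "1", 6000, 255)


def parse_set_commands(text):
    """Return {ca_name: {attribute: value}} from 'set security macsec ...' lines."""
    cas = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue                          # e.g. the cluster-control-port line
        name, tokens = m.group(1), m.group(2).split()
        attrs = cas.setdefault(name, {})
        if tokens[0] == "pre-shared-key":     # ckn / cak
            attrs[tokens[1]] = tokens[2]
        elif tokens[0] == "mka":              # key-server-priority / transmit-interval
            attrs[tokens[1]] = int(tokens[2])
        else:                                 # security-mode, offset, no-encryption, ...
            attrs[tokens[0]] = " ".join(tokens[1:]) or True
    return cas


def validate_ca(name, attrs):
    """Return (errors, warnings) for one connectivity association."""
    errors, warnings = [], []
    if attrs.get("security-mode") != "static-cak":
        errors.append(f"{name}: security-mode must be static-cak")
    ckn, cak = attrs.get("ckn", ""), attrs.get("cak", "")
    if not (HEX_RE.match(ckn) and len(ckn) % 2 == 0 and len(ckn) <= 64):
        errors.append(f"{name}: CKN must be an even-length hex string of at most 64 digits")
    if not HEX_RE.match(cak) or len(cak) > 64:
        errors.append(f"{name}: CAK must be a hex string of at most 64 digits")
    elif len(cak) < 64:
        warnings.append(f"{name}: CAK has {len(cak)} digits; all 64 are recommended")
    prio = attrs.get("key-server-priority", DEFAULT_KEY_SERVER_PRIORITY)
    if not 0 <= prio <= 255:
        errors.append(f"{name}: key-server-priority must be between 0 and 255")
    return errors, warnings


def compare_nodes(node0_text, node1_text):
    """List attributes that differ between the nodes (key-server-priority excluded)."""
    a, b = parse_set_commands(node0_text), parse_set_commands(node1_text)
    mismatches = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            mismatches.append(f"{name}: configured on only one node")
            continue
        for key in sorted((set(a[name]) | set(b[name])) - {"key-server-priority"}):
            if a[name].get(key) != b[name].get(key):
                mismatches.append(f"{name}: {key} differs between the nodes")
    return mismatches


def elect_key_server(candidates):
    """candidates: [(label, key_server_priority, mac)]; lowest priority wins,
    an equal priority is decided by the lower MAC address."""
    return min(candidates, key=lambda c: (c[1], int(c[2].replace(":", ""), 16)))[0]


if __name__ == "__main__":
    for label, cfg in (("node0", NODE0_CONFIG), ("node1", NODE1_CONFIG)):
        for name, attrs in parse_set_commands(cfg).items():
            print(label, name, validate_ca(name, attrs))
    print("mismatches:", compare_nodes(NODE0_CONFIG, NODE1_CONFIG))
    print("key server:", elect_key_server([("node0", 0, "00:00:5e:00:53:02"),
                                           ("node1", 255, "00:00:5e:00:53:01")]))
```

Run it against the output of show configuration | display set from each node before you run set chassis cluster cluster-id; any mismatch it prints is one the cluster would otherwise only reveal by failing to form.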

Configure Static CAK on the Chassis Cluster Control Port

To establish a connectivity association (CA) over a chassis cluster control link on two SRX345 devices:

  1. Configure the MACsec security mode as static-cak for the connectivity association:
    [edit security macsec]
    user@host# set connectivity-association ca1 security-mode static-cak
    
  2. Create the preshared key by configuring the connectivity association key name (CKN).
    [edit security macsec]
    user@host# set connectivity-association ca1 pre-shared-key ckn 0123456789abcdefABCDEF0123456789
    

    The CKN must be an even-length string up to 64 hexadecimal characters (0-9, a-f, A-F).

  3. Create the pre-shared key by configuring the connectivity association key (CAK).
    [edit security macsec]
    user@host# set connectivity-association ca1 pre-shared-key cak 0123456789abcdefABCDEF0123456789
    

    The CAK must contain 64 hexadecimal characters (0-9, a-f, A-F).

  4. Specify chassis cluster control ports for the connectivity association.
    [edit security macsec]
    user@host# set cluster-control-port 0 connectivity-association ca1
    

Configure Static CAK on the Chassis Cluster Fabric Port

To establish a connectivity association over a chassis cluster fabric link on two SRX345 devices:

  1. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit security macsec]
    user@host# set connectivity-association ca2 security-mode static-cak
    
  2. Create the preshared key by configuring the connectivity association key name (CKN).
    [edit security macsec]
    user@host# set connectivity-association ca2 pre-shared-key ckn 0123456789abcdefABCDEF0123456789
    

    The CKN must be an even-length string up to 64 hexadecimal characters (0-9, a-f, A-F).

  3. Create the preshared key by configuring the connectivity association key (CAK).
    [edit security macsec]
    user@host# set connectivity-association ca2 pre-shared-key cak 0123456789abcdefABCDEFabcdefabcdef
    

    The CAK must contain 64 hexadecimal characters (0-9, a-f, A-F).

  4. Assign the chassis cluster fabric ports to the connectivity association.
    [edit security macsec]
    user@host# set cluster-data-port ge-0/0/2 connectivity-association ca2
    user@host# set cluster-data-port ge-5/0/2 connectivity-association ca2
    

Configure Static CAK on the Control Port for SRX1600, SRX2300, and SRX4300 Devices

To configure a connectivity association over a chassis cluster control link on two SRX1600, two SRX2300, or two SRX4300 devices:

  1. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    user@host# set security macsec connectivity-association ca1 security-mode static-cak
    
  2. Create the preshared key by configuring the connectivity association key name (CKN).
    [edit]
    user@host# set security macsec connectivity-association ca1 pre-shared-key ckn aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

    The CKN must be an even-length string up to 64 hexadecimal characters (0-9, a-f, A-F).

  3. Create the preshared key by configuring the connectivity association key (CAK).
    [edit]
    user@host# set security macsec connectivity-association ca1 pre-shared-key cak ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEF
    
    

    The CAK must contain 64 hexadecimal characters (0-9, a-f, A-F).

  4. Specify a chassis cluster control port for the connectivity association.
    [edit]
    user@host# set security macsec cluster-control-port 0 connectivity-association ca1
    user@host# set security macsec cluster-control-port 1 connectivity-association ca1
    

To view the status of the active MACsec connections, run the show security macsec connections command.

user@host> show security macsec connections
    Interface name: em0
        CA name: ca1
        Cipher suite: GCM-AES-128   Encryption: on
        Key server offset: 0        Include SCI: no
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 02:00:00:01:01:04/1
            Outgoing packet number: 1914287
            Secure associations
            AN: 0 Status: inuse Create time: 07:33:26
          Inbound secure channels
            SC Id: 02:00:00:02:01:04/1
            Secure associations
            AN: 0 Status: inuse Create time: 07:33:26

    Interface name: em1
        CA name: ca1
        Cipher suite: GCM-AES-128   Encryption: on
        Key server offset: 0        Include SCI: no
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 02:00:01:01:01:04/1
            Outgoing packet number: 108885
            Secure associations
            AN: 0 Status: inuse Create time: 07:33:26
          Inbound secure channels
            SC Id: 02:00:01:02:01:04/1
            Secure associations
            AN: 0 Status: inuse Create time: 07:33:26

To view the MACsec key agreement session information, run the show security mka sessions command.

user@host> show security mka sessions
  Interface name: em0
     Interface State: Secured - Primary
     Member identifier: 7A3FC14B77F5296124A8D22A
     CAK name: 12345678
     CAK type: primary
     Security mode: static
     MKA suspended: 0(s)
     Transmit interval: 10000(ms)
     SAK rekey interval: 0(s)
     Preceding Key: enabled
     Bounded Delay: disabled
     Outbound SCI: 02:00:00:01:01:04/1
     Message number: 2713       Key number: 1
     MKA ICV Indicator: enabled
     Key server: yes            Key server priority: 16
     Latest SAK AN: 0           Latest SAK KI: 7A3FC14B77F5296124A8D22A/1
     MKA Suspend For: disabled  MKA Suspend On Request: disabled
     Previous SAK AN: 0         Previous SAK KI: 000000000000000000000000/0
     Peer list
          1. Member identifier: 6A9B3CC75376160D74AAA1E7 (live)
             Message number: 2711        Hold time: 57000 (ms)
             SCI: 02:00:00:02:01:04/1    Uptime: 07:31:39
             Lowest acceptable PN: 1674733

  Interface name: em1
     Interface State: Secured - Primary
     Member identifier: 989CB809BF3759C9EAC10F5A
     CAK name: 12345678
     CAK type: primary
     Security mode: static
     MKA suspended: 0(s)
     Transmit interval: 10000(ms)
     SAK rekey interval: 0(s)
     Preceding Key: enabled
     Bounded Delay: disabled
     Outbound SCI: 02:00:01:01:01:04/1
     Message number: 2713       Key number: 1
     MKA ICV Indicator: enabled
     Key server: yes            Key server priority: 16
     Latest SAK AN: 0           Latest SAK KI: 989CB809BF3759C9EAC10F5A/1
     MKA Suspend For: disabled  MKA Suspend On Request: disabled
     Previous SAK AN: 0         Previous SAK KI: 000000000000000000000000/0
     Peer list
          1. Member identifier: 16015BCD3844F12DFA89AB7F (live)
             Message number: 2711        Hold time: 57000 (ms)
             SCI: 02:00:01:02:01:04/1    Uptime: 07:31:39
             Lowest acceptable PN: 111017

To view the security status of the control and fabric ports, run the show chassis cluster interfaces command. In the following output, MACsec is enabled on both control port 0 (em0) and control port 1 (em1), while the fabric child interfaces show Security as Disabled:

user@host> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Up                 Disabled      Enabled
    1       em1         Up                 Disabled      Enabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    et-0/3/0           Up   / Up                 Disabled
    fab0    et-0/3/1           Up   / Up                 Disabled
    fab1    et-7/3/0           Up   / Up                 Disabled
    fab1    et-7/3/1           Up   / Up                 Disabled

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

Configure Static CAK on the Control Port for SRX4600

Use this procedure to establish a connectivity association (CA) over the chassis cluster control link between two SRX4600 devices.

  1. Configure the MACsec security mode as static-cak for the connectivity association:
    [edit]
    user@host# set security macsec connectivity-association ca1 security-mode static-cak

  2. Configure the connectivity association key name (CKN) of the preshared key:
    [edit]
    user@host# set security macsec connectivity-association ca1 pre-shared-key ckn aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    The CKN must be an even-length string of up to 64 hexadecimal characters (0-9, a-f, A-F).

  3. Configure the connectivity association key (CAK) of the preshared key:
    [edit]
    user@host# set security macsec connectivity-association ca1 pre-shared-key cak ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD

    The CAK must contain 64 hexadecimal characters (0-9, a-f, A-F). The CAK is the long-lived secret from which the secure association keys (SAKs) are derived, so use a value from a cryptographically secure random generator rather than a pattern like the placeholder shown here. The CKN and CAK must be identical on both nodes of the cluster.

  4. Assign the connectivity association to both chassis cluster control ports:
    [edit]
    user@host# set security macsec cluster-control-port 0 connectivity-association ca1
    user@host# set security macsec cluster-control-port 1 connectivity-association ca1

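The key values in steps 2 and 3 are placeholders. As an added example that is not Juniper code or part of the original page, the following Python script generates a CKN and CAK from the OS CSPRNG, validates them against the length rules this procedure states, and renders the set commands of steps 1 to 4. The connectivity-association name ca1 and control-port indexes 0 and 1 are taken from the procedure; the length rules are assumed to be exactly the ones stated above and nothing more.

```python
"""Generate a MACsec static-CAK pre-shared key for the procedure above and
render the set commands.  Added example, not Juniper code.  The length rules
are the ones this page states (CKN: even-length hex, at most 64 characters;
CAK: exactly 64 hex characters); anything beyond that is an assumption."""
import re
import secrets

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def valid_ckn(ckn):
    """CKN: non-empty hex string, even length, at most 64 characters."""
    return bool(HEX_RE.fullmatch(ckn)) and len(ckn) % 2 == 0 and len(ckn) <= 64


def valid_cak(cak):
    """CAK: exactly 64 hex characters."""
    return bool(HEX_RE.fullmatch(cak)) and len(cak) == 64


def generate_psk(ckn_bytes=16):
    """Return (ckn, cak) drawn from the OS CSPRNG.  The CKN is only a label
    carried in clear in MKA; the CAK is the long-lived secret from which the
    SAKs are derived, so it must never be a guessable placeholder."""
    ckn = secrets.token_hex(ckn_bytes)  # 2 * ckn_bytes hex digits, always even
    cak = secrets.token_hex(32)         # 64 hex digits
    return ckn, cak


def render_config(ca_name, ckn, cak, control_ports=(0, 1)):
    """Render the commands of steps 1-4 for one connectivity association,
    refusing keys the rules above would reject instead of emitting them."""
    if not valid_ckn(ckn):
        raise ValueError("CKN must be an even-length hex string of at most 64 characters")
    if not valid_cak(cak):
        raise ValueError("CAK must be exactly 64 hex characters")
    ca = f"set security macsec connectivity-association {ca_name}"
    lines = [
        f"{ca} security-mode static-cak",
        f"{ca} pre-shared-key ckn {ckn}",
        f"{ca} pre-shared-key cak {cak}",
    ]
    for port in control_ports:  # cluster-control-port 0 and 1, as in step 4
        lines.append(f"set security macsec cluster-control-port {port} connectivity-association {ca_name}")
    return lines


if __name__ == "__main__":
    ckn, cak = generate_psk()
    print("\n".join(render_config("ca1", ckn, cak)))
```

Run the script once, load the printed lines in configuration mode and commit; because the CAK is a shared secret, both peers must receive the same value, so do not generate a separate key per node.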

Verify MACsec Configuration

To confirm that the configuration provided in Configure Static CAK on the Control Port for SRX4600 is working properly, perform these tasks:

Display the Status of Active MACsec Connections on the Device

Purpose

Verify that MACsec is operational on the chassis cluster setup.

Action

From operational mode, enter the show security macsec connections command (add interface interface-name to limit the output to one interface) on one or both nodes of the chassis cluster.

{primary:node0}
user@host> show security macsec connections

    Interface name: em0
        CA name: ca1
        Cipher suite: GCM-AES-128   Encryption: on
        Key server offset: 0        Include SCI: no
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 02:00:00:01:01:04/1
            Outgoing packet number: 1
            Secure associations
            AN: 3 Status: inuse Create time: 00:01:43
          Inbound secure channels
            SC Id: 02:00:00:02:01:04/1
            Secure associations
            AN: 3 Status: inuse Create time: 00:01:43

Meaning

The Interface name and CA name fields show that connectivity association ca1 is operational on interface em0; no output appears for an interface on which the connectivity association is not operational. Also confirm that Encryption is on (otherwise frames are only integrity-protected and remain readable on the wire) and that both the outbound and inbound secure associations report Status: inuse. Replay protect: off in this output means the receiver does not drop frames whose packet number falls outside the replay window, so replayed frames are accepted.

Display MACsec Key Agreement (MKA) Session Information

Purpose

Display MACsec Key Agreement (MKA) session information for all interfaces.

Action

From the operational mode, enter the show security mka sessions command.

user@host> show security mka sessions

Interface name: em0
      Member identifier: B51CXXXX2678A7F5F6C12345
      CAK name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      Transmit interval: 10000(ms)
      Outbound SCI: 02:00:00:01:01:04/1
      Message number: 270        Key number: 8
      Key server: yes            Key server priority: 16
      Latest SAK AN: 3           Latest SAK KI: B51C8XXX2678A7A5B6C54321/8
      Previous SAK AN: 0         Previous SAK KI: 000000000000000000000000/0
      Peer list
       1. Member identifier: 0413427B38817XXXXF054321 (live)
          Message number: 8 Hold time: 59000 (ms)
          SCI: 02:00:00:02:01:04/1
          Lowest acceptable PN: 0

Meaning

The output shows the MKA session on each interface. Check that the peer in the Peer list is marked (live), that exactly one of the two peers on the link reports Key server: yes, and that Latest SAK AN (3 here) matches the AN shown as inuse for the interface in the show security macsec connections output. Key number is incremented each time the key server distributes a new SAK.

Verify the MACsec-Secured Traffic Is Traversing Through the Interface

Purpose

Verify that traffic traversing through the interface is MACsec-secured.

Action

From operational mode, enter the show security macsec statistics interface interface-name detail command; the example below uses em0.

user@host> show security macsec statistics interface em0 detail


  Interface name: em0
    Secure Channel transmitted
        Encrypted packets: 2397305
        Encrypted bytes:   129922480
        Protected packets: 0
        Protected bytes:   0
    Secure Association transmitted
        Encrypted packets: 2397305
        Protected packets: 0
    Secure Channel received
        Accepted packets:  2395850
        Validated bytes:   0
        Decrypted bytes:   131715088
    Secure Association received
        Accepted packets:  2395850
        Validated bytes:   0
        Decrypted bytes:   0

                                 
Meaning

The Encrypted packets counter under Secure Channel transmitted is incremented each time a frame leaving the interface is encrypted and integrity-protected by MACsec. The Protected packets counter counts frames that were integrity-protected but sent in clear text; with Encryption: on it should stay at 0, as it does here.

The Accepted packets counter under Secure Association received is incremented each time a received frame passes the MACsec integrity check. The Decrypted bytes counter (reported under Secure Channel received in this output) is incremented as received encrypted frames are decrypted. On a healthy link both the transmitted Encrypted packets and the received Accepted packets counters increase between two runs of the command.
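Both the connections output (Display the Status of Active MACsec Connections on the Device) and the statistics output in this step are read by eye above. As an added example that is not part of the page or of Juniper's tooling, the following Python script parses copies of those two outputs and applies the checks described in the two Meaning sections: the connectivity association is present with Encryption on, both secure associations are in use, encrypted frames are being sent while the integrity-only Protected counter stays at 0, and received frames are passing the integrity check. It also reports Replay protect: off as a finding. The embedded sample outputs are constructed to follow the format shown on this page; the field names come from that output, and it is an assumption that the parsing holds for that format only.

```python
"""Parse and check 'show security macsec connections' and
'show security macsec statistics interface <name> detail' output.
Added example, not Juniper code; both samples are constructed to match
the output format shown on this page."""
import re

SAMPLE_CONNECTIONS = """\
    Interface name: em0
        CA name: ca1
        Cipher suite: GCM-AES-128   Encryption: on
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 02:00:00:01:01:04/1
            Secure associations
            AN: 3 Status: inuse Create time: 00:01:43
          Inbound secure channels
            SC Id: 02:00:00:02:01:04/1
            Secure associations
            AN: 3 Status: inuse Create time: 00:01:43
"""

SAMPLE_STATISTICS = """\
  Interface name: em0
    Secure Channel transmitted
        Encrypted packets: 2397305
        Protected packets: 0
    Secure Channel received
        Accepted packets:  2395850
        Decrypted bytes:   131715088
"""


def parse_connections(text):
    """Map interface -> cipher, encryption flag, replay flag and the
    (AN, status) of its outbound ('out') and inbound ('in') secure association."""
    result, cur, direction = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Interface name:"):
            cur = result.setdefault(s.split(":", 1)[1].strip(), {"sa": {}})
            direction = None
        elif cur is None:
            continue
        elif s.startswith("Cipher suite:"):
            cur["cipher"] = s.split()[2]
            cur["encryption"] = s.rsplit(":", 1)[1].strip() == "on"
        elif s.startswith("Replay protect:"):
            cur["replay_protect"] = s.split()[2] == "on"
        elif s.startswith("Outbound secure channels"):
            direction = "out"
        elif s.startswith("Inbound secure channels"):
            direction = "in"
        elif s.startswith("AN:") and direction:
            m = re.match(r"AN: (\d+) Status: (\S+)", s)
            cur["sa"][direction] = (int(m.group(1)), m.group(2))
    return result


def parse_statistics(text):
    """Map each 'Secure ...' section of the detail output to its integer counters."""
    stats, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Secure "):
            section = stats.setdefault(s, {})
            continue
        m = re.match(r"^(.+?):\s+(\d+)$", s)
        if m and section is not None:
            section[m.group(1)] = int(m.group(2))
    return stats


def check_interface(conn, stats, name):
    """Return findings for one interface; an empty list means MACsec is up,
    encrypting, carrying traffic, and rejecting replayed frames."""
    c = conn.get(name)
    if c is None:
        return [f"{name}: no operational connectivity association"]
    findings = []
    if not c.get("encryption"):
        findings.append(f"{name}: Encryption is off, frames are integrity-protected but readable")
    for d in ("out", "in"):
        if c["sa"].get(d, (None, ""))[1] != "inuse":
            findings.append(f"{name}: no in-use {d}bound secure association")
    if not c.get("replay_protect"):
        findings.append(f"{name}: replay protection is off")
    tx = stats.get("Secure Channel transmitted", {})
    rx = stats.get("Secure Channel received", {})
    if tx.get("Encrypted packets", 0) == 0:
        findings.append(f"{name}: no encrypted packets transmitted")
    if tx.get("Protected packets", 0):
        findings.append(f"{name}: integrity-only (unencrypted) frames are being transmitted")
    if rx.get("Accepted packets", 0) == 0:
        findings.append(f"{name}: no received packets have passed the integrity check")
    return findings


if __name__ == "__main__":
    conn, stats = parse_connections(SAMPLE_CONNECTIONS), parse_statistics(SAMPLE_STATISTICS)
    print(check_interface(conn, stats, "em0"))
```

On a device, replace the two sample strings with the captured command output (for example from show security macsec connections | no-more); for the sample above the only finding is that replay protection is off, which matches the Replay protect: off line in the page's output.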

Verify Chassis Cluster Ports Are Secured with MACsec Configuration

Purpose

Verify that MACsec is configured on chassis cluster ports.

Action

From operational mode, enter the show chassis cluster interfaces command.

user@host> show chassis cluster interfaces

Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Up                 Disabled      Enabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    xe-1/1/6           Up   / Up                 Enabled
    fab0
    fab1    xe-8/1/6           Up   / Up                 Enabled
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          2
    reth2        Down        Not configured
    reth3        Down        Not configured
    reth4        Down        Not configured
    reth5        Down        Not configured
    reth6        Down        Not configured
    reth7        Down        Not configured

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

Meaning

The Security column under Control interfaces showing Enabled for em0 means that traffic sent over the em0 control link is secured by MACsec. The Security column under Fabric interfaces shows the same for the fabric child interfaces (xe-1/1/6 and xe-8/1/6 in this output).

You can also use the show chassis cluster status command to display the current status of the chassis cluster.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release        Description
17.4R1         Starting in Junos OS Release 17.4R1, MACsec is supported on HA control and fabric ports of SRX4600 devices in chassis cluster mode.
15.1X49-D60    Starting in Junos OS Release 15.1X49-D60, Media Access Control Security (MACsec) is supported on control and fabric ports of SRX340 and SRX345 devices in chassis cluster mode.